A multi-stage flow is commonly followed when face swapping is used to bypass KYC: 1. Preparation and reconnaissance: Targeting criteria are defined on either bulk account creation or targeted impersonation. 2. Document misuse or forging: A document is either stolen, purchased, forged or AI-generated to match the target identity. 3. Face swapping and synthetic media : A face swap model or pipeline is trained or configured to create synthetic images or videos that match identity documents. These tools may provide both pre-generated and real-time synthetic media.144. Camera feed substitution: Camera injection tools are used to replace a device’s default live camera feed with AI synthetic media. When the KYC system captures the “live” biometric, it receives the forged media instead of the actual user, allowing the attacker to pass biometric checks. 5. Device manipulation: Emulators, virtual environments or other device manipulation techniques are rotated or re-provisioned to avoid linking multiple account registrations to a single physical resource. 6. Network layering: Residential proxies, mobile proxies or VPNs (virtual private networks) are used to diversify IP (internet protocol) addresses and geolocation signals, and to defeat simple IP-based correlation. Detailed multi-stage attack flow Unmasking Cybercrime 7

Unmasking Cybercrime Strengthening Digital Identity Verification against Deepfakes 2026