Papa Carder
Professional
- Messages
- 240
- Reaction score
- 226
- Points
- 43
This diagram doesn't provide a 100% guarantee, but you can study it for familiarization purposes.
Content:
● How to fake a live webcam
● How to fake a rotating head verification
● How to make your selfie more lively
● How to fake a phone that requires KYC
ScanFace: A simple request for a facial scan (photo)
Turn your head: You need to turn your head (like on Avito, for example)
Blink Life Test: Requires you to blink during a countdown.
ID Card+Face Selfie(ID Card + Selfie): Most popular among Indonesian applications such as e-wallet and exchanger
There is a way to counter this defense.
You need to download:
● OBS (with virtual camera plugin)
● ManyCams -- Not free, please check reddit piracy megathread for a safe and clean pirated version.
Some download links will be available on the last page of this topic.
Install both programs and prepare the documents.
Now open OBS and on the "Sources" tab, click on "+" and then "Image".
Then select the path to the image and click "OK." You'll see the selected image in OBS.
Now open ManyCams, go to the "Text" tab and uncheck "Show ManyCams logo".
Return to OBS and click "Start Virtual camera".
Now go back to the site you're trying to verify on and run the webcam test, allow access, and you should see the photo you selected on the web page.
You can change the position of a photo (if you're verifying a selfie, your face should be within the "circle") on OBS by moving the photo or resizing it by grabbing a corner of the photo.
What if your KYC puts you into full-screen mode as soon as you start verification and cancels it if you exit full-screen mode?
If you are exiting fullscreen mode, open OBS, then start verification and once you are in fullscreen mode, ALT+TAB into the OBS window so that verification is not cancelled and you can move your photo around.
After that, simply select the photo size you need and take the photo.
Once you have successfully created an account and made a small donation, start a new project and select "Image" and then "Add".
After that you will see your photo on the website, then you should see a small menu in the top center, select "Mode to draw smooth shapes".
Once you have selected the correct mode, carefully draw a shape around the head of your selfie.
Once you've done this, you should see that the selected area is lighter than the background.
On the left side you will see a small frame, select "Rotation mode" and move the cursor slightly within the frame area to rotate the selected area.
Once you've managed to turn your selfie into a 3D model, you can record your screen by moving your head, and then in OBS, in the "Sources" tab, select "Media source".
Or you can select "Window capture" and choose the "Smoothie-3d" tab and rotate your head in real time while you do your KYC verification.
Okay but my selfie looks "not real" how can I make it more alive?
Note: This part of the method assumes using a phone. (Note: An emulator would probably work, too).
Some websites (banks, major cryptocurrency exchange sites, etc.) may see your selfie as just a regular photo because it doesn't look "lively".
To get around this problem, you need two things:
● TikTok account
● Smartphone with a working camera.
If you have it, download TikTok and create an account.
Once your TikTok account is ready, open your selfie on your computer, create a new TikTok video, and select the "Dynamic Photo" filter.
Once you've selected a filter, you'll see your selfie moving, smiling, rolling its eyes, etc.
Record a short video and upload it to TikTok (make sure it's public).
Once your video is uploaded, go to: https://ssstik.io/en (ticktock video downloader) and paste the link to your video.
Download your video without the TikTok tag.
After that, it's simple: go to OBS, under "Sources," select "Media," and select your TikTok video you just uploaded.
To do this you will need several tools:
● LDplayer (Android emulator)
● Logitech Capture Software
Once you have downloaded these 2 tools, create a new LDplayer emulator for Android and select the resolution 640x640
Then open Logitech capture software, open the selfie/docs photo, select 1080p resolution, and then in "Source 1" select the name of the opened photo.
Then go to ManyCams, select camera source as "Logi Capture".
Then go back to the android emulator, make kyc and when the emulator asks
Whether you want to use webcam or screen cropping, select webcam and you should see the photo uploaded right there, proceed to resize or reposition the photo to suit your needs and take the photo.
That's it! This should be enough to bypass many KYC providers and allow you to easily verify your account!
This article will be about deepfakes. Translation of an article by a person involved in Fraud Simulation.
When a new tool called the "Deepfake Offensive Toolkit" was released, claiming to allow you to input deepfake images into your virtual camera in real time and bypass biometric verification, I was thrilled! As you may have noticed, all my recent posts have been about forging identities and bypassing KYC checks at financial institutions. I thought, why not try and bypass biometric verification using machine learning?
Before I started working, I needed to find a target app and define the testing conditions. After browsing several neobanks on my phone, I found one that asked for a short video recording in certain account resets where the bank wasn't sure of your identity. However, accessing the account still required a lot of information: photos of ID, email access, and possibly card details. Creating a decent deepfake requires hours of high-quality video or photos of a person. All of this is difficult to obtain if the criminals don't know the victim. But everything changes if it's someone from the inside. Your teenager, your disgruntled ex, or your business partner will have photos of your ID, private videos, and temporary access to your email and phone. That's our attacker.
Now that we've established all the prerequisites, we can play around with ML frameworks. But before we start creating fake videos, we need to run through the unmodified verification scenario to have a starting point. I restarted the app, ran the verification conditions, created a 640x480 video, and, using my jailbroken iPhone, successfully submitted it and passed verification.
During the inspection I discovered the following:
- I can run verification requests and automatically submit video files for verification.
- I can run as many verifications as I want. Even if one attempt fails, I can run another one, which won't be affected by previous results.
- Each verification will take different amounts of time to be approved, so it's most likely performed by humans.
Example 1. Deepfake Offensive Toolkit, attempt 1
I asked a friend with a similar haircut and facial features to record a test video and send it to me so I could apply the deepfake tools. Unfortunately, the quality was unsatisfactory:
Status: verification not started ☑
Example 2. Deepfake Offensive Toolkit, attempt 2
After I stopped playing with the different settings options, I decided to apply my own photo to my own video!
This is something I can work with! At first, I was sure the video verification process would fail and I'd have to provide additional documents. But no! The verification was successful, despite obvious signs of video editing: a blurred face, jagged edges, and traces of video editing in the final file.
Status: verified ☑
Example 3. DeepFaceLab, attempt 1
I realized that realistic deepfakes in real time were still a long way off. But I didn't need real-time substitution, so I tried another project: DeepFaceLab. This framework allows for impressive results given high-quality video sources and sufficient resources for model training.
But to save time, I started with the same requirement: replace myself with myself. I recorded a 1000-frame video of myself, then trained an SAEHD model, which was placed on another video of myself.
This is a fake self, generated by the DFL framework. And again, the signs of deep forgery are clear. The blurred, spoofed facial outlines are visible, enough to fool only someone with very poor vision. But it worked! So far, so good.
Status: verified ☑
Example 4. DeepFaceLab, attempt 2
I took the original video I requested from my friend and applied the retrained model to it:
The resulting video is of better quality than the first attempt, but still far from perfect. There are a few issues:
- Different facial colors, making the edges more obvious. As I later discovered, the correct DFL model parameters correct this.
- Straight edge of the fringe shadow. This can be corrected with the right target video and appropriate mask training.
- Lack of glasses. This could be a red flag for video recognition services. Unfortunately, wearing glasses creates terrible artifacts. These conditions should be studied further.
- The target recording had incorrect articulation, which could have raised another red flag.
Unfortunately, this video didn't pass the verification process. But I was confident that I could create a proper video that would pass the verification process.
Status: verification failed ☑
Example 5. Without glasses
After several failed checks, no one tried to block me permanently. How amazing, I thought! So, I could try to pinpoint some of the "black box" conditions of the verification process.
Since glasses are an integral part of some people's lives, what if their absence is the main reason for verification failure? I submitted an unmodified video of myself without glasses. And it failed verification! Despite the fact that absolutely nothing had changed!
Status: verification failed ☑
[BExample 6. DeepNostalgia+Wav2lip+Face-SPARNet[/B]
Now that we know the glasses are crucial, I know what I need in the final video. There's just one problem: deepfakes with glasses have always been very low quality.
One of the brilliant ML scientists, Alexander, suggested I look at https://www.myheritage.com/deep-nostalgia to animate a photo with glasses that wouldn't extend beyond the shape of my face. I used it to create a short video about myself:
Not the best quality, but not the worst either.
Now I need to get rid of the watermarks (sorry about that) and use the wav2lip framework, which will force me to "pronounce" the words. This lowered the quality of the final video even further, so I improved it using Face-SPARNet:
Unfortunately, the final quality was not good enough and verification failed.
Status: verification failed ☑
Example 7. Photo animation with AI+Wav2lip+Face-SPARNet+DeepFaceLab
At some point, something clicked in my head. If I had a three-second recording, I could take a single photo of the victim, create an animated video from just that photo, and then re-overlay the high-resolution sources using DeepFaceLab to dramatically improve the quality! The final steps address the existing issues with the previous examples:
1. The quality of the final DFL video was improved by acquiring Animate Photos AI (https://pixbim.com/animate-photos-pixbim). This also helped remove watermarks.
2. Animate Photos AI detects faces and produces square videos, so we had to "trick" the algorithm into producing a video that could then be cut into frames with a resolution of 640x480:
3. Wav2lip and post-editing with Face-SPARNet resulted in additional artifacts at the bottom of the video:
Wav2lip-HQ didn't produce a high-quality sync. So I recorded lips saying what I needed and overlaid them on top of the video. Since they'll be replaced with DFL later, it doesn't matter!
It's a perfect source for syncing.
5. Let's take the remaining high-resolution video of the "victim" and use it as the SRC for the DFL. I trained the SAEHD model from scratch using Google Colab, and frankly, the results are impressive:
drive.google.com
Status: verified ☑
Final example: RealTimeVoiceCloning
When I was testing whether lip syncing might be an issue, I decided to make a video in which the lips don't show what the voice is saying. Additionally, I decided to generate a completely artificial voice. An insider might have a recording of the victim's voice, but it's unlikely to be exactly what the bank expects. Since this article is about deepfake tools, I used the RealTimeVoiceCloning framework. After a short training session with 10-15 minutes of voice, I created a decent-quality fake voice that said everything I wanted:
drive.google.com
As you can see, this voice sounds quite different from my original voice. I also recorded a video of myself saying words different from the audio:
So again I wasn't sure I would pass the test.
But it all worked! This means the bank employees don't have a standard for my voice. Whoever checks the recordings pays more attention to the video than the audio.
Status: verified ]☑
Based on the varying timeouts for each verification, I concluded that the final confirmation was done by a human. During busy and off-peak hours, verification times were longer than during off-peak hours. If verification is performed solely by humans, there's always a bias factor. The same video, submitted over and over again, can eventually be accepted.
When creating a deepfake, matching faces in the source and final videos is crucial. Also important are lighting conditions, video quality, and even finer details: what kind of glasses are you wearing, what kind of fringe do you have? In my tests, I allowed myself a certain flexibility that the criminals didn't have.
The verification process still remains a "black box" — I don't know whether all my tests combined influenced the results or not.
Ultimately, any human verification can be bypassed.
Content:
● How to fake a live webcam
● How to fake a rotating head verification
● How to make your selfie more lively
● How to fake a phone that requires KYC
MAIN TYPES OF VERIFICATION:
Old standard: Upload a document and a photograph with a signature or with a written name or date on the sheetScanFace: A simple request for a facial scan (photo)
Turn your head: You need to turn your head (like on Avito, for example)
Blink Life Test: Requires you to blink during a countdown.
ID Card+Face Selfie(ID Card + Selfie): Most popular among Indonesian applications such as e-wallet and exchanger
Fake webcam
Most websites these days use selfie camera verification, the site will ask you for permission to turn on the camera and record your face, which can have serious consequences if the company you use does not store their data well.There is a way to counter this defense.
You need to download:
● OBS (with virtual camera plugin)
● ManyCams -- Not free, please check reddit piracy megathread for a safe and clean pirated version.
Some download links will be available on the last page of this topic.
Install both programs and prepare the documents.
Now open OBS and on the "Sources" tab, click on "+" and then "Image".
Then select the path to the image and click "OK." You'll see the selected image in OBS.
Now open ManyCams, go to the "Text" tab and uncheck "Show ManyCams logo".
Return to OBS and click "Start Virtual camera".
Now go back to the site you're trying to verify on and run the webcam test, allow access, and you should see the photo you selected on the web page.
You can change the position of a photo (if you're verifying a selfie, your face should be within the "circle") on OBS by moving the photo or resizing it by grabbing a corner of the photo.
What if your KYC puts you into full-screen mode as soon as you start verification and cancels it if you exit full-screen mode?
If you are exiting fullscreen mode, open OBS, then start verification and once you are in fullscreen mode, ALT+TAB into the OBS window so that verification is not cancelled and you can move your photo around.
After that, simply select the photo size you need and take the photo.
What should I do if the website requires me to turn my head to verify?
To bypass this, go to: https://smoothie-3d.com/site/page_index.php and create an account there (This will require you to make a small donation to use their services, I highly recommend you do this as it will help you in bypassing KYC).Once you have successfully created an account and made a small donation, start a new project and select "Image" and then "Add".
After that you will see your photo on the website, then you should see a small menu in the top center, select "Mode to draw smooth shapes".
Once you have selected the correct mode, carefully draw a shape around the head of your selfie.
Once you've done this, you should see that the selected area is lighter than the background.
On the left side you will see a small frame, select "Rotation mode" and move the cursor slightly within the frame area to rotate the selected area.
Once you've managed to turn your selfie into a 3D model, you can record your screen by moving your head, and then in OBS, in the "Sources" tab, select "Media source".
Or you can select "Window capture" and choose the "Smoothie-3d" tab and rotate your head in real time while you do your KYC verification.
Okay but my selfie looks "not real" how can I make it more alive?
Note: This part of the method assumes using a phone. (Note: An emulator would probably work, too).
Some websites (banks, major cryptocurrency exchange sites, etc.) may see your selfie as just a regular photo because it doesn't look "lively".
To get around this problem, you need two things:
● TikTok account
● Smartphone with a working camera.
If you have it, download TikTok and create an account.
Once your TikTok account is ready, open your selfie on your computer, create a new TikTok video, and select the "Dynamic Photo" filter.
Once you've selected a filter, you'll see your selfie moving, smiling, rolling its eyes, etc.
Record a short video and upload it to TikTok (make sure it's public).
Once your video is uploaded, go to: https://ssstik.io/en (ticktock video downloader) and paste the link to your video.
Download your video without the TikTok tag.
After that, it's simple: go to OBS, under "Sources," select "Media," and select your TikTok video you just uploaded.
My target site requires me to verify via phone.
This part, if verification is only possible through the application.To do this you will need several tools:
● LDplayer (Android emulator)
● Logitech Capture Software
Once you have downloaded these 2 tools, create a new LDplayer emulator for Android and select the resolution 640x640
Then open Logitech capture software, open the selfie/docs photo, select 1080p resolution, and then in "Source 1" select the name of the opened photo.
Then go to ManyCams, select camera source as "Logi Capture".
Then go back to the android emulator, make kyc and when the emulator asks
Whether you want to use webcam or screen cropping, select webcam and you should see the photo uploaded right there, proceed to resize or reposition the photo to suit your needs and take the photo.
That's it! This should be enough to bypass many KYC providers and allow you to easily verify your account!
Bypassing KYC Deepfakes.
Since I've been getting private messages asking about bypassing KYC, and my article on the topic has shot up the search engine results for some queries and already garnered a couple thousand views, I decided to write a second part.This article will be about deepfakes. Translation of an article by a person involved in Fraud Simulation.
When a new tool called the "Deepfake Offensive Toolkit" was released, claiming to allow you to input deepfake images into your virtual camera in real time and bypass biometric verification, I was thrilled! As you may have noticed, all my recent posts have been about forging identities and bypassing KYC checks at financial institutions. I thought, why not try and bypass biometric verification using machine learning?
Before I started working, I needed to find a target app and define the testing conditions. After browsing several neobanks on my phone, I found one that asked for a short video recording in certain account resets where the bank wasn't sure of your identity. However, accessing the account still required a lot of information: photos of ID, email access, and possibly card details. Creating a decent deepfake requires hours of high-quality video or photos of a person. All of this is difficult to obtain if the criminals don't know the victim. But everything changes if it's someone from the inside. Your teenager, your disgruntled ex, or your business partner will have photos of your ID, private videos, and temporary access to your email and phone. That's our attacker.
Now that we've established all the prerequisites, we can play around with ML frameworks. But before we start creating fake videos, we need to run through the unmodified verification scenario to have a starting point. I restarted the app, ran the verification conditions, created a 640x480 video, and, using my jailbroken iPhone, successfully submitted it and passed verification.
During the inspection I discovered the following:
- I can run verification requests and automatically submit video files for verification.
- I can run as many verifications as I want. Even if one attempt fails, I can run another one, which won't be affected by previous results.
- Each verification will take different amounts of time to be approved, so it's most likely performed by humans.
Example 1. Deepfake Offensive Toolkit, attempt 1
I asked a friend with a similar haircut and facial features to record a test video and send it to me so I could apply the deepfake tools. Unfortunately, the quality was unsatisfactory:
Status: verification not started ☑
Example 2. Deepfake Offensive Toolkit, attempt 2
After I stopped playing with the different settings options, I decided to apply my own photo to my own video!
This is something I can work with! At first, I was sure the video verification process would fail and I'd have to provide additional documents. But no! The verification was successful, despite obvious signs of video editing: a blurred face, jagged edges, and traces of video editing in the final file.
Status: verified ☑
Example 3. DeepFaceLab, attempt 1
I realized that realistic deepfakes in real time were still a long way off. But I didn't need real-time substitution, so I tried another project: DeepFaceLab. This framework allows for impressive results given high-quality video sources and sufficient resources for model training.
But to save time, I started with the same requirement: replace myself with myself. I recorded a 1000-frame video of myself, then trained an SAEHD model, which was placed on another video of myself.
This is a fake self, generated by the DFL framework. And again, the signs of deep forgery are clear. The blurred, spoofed facial outlines are visible, enough to fool only someone with very poor vision. But it worked! So far, so good.
Status: verified ☑
Example 4. DeepFaceLab, attempt 2
I took the original video I requested from my friend and applied the retrained model to it:
The resulting video is of better quality than the first attempt, but still far from perfect. There are a few issues:
- Different facial colors, making the edges more obvious. As I later discovered, the correct DFL model parameters correct this.
- Straight edge of the fringe shadow. This can be corrected with the right target video and appropriate mask training.
- Lack of glasses. This could be a red flag for video recognition services. Unfortunately, wearing glasses creates terrible artifacts. These conditions should be studied further.
- The target recording had incorrect articulation, which could have raised another red flag.
Unfortunately, this video didn't pass the verification process. But I was confident that I could create a proper video that would pass the verification process.
Status: verification failed ☑
Example 5. Without glasses
After several failed checks, no one tried to block me permanently. How amazing, I thought! So, I could try to pinpoint some of the "black box" conditions of the verification process.
Since glasses are an integral part of some people's lives, what if their absence is the main reason for verification failure? I submitted an unmodified video of myself without glasses. And it failed verification! Despite the fact that absolutely nothing had changed!
Status: verification failed ☑
[BExample 6. DeepNostalgia+Wav2lip+Face-SPARNet[/B]
Now that we know the glasses are crucial, I know what I need in the final video. There's just one problem: deepfakes with glasses have always been very low quality.
One of the brilliant ML scientists, Alexander, suggested I look at https://www.myheritage.com/deep-nostalgia to animate a photo with glasses that wouldn't extend beyond the shape of my face. I used it to create a short video about myself:
Not the best quality, but not the worst either.
Now I need to get rid of the watermarks (sorry about that) and use the wav2lip framework, which will force me to "pronounce" the words. This lowered the quality of the final video even further, so I improved it using Face-SPARNet:
Unfortunately, the final quality was not good enough and verification failed.
Status: verification failed ☑
Example 7. Photo animation with AI+Wav2lip+Face-SPARNet+DeepFaceLab
At some point, something clicked in my head. If I had a three-second recording, I could take a single photo of the victim, create an animated video from just that photo, and then re-overlay the high-resolution sources using DeepFaceLab to dramatically improve the quality! The final steps address the existing issues with the previous examples:
1. The quality of the final DFL video was improved by acquiring Animate Photos AI (https://pixbim.com/animate-photos-pixbim). This also helped remove watermarks.
2. Animate Photos AI detects faces and produces square videos, so we had to "trick" the algorithm into producing a video that could then be cut into frames with a resolution of 640x480:
3. Wav2lip and post-editing with Face-SPARNet resulted in additional artifacts at the bottom of the video:
Wav2lip-HQ didn't produce a high-quality sync. So I recorded lips saying what I needed and overlaid them on top of the video. Since they'll be replaced with DFL later, it doesn't matter!
It's a perfect source for syncing.
5. Let's take the remaining high-resolution video of the "victim" and use it as the SRC for the DFL. I trained the SAEHD model from scratch using Google Colab, and frankly, the results are impressive:
fake-deom.mp4
drive.google.com
Status: verified ☑
Final example: RealTimeVoiceCloning
When I was testing whether lip syncing might be an issue, I decided to make a video in which the lips don't show what the voice is saying. Additionally, I decided to generate a completely artificial voice. An insider might have a recording of the victim's voice, but it's unlikely to be exactly what the bank expects. Since this article is about deepfake tools, I used the RealTimeVoiceCloning framework. After a short training session with 10-15 minutes of voice, I created a decent-quality fake voice that said everything I wanted:
test voice.mp4
drive.google.com
As you can see, this voice sounds quite different from my original voice. I also recorded a video of myself saying words different from the audio:
So again I wasn't sure I would pass the test.
But it all worked! This means the bank employees don't have a standard for my voice. Whoever checks the recordings pays more attention to the video than the audio.
Status: verified ]☑
Reflections on the Verification Testing Process.
I was lucky. I found testing conditions that allowed me to trigger verification requests and even fail or pass them without directly affecting subsequent tests. These conditions allow for trial-and-error testing — exactly what I needed.Based on the varying timeouts for each verification, I concluded that the final confirmation was done by a human. During busy and off-peak hours, verification times were longer than during off-peak hours. If verification is performed solely by humans, there's always a bias factor. The same video, submitted over and over again, can eventually be accepted.
When creating a deepfake, matching faces in the source and final videos is crucial. Also important are lighting conditions, video quality, and even finer details: what kind of glasses are you wearing, what kind of fringe do you have? In my tests, I allowed myself a certain flexibility that the criminals didn't have.
The verification process still remains a "black box" — I don't know whether all my tests combined influenced the results or not.
Ultimately, any human verification can be bypassed.
Last edited:
