ARTICLE
11 April 2025

AML & KYC In The Age Of Deepfakes

MK
Michael Kyprianou Law Firm

Contributor

The firm, based in Cyprus, has an international presence. Its services include Dispute Resolution, Property, Shipping, Immigration, Commercial and Corporate Law. It is highly ranked by leading legal directories, including Legal500 and Chambers and regularly receives accolades from the Cyprus Government and international bodies, in recognition of its excellent service and commitment to the values of integrity, efficiency and professionalism.
Artificial Intelligence is transforming our world, enabling innovation across industries and unlocking operational efficiencies once thought impossible. But with progress comes risk.
Cyprus Technology

Artificial Intelligence is transforming our world, enabling innovation across industries and unlocking operational efficiencies once thought impossible. But with progress comes risk. The same tools enhancing productivity are now being weaponised to undermine the very systems we rely on to verify identity, prevent fraud, and uphold regulatory compliance.

A recent and troubling example involves Polish researcher Borys Musielak, who used OpenAI's latest model, ChatGPT-4o, to generate a near-perfect replica of his own passport, in just five minutes. According to Musielak, the document was realistic enough to bypass automated Know Your Customer (KYC) checks deployed by major fintech and crypto platforms.

"You can now generate fake passports with GPT-4o," he posted. "It took me 5 minutes to create a replica... that most automated KYC systems would likely accept without blinking." He went on to claim that the AI-generated document successfully passed identity checks on platforms such as Binance and Revolut — though these claims remain unverified.

Musielak's demonstration, while intended to raise awareness, highlights a critical vulnerability in current digital identity verification methods. As AI becomes increasingly adept at manipulating both static and dynamic imagery, verification systems based on photo or video matching alone may soon be insufficient.

Unfortunately, this is no longer a theoretical risk. An online service known as OnlyFake is reportedly offering AI-generated passports and driver's licenses from over 25 countries for just $15, payable in cryptocurrency. According to 404 Media and Cointelegraph, users of the site claim to have successfully used these fake IDs to bypass KYC checks on a number of exchanges and platforms, including OKX, Kraken, Bybit, Bitget, Huobi, and PayPal.

Some of the companies mentioned have responded publicly. OKX, for example, stated it is actively investigating and does not tolerate fraudulent activity. Others, such as Revolut and Kraken, have reiterated their use of strong controls and third-party verifications to detect deepfakes and spoofed identities. It's important to note that these reports are based on user claims, and we do not allege that any of these platforms have knowingly allowed such bypasses to occur.

Still, the broader implications are undeniable. The ability to mass-produce deepfake identity documents complete with spoofed metadata such as GPS coordinates, timestamps, and device signatures, introduces a new dimension of risk for AML and KYC frameworks. What was once a high-effort fraud is now cheap, scalable, and alarmingly convincing.

This moment marks a critical inflection point. The misuse of generative AI poses a direct threat not only to financial institutions and crypto platforms, but to the wider regulatory ecosystem built to safeguard against money laundering, terrorist financing, and identity theft.

In light of these developments, we echo the calls for stronger, hardware-based authentication methods — such as NFC-enabled biometric IDs and eID wallets — as promoted under the EU's digital identity framework. Relying solely on facial recognition or document scans is no longer a viable compliance strategy.

While the regulatory landscape will undoubtedly evolve to meet these new realities, there's an increasing need for thoughtful dialogue between the tech world, compliance professionals, and regulators. These developments are not just a challenge, they are an invitation to innovate together and reimagine the future of digital identity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More