- Flashpoint finds AI now heavily used for deepfake‑based KYC bypass, with posts selling toolkits bundling synthetic video, voice cloning, and fake documents
- Criminals focus less on building new AI tools, instead refining jailbreaks, prompt workflows, and shifting to looser models like VeniceAI, with phishing scripts and impersonation prompts traded as commodities
- Researchers stress visibility into these evolving methods is key for defenders, enabling earlier detection and more targeted responses to active fraud techniques
It’s not news that cybercriminals are using Artificial Intelligence (AI) in their campaigns, but how they use the tools shifts almost by the minute, new research has claimed.
A report from security researchers Flashpoint has outlined how crooks are using AI primarily to impersonate people with deepfakes, and thus bypass Know Your Customer (KYC) protocols and enable fraud.
The report is based on more than 2.3 million discussions across the web on how to use artificial intelligence for illicit activity, with Flashpoint seeing more than 63,000 posts discussing KYC bypass methods using AI and, in many instances, the threat actors were selling comprehensive toolkits.
A mature industry
Flashpoint outlined how these solutions bundle synthetic video generation designed to mimic live verification behavior, voice cloning, scripted interaction prompts, and fake documentation, allowing their peers to assume a fake identity from start to finish.
Some sellers even offered guidance on adapting their products to specific platforms or verification requirements, updating listings in real time based on buyer feedback.
Flashpoint also said the hacking collective “matured”, since it is no longer interested in building new AI tools. Instead, it is focused on wringing maximum utility out of existing ones, through discussions around jailbreak methods, prompt-sharing workflows, and migration towards alternative models operating with fewer safeguards compared to industry standards like ChatGPT or Gemini.
VeniceAI is seeing a notable spike in mentions, the report said, driven mostly by newly formed Reddit and Discord communities dedicated to the platform. The prompts themselves became a commodity, with crooks sharing phishing scripts, step-by-step impersonation workflows, and more.
“For security teams, the priority is maintaining visibility into how these methods are evolving and where they are being applied,” Flashpoint said.
“That visibility supports earlier detection, more focused response, and a clearer understanding of which techniques are actively in circulation.”
“Monitoring these sources provides that context. It connects observed activity to the methods behind it and helps teams track how those methods develop over time.”
.png?w=600)
