TL;DR: Attack-as-a-Service is commoditising identity fraud by packaging verification bypass, deepfakes, and account farming into purchasable services, while iProov reports 31 new threat actor groups in 2024 and 34,965 tracked users across the ecosystem. Static identity checks are losing value as attack methods become faster, cheaper, and easier to buy.
At a glance
What this is: An analysis of how attack-as-a-service marketplaces are industrialising identity verification fraud and lowering the technical barrier for attackers.
Why it matters: IAM, NHI, and human identity programmes now face organised, subscription-style fraud operations that adapt faster than periodic verification controls.
By the numbers:
- The iSOC identified 31 new online threat actor groups in 2024 alone, bringing the total number of tracked communities to an alarming level.
- With identity-related fraud generating billions in annual losses, an estimated $8.8 billion in 2023 according to FTC data, the market incentive for attack services remains strong.
Context
Attack-as-a-Service turns fraud techniques into a purchasable service layer, much like SaaS but aimed at bypassing identity verification and other controls. In practice, that means attackers no longer need to build every capability themselves, which changes how identity verification programmes must think about scale, reuse, and speed of abuse.
For IAM teams, the problem is not only technical bypass. It is the existence of a commercial ecosystem that sells face swaps, virtual cameras, account farming, tutorials, and custom development, then iterates based on customer feedback. That combination makes static checks, periodic tuning, and one-time hardening much less effective than continuous detection and adaptive verification.
The article’s starting position is typical of the current threat landscape: identity fraud is no longer a niche capability held by skilled operators, but an accessible marketplace service that broadens the pool of attackers.
Key questions
Q: How should organisations defend against attack-as-a-service identity fraud?
A: Organisations should assume identity fraud is being purchased, reused, and improved by different threat actors. The right response is continuous validation, dynamic liveness, strong device and session signals, and fraud intelligence that updates controls as marketplaces evolve. A single static check is not enough when bypass techniques are sold as a service.
Q: Why do static identity checks fail against deepfakes and synthetic identities?
A: Static checks fail because they usually verify a captured moment, not an ongoing identity state. Deepfakes, virtual cameras, and synthetic documents can satisfy a one-time challenge while still being fraudulent. Controls need to evaluate freshness, context, and behavioural consistency across the full onboarding and recovery journey.
Q: What signals indicate identity verification is being commoditised by attackers?
A: Look for repeated bypass patterns, sudden spikes in attempted enrollments, abnormal reuse of devices or media, and evidence that the same fraud path is succeeding across multiple accounts. Those patterns suggest attackers are reusing a packaged service, not improvising. That is a sign your programme is being targeted at scale.
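The signals in this answer can be computed directly from enrollment logs. The following is an added example, not code from iProov or the original article; the event fields, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed enrollment attempts (not real data); field names are assumptions.
# "media" stands for a digest of the submitted selfie or video.
FIELDS = ("ts", "account", "device", "media", "result")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2025-01-10T09:00:05", "acct-01", "dev-A", "aa11", "pass"),
    ("2025-01-10T09:01:40", "acct-02", "dev-A", "aa11", "pass"),
    ("2025-01-10T09:03:12", "acct-03", "dev-A", "aa11", "pass"),
    ("2025-01-10T09:04:55", "acct-04", "dev-B", "aa11", "fail"),
    ("2025-01-10T11:30:00", "acct-05", "dev-C", "bb22", "pass"),
    ("2025-01-10T14:15:00", "acct-06", "dev-D", "cc33", "pass"),
]]

def reused_across_accounts(events, key, min_accounts=3):
    """Values of `key` (device or media digest) presented by at least
    `min_accounts` distinct accounts, mapped to those accounts."""
    seen = defaultdict(set)
    for e in events:
        seen[e[key]].add(e["account"])
    return {v: sorted(a) for v, a in seen.items() if len(a) >= min_accounts}

def enrollment_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Sliding window over attempt times; report (window_start, count)
    each time `threshold` or more attempts fall inside one window."""
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events)
    bursts, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold:
            bursts.append((times[start].isoformat(), count))
    return bursts

def repeated_success_paths(events, min_accounts=2):
    """The same (device, media) pair passing verification for several
    accounts: one bypass path succeeding repeatedly."""
    paths = defaultdict(set)
    for e in events:
        if e["result"] == "pass":
            paths[(e["device"], e["media"])].add(e["account"])
    return {p: sorted(a) for p, a in paths.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print(reused_across_accounts(EVENTS, "device"))
    print(reused_across_accounts(EVENTS, "media"))
    print(enrollment_bursts(EVENTS))
    print(repeated_success_paths(EVENTS))
```

Exact digests only catch byte-identical media; re-encoded or lightly edited media needs a similarity measure such as perceptual hashing on top of this grouping.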
Q: How can security teams reduce replayable identity evidence?
A: Reduce reliance on artefacts that can be copied, edited, or replayed, such as static selfies and fixed documents. Add device binding, transaction context, and liveness checks so the proof has to hold up during real interaction. That makes the attacker’s purchased tooling less reusable.
Technical breakdown
How attack-as-a-service marketplaces package identity fraud
Attack-as-a-Service is the commercial packaging of attack capabilities into products, subscriptions, and service menus. Instead of selling a single tool, providers bundle technical infrastructure, operational help, and sometimes customer support for activities such as face swaps, identity farming, and verification bypass. This is different from informal forum sharing because the service model encourages repeat use, reputation tracking, and faster refinement. In identity verification attacks, that means the barrier to entry drops while the attack process becomes more standardised and scalable.
Practical implication: treat fraud capability as a service supply chain, not isolated attacker behaviour.
Why static identity verification fails against commoditised bypass tools
Static verification works only when the proof being checked is hard to reproduce or replay. Attack-as-a-Service undermines that assumption with deepfakes, image-to-video conversion, virtual cameras, and metadata manipulation, all of which can be purchased or assembled quickly. Once the bypass method is commoditised, the control is exposed to copycat abuse at scale. Dynamic liveness and continuous validation matter because they test for active, changing human presence rather than a single captured artefact.
Practical implication: move from one-time proof checks toward adaptive and continuous verification signals.
What the crime-as-a-service ecosystem changes about fraud operations
Attack-as-a-Service sits inside a broader Crime-as-a-Service economy that lets different specialist groups combine capabilities across stages of fraud. One group may provide synthetic identities, another may sell KYC bypass instructions, and a third may offer target intelligence or infrastructure. That division of labour makes operations more resilient and more difficult to disrupt with controls focused on only one stage. It also means threat intelligence must include marketplace behaviour, not just direct attack telemetry.
Practical implication: link fraud detection, threat intelligence, and identity controls into one operating model.
Threat narrative
Attacker objective: The attacker aims to obtain trusted accounts and identities that can be used for fraud, access abuse, or resale at scale.
- Entry begins when a purchaser acquires attack services such as face swaps, virtual camera tooling, or step-by-step verification bypass instructions from an online marketplace.
- Credential or identity abuse follows when the attacker uses synthetic identities, KYC bypass methods, or manipulated media to pass onboarding and remote verification checks.
- Impact occurs when fraudulent accounts are created, reused, or monetised at scale, increasing losses and expanding the attack surface for further abuse.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
NHI Mgmt Group analysis
Attack-as-a-Service has turned identity fraud into a supply chain, not a one-off attack. The most important shift is not that attackers have better tools, but that verification bypass has become a repeatable service with sellers, buyers, support, and iteration loops. That is a governance problem because it changes fraud from isolated abuse into an ecosystem that learns from defender behaviour. Practitioners should treat this as a standing control environment, not a periodic incident pattern.
Static identity proofing is now a brittle assumption, not a durable control. Face swaps, virtual cameras, metadata manipulation, and synthetic identities all exist to defeat controls that expect a single trustworthy artefact. The failure mode is not simply weak detection. The deeper issue is that many verification programmes still assume one challenge is enough to establish identity, when commoditised tooling makes that assumption easy to exploit. Practitioners need to recognise that proof is now continuously contestable.
Low-friction fraud markets create identity blast radius. When a single service can be reused by many buyers, one bypass technique can affect multiple organisations, regions, and sectors at once. That means local remediation is not enough if the same service remains available in the underground market. The practical conclusion is that fraud resistance must be measured as a programme-level capability, not as the success of a single control point.
Continuous verification is becoming the baseline for remote identity trust. The article’s own emphasis on real-time detection, adaptive security, and multi-layer verification reflects where the market is heading, and that direction is correct. Identity teams should expect attackers to keep buying speed and scale, which means governance has to assume adversarial iteration between releases and configuration changes. The implication is a shift from static assurance to ongoing trust evaluation.
Identity verification and NHI governance are converging around the same trust problem. The same enterprise weakness appears in both spaces: trust is often granted too early and revoked too late. In human onboarding, that creates synthetic identity risk; in machine and service identity, it creates credential sprawl and abuse windows. Practitioners should stop treating these as separate disciplines and start designing a single trust model that spans people, workloads, and fraud automation.
From our research:
- The ecosystem encompasses 34,965 total users, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still lack the baseline inventory needed to spot abuse early.
- That visibility gap pairs with the 92% of organisations that expose NHIs to third parties, making lifecycle control and trust boundaries a forward planning priority, as covered in 52 NHI Breaches Analysis.
What this signals
Attack-as-a-Service should be treated as a fraud operations problem, not only an authentication problem. When bypass methods are sold with support and iteration, the defender is no longer facing a single exploit path. The programme response has to combine verification, device intelligence, and threat intelligence into one operating model, rather than leaving each team to tune controls in isolation.
Identity teams should expect replayable evidence to become more valuable than stolen passwords. The marketplaces described in the article sell the exact materials attackers need to replay trust decisions, which means control design must assume that artefacts will be copied and reused. For practitioners, that shifts emphasis toward challenge freshness, risk-based step-up, and live behavioural validation.
Low Attack Rate Paradox: the most resilient identity checks may attract fewer obvious attacks because criminals move toward easier targets. That makes monitoring more, not less, important, because silence can indicate that a control is working well enough to be avoided rather than too weak to matter.
For practitioners
- Replace single-point proof with continuous validation. Use dynamic liveness, behavioural signals, and step-up checks that are difficult to replay through face swap or virtual camera tooling. Build the policy so verification is re-evaluated at risky moments, not only at enrollment.
- Instrument fraud intelligence as a live input. Monitor underground tactics, target lists, and emerging bypass services, then feed those findings into detection tuning and control tests. Marketplace intelligence should influence verification thresholds and escalation rules.
- Test onboarding against synthetic identity paths. Run red-team exercises that combine ID farming, image manipulation, and KYC bypass methods to see where your controls collapse. Validate not only the front door, but also account activation and recovery steps.
- Shrink the value of replayable artefacts. Reduce dependence on static selfies, fixed documents, and single-device proofs where possible. Combine device signals, transaction context, and liveness checks so a captured artefact does not remain useful across multiple attempts.
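One way to make captured evidence non-reusable, as described in the last item above and in the earlier answer on replayable identity evidence, is to bind each submission to a fresh, single-use server challenge and an enrolled device. This is an added sketch, not code from iProov or the original article; the function names, the 30-second lifetime, and the symmetric per-device key (a stand-in for a hardware-backed key) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30   # seconds a challenge stays valid (assumed value)
_issued = {}         # nonce -> (session_id, device_id, expiry)

def issue_challenge(session_id, device_id, now=None):
    """Server: create a single-use nonce tied to one session and device."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    _issued[nonce] = (session_id, device_id, now + CHALLENGE_TTL)
    return nonce

def evidence_tag(device_key, nonce, session_id, media_digest):
    """Client: bind the captured media digest to this challenge and session
    using the key provisioned to the enrolled device."""
    msg = b"|".join([nonce.encode(), session_id.encode(), media_digest])
    return hmac.new(device_key, msg, hashlib.sha256).digest()

def verify_evidence(device_keys, nonce, session_id, device_id,
                    media_digest, tag, now=None):
    """Server: accept evidence only if the challenge is fresh, unused,
    issued to this session and device, and the tag matches."""
    now = time.time() if now is None else now
    record = _issued.pop(nonce, None)   # consumed on first use, pass or fail
    if record is None:
        return "unknown-or-replayed-challenge"
    sess, dev, expiry = record
    if now > expiry:
        return "expired"
    if (sess, dev) != (session_id, device_id):
        return "context-mismatch"
    key = device_keys.get(device_id)
    if key is None:
        return "unknown-device"
    expected = evidence_tag(key, nonce, session_id, media_digest)
    return "accepted" if hmac.compare_digest(expected, tag) else "bad-binding"

if __name__ == "__main__":
    keys = {"dev-1": secrets.token_bytes(32)}            # constructed device key
    digest = hashlib.sha256(b"constructed capture").digest()
    n = issue_challenge("sess-1", "dev-1")
    tag = evidence_tag(keys["dev-1"], n, "sess-1", digest)
    print(verify_evidence(keys, n, "sess-1", "dev-1", digest, tag))  # first use
    print(verify_evidence(keys, n, "sess-1", "dev-1", digest, tag))  # replay
```

Binding limits reuse of a captured submission; it does not judge whether the media itself is genuine, which remains the job of the liveness check.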
Key takeaways
- Attack-as-a-Service lowers the barrier to identity fraud by selling bypass capability as a repeatable service.
- The scale evidence is material, with 31 new threat actor groups and 34,965 tracked users showing a growing marketplace behind identity abuse.
- Continuous validation, dynamic liveness, and marketplace-aware threat intelligence are now core controls, not optional enhancements.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity fraud marketplaces exploit weak issuance and verification paths. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and access assurance are central to remote verification risk. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust assumes ongoing verification, which static identity checks do not provide. |
Review issuance and verification controls so replayable identity artefacts cannot be reused at scale.
Key terms
- Attack-as-a-Service: A criminal delivery model that packages attack capability for purchase, subscription, or on-demand use. In identity fraud, it turns verification bypass into a repeatable service with tooling, instructions, and operational support, which lowers the skill threshold and increases the speed of abuse.
- Dynamic Liveness: A verification method that checks for active, changing human presence rather than a static image or recorded artefact. It is designed to resist replay, deepfake, and virtual-camera attacks by requiring real-time interaction and freshness across the verification step.
- Synthetic Identity: An identity assembled from fabricated, stolen, or blended attributes that can pass weak onboarding checks. It is not just a fake profile, but a structured fraud object used to obtain accounts, move through verification flows, and support later abuse.
- Replayable Evidence: Any identity proof that can be copied, edited, or reused by an attacker to satisfy a control more than once. Examples include static selfies, captured documents, and recorded video, all of which become weaker when verification does not test freshness or context.
This post draws on content published by iProov: Attack-as-a-Service and identity verification fraud in the remote verification ecosystem. Read the original.
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org