Attack-as-a-service and identity fraud: what should IAM teams do?

TL;DR: Attack-as-a-Service is commoditising identity fraud by packaging verification bypass, deepfakes, and account farming into purchasable services, while iProov reports 31 new threat actor groups in 2024 and 34,965 tracked users across the ecosystem. Static identity checks are losing value as attack methods become faster, cheaper, and easier to buy.

NHIMG editorial — based on content published by iProov: Attack-as-a-Service and identity verification fraud in the remote verification ecosystem

By the numbers:

• The iSOC identified 31 new online threat actor groups in 2024 alone, bringing the total number of tracked communities to an alarming level.

Questions worth separating out

Q: How should organisations defend against attack-as-a-service identity fraud?

A: Organisations should assume identity fraud is being purchased, reused, and improved by different threat actors.

Q: Why do static identity checks fail against deepfakes and synthetic identities?

A: Static checks fail because they usually verify a captured moment, not an ongoing identity state.

Q: What signals indicate identity verification is being commoditised by attackers?

A: Look for repeated bypass patterns, sudden spikes in attempted enrollments, abnormal reuse of devices or media, and evidence that the same fraud path is succeeding across multiple accounts.

Practitioner guidance

• Replace single-point proof with continuous validation Use dynamic liveness, behavioural signals, and step-up checks that are difficult to replay through face swap or virtual camera tooling.
• Instrument fraud intelligence as a live input Monitor underground tactics, target lists, and emerging bypass services, then feed those findings into detection tuning and control tests.
• Test onboarding against synthetic identity paths Run red-team exercises that combine ID farming, image manipulation, and KYC bypass methods to see where your controls collapse.

What's in the full article

iProov's full article covers the operational detail this post intentionally leaves for the source:

• The breakdown of face swap, virtual camera, and metadata manipulation tooling used in live bypass operations.
• The detailed menu of fraud services, including ID farming, KYC bypass support, and custom target-specific development.
• The report's own threat intelligence observations on marketplace growth, user counts, and actor specialisation.
• The article's discussion of dynamic liveness and continuous monitoring as implementation options.

👉 Read iProov's analysis of attack-as-a-service and identity verification fraud →

Attack-as-a-service and identity fraud: what should IAM teams do?

Explore further

View Full Forum →  |  NHI Foundation Course →