Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs

submitted by Drewski from (404media.co)

all 10 comments
sorted by:
new (suggested)
topinsightfulfun

[–]Bitch-Im-a-cow 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (2 children)

interesting

I have to 'sign up' to read the rest of it

[–]Drewski[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

I posted the full article in another comment.

[–]Bitch-Im-a-cow 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

thanks

[–]In-the-clouds 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (4 children)

Obviously we have a problem with proving who is really who they say they are. The "solution" to this and other "problems"? The mark of the beast will be required in the right hand or forehead as identification. The world will adore the beast and forfeit their salvation only available through Jesus Christ. Those that take the mark might think they are getting a good deal, but they will be damned. Get ready to choose wisely, if you are still alive to see that soon-to-be-here day!

[–]Drewski[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (3 children)

I think the rise of AI and the inability to tell what's real will drive many people back to in person interactions.

[–]In-the-clouds 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (2 children)

That looks like a good idea, until the next pandemic. When the ruling class says it's time for another lockdown.... No one is allowed to leave their homes and no one is allowed to communicate face to face. Remember the COVID lockdowns? Stay six feet apart! The restrictions were really bad in China.

There will also be riots and chaos in the streets. And a civil war and race war are here. The rulers will declare martial law. Again, people will be isolated.

But you can always communicate with God through prayer. The ruling class can never take that away.

[–]Drewski[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

I am hoping that people will not go along with another lockdown. I know I won't.

[–]In-the-clouds 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

I'm glad you do not support lockdowns. A prophetic message from God months ago already revealed that when the next lockdown is imposed people will revolt. I recommend to you and anyone else to stay away from the riots. They will be violent and will not be successful. When the lockdowns do not work, the ruling class will release a worse disease that will kill many, and that will put people into a state of fear. They control people with fear. God provides freedom through his spirit of love and peace, as shown by the life of Jesus.

[–]Drewski[S] 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (1 child)

An underground website called OnlyFake is claiming to use “neural networks” to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds.

In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals.

Rather than painstakingly crafting a fake ID by hand—a highly skilled criminal profession that can take years to master—or waiting for a purchased one to arrive in the mail with the risk of interception, OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. Or at least fool some people.

“The era of rendering documents using Photoshop is coming to an end,” an announcement posted to OnlyFake’s Telegram account reads. As well as “neural networks,” the service claims to use “generators” which create up to 20,000 documents a day. The service’s owner, who goes by the moniker John Wick, told 404 Media that hundreds of documents can be generated at once using data from an Excel table.

ID front

ID back

A fake ID generated by the service. Image: 404 Media.

To create the ID, I entered the information I wanted to appear on the card, uploaded a passport photo, and cycled through a series of automatically generated images that took the name I entered and turned it into a signature. Sometimes these made squiggles with the full name, other times with just the initials. “The neural network generates signatures very realistically,” Wick said.

Finally, I hit “generate photo.” Once the generation process started, the screen displayed updates on the system’s progress: “Generating PDF417 and Code128,” “Sending to Server,” “Replacing the Text,” before suddenly finishing and providing a preview of the finished product. I then clicked “download and pay,” which gave me access to two files, the front and back of my new fake ID laying on the carpet. That process took around one or two minutes.

On Telegram, OnlyFake has uploaded a wealth of other photos showing the high quality of their service. In one demonstration photo, what appears to be a U.S. passport card sits on a blanket. In another, a fake Arizona driver’s license lays flat on a hard surface. Another set shows a fake Swiss passport and identification card on a piece of fabric. Other photos show a Canadian passport and Austrian ID too. In all, OnlyFake offers generations of identity documents from more than two dozen different countries, but its administrator sometimes shows a particular interest in creating U.S. identities.

💡

*Do you know anything else about these ID generation services? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.*

The backgrounds of the images—the fabric, the hard surface—appear to be real photos. 404 Media compared several different outputs from OnlyFake that showed different IDs laying on the same distinctive background. OnlyFake appears to be then using its technology to rapidly map whatever ID the customer wants onto one of those backdrops.

The appeal of a service like OnlyFake to fraudsters is that these allegedly AI-generated fake IDs could be used to signup to online services which ask for identity verification. It is very common for all sorts of sites—banks, cryptocurrency exchanges—or even individual professionals like lawyers or accountants to ask for, at minimum, a scan or photo of someone’s ID. Some social media sites also ask for identity documents in certain contexts.

404 Media tested the identity verification process of the cryptocurrency exchange OKX with a fake British passport generated by OnlyFake. OKX has appeared in multiple court records in recent weeks, including in the case of a massive scam that may have netted around $40 million. In that instance, the identity documents the scammer provided to OKX as part of the verification process pointed to the real name of the alleged fraudster. This is the bottleneck of cryptocurrency—where converting cryptocurrency into fiat often requires giving up identifying information. More sophisticated criminals may hire others to act as a buffer in this step, while foolish ones use their own documents. But what if a service offered fake IDs at the click of a mouse? Could this make it harder for exchanges, banks, or other institutions to stop money laundering and fraud?

The process started with OKX asking me to snap a photo of the ID with a smartphone camera. This worked despite me not having a physical ID in my hand. I pointed the camera at the OnlyFake-generated photo of the fake ID displayed on my laptop screen, and the system successfully recognized the ID. It then asked me to take a selfie, which I did.

“Identity verified,” OKX’s website read. “Congratulations! You’ve completed your identity verification.”

Verification step 1

Verification step 2

Verification step 3

Verification step 4

The verification process for OKX.

OKX uses a company called Jumio for at least part of its identity verification process. Stuart Wells, CTO for Jumio, said in an emailed statement that the company’s “advanced ID verification process uses mobile or webcam document scanning tools that allow security teams to cross-check against trusted sources and mitigate the number of fake profiles and malicious activity. Ultimately, these added identity verification measures better protect users by deterring fraud attempts right from the user onboarding stage.” When 404 Media then explained we had successfully passed the identity verification process using a fake, generated ID, Jumio said it could only comment on Jumio’s own technology, rather than OKX’s processes. OKX did not respond to a request for comment.

Abhishek Mathew, a cybersecurity researcher who has followed the site, told 404 Media that real criminals are using OnlyFake in this way. “Many use this service for carding, creating fake bank accounts and also many use this service to unban their crypto accounts like Binance where they ask IDd proofs,” they said in an online chat. A Bitcoin address used by the OnlyFake service has received more than $23,500 worth of the cryptocurrency, according to blockchain records. The service accepts many other forms of cryptocurrency too, though.

OnlyFake’s owner, Wick, told 404 Media their service could be used to bypass verification at a host of sites, including Binance, Revolut, Wise, Kraken, Bybit, Payoneer, Huobi, Airbnb, OKX and Coinbase. In the same message they claimed, unconvincingly, “using our site for the purpose of forging documents is prohibited.”

Binance did not respond to a request for comment. A spokesperson for Coinbase said in an email that “At Coinbase we are working with dedicated research teams to combat the potential misuse of AI tools and are dedicated to incorporating the latest AI security features to help mitigate and prevent threats from bad actors using AI.”

A Kraken spokesperson wrote in an email that “Kraken continues to maintain strong crypto industry KYC [know your customer] and fraud checks. We have measures in place to uncover and prevent fabricated identification documents being used in an attempt to circumvent our robust identity verification processes. We also reserve the right, as part of our terms of service, to suspend or close accounts where clients have used questionable or stolen identification documents during our KYC reviews.”

Payoneer said in an email that “Payoneer is aware of underground websites that use AI to generate synthetic IDs and we work with multiple vendors to detect this type of fraud. While a user may try to submit a synthetic ID as part of registration, we have additional controls in place to determine the source of funds, location, and other risk-scoring mechanisms to prevent any financial activity taking place.”

Other companies either did not respond or provide a response in time for publication. ID.me, another verification service, did not respond to a request for comment.

[–]Drewski[S] 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (0 children)

IDs 1

IDs 2

Some of the IDs uploaded to the OnlyFake Telegram. Image: 404 Media.

OnlyFake offers other technical measures to make its churned out images even more convincing. The service offers a metadata changer because identity verification services, or people, may inspect this information to determine if the photo is fake or not. That includes fabricating what device allegedly took the photo—an Apple iPhone 11 Pro, a Huawei BKL-L09—the date and time of creation, and spoofed GPS coordinates. For my fake California drivers’ license, I set those coordinates to a location in Los Angeles, so it would roughly match the Californian address I printed on the ID itself.

As well as uploading their own photo, users can run through a mass of portraits from OnlyFake’ own archive; these are not AI-generated, the description of a YouTube video advertising the service says. But they still provide an opportunity to create an ID without the fraudster uploading a photo of themselves.

Wick told 404 Media they started creating document templates three years ago. The generator service itself, they wrote in another Telegram channel message, has been in development for “almost a year and a half.” They created this service by feeding it a large collection of images of identity documents.

Wick said that “it's necessary first to find a scan, preferably in very high resolution, such as 10,000 x 10,000 pixels. Such scans usually reveal microtext and any lines. In addition to this, it's preferable to have hologram photos from different angles to understand how they are superimposed.”

In one channel message, they offered to buy scans of identity documents from others, explicitly asking for samples of U.S. documents. “I will buy your scans 1200-2400 dpi. $100+ per scan. The priority is the United States, and the new documents of Europe.”

And with its corpus of data, OnlyFake has introduced generations of more recent types of IDs too, such as the New York State redesign of its drivers’ license from 2022, according to one Telegram message. “We developed a unique algorithm to generate DLs like New York, which have a window and complex curved text that no one else could replicate before us! 👏🎯,” one message read. This also includes generating serial numbers in such a format that are distinctive to that particular type of ID, which again was done by analyzing a large number of IDs. “Each passport, ID, etc., usually has various numbers. Each number has a unique algorithm, which often requires analyzing hundreds or thousands of originals to decipher,” Wick added.

Panel

A screenshot of the OnlyFake generation panel. Image: 404 Media.

OnlyFake also offers images that look like more traditional scans, with the fake passport or ID laying flat, with no background, and taking up the entirety of the frame.

While OnlyFake says it uses “neural networks” to create its fake IDs, 404 Media has not seen evidence that the service uses generative AI tools. “I don’t know exactly what is going on here but I suspect that they are using some tech to insert/replace the image into a template of a license/id,” Hany Farid, a professor at UC Berkeley and one of the world’s leading experts on digitally manipulated images, told 404 Media in an email. “If they were using genAI to create whole cloth the entire ID, they would have trouble dealing with inconsistencies in the background.”

Where things get a bit more tricky for fraudsters, and where some sort of other service or skill set would be required on top of OnlyFake, would be sites that ask for video or photo verification which ask the user to physically hold up their ID to the camera. That, obviously, is not really possible with an ID card that doesn’t actually exist. Other related sites have something of a workaround, or at least offer a helping hand. Users can purchase sets of photos from a choice of hundreds of people holding up blank pieces of paper, laptops, and plain passport-shaped objects to a camera, which they can then superimpose their fake documents onto. Presumably the photos would need to match, but multiple sites 404 Media visited offer a stream of real people ready to fulfill that role. Each set costs $45. It is not clear who exactly these people are, be they unsuspecting victims, direct accomplices, or perhaps people paid to be in the photos.

In my test, I used a photo of my own face for my fake ID. OnlyFake offers the photos of other real peoples’ faces to use, but I did not want to implicate a random and innocent person in this test. That means the test ultimately was a probing of OKX’s document recognition feature, and not so much its selfie one. Still, using a fake ID with a different name would provide a security benefit to a fraudster over simply using their genuine ID in their own name. And Wick says they plan to introduce a face and selfie generator soon.

Members of OnlyFake’s community also discuss the problem of video verification in associated chat rooms. A Russian language room has more than 1,100 members, while its English equivalent has just over 550. Here, members look to work together on scams or other fraudulent activities, and discuss how to create live video feeds of a person holding up a corresponding ID. People in these chat rooms appear determined to find a solution, and several have posted demonstrations of what look to be animated stills of people holding up IDs as a potential approach.

This isn’t the first time I’ve successfully demonstrated the power of AI-adjacent tools for fraud. Last year I created an AI-generated version of my voice using a tool called ElevenLabs. With that, I broke into my own bank account, bypassing the biometric voice verification with my AI clone. “My voice is my password,” I commanded my AI doppelganger to say at the time.

Others have toyed with the idea of using AI to circumvent identity verification services specifically. Recently a user on Reddit showed a photorealistic image they claimed to have created at least in part with text-to-image AI model Stable Diffusion. In the image, a woman smiles at the camera while holding a piece of paper with hand written text, in very much the style of a selfie someone may upload to an identity verification service. Another replaced that piece of paper with a fake ID and writing on the woman’s skin, creating what might be a convincing image of an entirely fabricated and artificial person proving they actually exist—a powerful paradox for fraud. In both cases, the creator later said they used Photoshop for the text.

But with technology like OnlyFake, maybe a future where AI selfies come complete with a fake ID is just around the corner.