That’s not brute force. That’s not phishing. That’s attackers feeding synthetic video directly into an app’s camera pipeline through virtual-camera drivers, bypassing every check that assumes the camera feed is real.
Virtual-camera injection was a niche technique 18 months ago. Today it is the dominant attack vector against biometric onboarding systems. iOS injection attacks alone surged 741% in the second half of 2025. The platform most exchanges assumed was immune is now the primary target.
Sumsub’s 2025 fraud report confirms the pattern from a different angle: sophisticated fraud up 180% globally, deepfake attacks doubling in the UK, synthetic identity document fraud up 300% in the US. Gartner reports 62% of organizations experienced a deepfake attack in the past year. And iProov’s consumer study found that only 0.1% of humans can correctly identify a deepfake when shown one.
The tools are getting cheaper, faster, and more accessible. The defenders haven’t moved.
The damage
Chainalysis logged $3.4 billion in crypto stolen via hacks in 2025. Centralized exchanges absorbed 55% of those losses — $2.55 billion across just 20 breaches. The average hack netted $25 million. DPRK’s Lazarus Group alone accounted for $2.02 billion, a 51% year-over-year increase.
The Bybit hack on February 21, 2025 was the single largest theft in the history of cryptocurrency. $1.5 billion. One exchange. One day. That was 44% of all crypto hack losses for the entire year, concentrated in a single incident.
Every one of these attacks happened after onboarding. After KYC. After 2FA. The identity was verified once, at signup, and then trusted forever.
100% of the money moves after onboarding. 0% of it is re-verified at the moment it moves.
Four regulatory deadlines land in 120 days
This is not a future problem. Four independent regulatory regimes are forcing exchanges to act between now and August.
- NYDFS — April 15
- MiCA (EU) — July 1
- EU AI Act — August 2
- FATF — Q3 2026
NYDFS 23 NYCRR Part 500 required its annual compliance certification by April 15, yesterday. The October 2024 guidance explicitly tells covered entities that SMS, voice, flat fingerprint, and video-based MFA are now considered deepfake-vulnerable. It specifically recommends liveness detection, texture analysis, and multi-modal biometrics. If your exchange operates in New York and you're still using SMS for step-up authentication, you certified yesterday against guidance that already names that control as vulnerable.
MiCA’s grandfathering transition closes July 1. The Transfer of Funds Regulation has been in full force since December 2024 with no de minimis threshold. Every exchange serving EU users needs to meet enhanced identity verification requirements across all 27 member states.
The EU AI Act’s Article 50 transparency rules for biometric categorization and deepfake labeling go into full applicability August 2. FATF signaled Q3 gray-listing for non-compliant jurisdictions, which cascades into bank de-risking — meaning your banking partner may drop you before the regulator does.
Four deadlines. 120 days. Every one of them demands something that doesn’t exist at most exchanges.
Your insurer is already pricing this in
The damage numbers and the regulatory deadlines are in every newsletter. Here’s what isn’t: the insurance market has already moved.
After Bybit, Lloyd’s syndicates reportedly began refusing renewals for exchanges that cannot demonstrate transaction-layer verification beyond password and MFA. Evertas nearly tripled its crypto coverage limits in 2026, but most exchange cyber policies still cap at $250 million — irrelevant at Bybit scale. Post-GENIUS Act, institutional crypto insurance premiums grew 140% year-over-year.
CISOs are not buying security to improve security. They’re buying it to keep their insurance.
If your underwriter hasn’t asked about biometric step-up verification at the transaction layer yet, they will. And when they do, having an answer that isn’t “we send a text message” is the difference between a renewal and a coverage gap that makes your exchange uninsurable.
The problem isn’t at the door. It’s at the vault.
Jumio, Onfido, Persona — they verify who you are when you create an account. That’s the door. Okta, Auth0, Firebase — they verify your credentials when you log in. That’s the hallway.
But at the moment someone initiates a $50,000 wire transfer, changes a beneficiary, or executes an OTC trade (the vault), nothing checks whether the human on the other end is still the human who KYC'd six months ago. SMS falls to a SIM swap. A passkey proves that a registered device was unlocked, not whose face unlocked it. The session is trusted because it was authenticated once, and that trust is never re-earned.
That gap — between authentication and the action — is where every dollar of the $3.4 billion disappeared. It’s the gap the 2,665% number is targeting. And it’s the gap four regulators are now demanding you close.
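To make "verified at the moment it moves" concrete, here is an added example (not the page's or any vendor's code) of the mechanics a transaction-layer step-up has to get right. A step-up service mints a short-lived HS256 JWT only after the liveness check has passed (that check is assumed to happen outside this snippet), and the proof is bound to a digest of the exact transaction plus a single-use jti. The transfer endpoint recomputes the digest from the transaction it is about to execute and refuses anything that does not match, has expired, or has been seen before. The signing key, TTL, claim names and sample transactions are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key. In production the step-up service would hold an asymmetric
# signing key so the transfer endpoint can verify without sharing a secret.
STEP_UP_KEY = b"demo-step-up-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 120  # assumed: a step-up proof is good for the next two minutes only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def transaction_digest(tx: dict) -> str:
    """Canonical SHA-256 over the fields that define the action (source account,
    beneficiary, asset, amount). Changing any field changes the digest, so a proof
    minted for one transfer cannot be replayed against a different one."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_step_up_token(user_id: str, tx: dict, now: Optional[float] = None) -> str:
    """Called by the step-up service ONLY after the liveness/biometric check for
    user_id has passed (assumed here). Builds an HS256 JWT by hand so the example
    needs nothing beyond the standard library."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(16),       # single-use id, consumed on first successful verify
        "act": "transfer",
        "tx_hash": transaction_digest(tx),  # binds this proof to this exact transaction
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(STEP_UP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class StepUpVerifier:
    """Lives inside the transfer endpoint (the vault). Remembers consumed jti values
    so a proof can authorise exactly one execution."""

    def __init__(self) -> None:
        self._used = set()

    def verify(self, token: str, user_id: str, tx: dict,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            h_b64, p_b64, s_b64 = token.split(".")
        except ValueError:
            return False, "malformed"
        # Verify the signature before trusting any claim.
        expected = hmac.new(STEP_UP_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            return False, "unexpected alg"  # never let the token choose the algorithm
        payload = json.loads(_b64url_decode(p_b64))
        if payload.get("sub") != user_id:
            return False, "wrong subject"
        if payload.get("act") != "transfer":
            return False, "wrong action"
        if now >= payload.get("exp", 0):
            return False, "expired"
        # Recompute the digest from the transaction the endpoint is about to execute,
        # never from fields the client sent alongside the token.
        if not hmac.compare_digest(payload.get("tx_hash", ""), transaction_digest(tx)):
            return False, "token not bound to this transaction"
        if payload["jti"] in self._used:
            return False, "replayed"
        self._used.add(payload["jti"])
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: a proof minted for a $500 transfer is presented for a
    $50,000 one, then used correctly, then replayed, then presented after expiry."""
    small = {"from": "acct-42", "to": "bene-7", "asset": "USDC", "amount": "500.00"}
    large = {"from": "acct-42", "to": "bene-7", "asset": "USDC", "amount": "50000.00"}
    t0 = 1_700_000_000.0
    vault = StepUpVerifier()
    tok = issue_step_up_token("user-1", small, now=t0)
    return {
        "wrong_tx": vault.verify(tok, "user-1", large, now=t0 + 5)[1],
        "right_tx": vault.verify(tok, "user-1", small, now=t0 + 5)[1],
        "replay": vault.verify(tok, "user-1", small, now=t0 + 6)[1],
        "stale": vault.verify(issue_step_up_token("user-1", small, now=t0),
                              "user-1", small, now=t0 + 600)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the digest is that the proof authorises one action, not a session: the vault must build it from its own view of the pending transaction (including the source account), and the jti set has to be shared across endpoint replicas or the replay check is only as good as sticky routing.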
There is no product in the market today that does biometric step-up verification at the transaction layer, returns a signed JWT as cryptographic proof, and runs in under 300 milliseconds.
That’s what we built.