It’s a Tuesday in June. The renewal questionnaire arrives in your inbox at 8:42 AM. You open it, scroll past the SOC 2 attestations and the wallet custody section, and land on a page you don’t recognize from last year.
Lloyd’s Coverholder · Crypto E&O Renewal 2026 · pg 14 of 28
Q. 12.4 — New for 2026
Describe the controls in place at the moment of high-risk action authorization to defend against digital injection attacks on biometric liveness verification, including but not limited to virtual camera driver substitution and synthetic video stream insertion.
☐ iBeta Level 2 PAD certified IDV vendor (specify): ____________
☐ CEN/TS 18099 injection attack detection (specify): ____________
☐ In-house controls (attach methodology)
☐ Other: ____________________________________
Coverage and pricing contingent on Q12.4 attestation. Response required for renewal binding.
You scroll your compliance pack to the IDV vendor’s certification page. Whichever one you pay. Jumio. Onfido. Persona. Sumsub. Veriff. iBeta Level 2 is on the front. The cert you’ve been advertising for two years.
You read Q12.4 again.
The cert doesn’t answer it. It was never designed to.
NIST said so in September 2023.
The cert tests a 2017 threat model. The attacker moved off it in 2023. Nine fiscal quarters later, the front of every IDV compliance pack still leads with a credential that NIST itself flagged as out-of-scope for the dominant attack class.
The cert and the gap
iBeta is the test lab. It is NVLAP-accredited under the National Institute of Standards and Technology’s laboratory accreditation program, which is the credential most regulated industries treat as authoritative for biometric evaluation. iBeta’s Presentation Attack Detection evaluation runs against the framework defined in ISO/IEC 30107-3, an international standard first published in 2017 and refreshed in 2023. Level 1 evaluates low-skill artifacts: printed photographs, screen captures held to the camera, paper masks. Level 2 escalates to silicone masks, three-dimensional resin models, more sophisticated screen replays. Both levels test what the standard names a presentation attack, defined verbatim as “a presentation to the biometric data capture subsystem with the goal of interfering with the operation of the biometric system.”
The phrase doing the load-bearing work is “presentation to the biometric data capture subsystem.” Something physical. Something held in front of a camera. Something the camera captures, after which the algorithm decides whether the captured frame originated from a live human or an inert artifact. The credential evaluates exactly that surface. The lab does its job. The standard is internally consistent.
Something physical. In front of a camera. Captured.
The injection attack does not present anything to the capture subsystem. It bypasses it. A virtual camera driver, whether ManyCam, OBS Studio, or a custom-compiled driver shipped through a typo-squatted installer or a fake meeting application, substitutes a synthetic video feed for the real webcam stream before the verification application reads from the device. The application reads what it believes to be a live camera. There is no artifact in physical space for any presentation-attack-detection algorithm to catch. The relevant defense surface is digital injection attack detection — anti-spoof signal families that operate on the captured frame and its temporal context, plus virtual-driver enumeration. None of that is part of ISO 30107-3. None of it is part of any current iBeta tier.
On September 20, 2023, the National Institute of Standards and Technology published NIST Internal Report 8491, titled “Face Analysis Technology Evaluation (FATE) Part 10: Performance of Passive, Software-Based Presentation Attack Detection Algorithms.” The report is the largest public benchmark of biometric PAD performance ever conducted: 82 algorithms from 45 separate developers, evaluated under controlled conditions against the ISO 30107-3 framework. On page eight, the publication is direct about the boundaries of the test.
The FATE PAD activity evaluated physical attacks with analog artifacts. Digital injection attacks, while an important aspect of the presentation attack threat, were out of scope. — NIST IR 8491 · FATE PAD evaluation · September 2023
The report goes further on the same page. It describes injection attacks as “a direct electronic introduction of a digital image or video” that are “recently of particular concern in personal devices where a virtual camera is not readily distinguishable from the physical camera.” The publication is open-access. It has been on the NIST website for thirty-one months. The certification industry has had nine fiscal quarters to update the scope of its evaluations or to publish a clear distinction between what the credential covers and what it doesn’t.
The vendors holding Level 2 today, in alphabetical order, include FaceTec, ID R&D, Innovatrics, iProov, Jumio, Onfido, Persona, Sumsub, Thales, and Veriff. Most of them got the cert between 2018 and 2022, against a threat model designed in 2017. The European Telecommunications Standards Institute has since published CEN/TS 18099, a technical specification that does test injection attacks — but CEN/TS 18099 is not iBeta Level 2, it is not what the renewal questionnaire is asking about, and it is not what the IDV vendor put on the front of the compliance pack.
| Vendor | L2 Cert | L2 Tests Injection? | Separate Cert (CEN/TS 18099) |
|---|---|---|---|
| Jumio | 2019 | No | Not certified |
| Onfido | 2020 | No | Not certified |
| Persona | 2022 | No | Not certified |
| Sumsub | 2023 | No | Not certified |
| Veriff | 2021 | No | Not certified |
| iProov | 2018 | No | CEN/TS 18099 High |
The asymmetry is the whole story. iProov, the only vendor on that list with a public CEN/TS 18099 attestation, is also the only vendor publishing primary telemetry on the attack class the rest of the list doesn’t test.
The telemetry and the pipeline
iProov publishes annual threat intelligence drawn from telemetry inside its own Security Operations Center. The company holds iBeta Level 2 itself. They are not arguing against the credential they paid for. They are reporting where the attacker has moved off it.
The Threat Intelligence Report 2025, released February 27, 2025, covering attack trends measured across 2024, contains the strongest available signal on the shift. Native Virtual Camera attacks, the class in which a malicious or repurposed driver substitutes a synthetic feed for the real webcam stream, grew 2,665 percent in 2024, becoming the primary threat vector against remote identity verification. Face Swap injection attacks, a separate but related class, grew 300 percent versus 2023. The online crime-as-a-service ecosystem grew alongside, with iProov tracking nearly 24,000 users on dark-web marketplaces selling injection-attack tooling. Both attack classes present nothing physical to the camera. Neither is visible to a presentation attack detector at any cert tier.
iProov’s September 2025 follow-up added the platform-coverage number that closes the loop on the iOS exception. Apple devices were once relatively immune to injection attacks because of integrated camera drivers and tighter device-attestation chains. Through the second half of 2025, injection attacks against iOS surged 1,151 percent year-over-year. The platform that held the line for half a decade no longer holds it.
None of this is theoretical. In February 2024, an Arup Group employee in Hong Kong wired $25.6 million to attacker-controlled accounts after joining a video conference in which every participant, including the company’s CFO, was a deepfake. Yoti, an identity verification firm tracking deepfake submission rates as a separate metric, reported that deepfakes and injection attacks now account for 3.9 percent of identity verification checks, up from 1.6 percent in 2023, with daily attack attempts climbing from roughly 1,000 in February 2024 to over 6,000 by January 2025.
That was the warning. This week was the receipt.
On Sunday, April 27, 2026, Arctic Wolf Labs published its disclosure on a North Korean campaign attributed with high confidence to BlueNoroff, the financial-cybercrime sub-unit of the Lazarus Group operating under the DPRK’s Reconnaissance General Bureau. Arctic Wolf observed an active intrusion at a North American Web3 company beginning January 23, 2026, and traced it across the following three months as the campaign expanded to 100 victims across more than 20 countries. The targeting was unambiguous. 41 percent of identified victims were based in the United States. 80 percent operated in cryptocurrency or blockchain finance. 45 percent were CEOs or founders. The campaign maintained 66 days of persistence on the original victim and the technical execution chain ran under five minutes from the first malicious click to full system compromise.
The infrastructure was extensive. More than 80 typo-squatted Zoom and Microsoft Teams meeting domains, registered between late 2025 and March 2026 on shared hosting infrastructure operated by Petrosky Cloud LLC under autonomous system number AS400897. ClickFix-style clipboard injection. Calendly invitations scheduled five months in the future to reduce victim suspicion. Compromised Telegram accounts of prior victims used to seed the next round of lures. Operator activity timestamps clustered between 08:00 and 18:00 Korean Standard Time, weekdays.
None of that is what makes the disclosure relevant to identity verification. What is new in this disclosure is what was on the attacker’s media server when Arctic Wolf scraped it.
Analysis of over 950 files from the attacker’s media hosting server revealed a self-reinforcing deepfake production pipeline: exfiltrated webcam footage from prior victims was combined with AI-generated images to produce new fake meeting content. — Arctic Wolf Labs · BlueNoroff disclosure · April 27, 2026
The pipeline reconstructed from the metadata: the attacker generates a synthetic face using ChatGPT’s GPT-4o image generation, confirmed via C2PA cryptographic provenance markers embedded in the recovered headshots. They then use screen recordings captured on a Windows virtual machine via Game DVR as the body and motion source. The AI face and the human motion are composited in Adobe Premiere Pro 2021. The Premiere project file recovered from the media server referenced 73 such composite videos. The exports run through FFmpeg. The output is a synthetic video stream of a plausibly real person on a plausibly real Zoom call, generated end-to-end without ever holding a printed photograph in front of a camera. Each compromised victim’s exfiltrated footage becomes raw material for the next round.
Fed through a virtual camera driver into a biometric verification application, that stream is the canonical injection attack. It is the precise attack class iBeta Level 2 PAD certification, by NIST’s explicit page-eight reading, does not test. It is the class iProov measured at 2,665 percent growth across 2024. It is the class running, this week, against more than a hundred crypto firms across twenty countries.
The same attacker who recorded a victim’s Zoom call last Tuesday is the attacker the cert was supposed to defend against, on a different verification surface, one Wednesday from now.
The layer above
Lorica is not an iBeta Level 2 vendor. Not a Jumio, an Onfido, a Persona, a Sumsub, or a Veriff. Those companies operate the onboarding identity-verification layer. They run the KYC flow at signup. They hold the cert. They do that work well within the threat model the cert was designed for, and they should keep doing it — the onboarding moment is its own surface, and the held-up artifact is still the dominant attack class against an unauthenticated stranger filling out a registration form. The argument is not that they are wrong. The argument is that a different layer is missing above them, and that layer is what an injection-class attacker is now exploiting.
That layer is biometric step-up verification at the moment of a high-risk action: the wire transfer, the withdrawal, the trade beyond a threshold, the beneficiary change, the new device authorization. The user initiates the action. Lorica fires before the action executes. The camera opens, matches the live face against an enrolled high-dimensional embedding, runs the verification pipeline against every captured frame, and returns a signed verdict. Median warm latency is 292 milliseconds. Three endpoints: /enroll, /verify, /delete. Single-call verify. The output is an HMAC-signed JWT containing the user identifier, the action verified, the confidence score, the liveness score, the verification method, the timestamp, and the verification identifier. A per-transaction artifact bound to a specific human authorizing a specific action at a specific moment. The artifact an insurance underwriter, a regulator, or a court can independently verify.
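The relying-party side of that per-transaction artifact, as an added example (not Lorica’s code or claim schema): the exchange’s own check that a signed verdict is genuine, bound to this user and this exact action, fresh, above the liveness and confidence thresholds, and never used twice. Claim names, thresholds and the 120-second freshness window are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_verdict(claims: dict, key: bytes) -> str:
    """HS256 JWT carrying a verdict; used here only to construct sample tokens."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_verdict(token: str, key: bytes, user: str, action: str, seen_ids: set,
                  now=None, max_age: int = 120,
                  min_liveness: float = 0.9, min_confidence: float = 0.9):
    """Return (ok, reason). Claim names (sub, action, iat, liveness, confidence,
    vid) are assumed, not a vendor schema. Every failure is a refusal to execute."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:                    # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":      # the token never gets to choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    if claims.get("sub") != user:
        return False, "user mismatch"
    if claims.get("action") != action:    # a verdict for one action authorizes no other
        return False, "action mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not now - max_age <= iat <= now + 5:
        return False, "stale or future verdict"
    if claims.get("liveness", 0) < min_liveness or claims.get("confidence", 0) < min_confidence:
        return False, "score below threshold"
    vid = claims.get("vid")
    if not vid or vid in seen_ids:        # one verdict, one action, once
        return False, "replayed verification id"
    seen_ids.add(vid)
    return True, "ok"
```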
The injection detection layer is what the onboarding cert does not cover, and it is what Q12.4 is asking about. Lorica runs anti-spoof signal families against the captured frame and its temporal context — surfacing the compression and re-encoding artifacts that synthetic generation pipelines leave behind, and the inconsistencies that virtual-camera streams produce when sourced from composite video. Those signals are cross-referenced against active and passive liveness modes, selectable per risk tier. The combined effect is a verdict surface measured against the 2025 attack class, not the 2017 one.
The two layers stack. They do not compete. An exchange running Jumio at signup and Lorica at the action moment is using the right tool for each surface: ISO 30107-3 PAD covers presentation attacks at onboarding, Lorica covers digital injection attacks at the action moment. The procurement conversation is not replace your IDV vendor. It is add the layer your existing vendor’s certification does not cover, before your underwriter asks you about it.
The underwriter side of the equation is moving faster than most exchanges have noticed. Evertas, the largest crypto-native carrier, has tripled coverage limits over 2025-2026 and is restructuring its renewal questionnaires around per-action attribution. The Lloyd’s syndicates writing crypto E&O (Atrium 609, Arch 2012, Canopius, Chaucer, Beazley) tightened renewals through 2025. The brokers placing the coverage, Marsh and Aon and Lockton and Paragon, all have digital-asset practice leads now writing internal memos on injection-class risk that did not exist in their 2024 books. The New York State Department of Financial Services issued cybersecurity guidance in October 2024 recommending biometric liveness detection for regulated entities specifically because SMS, voice, and video MFA are deepfake-vulnerable. NYDFS recommends. It does not require. Underwriters do not have to wait for the regulator to require what their actuaries already need.
That is the procurement window. It is open this summer.
The renewal arrives in summer
The certification industry is not lying. iBeta is not corrupt. ISO 30107-3 is not the wrong standard for the surface it covers. The vendors holding Level 2 certification are not making fraudulent claims about the test they passed. The fact is simpler. A credential built between 2017 and 2023, evaluating a threat model that was the dominant attack class through 2022, is being shown in 2026 on procurement decks and underwriter renewal questionnaires as proof of liveness defense against an attack class the certification itself, by NIST’s explicit page-eight reading, does not test. Across the same period, that attack class grew 2,665 percent, surged 1,151 percent on iOS in six months, and is, this week, in production against more than a hundred crypto firms in twenty countries through a self-reinforcing deepfake assembly line operated by a North Korean state actor.
Two and a half years.
The cert hasn’t moved.
The attacker has.
The renewal questionnaire arrives this summer. You will be asked Q12.4. Your existing IDV vendor’s compliance pack does not have an answer. Your underwriter will not accept silence, and your competitor on the next page of the broker’s book of business is in the process of finding one.
Add the layer that does.
— Tristan