87% of failed biometric verifications in Southern Africa due to AI spoofing: Smile ID

A new report spotlights deepfake fraud posing an acute problem for Africa.

Digital identity, banking and e-government are being used to streamline and more efficiently facilitate financial inclusion and disbursement of funding, along with helping underserved communities access healthcare and other essential public services.

Smile ID’s 2026 Digital Identity Fraud Report has some jaw-dropping findings. In Southern Africa, almost nine in ten (87 percent) rejected biometric verification attempts were connected to AI-assisted impersonation and spoofing. The report says “fraud is overwhelmingly biometric in Southern Africa,” a region that encompasses countries including Botswana, South Africa and Zimbabwe.

Meanwhile, Africa’s percentage of adults owning a financial account has risen from 34 percent to nearly 60 percent over the past decade. However, identity verification systems have largely stood still — tied to a one-time checkpoint model, Smile ID warns. Fraud has accelerated with the arrival of AI.

The figures were compiled from 200 million identity checks by Smile ID’s customer base across dozens of industries and 35 countries in 2025. The analysis covers the full identity lifecycle — onboarding, authentication, and high-risk account events — examining how fraud manifests at different stages of trust.

Smile ID found more than 160,000 fraudulent verification attempts in a single month in 2025, all of which were traced back to just 100 facial identities. “Some of these faces appeared over 12,000 times across multiple platforms,” the report says. Another case saw attackers use the same identity for more than a thousand account registration attempts within a space of 30 minutes.
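The pattern described above, one face reused across thousands of accounts and platforms and bursts of registrations inside a short window, is what "networked intelligence" has to surface. The following is an added example of that detection logic run over a constructed verification log; it is not Smile ID's code, and the log line format, the field names (`face` standing in for a hashed or clustered face template, `platform`, `account`) and the thresholds are assumptions made for the illustration.

```python
"""Identity-reuse and velocity detection over a verification log.

Added example, not Smile ID's code. Log format, field names and thresholds
are assumptions; `face` stands in for a hashed or clustered face template.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) face=(?P<face>\S+) platform=(?P<platform>\S+) account=(?P<account>\S+)$"
)

# Constructed sample log: face f001 hits 8 different accounts on two platforms
# inside 14 minutes; f002 is a legitimate retry on one account; f003 is a one-off;
# f004 is reused slowly across three platforms over three days.
SAMPLE_LOG = [
    f"2025-06-01T10:{m:02d}:00Z face=f001 platform={'bankA' if m % 4 else 'lenderB'} account=acc{m:03d}"
    for m in range(0, 16, 2)
] + [
    "2025-06-01T11:00:00Z face=f002 platform=bankA account=acc200",
    "2025-06-01T11:05:00Z face=f002 platform=bankA account=acc200",
    "2025-06-01T12:00:00Z face=f003 platform=walletC account=acc300",
    "2025-06-02T09:00:00Z face=f004 platform=bankA account=acc400",
    "2025-06-03T09:00:00Z face=f004 platform=lenderB account=acc401",
    "2025-06-04T09:00:00Z face=f004 platform=walletC account=acc402",
]


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "face": m["face"], "platform": m["platform"], "account": m["account"]}


def parse_log(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def cross_account_reuse(events, min_accounts=3):
    """Faces presented for at least `min_accounts` distinct accounts.

    Catches slow reuse that a per-platform velocity rule never sees, because it
    pools attempts across platforms the way a shared network view would.
    Returns {face: {"accounts": n, "platforms": m, "attempts": k}}.
    """
    accounts, platforms, attempts = defaultdict(set), defaultdict(set), Counter()
    for e in events:
        accounts[e["face"]].add(e["account"])
        platforms[e["face"]].add(e["platform"])
        attempts[e["face"]] += 1
    return {
        f: {"accounts": len(a), "platforms": len(platforms[f]), "attempts": attempts[f]}
        for f, a in accounts.items()
        if len(a) >= min_accounts
    }


def velocity_alerts(events, window=timedelta(minutes=30), max_attempts=5):
    """Sliding-window burst detection per face.

    Returns {face: peak attempts seen inside any `window`} for faces whose peak
    exceeds `max_attempts`.
    """
    by_face = defaultdict(list)
    for e in events:  # events are already time-sorted
        by_face[e["face"]].append(e["ts"])
    alerts = {}
    for face, times in by_face.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            alerts[face] = peak
    return alerts


def concentration(events, top_n=2):
    """Share of all attempts attributable to the `top_n` most-seen faces."""
    counts = Counter(e["face"] for e in events)
    top = sum(c for _, c in counts.most_common(top_n))
    return top / len(events) if events else 0.0


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("reuse:", cross_account_reuse(ev))
    print("velocity:", velocity_alerts(ev))
    print(f"top-2 concentration: {concentration(ev):.2f}")
```

The two rules are deliberately complementary: the burst rule catches the thousand-registrations-in-thirty-minutes case, while the cross-account rule catches a face drip-fed to one platform at a time, which only a pooled (network) view can see.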

“The most consequential fraud attacks today are targeted account takeovers (ATOs) — not fake IDs or isolated spoofs, but coordinated operations that compromise the capture pipeline, reuse real identities at scale, and exploit moments after approval when controls are lighter through highly scalable AI-powered tooling,” the report claims.

This is a professionalized process: fraudsters come in later in the customer journey, often colluding with insiders, and draw on large facial biometric and identity data sets. AI-powered tools are employed to analyze that data and to scale attacks. Generative AI has lowered the barrier to entry and cut costs: it produces high-quality synthetic documents and imagery and automates biometric manipulation, capabilities that were previously uncommon or expensive.

Now that the cost of each attempt is marginal, approaching zero, attackers can reuse the same identity assets across hundreds of thousands of attempts. Defenses built for a previous era are straining under the barrage. “Fraud defences must now assume abundance and use networked intelligence to spot patterns and turn the volume generated by fraudsters’ attacks against them,” the Smile ID report argues.

Smile ID found that nearly 90 percent of verifications rejected for suspected fraud in 2025 came through mobile SDK integrations, up from 15 percent in 2023 and 65 percent in 2024. Mobile SDKs can capture additional on-device signals, such as image integrity and user behavior, that API-only verification flows cannot see. Biometric injection attacks have surged to over 100,000 per month, with Smile ID detecting signs of emulators, tampered capture pipelines and virtual cameras.
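Injection attacks work because an API-only flow receives an image with no evidence of how it was captured. One way a server can tie a submission to a specific capture is to challenge the device with a single-use nonce and require the SDK to tag the image, the nonce and the reported capture source with a key enrolled for that device. The following is an added illustration of that check, not Smile ID's SDK or protocol; the message layout, the `CaptureVerifier` class, the 120-second freshness window and the HMAC device key (a stand-in for a hardware-backed attestation key) are assumptions. The `source` label is self-reported by the client, so on its own it only stops naive replays; a real deployment would bind it to platform attestation such as Play Integrity on Android or App Attest on iOS.

```python
"""Capture-integrity check: bind each biometric capture to a server nonce and a
per-device key. Added example, not Smile ID's SDK; protocol, field names and
TTL are assumptions. The `source` field is client-reported and needs platform
attestation behind it in production.
"""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 120  # assumed freshness window for a capture challenge


def capture_tag(device_key: bytes, image: bytes, nonce: str, source: str) -> str:
    """HMAC over (sha256(image) || nonce || source) under the device's enrolled key."""
    msg = hashlib.sha256(image).digest() + nonce.encode() + b"|" + source.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def sdk_capture(device_key, nonce, image, source="hardware_camera"):
    """Client side: what the on-device SDK submits alongside the image."""
    return {"image": image, "source": source, "tag": capture_tag(device_key, image, nonce, source)}


class CaptureVerifier:
    """Server side: issues single-use nonces and verifies submitted captures."""

    def __init__(self):
        self.device_keys = {}  # device_id -> key registered at enrollment
        self.issued = {}       # nonce -> (device_id, issued_at)
        self.consumed = set()  # nonces already accepted once

    def enroll(self, device_id, device_key):
        self.device_keys[device_id] = device_key

    def issue_nonce(self, device_id, now=None):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = (device_id, now if now is not None else time.time())
        return nonce

    def verify(self, device_id, nonce, submission, now=None):
        """Returns (accepted, reason). Checks are ordered cheapest first."""
        now = now if now is not None else time.time()
        meta = self.issued.get(nonce)
        if meta is None or meta[0] != device_id:
            return False, "unknown nonce"
        if nonce in self.consumed:
            return False, "nonce replayed"
        if now - meta[1] > NONCE_TTL_SECONDS:
            return False, "nonce expired"
        if submission["source"] != "hardware_camera":
            return False, "untrusted capture source: " + submission["source"]
        expected = capture_tag(self.device_keys[device_id], submission["image"], nonce, submission["source"])
        if not hmac.compare_digest(expected, submission["tag"]):
            return False, "integrity tag mismatch"
        self.consumed.add(nonce)
        return True, "ok"


def run_scenarios():
    """Genuine capture, replayed nonce, swapped image, virtual camera, stale nonce."""
    verifier = CaptureVerifier()
    key = secrets.token_bytes(32)
    verifier.enroll("dev-1", key)
    image = b"\xff\xd8constructed-selfie-bytes\xff\xd9"  # constructed, not a real JPEG
    results = {}

    n = verifier.issue_nonce("dev-1")
    sub = sdk_capture(key, n, image)
    results["genuine"] = verifier.verify("dev-1", n, sub)
    results["replay"] = verifier.verify("dev-1", n, sub)  # same nonce again

    n = verifier.issue_nonce("dev-1")
    sub = sdk_capture(key, n, image)
    sub["image"] = image + b"edited"  # image swapped after the tag was computed
    results["tampered"] = verifier.verify("dev-1", n, sub)

    n = verifier.issue_nonce("dev-1")
    results["virtual_camera"] = verifier.verify(
        "dev-1", n, sdk_capture(key, n, image, source="virtual_camera")
    )

    t0 = time.time()
    n = verifier.issue_nonce("dev-1", now=t0)
    results["stale"] = verifier.verify(
        "dev-1", n, sdk_capture(key, n, image), now=t0 + NONCE_TTL_SECONDS + 1
    )
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The nonce is what gives the server a freshness and single-use guarantee; without it, a prepared image plus a valid tag could be resubmitted indefinitely. The tag only has value while the device key cannot be extracted, which is why it belongs in hardware-backed key storage rather than in application memory.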

Continuous defense and network intelligence

Mark Straub, CEO of Smile ID, comments that defense has to move beyond just the end of the pipeline. “Fraud is no longer a ‘KYC’ problem — it is a continuous cybersecurity challenge,” he says.

“Effective defence now requires network intelligence: By leveraging these privacy-preserving indicators throughout the customer lifecycle, we enable real-time adaptation. Identity has entered the security era, where ecosystem-wide protection is essential to safeguarding the individual,” he believes.

Modern fraud defense should operate across four interconnected zones that together form a continuous security infrastructure, Smile ID argues: trusted capture; verification and signal extraction; enforcement and feedback; and intelligence and pattern detection, each feeding the next. Three strategic priorities build on this.

Of these, priority two, hardening authentication at high-value moments, is notable for its granular detail: multi-factor authentication at high-risk moments, which in practical terms means requiring biometric verification in addition to an OTP for password resets, device changes and high-value transactions.

The other two priorities are lifecycle intelligence, revealing where fraud will concentrate, and trusted capture, with capture integrity enabling richer signals. “Fraud now operates as repeatable, networked infrastructure,” the report concludes. “Defence must do the same.”

“This approach — a Network Defence — connects signals across the identity lifecycle, detects coordination that isolated systems miss, and strengthens with every verification.”

Smile ID’s 2026 Digital Identity Fraud in Africa Report is available for download from Smile ID.

Tycoon 2FA phishing empire dismantled in global cybercrime crackdown

A sprawling cybercrime platform that helped thousands of attackers bypass modern authentication protections has been disrupted in a coordinated global operation led by technology companies, cybersecurity researchers and law enforcement agencies.

The takedown targeted Tycoon 2FA, one of the most prolific phishing-as-a-service platforms in operation in recent years, and underscores how identity-based attacks have become a central battleground in modern cybersecurity.

As organizations move more operations into cloud platforms and rely on digital identities to manage access, phishing campaigns that compromise those identities can provide attackers with direct entry into critical systems.

Through a combination of legal action, infrastructure seizures and cross-border intelligence sharing, the coalition dismantled key parts of the service’s technical backbone and seized hundreds of domains used to support its campaigns.

The operation illustrates both the scale of the modern phishing economy and the increasingly coordinated efforts required to disrupt it.

At the center of the disruption effort was a partnership involving Microsoft, Europol, and a broad set of cybersecurity companies and nonprofit organizations.

The coalition included firms such as Trend Micro, Cloudflare, Intel471, Proofpoint, SpyCloud and Coinbase, along with intelligence sharing groups and law enforcement agencies from multiple European countries.

The combined effort targeted the infrastructure powering Tycoon 2FA’s operations, including the domains used to host phishing pages and administrative panels.

As part of the operation, investigators seized roughly 330 domains that formed the core of the service’s infrastructure. These domains hosted control panels used by cybercriminals as well as fake login pages designed to harvest credentials from victims.

The seizures were carried out under a court order in the United States and supported by coordinated enforcement actions in several European jurisdictions.

Tycoon 2FA had emerged as one of the most significant drivers of phishing activity worldwide since it appeared around 2023. The platform allowed criminals to conduct sophisticated attacks that could defeat multi-factor authentication, the security measure widely adopted by organizations to protect accounts beyond a simple password.

By mid-2025, the service was responsible for about 62 percent of the phishing attempts blocked by Microsoft’s systems, with some months seeing more than 30 million malicious emails sent through the infrastructure.

The impact was substantial. Researchers estimate that the service has been linked to roughly 96,000 victims globally, including tens of thousands of Microsoft customers whose accounts were targeted or compromised.

Healthcare organizations, schools and universities were among the hardest hit sectors, with phishing campaigns disrupting operations and exposing sensitive data.

The platform’s success lay in its design. Tycoon 2FA operated as an adversary-in-the-middle phishing system, a technique that intercepts communication between a victim and a legitimate service during the login process.

When a user entered their credentials and responded to authentication prompts, the system relayed that information in real time to the actual service while simultaneously capturing passwords, authentication codes and session cookies.

Those stolen session tokens allowed attackers to log in to accounts even if the password was later changed, unless all active sessions were revoked. This approach effectively undermined traditional multi-factor authentication protections, which were designed to stop attackers who only possess a password.

By capturing authentication tokens generated during a valid login session, the Tycoon 2FA infrastructure allowed attackers to assume the identity of legitimate users and move through systems without triggering many security alerts.
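The detail that matters for defenders in the paragraphs above is that the stolen artifact is the session, not the password: a relayed login produces a perfectly valid cookie, and changing the password afterwards does nothing to that cookie unless the service also invalidates existing sessions. The following is an added illustration of both halves, a toy relying party with a phishing proxy that relays the victim's credentials and keeps the cookie, and a session "generation" counter that lets a password reset revoke every outstanding session. It is not Tycoon 2FA code or any vendor's implementation; the `IdentityService` class, the `aitm_relay` function and the generation-counter design are assumptions made for the example, and the OTP is modeled as a boolean because the proxy forwards whatever the victim types in real time.

```python
"""Why a relayed login survives a password change, and one way to stop it.

Added example, not Tycoon 2FA or Microsoft code. The service, the relay and
the session-generation scheme are assumptions for illustration.
"""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _key(token: str) -> str:
    # Store only a hash of the bearer token so a leaked session table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


class IdentityService:
    """Toy relying party: password + OTP login, bearer session cookies."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw", "generation"}
        self.sessions = {}  # sha256(token) -> (username, generation at issue)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": hash_password(password, salt), "generation": 0}

    def login(self, username, password, otp_ok):
        u = self.users.get(username)
        if u is None or not otp_ok or not hmac.compare_digest(u["pw"], hash_password(password, u["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[_key(token)] = (username, u["generation"])
        return token

    def whoami(self, token):
        """Resolve a cookie; sessions from an older generation are dead."""
        entry = self.sessions.get(_key(token))
        if entry is None:
            return None
        username, generation = entry
        if generation != self.users[username]["generation"]:
            self.sessions.pop(_key(token), None)  # lazy eviction
            return None
        return username

    def change_password(self, username, new_password, revoke_sessions):
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["pw"] = hash_password(new_password, u["salt"])
        if revoke_sessions:
            u["generation"] += 1  # every cookie issued before this moment stops resolving


def aitm_relay(service, username, password, otp_ok=True):
    """Phishing proxy: forwards what the victim typed to the real service and
    keeps a copy of the cookie it gets back. The victim sees a normal login."""
    token = service.login(username, password, otp_ok)
    captured = {"username": username, "password": password, "session": token}
    return token, captured


def run_scenarios():
    svc = IdentityService()
    svc.register("alice", "correct horse")
    victim_token, captured = aitm_relay(svc, "alice", "correct horse")
    out = {"victim_logged_in": svc.whoami(victim_token)}

    out["attacker_before_reset"] = svc.whoami(captured["session"])

    # Reset without revocation: the password changes, the stolen cookie keeps working.
    svc.change_password("alice", "new pass", revoke_sessions=False)
    out["attacker_after_reset_no_revoke"] = svc.whoami(captured["session"])

    # Reset with revocation: the generation bump kills every outstanding session.
    svc.change_password("alice", "newer pass", revoke_sessions=True)
    out["attacker_after_reset_with_revoke"] = svc.whoami(captured["session"])
    out["old_password_login"] = svc.login("alice", "correct horse", True)
    out["fresh_login"] = svc.whoami(svc.login("alice", "newer pass", True))
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:34s} {v!r}")
```

Revoking sessions on reset shortens the attacker's window but does not prevent the initial capture; that requires an authenticator bound to the site origin (FIDO2/WebAuthn), which a proxy on a look-alike domain cannot satisfy. Short cookie lifetimes and binding sessions to the client (device or IP signals) narrow the gap further, at a usability cost.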

The service also lowered the barrier to entry for cybercrime. Tycoon 2FA operated as a subscription-based phishing-as-a-service platform, meaning criminals could rent access to the toolkit without needing deep technical skills.

The system provided prebuilt phishing templates that mimicked widely used services such as Microsoft 365 and Google Workspace, along with hosting infrastructure and dashboards for managing campaigns and viewing stolen credentials.

This model reflects a broader trend in the cybercrime ecosystem where specialized services are sold or leased in underground markets to enable large-scale attacks.

Instead of building tools themselves, attackers can purchase ready-made capabilities including phishing kits, malware distribution services, hosting infrastructure and stolen credentials. The result is an interconnected economy that functions much like a legitimate technology supply chain.

Investigators said Tycoon 2FA fit squarely within that ecosystem. The service was reportedly marketed and managed through encrypted messaging platforms such as Telegram and supported by partners responsible for payments, marketing and technical support.

Other illicit services handled mass email distribution or provided the servers used to host phishing infrastructure, allowing the entire operation to scale quickly. Trend Micro researchers who tracked the platform say its infrastructure included thousands of domains and supported a global network of operators.

The service generated enormous volumes of phishing traffic, delivering campaigns targeting enterprises, governments and individuals across multiple continents.

Analysis of victim data also illustrates the breadth of the threat. Intelligence gathered from exposed Tycoon 2FA panels revealed hundreds of thousands of captured credentials and authentication records.

Most of the compromised accounts were tied to corporate email domains rather than free consumer email providers, underscoring the platform’s focus on enterprise environments where access to a single account can open pathways into larger organizational systems.

For attackers, those compromised accounts often served as the starting point for broader intrusions.

Once inside an organization’s email or cloud collaboration environment, criminals could conduct business email compromise scams, steal sensitive data, or use the account to launch additional phishing campaigns targeting colleagues and partners. In some cases, access obtained through phishing operations later facilitated ransomware deployments.

The takedown effort also demonstrates how technology companies increasingly use civil litigation alongside traditional law enforcement methods to disrupt cybercrime infrastructure.

In this case, Microsoft’s Digital Crimes Unit filed a civil complaint in federal court to obtain legal authority to seize domains associated with the platform. The action was supported by threat intelligence gathered by private security companies and shared with international law enforcement agencies.

Europol played a central coordinating role through its Cyber Intelligence Extension Program, which is designed to move beyond intelligence sharing toward direct operational collaboration between governments and the private sector.

Authorities in countries including Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom participated in enforcement actions connected to the case.

Cybersecurity researchers emphasize that while such operations can significantly disrupt cybercrime infrastructure, they rarely eliminate it entirely. Platforms like Tycoon 2FA are part of a broader ecosystem in which new tools quickly emerge to replace those that are shut down.

Nonetheless, investigators say the dismantling of widely used services can have cascading effects by forcing attackers to rebuild infrastructure and raising the cost and complexity of their operations.