
$20 for a Face: The “Underground” Business of Crypto KYC

Analysis · 4 hours ago · Posted by Wyatt

“Services are not supported in your region.”


I’ve lost count of how many times I’ve seen this message. This time, I was fully prepared—I dug out my passport, took photos of the front and back against the camera, switched to selfie mode for a photo holding the document, and then followed the on-screen prompts to nod, shake my head, and blink. The whole process took about ten minutes, and I was more meticulous than last time. Then the page refreshed, showing “Submission successful, awaiting review.”

I waited for three days. On the fourth day, I refreshed, and the status was still “Under Review.” The withdrawal function was frozen, with the reason being “Awaiting completion of identity verification.” The subscription window for the project I wanted to participate in was closing in forty-eight hours.

Or perhaps, there was no waiting at all—the page had already identified my IP address before I could even start, directly popping up that message: “Services are not supported in your region.” No reason given, no appeal channel, and no indication of what else I could do. It’s not that I didn’t want to comply; I simply didn’t have the qualification to comply.

This is perhaps a situation you and I often encounter, the most common wall in the crypto industry: KYC, Know Your Customer. KYC is the weightiest part of the term “compliance”: you must prove you are who you say you are to get in.

Over the past five years, some mainstream exchanges have gradually outsourced KYC to commercial identity verification systems like Sumsub and Jumio. Compliance costs have been “productized” and become a recurring expense. For top-tier platforms, this expenditure has reached the level of millions to tens of millions of dollars.

Multiple professionals in the crypto payments industry told Foresight News that the industry still heavily relies on third-party service providers like Sumsub and Jumio for KYC, as these solutions have clear advantages in global data coverage and compliance capabilities.

However, as transaction volumes expand and risk control demands increase, some leading institutions have begun exploring a hybrid model of “self-built risk control + third-party KYC” to achieve a better balance between cost, pass rates, and risk control.

Yet, no matter how high this wall is built, the underground market has already set its own price. On the other side of this wall exists a complete underground industry chain specifically designed to breach this system at low cost. The price to penetrate it is 20 USDT—covering the full verification process required by exchanges: passport or driver’s license upload, facial recognition, proof of residence, all delivered in one package.

500,000 People, An Uncounted Market

Adhering to the principle of “where there’s a policy, there’s a countermeasure,” I started searching online for “Web3 KYC.” What popped up wasn’t tutorials, but more warnings.

A 2023 report by CertiK scanned over 20 underground KYC markets, finding that the total number of participants at that time exceeded 500,000, specializing in buying and selling verified accounts for various platforms, concentrated in Southeast Asia, with group sizes ranging from 4,000 to 300,000.

Cybersecurity company ZeroFox once counted over 1 million posts selling KYC accounts on public forums and Telegram within a year, involving mainstream compliant exchanges like Coinbase Pro and Kraken, with prices ranging from $150 to $500.

A more direct investigation by CoinDesk involved purchasing several accounts for verification. Each account came with a real user’s name, home address, date of birth—accounts for US residents even included Social Security Numbers. They then searched public databases and found four real individuals whose information perfectly matched the account details, sending them written notifications. Those individuals had been completely unaware: they did not realize their names were attached to a stranger’s exchange account, the password for which they had never set.

The technical landscape is also deteriorating simultaneously. According to Sumsub’s released 2025 Identity Fraud Report, deepfake attacks have grown over 2000% in the past three years and now account for about 1/15 of all identity fraud attempts.

The attack path has formed a three-layer structure:

  • The lowest layer uses high-resolution screens with polarizing filters to eliminate glare, making the “playing video” screen optically resemble a real capture;
  • The second layer involves HOOK injection attacks, directly hijacking the system call interface of the phone’s camera, “feeding” pre-recorded 4K video into the application’s capture window—the application “sees” the camera’s real-time output, but what actually flows in is a pre-prepared video;
  • The third layer is one-click AI face-swapping tools, generating results from uploaded photos, lowering the attack barrier to zero. The average cost to breach a real-person liveness verification system: $10, with a return on investment as high as 1400%.

The “2025 Global KYC Attack Risk Research Report” released by Threat Hunter shows that from an industry distribution perspective, virtual currency exchanges and wallet payment platforms are the core targets of all KYC attacks, accounting for over 78% combined. Among attack materials, “proof of address” documents sell the most, for a simple reason: they require frequent updates, and AI can generate them in bulk.


These numbers paint a clear picture: fraud, identity theft, organized criminal industry chains. Layering these numbers together: 500,000 participants, 1 million publicly circulating sales posts, accounts from top compliant exchanges like Coinbase, Binance US, and Kraken are all included. This is not an isolated case for a single platform, but a systemic vulnerability faced by the entire crypto compliance system—as long as KYC exists, a market to bypass it exists, and its scale is comparable.

The wording of each report is very definitive, using terms like “threat actors,” “underground markets,” “illegal operations.” But they share a common blind spot in perspective. They are all viewed from the outside, from the perspective of regulators and security companies, like describing a fire happening behind glass.

But no report explains who those people hanging “online” on Telegram every day actually are, how they view what they’re doing, and who this business ultimately serves.

I decided to talk to people in the circle.

An Underground KYC Vendor: 600 Transactions in Two Years

Searching for KYC on Telegram brings up a batch of accounts in seconds.

In early March, I randomly picked a seemingly trustworthy KYC middleman. Unfortunately, I encountered a cold guy. His replies didn’t exceed 5 words, and he mostly answered my various questions with a direct “yes.” The most information I got was the quotes, like “CoinList KYC 40 U,” “Coinbase KYC 20 U.”


After a long silence, the other party sent a slightly longer message: “So can we work together?” The sentence seemed hard-translated from another language, reading like discussing cooperation, but probably was just pushing for an order. The conversation was hard to continue.

So I switched to checking the TRON chain receiving address he gave me on-chain. This address has been operational since January 2024, with cumulative inflows exceeding 59,243 USDT, totaling 600 incoming transactions, spanning 26 months. But the net balance is zero.


Every inflow was quickly emptied out within a period, transferred to the same upstream address. Following this chain, he ultimately transferred to OKX’s hot wallet on the TRON chain. This middleman helping people bypass KYC deposits every penny he earns into an exchange.

A small-scale anonymous seller, nearly $60,000 in turnover over two years, 600 transactions, no holidays, no off-season, only tidal fluctuations driven by token launch rhythms. And this is just one address, one seller, one chain.
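The collect-and-sweep pattern described above (many small inflows, a net balance of zero, everything forwarded to one upstream address) is something a compliance or investigations team can test for mechanically. The following is an added example, not code from the article or from any exchange: the addresses are placeholders, the transfer records are constructed, and the `sweep_share` and `dust` thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def profile_address(transfers, addr, sweep_share=0.9, dust=1.0):
    """Summarise (ts, src, dst, amount) transfers touching addr; flag collect-and-sweep."""
    inflow = outflow = balance = 0.0
    n_in = 0
    by_dest = defaultdict(float)   # total forwarded per destination
    pending_since = None           # oldest inflow not yet forwarded
    dwells = []                    # how long funds sat before each full sweep
    for ts, src, dst, amount in sorted(transfers):
        if src == dst or addr not in (src, dst):
            continue               # ignore self-transfers and unrelated records
        if dst == addr:
            inflow += amount
            balance += amount
            n_in += 1
            pending_since = pending_since or ts
        else:
            outflow += amount
            balance -= amount
            by_dest[dst] += amount
            if balance <= dust and pending_since is not None:
                dwells.append(ts - pending_since)
                pending_since = None
    top_dest, top_amt = max(by_dest.items(), key=lambda kv: kv[1], default=(None, 0.0))
    share = top_amt / outflow if outflow else 0.0
    return {
        "inflow_total": inflow,
        "inflow_count": n_in,
        "net_balance": round(balance, 6),
        "top_destination": top_dest,
        "top_destination_share": share,
        "max_dwell": max(dwells, default=None),
        "pass_through": n_in > 0 and abs(balance) <= dust and share >= sweep_share,
    }

# Constructed sample data: placeholder addresses, not taken from the article.
T0 = datetime(2024, 1, 5, 12, 0)
COLLECTOR, UPSTREAM = "T_collector_placeholder", "T_upstream_placeholder"
SAMPLE = [
    (T0, "T_buyer_1", COLLECTOR, 40.0),
    (T0 + timedelta(hours=3), "T_buyer_2", COLLECTOR, 20.0),
    (T0 + timedelta(hours=5), COLLECTOR, UPSTREAM, 60.0),
    (T0 + timedelta(days=2), "T_buyer_3", COLLECTOR, 20.0),
    (T0 + timedelta(days=2, hours=1), COLLECTOR, UPSTREAM, 20.0),
    (T0 + timedelta(days=3), "T_buyer_1", "T_unrelated", 500.0),
]
```

A flagged address is a lead for manual review, not proof of illicit activity: payment processors and deposit addresses produce the same shape, so the upstream destination still has to be attributed separately.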

This chain didn’t connect for me; the trail went cold here. Anonymous people won’t talk; I needed to find someone more willing to speak.

A KYC “Businessman”: Five Years, Dozens of Platforms

I finally found a “businessman” specializing in KYC services on X. Introduced by a friend, I added his contact, and he was willing to be interviewed.

His name is Maoli, operating a “blockchain service platform” with a rich variety of products.

Speaking about the method of Web3 KYC services, Maoli said, “I started this business based on the needs of my own followers, looking for various channels, investing time in research, and gradually building it up.”

Maoli has been doing this for five years. Now he operates with one assistant, most products are automatically delivered. His product catalog covers dozens of platforms, priced in RMB. Higher prices represent either higher recent participation/user heat for that platform or greater difficulty in bypassing its identity verification threshold.


“Once set up, it’s basically automated, not to mention AI can assist now,” he said. “Basically, it doesn’t require many people to operate.” Except during good market conditions—when token launches cluster, he can work up to 12 hours a day. During bleak market conditions, he invests time into operating his X account.

“The people’s convenience store, serving all fans in the blockchain industry.” This is how he describes his business.

His clients are spread across Chinese-speaking regions: Mainland China, Hong Kong, Taiwan, Malaysia, South Korea, the United States. Mainland users have the most direct demand—many token launch platforms block Chinese IPs. Uploading a passport or ID card results in automatic system rejection, with no appeal channel or explanation.

“They buy accounts to participate in activities,” Maoli said. With each delivery, he includes a fixed risk warning: “Since this is an account registered with someone else’s information, please do not place large amounts of funds on the platform. Participate with small amounts, deposit and withdraw promptly.” The “risk” he warns of is that the account could be reclaimed by the original owner at any time; using another person’s identity information to register a financial account itself constitutes identity fraud in most jurisdictions.

The Emerging Industry Chain

How is a single order completed? Maoli described the full process: pre-sales consultation, payment, he contacts a “qualified foreigner,” the foreigner follows the pre-trained procedure to complete KYC, the account is transferred to the buyer, the buyer verifies and modifies security settings, order closed.

The client that left the deepest impression on him was a Korean, the head of a professional incubation team, who always placed large orders. “He always collaborates with project teams, purchasing a very large number of accounts,” Maoli said. “He told me he made a lot of money through me. But I didn’t make that much; he makes money from resources, while I make the hard-earned money from the KYC part.”

In other words, this industry chain also has multiple tiers. As the demand side, Korean incubation teams profit by using accounts to participate in project subscriptions in bulk. Hence, middlemen like Maoli exist, and at the bottom are the “foreigners” providing information verification, completing KYC as required, perhaps taking just a few dollars.

The sources of “foreigners” are global—those in Southeast Asia, East Africa, Latin America who take orders under the guise of “online part-time jobs,” performing the required nods, head shakes, and blinks, taking rewards equivalent to a few dollars to tens of dollars.

Maoli didn’t specify exactly how much money is given to the “foreigners,” but a recruitment post circulating on a Russian-language forum reads: “Only your face needed. Complete video verification via WhatsApp. 1,500 to 2,000 rubles per time (approximately $17 to $23), can be done multiple times a day.”

When Worldcoin deployed its spherical iris-scanning devices in Cambodia and Kenya, this phenomenon briefly surfaced—a black market for World IDs priced below $30 quickly emerged. In 2024, Thai authorities ordered the deletion of 1.2 million collected iris data sets, and Indonesia halted all Worldcoin activities. But Worldcoin is just the tip of the iceberg, and it’s the branded side with journalists who can ask questions.

Pricing follows another logic. “The more developed the region, the more expensive the KYC,” Maoli said. “If the fee you offer isn’t enough to buy breakfast, they simply won’t cooperate with your operation.” US orders are the hardest, sometimes requiring the client to take the “foreigner” to get documents offline in New York.

Every transaction he services comes with after-sales terms: he only guarantees “first login” success. “Because we can’t control the risk control rules of each exchange or platform; they can change at any time,” he said. The buyer’s first task upon receiving the account is to change the bound email, set up two-factor authentication, and kick out unknown devices. The window may only be a few hours.

He also admits there are cases he can’t handle. “Accounts that require face scan every login cannot be made; a foreigner can’t possibly fly to China every time to scan your face for login.” He added: “Following this logic, platforms with very, very strict risk control usually don’t lack users or data, nor do they have activities with particularly high benefits, so few people buy them.”

Web3 KYC: A Door Frame with an Empty Door

Maoli has a clear positioning of what he’s doing.

When asked whether KYC in the crypto industry is fulfilling its intended purpose, he said, “KYC is a threshold everyone is aware of—platforms, users, everyone knows what they’re doing. For those genuinely wanting to participate in the industry, it’s not a barrier, more like a screening method.”

In his description, this is a win-win-win transaction: users gain access to the platform, exchanges gain new users and data, and he collects a service fee. “A triple win,” he said.

This logic has a detail hidden in his own after-sales warning: “Since this is an account registered with someone else’s information, please do not place large amounts of funds on the platform. Participate with small amounts, deposit and withdraw promptly.” His “foreigners” are informed, compensated participants. But the term “someone else” implies there is a real person behind the account, a person who can claim rights at any time.

But CoinDesk’s investigation shows that in the larger market, some accounts come with the names, addresses, and Social Security Numbers of real residents who are completely unaware. These people are not within the “triple win.”

Maoli is one person in this market willing to be interviewed. Behind him, there are an estimated 500,000 participants, about 1 million sales posts, and a still-functioning shadow system.

Note: The Telegram chat records and on-chain data mentioned in the article were obtained by the author during the investigation.
