If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Regulators spent the last few years demanding that banks, crypto exchanges, and fintech apps collect face scans, ID photos, and biometric templates from every customer. They sold this as a defense against financial crime. What it actually built was a global inventory of the most sensitive identifiers a person has, stored across thousands of corporate databases, waiting to be breached. Now the stolen contents of those databases power a thriving economy that lets money launderers walk through the front door of major banks wearing someone else’s face. The push toward biometric access and digital ID verification did not stop the fraud. It supplied the raw material for it. A video reviewed by MIT Technology Review shows the consequence in miniature. Somewhere inside a Cambodian scam compound, a worker opens a popular Vietnamese banking app, taps through the login flow, and reaches the liveness check. He holds up a static photo of a woman who looks nothing like the 30-something Asian man whose account he’s accessing. The app asks him to adjust the face in the frame. Ninety seconds later, he’s in. That demonstration arrived from Hieu Minh Ngo, a former hacker turned cybersecurity advisor to the Vietnamese government who now investigates money laundering for an anti-scam nonprofit. The exploit he shared uses a virtual camera, a tool that replaces a phone’s live video feed with whatever the operator wants to show, whether a stolen photo, a deepfake, or a cardboard cutout of a stranger. Banks designed liveness checks to confirm a real person is sitting behind the screen. Virtual cameras make that confirmation meaningless. The facial templates feeding those cameras had to come from somewhere. They came from the KYC files that regulators required banks and exchanges to build. Face scans, passport photos, and liveness videos, once submitted to open an account, do not disappear. They accumulate in corporate archives governed by retention policies most users never read, and they leak through breaches, insider theft, and vendor compromises into the same Telegram marketplaces that sell the bypass kits. Your face is your face. Your passport photo is your passport photo. Once those templates circulate online, they circulate forever, feeding every future fraud attempt against every future KYC system you encounter. MIT Technology Review spent two months earlier this year cataloging that marketplace. The result was 22 public Telegram channels and groups operating in Chinese, Vietnamese, and English, hawking bypass kits and stolen biometric data to anyone willing to pay. Some had thousands of subscribers. The bio of the program used by the Cambodian launderer read, “Specializing in bank services—handling dirty money,” finished with a thumbs-up emoji. “Secure. Professional. High quality.” The channels advertised services with bullet points like “All kinds of KYC verification services” and “It’s all smooth and seamless,” paired with videos purporting to show real bypasses. Governments and financial institutions describe the underlying data hoarding as the price of stopping financial crime. The actual ledger looks different. Compliance requirements produced centralized collections of biometric data that cannot be changed after a leak. Passwords can be rotated. Credit cards can be reissued. Faces cannot. Every mandate that pushes more institutions to collect more biometric templates from more users expands the pool of permanently compromised identity data without giving anyone a way to claw it back. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post How the KYC Mandate Became a Biometric Heist appeared first on Reclaim The Net.