$20 for a face: the underground assembly line of KYC in the crypto world.

Written by: angelilu, Foresight News

"Service is not currently supported in your region."

I've lost count of how many times I've seen this message. This time, I was fully prepared—I took out my passport, took photos of the front and back of the camera, switched to selfie mode, took a photo of myself holding the ID, and followed the on-screen prompts to nod, shake my head, and blink. The whole process took about ten minutes, and I was more careful than last time. Then the page redirected, displaying "Submission successful, awaiting review."

I waited three days. On the fourth day, I refreshed the page, and the status was still "under review." The withdrawal function was frozen, with the reason being "awaiting identity verification completion." The subscription window for the project I wanted to participate in will close in 48 hours.

Or, there's no waiting at all—the page identifies the IP address before I even take any action, and immediately pops up the message: "Service is not currently supported in your region." There's no reason given, no appeal channel, and no explanation of what else I can do. It's not that I don't want to cooperate; it's that I don't even have the right to cooperate.

This is a situation we often encounter; it's the most common hurdle in the crypto industry: KYC, Know Your Customer. KYC is the most weighty part of the word "compliance": you have to prove you are who you are to get in.

Over the past five years, some mainstream exchanges have gradually outsourced their KYC (Know Your Customer) processes to commercial identity verification systems such as Sumsub and Jumio. Compliance costs have been "productized" and have become a continuous expense. For leading platforms, this expenditure has reached the millions to tens of millions of US dollars.

Several cryptocurrency payment industry professionals told Foresight News that the industry still heavily relies on third-party service providers such as Sumsub and Jumio for KYC procedures, as these solutions have significant advantages in global data coverage and compliance capabilities.

However, as transaction volume expands and risk control demands increase, some leading institutions have begun to explore a hybrid model of "self-built risk control + third-party KYC" in order to achieve a better balance between cost, pass rate and risk control.

However, no matter how high this wall is built, the underground market has already set its own price. And on the other side of this wall, there exists a complete underground industry chain dedicated to penetrating this system at low cost. The price to penetrate it is 20 USDT—covering the entire verification process required by the exchange: passport or driver's license upload, facial recognition, proof of residence, all delivered in one package.

500,000 people, a market no one has ever counted.

Based on the principle that "where there's a policy, there's a countermeasure," I started searching for "Web3 KYC" online. Instead of tutorials, I saw more warnings.

A 2023 report by CertiK scanned more than 20 underground KYC markets and found that the total number of participants at the time exceeded 500,000, specializing in buying and selling verified accounts on various platforms, concentrated in Southeast Asia, with group sizes ranging from 4,000 to 300,000 people.

Cybersecurity company ZeroFox once estimated that over a year, more than 1 million posts selling KYC accounts were found on public forums and Telegram, involving mainstream compliant exchanges such as Coinbase Pro and Kraken, with prices ranging from $150 to $500.

A CoinDesk investigation took a more direct approach, purchasing several accounts for verification. Each account was associated with a real user's name, home address, and date of birth—for US residents, the accounts even included their Social Security numbers. They then searched public databases and found four real individuals whose information perfectly matched the account details, sending them written notifications. These individuals reported complete ignorance, unaware that their names were linked to a stranger's exchange account, an account they had never set a password for.

The technological aspects are also deteriorating simultaneously. According to Sumsub 's 2025 Identity Fraud Report, deepfake attacks have increased by more than 2,000% in the past three years and now account for about one-fifteenth of all identity fraud attempts.

The attack path forms a three-layer structure:

• The lowest layer uses a high-resolution screen in conjunction with a polarizing filter to eliminate reflections, making the "video playback" image optically close to the real shooting;
• The second layer is a hook injection attack, which directly hijacks the system call interface of the phone camera and "feeds" a pre-recorded 4K video into the application's capture window. What the application "sees" is the real-time output of the camera, but what actually flows in is a pre-prepared video.
• The third layer is a one-click AI face-swapping tool; simply upload a photo to generate a face, lowering the barrier to attack to zero. The average cost of breaking through a real-person liveness detection system is $10, resulting in a return on investment of up to 1400%.

According to Threat Hunter's " 2025 Global KYC Attack Risk Research Report ," cryptocurrency exchanges and wallet payment platforms are the core targets of all KYC attacks, accounting for over 78% of all attacks. The most sold attack materials are "address proof" files, for a simple reason: they require frequent updates, while AI can generate them in batches.

These figures paint a clear picture: fraud, identity theft, and an organized criminal supply chain. Stack these numbers together: 500,000 participants, 1 million publicly traded sales posts, and accounts from leading compliant exchanges like Coinbase, Binance US, and Kraken. This isn't an isolated case on any one platform, but a systemic vulnerability faced by the entire crypto compliance system—as long as KYC exists, a market that bypasses it will exist, and on a considerable scale.

Each report uses very specific language, employing terms like "threat actors," "underground markets," and "illegal operations." But they share a common blind spot: they are all viewed from the outside, from the perspective of regulators and security companies, as if describing a fire behind a glass window.

However, no report explains who those who are "online" on Telegram every day are, how they view what they are doing, and who this business is actually serving.

I decided to talk to people in the industry.

An underground KYC vendor: 600 transactions in two years

Searching for KYC on Telegram will bring up a batch of accounts within seconds.

In early March, I randomly selected a KYC intermediary that seemed trustworthy. Unfortunately, I encountered a cold guy whose replies were no more than five words. He answered most of my questions with "yes" directly, and the most information I got was a price quote, such as "CoinList's KYC is 40 USD" and "Coinbase's KYC is 20 USD".

After a long silence, the other party sent a slightly longer message: "So, can we work together?" The sentence sounded like a forced translation from another language; it read like they were discussing a collaboration, but it was probably just a push for a deal. The conversation was difficult to continue.

So I checked the TRON blockchain receiving address he gave me on the blockchain. This address has been operating since January 2024, and has accumulated over 59,243 USDT in inflows over 600 transactions spanning 26 months. However, the net retention is zero.

Every single transaction was quickly emptied within a short period and redirected to the same upstream address. Tracing this chain, the money was eventually transferred to OKX's hot wallet on the TRON chain. This middleman, who helped people bypass KYC, deposited every penny he earned into the exchange.

An anonymous seller, not particularly large, generated nearly $60,000 in revenue over two years, with 600 transactions. There were no holidays, no off-seasons, only the ebb and flow of new product launches. And this is just one address, one seller, one chain.

The chain didn't connect with me; the trail ended there. Anonymous people won't speak; I need to find someone more willing to talk.

A KYC "businessman": Five years, dozens of platforms

I finally found a "businessman" on X who specializes in KYC services. Through a friend's introduction, I added him on social media, and he agreed to be interviewed.

His name is Maoli, and he runs a "blockchain service platform" with a wide range of products.

When talking about the Web3 KYC service, Maoli said, "I looked for various channels based on the needs of my fans and spent time researching them to gradually build up this business."

MaoLi has been operating for five years now. Currently, he runs the business with one assistant, and most products are automatically shipped. His product catalog covers dozens of platforms and is priced in RMB. The higher the price, the more recent participants and popularity the platform has, or the more difficult it is to bypass the identity verification threshold.

"Once set up, it's basically automated, not to mention that AI can assist now," he said. "Basically, it doesn't require many people to operate it." The exception is when the market is good—when there are many new projects, he can work up to 12 hours a day. When the market is bleak, he devotes his time to the operation of X.

"A small shop for the people, serving all fans in the blockchain industry," he described his business.

His clients are located throughout the Chinese-speaking world: Mainland China, Hong Kong, Taiwan, Malaysia, South Korea, and the United States. Mainland users have the most direct needs—many IPO platforms block Chinese IP addresses; if you upload your passport or ID card, the system automatically rejects it, with no appeal channel or explanation.

"They buy accounts to participate in activities," Maoli said. Each time he delivers an account, he includes a fixed risk warning: "Since this account was registered using someone else's information, please do not keep large sums of money on the platform. Participate in small amounts and withdraw them as needed." The "risk" he points out is that the account may be retrieved by the original owner at any time; using someone else's identity information to register a financial account also constitutes identity fraud in most jurisdictions.

The emerging industrial chain

How is a single order completed? Maoli described the complete process: pre-sales consultation, payment, he contacts a "qualified foreigner", the foreigner operates according to the pre-trained process, completes KYC, the account is transferred to the buyer, the buyer verifies and modifies the security settings, and the order is closed.

His most memorable client was a Korean man, the head of a professional incubation team, who always placed large orders. "He would always collaborate with project teams to buy a huge number of accounts," Maoli said. "He told me he made a lot of money through me. But I didn't make much; he made money from resources, while I made hard-earned money from KYC."

In other words, this industry chain has multiple levels. South Korean incubation teams, acting as demanders, profit by participating in project subscriptions in bulk through accounts. This is why intermediaries like Maoli exist. At the bottom level are the "foreigners" who provide information verification; they complete KYC as required and may earn a few dollars in return.

The "foreigners" come from all over the world—those who take orders in Southeast Asia, East Africa, and Latin America under the guise of "online part-time jobs," completing actions such as nodding, shaking their head, and blinking as required, and receiving a reward equivalent to a few to tens of dollars.

Maoli didn't specify how much money was given to the "foreigners," but a recruitment post circulating on a Russian forum read: "All you need is your face. Complete video verification via WhatsApp. 1,500 to 2,000 rubles (about $17 to $23) each time, multiple times a day."

Worldcoin briefly brought this phenomenon to the forefront when it deployed spherical iris scanning equipment in Cambodia and Kenya—a black market for World IDs priced below $30 appeared, and in 2024, Thai authorities ordered the deletion of 1.2 million collected iris data sets, while Indonesia halted all Worldcoin activities. But Worldcoin is merely the tip of the iceberg, and it's the side with a brand and the kind of story journalists can investigate.

There's another logic to pricing. "The more developed the region, the more expensive KYC is," Maoli said. "If the fee you offer isn't even enough to buy breakfast, they simply won't cooperate with you." Orders from the United States are the most difficult, sometimes requiring clients to bring foreigners to New York to complete the paperwork in person.

Every transaction he handles comes with after-sales terms: he only guarantees successful "first login." "Because we can't control the risk control rules of every exchange or platform; they can change them at any time," he explains. Once the buyer receives the account, the first thing they do is change the linked email address, set up two-factor authentication, and kick out unknown devices. The window of opportunity might only last a few hours.

He also admitted that there are situations where it's impossible to do it. "Accounts that require facial recognition every time you log in can't be created. Foreigners can't keep flying to China to have their faces scanned for login." He added, "Following this logic, platforms with very strict risk control are usually platforms that don't lack users or data, and they don't offer particularly high-benefit promotions, so very few people would buy them."

Web3 KYC, an empty door with a frame.

Catfish has a clear understanding of what it does.

When asked whether KYC in the crypto industry is fulfilling its intended purpose, he said, "KYC is a threshold that everyone knows. Platforms and users alike know what they're doing. For those who genuinely want to participate in the industry, it's not an obstacle, but rather a screening method."

In his description, it was a win-win-win deal: users gained access to the platform, the exchange gained new users and data, and he collected service fees. "A win-win-win," he said.

There's a detail hidden in his own after-sales notice: "Since this account was registered using someone else's information, please do not keep large sums of money on the platform. Participate in small amounts and withdraw them as needed." His "foreigner" is a knowledgeable and paid participant. But the word "someone else" implies that there is a real person behind the account, someone who can assert their rights at any time.

However, CoinDesk's investigation reveals that in a larger market, some accounts are linked to the names, addresses, and social security numbers of real residents without their knowledge. These individuals are not part of the "win-win-win" scenario.

Maoli is one of the few people in this market who is willing to be interviewed. Behind him are an estimated 500,000 participants, about 1 million sales posts, and a shadow system that is still in operation.

Note: The Telegram conversation records and on-chain data mentioned in this article were obtained by the author through investigation.