Beyond Face Verification: Jinkusu Cam Triggers Trust Collapse in eKYC

The article dissects Jinkusu Cam, a real‑time deepfake and voice‑cloning tool that undermines eKYC facial verification, outlines its technical stack, highlights emerging fraud challenges, and proposes multi‑layered defensive strategies for financial institutions.

Black & White Path
Security Research Statement: This paper, released by the Huameng security research team, analyses the latest attack tool from the black‑market group Jinkusu (金克斯) to raise awareness among financial and RegTech practitioners. The technical details are intended solely for authorized testing and defense hardening.

Jinkusu Cam: Real‑time Deepfake Tool for KYC Bypass

Organizational Evolution

Active on dark‑web forums (XSS, BreachForums) in 2024‑2025, the group first released phishing kits such as Starkiller that used headless Chrome and reverse‑proxy techniques to evade MFA. In 2026 the focus shifted to AI‑based Identity Fraud‑as‑a‑Service as banks adopted biometric verification.

Industry Context

By 2026 deepfake technology became a structural threat to identity verification. Remote onboarding made facial‑recognition‑based eKYC the trust cornerstone. Industry data from early 2026 shows a 40 % increase in deepfake‑related fraud attempts over the previous twelve months, with record‑high success rates for fraudulent account openings.

Technical Stack

1. Real‑Time Performance (Latency Gap)

Inference is accelerated with TensorRT and DirectML, keeping end‑to‑end latency under 30 ms at 1080p/30 fps, making frame‑rate changes imperceptible to humans and to most baseline liveness algorithms.

2. Neural Expression Mapping

Uses a 478‑point 3D face mesh to capture pupil contraction, nasal wing tremor, and dental‑phoneme synchronization. Because attacker motions are mapped onto the forged face in real time, traditional blink or head‑shake challenges are ineffective.

3. Injection Attacks

Employs kernel‑level hooking or a virtual‑camera pipeline to inject fabricated streams directly into low‑level interfaces such as the WebRTC capture layer. The target application receives video data from the system’s device list, bypassing any physical light capture.

Current Industry Challenges

“All Green” Fraud: Risk‑control dashboards show green for device compliance, location authenticity, biometric match, and liveness, while attackers combine stolen synthetic identities with perfect visual forgeries, rendering rule‑based audits ineffective.

Industrialized Fraud: The tool is often paired with “Money‑Laundering‑as‑a‑Service”. Low‑skill operators can launch thousands of fake account attempts per day, overwhelming manual review.

Technology Gap: Many midsize banks still run detection algorithms from 2023‑2024. Jinkusu leverages 2025‑era GAN enhancements (e.g., real‑time GFPGAN) that cause a sharp drop in recall for spatial‑feature‑based detectors.

Defensive Evolution

Injection Prevention: Deploy Runtime Application Self‑Protection (RASP) to monitor camera API hijacking and detect virtual driver presence.

Frequency‑Domain Analysis: AI‑generated images exhibit periodic noise artifacts in the frequency domain, providing an effective mathematical detection method for real‑time face swaps.

Challenge‑Response Upgrade: Require hand‑wave gestures or interaction with random light‑pattern arrays, creating rendering tears or depth inconsistencies that expose 2D deepfakes.
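As an added illustration of the frequency‑domain idea (example code written for this article, not a Jinkusu or Huameng artefact), the following pure‑Python snippet masks the low‑frequency core of a frame's 2‑D DFT and scores how sharply the remaining spectrum peaks. The frames and the periodic grid overlay are constructed inputs, and the threshold of 8 is an assumption tuned to these synthetic frames, not a production value.

```python
import cmath
import math
import random
from statistics import median

N = 32  # edge length of the constructed sample frames

def dft1d(seq):
    """Naive 1-D DFT (pure Python so the example runs without numpy)."""
    n = len(seq)
    return [sum(seq[k] * cmath.exp(-2j * math.pi * f * k / n) for k in range(n))
            for f in range(n)]

def magnitude_spectrum(img):
    """2-D DFT magnitudes: transform rows, then columns; returns mag[v][u]."""
    rows = [dft1d(r) for r in img]
    cols = [dft1d([rows[y][u] for y in range(len(img))]) for u in range(len(img[0]))]
    return [[abs(cols[u][v]) for u in range(len(img[0]))] for v in range(len(img))]

def periodic_artifact_score(img, low_cut=2):
    """Peak-to-median ratio of the spectrum outside the low-frequency core.

    DC and smooth shading sit next to the origin and are masked out. A periodic
    upsampling grid shows up as isolated spikes far from the origin, whereas
    sensor noise spreads evenly, so the ratio separates the two cases.
    """
    n = len(img)
    mag = magnitude_spectrum(img)
    centered = lambda f: f if f <= n // 2 else f - n
    bins = [mag[v][u] for v in range(n) for u in range(n)
            if max(abs(centered(u)), abs(centered(v))) > low_cut]
    return max(bins) / median(bins)

def looks_generated(img, threshold=8.0):
    return periodic_artifact_score(img) > threshold

def synth_frame(seed=1234, grid_period=None, grid_amp=20.0):
    """Constructed frame: smooth shading plus sensor-like noise, optionally with
    a periodic grid of the kind left behind by generator upsampling layers."""
    rng = random.Random(seed)
    img = []
    for y in range(N):
        row = []
        for x in range(N):
            v = 128 + 40 * math.sin(2 * math.pi * x / N) + 30 * math.cos(2 * math.pi * y / N)
            v += rng.uniform(-5, 5)
            if grid_period:
                v += grid_amp * math.cos(2 * math.pi * x / grid_period) * math.cos(2 * math.pi * y / grid_period)
            row.append(v)
        img.append(row)
    return img

if __name__ == "__main__":
    print("clean   score:", round(periodic_artifact_score(synth_frame()), 1))
    print("gridded score:", round(periodic_artifact_score(synth_frame(grid_period=4)), 1))
```

On real frames the same measure is taken on each decoded video frame (or a crop around the face); the low‑cut radius and threshold must be calibrated on genuine camera captures from the target devices.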

Advanced Attack Path

1. Kernel‑Level Hooking in Emulators

Supports Android emulators (BlueStacks, LDPlayer) by creating a fake V4L2 video capture device in kernel space; the eKYC app receives a circular buffer instead of a physical sensor. Additionally, OpenGLES texture replacement hooks the graphics pipeline to swap facial textures at the framebuffer level, evading screenshot‑based detection.

2. Counteracting Detection with GFPGAN

Integrates a GFPGAN module that smooths generative artifacts, converting mathematical imperfections into plausible skin pores and ambient lighting. This reduces recall for detectors that rely on spatial features such as Xception or EfficientNet.

3. Shift Toward Hardware‑Rooted Trust

Environment integrity is lost when the execution environment is compromised (rooted phone or hardened emulator). Industry is moving toward hardware‑backed challenge‑response, e.g., iPhone TrueDepth sensor emitting random structured‑light patterns and requiring 3D depth reconstruction; a 2D face‑swap cannot reproduce accurate Z‑axis depth.

“Facing tools like Jinkusu, we must admit that human biometric traits are no longer secret nor unique credentials.” – Huameng Network

Recommendations for CISOs

Optical‑Flow Continuity Audits: Require users to move the phone in an arc during verification; extreme oblique angles often cause model tearing or flickering in real‑time rendering.

Device Attestation: Use Google Play Integrity API or Apple DeviceCheck to reject operations from simulators or insecure devices.

Multimodal Behaviour Analysis: Correlate facial data with typing rhythm, gyroscope micro‑movements, and other sensor signals; forging these auxiliary signals is considerably harder.
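A server‑side evaluation of a Play Integrity verdict for an eKYC session, as an added example rather than Google's or the page's own code: it assumes the token has already been decrypted and signature‑verified upstream (Google's decodeIntegrityToken endpoint), and the package name, nonce and timestamps are constructed sample values. It rejects emulator sessions (MEETS_VIRTUAL_INTEGRITY only), rooted or unknown devices (no device label) and replayed tokens (nonce mismatch).

```python
# Device labels a physical, unmodified device is expected to carry.
# MEETS_VIRTUAL_INTEGRITY (Google-approved emulator) is deliberately absent:
# the recommendation above is to reject simulators outright.
PHYSICAL_DEVICE_VERDICTS = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}

def evaluate_integrity_verdict(verdict, expected_package, expected_nonce, now_ms,
                               max_age_ms=300_000):
    """Decide whether a decoded Play Integrity verdict is acceptable.

    Assumes decryption and signature verification happened upstream; this only
    inspects the decoded payload. Returns (accept, reasons).
    """
    reasons = []
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch: token not bound to this KYC session")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or age > max_age_ms:
        reasons.append("token timestamp missing or stale")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Play (repackaged or sideloaded)")
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if not labels & PHYSICAL_DEVICE_VERDICTS:
        reasons.append("device verdict %s: emulator, rooted or unknown device" % sorted(labels))
    return (not reasons, reasons)

# Constructed sample verdicts shaped like decoded payloads (not real tokens).
SESSION_NONCE = "c2Vzc2lvbi0xMjM0"   # constructed, base64 of a per-session value
NOW_MS = 1700000060000                # constructed: 60 s after the token timestamp

def sample_verdict(device_labels, nonce=SESSION_NONCE):
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": nonce, "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.bank"},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }

if __name__ == "__main__":
    for labels in (["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
                   ["MEETS_VIRTUAL_INTEGRITY"], []):
        print(labels, evaluate_integrity_verdict(sample_verdict(labels),
                                                 "com.example.bank", SESSION_NONCE, NOW_MS))
```

Apple DeviceCheck/App Attest follows the same pattern: bind the attestation to a per‑session challenge, verify it server‑side, and only then let the liveness result count.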

Conclusion

Jinkusu Cam demonstrates the democratization of black‑market deepfake capabilities: any criminal with a capable GPU can now wield technology previously limited to nation‑state labs. Ongoing monitoring also covers large‑scale automated attacks against voiceprint authentication.

Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
