Attack-as-a-Service
“Attack-as-a-Service” refers to a business model where threat actors offer specialized services to bypass remote identity verification systems rather than selling the attack tools themselves.
In this model:
- Instead of selling software tools, threat actors provide end-to-end services where they handle the technical aspects of creating verification bypasses
- Customers can purchase in two main ways:
- Service-based: Paying for specific technical services (such as having photos processed into convincing face swaps)
- Volume-based: Purchasing a set number of pre-verified accounts or identities ready for use
- The typical process involves customers sending photos and payment to the service provider, who then creates the required bypass materials and returns the finished product
“Most recently, threat groups are no longer offering software itself for sale but are offering a service whereby an interested user will pay for an image to be processed or pay for a certain number of accounts. They have various specialty or boutique capabilities that a customer can go to to fulfill the request.” – Matt Welch, Head of Threat Intelligence, iProov.
This business model offers several advantages for threat actors:
- It protects them from security monitoring since they don’t distribute their actual tools
- It maintains control of its proprietary techniques and methods
- It creates a more secure transactional relationship rather than selling tools that could be analyzed by security researchers
- It allows them to specialize in complex technical work while their customers focus on using the end results
This evolution reflects a maturing criminal ecosystem where remote identity verification bypass has become a specialized service within the broader “Crime-as-a-Service” landscape. Just as legitimate businesses use Software-as-a-Service to access specialized capabilities without developing them in-house, criminals now purchase specific expertise rather than mastering complex technical skills themselves.
In this Crime-as-a-Service marketplace, different groups specialize in distinct areas: some focus exclusively on remote identity verification bypass (which is the Attack-as-a-Service component), while others concentrate on credential theft or money laundering. Criminals can then combine these specialized services to execute sophisticated, multi-stage fraud operations.
The 2025 Threat Intelligence Report highlights a significant development in this space: previously isolated regional criminal groups are now collaborating and sharing techniques across borders. This cross-pollination of expertise mimics how legitimate business markets naturally evolve from regional operations into global networks, making the threat landscape more sophisticated and challenging to combat.
| Feature | Attack-as-a-Service (Identity Verification Bypass) | Broader Crime-as-a-Service |
|---|---|---|
| Definition | Specialized services focused on bypassing remote identity verification systems | A comprehensive criminal ecosystem where various illegal services and activities are offered on demand across physical and digital domains |
| Scope | Narrowly focused on identity verification bypass techniques | Covers the full spectrum of criminal activities, including drug trafficking, human trafficking, contract violence, document forgery, money laundering, smuggling, and cybercrime |
| Service Examples | Face swap processing, Creation of synthetic identities, Providing pre-verified accounts, Processing ID documents | Drug production and distribution networks, Human trafficking operations, Document forgery services, Contract violence, Money laundering services, Smuggling networks, Various cybercrime services |
| Specialization | Highly specialized with deep expertise in remote identity verification systems | Multiple specializations covering diverse criminal activities across physical and digital domains |
| Integration | Functions as a component within the broader Crime-as-a-Service ecosystem | Acts as the overall marketplace framework for criminal services of all types |
| Target Customers | Those specifically looking to commit identity fraud or access restricted systems | Wide range of criminals with various objectives across multiple criminal domains |
| Business Model | Processing services for specific bypass needs, Volume-based identity/account sales | Varies by criminal domain – includes service fees, commission structures, subscription models, territorial arrangements, and supply chain participation |
| Technical Expertise | Focused on remote identity verification, deepfakes, and injection techniques | Varies widely from highly technical cybercrime skills to expertise in physical criminal operations like smuggling or manufacturing |
| Evolution | Relatively newer specialization, growing rapidly with AI advancement | A long-established concept that has evolved from traditional criminal organizations into service-oriented business models |
| Relationship | Attack-as-a-Service is a specialized subset within the Crime-as-a-Service ecosystem | Crime-as-a-Service is the umbrella framework encompassing all types of criminal services |
Differentiation at a glance: Attack-as-a-Service for Remote Identity Verification Bypass
Attack-as-a-Service in the Remote IDV context refers specifically to specialized services that help criminals bypass identity verification systems used by banks, government services, crypto exchanges, and other organizations requiring proof of identity.
Rather than selling tools, these services:
- Process customer-provided photos into convincing deepfakes
- Create synthetic identities that allegedly bypass verification checks
- Provide pre-verified accounts ready for fraudulent use
- Offer technical expertise to circumvent specific verification systems
The process typically involves sending photos and payment to specialists who handle the technical work of creating verification bypass materials, and then providing the finished product to the customer.
This represents just one specialized service within the much broader Crime-as-a-Service ecosystem, which encompasses diverse criminal activities ranging from drug trafficking and human exploitation to various forms of cybercrime, money laundering, and physical criminal operations.
Crime-as-a-Service (CaaS): The Broader Ecosystem
Crime-as-a-Service (CaaS) represents the evolution of criminal enterprises into sophisticated business models that mirror legitimate service industries, extending far beyond cybercrime. This ecosystem encompasses diverse illicit activities where specialized criminal service providers offer their expertise, infrastructure, and resources to clients who wish to commit crimes without developing capabilities themselves.
The CaaS ecosystem spans numerous criminal domains, including drug trafficking networks, human trafficking and modern slavery operations, illegal pornography production and distribution, contract violence services, document forgery specialists, money laundering operations, smuggling networks, cybercrime services, and criminal expertise marketplaces.
This service model has transformed criminal operations by creating specialized roles within ecosystems that mimic legitimate business structures, complete with division of labor, quality assurance, customer service, and even dispute resolution mechanisms. The model has proven particularly effective as different regional and linguistic criminal groups have begun sharing techniques and collaborating across borders, creating global criminal service networks.
The advent of CaaS has significantly lowered barriers to entry for criminal activity, allowing clients to purchase only the specific criminal services they need without developing comprehensive capabilities themselves, making law enforcement disruption increasingly challenging.