From VPNs to Face Swaps: How Age Verification Loopholes Mirror the Bigger Fraud Problem

The UK Government’s planned under-16 social media ban has pushed age assurance back into the headlines.

When the Online Safety Act age-check requirements came into force on July 25, 2025, the intent was clear and defensible: children should be better protected from harmful online experiences.

But the rollout also highlighted a challenge that now sits at the center of digital trust: when age checks appear, circumvention will follow.

Proton VPN reported UK sign-ups spiking roughly 1,400% as the rules took effect; NordVPN saw around 1,000%. Ofcom data showed daily UK VPN usage more than doubled to 1.4 million users before settling around 900,000, a significantly elevated baseline.

Tor usage has shown a similar pattern in other markets where age assurance has moved up the policy agenda; Australian data following social media age-verification requirements is one example:

To be clear, the rules are also working: Ofcom reported sharp drops in UK visits to the largest adult sites after enforcement, and polling shows most Britons support the law’s intent. The issue is not that age assurance cannot work. It is that, when checks are tied to signals users can mask, the same rollout can both enforce compliance and drive circumvention.

Similar laws in the UK, Australia, and several US states have revealed the same core challenge.

The question is not whether age-verification laws should exist; the question is whether current approaches to age assurance are exposing a broader weakness in digital trust.

VPNs Don’t Bypass Verification, They Bypass the Trigger

Most age-verification systems rely on IP geolocation to decide whether to prompt a user for verification in the first place. If a site detects a UK IP address, it triggers an age check. If the IP appears to originate from outside the regulated jurisdiction, because the user is connected through a VPN, the verification workflow never starts.

VPNs don’t bypass age checks. They bypass the condition under which age checks are required.

This is not a failure of identity verification technology. It is a reminder that the trigger matters as much as the check. If a verification flow is never invoked, strong biometric verification, document checks, or liveness detection never get the chance to do their job.

There is a second design issue here: not all age assurance methods provide the same level of certainty. Many solutions deployed to meet age verification laws are actually age estimation tools, which are probabilistic and may not deliver the level of certainty required in higher-risk compliance or enforcement contexts. Learn more in our blog on age verification vs estimation.

The UK Government has pointed to AVPA figures showing an additional 5 million age checks a day after the rollout, real evidence that, for the users it reaches, the system is working. What those numbers can’t capture is everyone who never reached a check at all, because a VPN placed them outside its scope.

That is the trigger problem in one sentence: the strongest verification in the world cannot protect a flow that never begins.

Why This Matters Beyond Age Gates

When someone uses a VPN or Tor to access restricted content, they’re using tools that organized fraud rings rely on to:

• Obscure their location when opening fraudulent bank accounts
• Bypass geofencing controls on crypto exchanges
• Evade sanctions by masquerading as customers from unrestricted regions
• Conduct mass account creation from a single physical location
• Test stolen credentials against multiple services without triggering velocity checks

The intent is different. A teenager trying to access a platform is not the same as a criminal opening mule accounts. But the underlying pattern is the same: hide the signal, avoid the trigger, bypass the control.

That overlap is why age gates matter beyond child safety. They make a fraud-prevention problem visible to the wider public. Not everyone who downloads a VPN becomes a fraudster. Of course not. But it is a reminder of how readily people reach for circumvention tools — VPNs, proxies, spoofed locations — the moment a control feels like friction. The toolkit overlaps with the one fraud operations rely on at scale, even when the intent is completely different.

From VPNs to Face Swaps: A Spectrum of Identity Evasion

If VPNs hide where you are, face swaps and deepfakes hide who you are. VPNs show what happens when users can avoid the check. Face swaps show what happens when users reach the check and try to fake the person.

A fictional video game character passed a real age check. When Discord rolled out facial age verification, users found that photo mode in Death Stranding let them puppeteer a character’s face through the “open and close your mouth” step to clear it (PC Gamer). The lesson behind the joke: liveness checks built on predictable, repeatable actions can be vulnerable to replay or imitation. Genuine presence depends on a challenge that can’t be anticipated or reused.

That same trajectory scales well beyond a game-mode workaround:

• iProov’s threat intelligence documented a 1,151% surge in iOS injection attacks in the second half of 2025.
• Deloitte projects that US generative-AI-enabled fraud losses will climb from $12.3 billion in 2023 to $40 billion by 2027.

These are not isolated problems. They are different expressions of the same fraud logic: if a digital service needs to trust something, attackers will try to fake it. Location can be masked. Devices can be manipulated. Documents can be forged. Faces can be swapped. Video streams can be injected.

That is the spectrum of identity evasion.

The Only Resilient Trust Anchor: Genuine Human Presence

If all of those trust signals can be faked, what’s left?

The answer is genuine human presence, verified live, in that moment.

Technologies like iProov’s Dynamic Liveness establish genuine presence by answering a deceptively simple question: is this a real person, the right person, present right now? Robust biometric liveness detection helps neutralize threats like recordings, deepfakes, face swaps, and injection attacks.

In most identity verification scenarios, opening a bank account, accessing government services, and completing KYC for financial platforms, the trigger doesn’t depend on network location. Whether you’re connecting from London or Lagos, behind a VPN or not, the system still requires you to verify your identity with legitimate credentials like a government-issued document. In these cases, biometric liveness provides a robust trust anchor that VPNs and Tor cannot defeat.

Age verification is uniquely different. When the trigger depends entirely on IP-based geolocation, “are you in a regulated jurisdiction?”, then VPNs and Tor bypass the system before genuine presence verification can even begin. This is not a failure of biometric technology; it is a reminder that the trigger matters as much as the check.

The Path Forward

The UK under-16 social media ban is a timely case study, but it is not the whole story. It is one example of a much wider shift toward proving age, identity, and entitlement online.

Let’s be clear: VPNs and Tor serve critical purposes. Blocking these tools wholesale would be both technically infeasible and ethically questionable. The problem is not the existence of privacy infrastructure. It is the reliance on enforcement triggers that those tools can route around.

That points to where age assurance needs to go. A check tied too heavily to a spoofable IP signal risks becoming the weakest link, so the trigger has to move closer to the user, not their apparent location. That means device and operating-system-level age signals, reusable verified credentials, and privacy-preserving ways for a person to prove age or identity once without re-running a check that geography can defeat. It’s the same principle behind the EU’s move toward digital identity wallets: trust anchored to a verified credential, not to a network signal.

Where verification is already mandatory and not location-gated, banking, KYC, government services, account recovery, and remote work, genuine presence is the resilient anchor today. Age verification simply proves the principle by negation: a check is only as good as the trigger that invokes it.

To perform optimally, future systems must:

• Move the trigger away from easily spoofed network signals
• Favor privacy-first design with privacy-preserving credentials so verification doesn’t become a data honeypot
• Anchor high-risk verification in genuine human presence
• Layer security controls so defeating one signal does not collapse the whole system
• Minimize user friction to reduce the incentive for circumvention
• Design for adversarial behavior from the outset

Assume the system will be tested. Not because every user is malicious, but because some will be curious, some will be frustrated, some will follow tutorials, and some will be criminals.

The bigger story is that digital services increasingly need to establish trust without physical presence. They need to know whether someone is old enough to access a service, whether a customer or remote worker is who they claim to be, whether an account opener is real or synthetic, and whether a face on screen is live or generated.

Age verification loopholes mirror the bigger fraud problem because both expose the same weakness: too many digital systems still trust signals that can be spoofed, avoided, or manufactured.

The future of digital trust depends on proving what matters most: that a real person is genuinely present, in the moment, and authorized to act.

• Digital trust is shifting fast. For more on how it’s being tested and rebuilt, subscribe to Biometric Beat.
• Book a consultative iProov demo here.