Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Gary Ruddell (00:00):
In May of 2024, a new threat was uncovered, and with it, an entirely new method of theft.
Part of a cluster of aggressive banking trojans, this sophisticated mobile malware dubbed Gold Pickaxe was a first.
It was an iOS trojan, a sibling of its Android predecessor, and it had just one aim, to get access to users' facial
(00:23):
recognition data.
This threat cluster has been attributed to a single actor codenamed Gold Factory.
The cybercriminals that want to steal your face.
I think we should probably start at the start.
Let's talk about Trojans, Nick.
Tell us what they are.
How do they work?
Nick Palmer (00:42):
Yeah, for sure.
So a Trojan is basically a type of malware that's trying to hide itself, disguise itself as essentially legitimate software.
Cybercriminals will develop this seemingly legitimate software to try to gain access to your mobile device or PC computer, etc.
And it's interesting to maybe look at the history of where the
(01:03):
word Trojan comes from.
And if you go back to basically the Greek army infiltrating Troy, they basically tried to hide inside of a wooden horse and then eventually, surprise, surprise, entered into Troy and, you know, had their army inside the castle walls, if you will.
So that's essentially what it is, what it does at a very
(01:24):
simple level.
Gary Ruddell (01:26):
Yeah, I'm trying to imagine, were things easier or harder back then in the days of Troy compared to today?
So, you know, these things have been around forever, basically, but what's new here from a technological perspective?
Nick Palmer (01:39):
I think one of the most interesting discoveries in Gold Pickaxe from the Gold Factory cybercriminal group is really some of the tactics and techniques that this malware employs.
I think with all of the advancements of artificial intelligence, you know, researchers have kind of been forecasting that threat actors will start to use this in their tactics and their techniques.
And basically what this malware does after it gains
(02:02):
accessibility services and access to your mobile phone is it will start to record video of an individual pretending to go through the KYC process with their driver's license and things like that.
And after the malware essentially records this video, the threat actor can reproduce that with deepfake activities
(02:23):
and register in their bank account, make a transaction, something like this.
So that's really what's exciting to me anyway about this new malware.
Gary Ruddell (02:34):
Yeah, that's crazy, because it's one thing to have your password stolen.
I've got passwords stolen.
There's probably some you can go and see on the dark web now of mine.
But I can change those, right?
I can go and do a password reset.
I can have multi-factor authentication, but I can't change my face.
Nick Palmer (02:52):
Unless you're Nicolas Cage, I guess, yeah?
Gary Ruddell (02:54):
Face/Off.
So Nick, the Gold Factory group, what do we know about them so far?
Nick Palmer (03:00):
Yeah, so there's actually not a lot of public information available.
But what we do know is that the group is currently active in the Asia-Pacific region.
And we believe them to be a well-organized Chinese-speaking cybercriminal group with actually close connections to Gigabud, which was a disruptive banking Trojan that was first discovered in 2022.
(03:20):
In fact, these sophisticated banking Trojans seem to be the group's MO or modus operandi.
And the flashy gold theme name comes from the lines of code that actually Group IB's researchers discovered in their first threads.
So actually in October of 2023, this was when Group IB first
(03:41):
released information about a previously unknown and
Gary Ruddell (04:02):
Yeah, the iOS side of it is kind of terrifying for me because, you know.
Historically, Android has always been the sort of weaker system, and I've felt very secure using iOS because those exploits are harder to come by.
Seeing things like this and hearing that it's possible on iOS is very interesting.
So Gold Pickaxe then, how does that work?
Nick Palmer (04:23):
Yeah, so like most schemes, malicious apps are really sent via links, right?
So first, the threat actors are trying to communicate with potential victims through different messengers and encouraging them to install the malicious app via the links.
So for Apple users, it was actually interesting that they were encouraged to download TestFlight.
(04:43):
So Apple's kind of testing for different applications.
And then Android users were encouraged to download a mobile device management solution.
With this successfully installed on the user's device, the cybercriminals were able to then install their Trojan remotely.
So they gained the necessary permissions on the device.
And then the Trojan was basically encouraging different
(05:05):
users to record a video of themselves with, you know, driver's license or other KYC documentation for a fake application.
So that's where they got the video from.
So the video was then used as raw material for the cybercriminal group to actually create their deepfakes and perform the final cash out procedures.
(05:28):
They could install different banking applications on their own devices and use that raw material to actually bypass the preventative measures that the bank has.
Gary Ruddell (05:39):
Yeah, that's wild.
That is the last thing that you want to happen to your face.
So Nick, the financial impact of the damage done by Gold Factory isn't really known yet, but do we know who the victims are?
Nick Palmer (05:51):
Yeah, the victims are primarily finance companies and their customers.
And predominantly, the group has been targeting the Asia-Pacific market with a focus on Vietnam and Thailand.
What's interesting, I think, to note, though, is that, you know, with this new tactic and technique, cybercriminals often like to test, to validate and to be ready to scale, right?
(06:12):
So it's very likely that we'll see this group expand their operations once they've perfected their craft, if you will, and expand this operation outside of just Asia-Pacific markets.
Gary Ruddell (06:26):
And are they going after regular people, or are they going after people who work in businesses, or is it a mix?
What's the target profile?
Nick Palmer (06:34):
Yeah, I think most importantly is they're going after people, right?
They want to get access to people that have specifically bank accounts, right?
So the ability for a Trojan to review what applications are on a specific device is important, and then target those individuals that have, yeah, bank account access, right?
So ultimately, this is a financially motivated
(06:55):
cybercriminal group.
So they want to target people, capture their likeness, their face, application process, and then perform the cash out procedures once they've done that.
Gary Ruddell (07:06):
Okay, so let's talk about the victims.
Nick, you've been at Group IB for a long time.
You've got a wealth of experience working with businesses and people who have been victims of cyber attacks.
What type of impact does an attack like this have on people?
Nick Palmer (07:21):
Well, I think the risks are really twofold, right?
So one is the financial loss for the individual, the user, the citizens, etc.
And the second is the risk for the business as well, right?
So there can be a lot of reputational damage done to an organization if, you know, someone is applying for loans using their facial biometric data and it's successful against
(07:43):
a specific business.
It also depends on how widespread it is.
Obviously, I mentioned before that cybercriminals want to scale their operations.
So if they're able to scale up loan applications or account takeover at financial institutions, the financial impact could be very large, but also the risk for the reputation of the business as well.
It's really important, I think, to take note of a new tactic
(08:07):
and technique being employed by these cybercriminals for financial gain, because while it may target the Asia-Pacific market right now, it's important to understand that this tactic and technique, if successful, which it seems it has been, will be exported to other markets.
So really understanding, you know, how are my KYC processes
(08:27):
today?
Can I understand as a business the entire user session?
You know, do I know if it's actually my customer logging into the bank account or another Android device that the cybercriminal is performing these deepfake activities on to conduct account takeover?
So, yeah, learning from what this is and, you know, take note and make adjustments so that you can defend against this
(08:50):
attack for the future.
Gary Ruddell (08:51):
Yeah, definitely.
Don't just close your eyes and hope for the best.
That won't help.
Obviously, it's important that, you know, businesses report crimes and things to law enforcement, because that helps in so many ways.
We're very fortunate today to have Craig Jones with us, who spent over five years at Interpol as the director of cybercrime.
Craig, great to have you here.
(09:12):
What can you tell us about the role of deepfakes and AI in crimes like these?
Is this common?
Craig Jones (09:19):
Yeah.
Hi, Gary.
Hi, Nick.
Thanks for inviting me on.
Yeah, they're becoming more common, unfortunately.
And I think this is where criminals are exploiting either vulnerabilities in systems or networks or people, effectively.
And they're using tools which we use for our everyday lives, life online, to facilitate their ability to commit cybercrime.
(09:41):
And they're testing these new methods and they're seeing how they can adapt the new methods, whether it's deepfake, whether it's AI.
And the main purpose of this, I think you've already been discussing, is, you know, from a criminal side of view, it's around that financial gain.
It's how do they use what's available to them to commit criminal acts, but normally for financial gain.
(10:03):
That's the motivation behind these crime groups, whether it's an individual, whether it's a group coming together online, whether it's a village coming together because they may not be able to have the economy there, and the digitalization that's now available to them is opening up new opportunities not just for us to start new industries, but also for the criminals.
Gary Ruddell (10:26):
Are we likely to see this type of thing for sale in the same way that we see ransomware as a service?
Craig Jones (10:32):
Yeah, I think when we look at these businesses, they almost start to operate as franchises.
So if it becomes successful, how do you grow any business?
There is a certain volume amount that you can work to effectively.
And the volume and scale of cybercrime we've seen increasing exponentially over the last 10, 15 years.
(10:52):
We started with those denial of service attacks, which, you know, people used to do for fun, or they would go on to or get into someone's network or systems because that was fun to do.
But then they realized they could commoditize that so that that information, that data became valuable.
And then as the online digitalization increased, the
(11:12):
way we're operating now and our finances are operating in the online space as well and the virtual currencies, that gives the criminals an opportunity to sort of, as I said already, to exploit that.
Gary Ruddell (11:24):
And, you know, when this first launched, Gold Factory's iOS Trojan was available through TestFlight, as Nick said earlier.
That obviously helped it appear legitimate.
Thankfully, it didn't last long.
But once that was removed, threat actors had to, you know, employ new techniques, particularly social engineering.
Can we talk about that a little bit?
(11:46):
You know, these schemes are designed to bring victims into installing malicious software.
What are the warning signs of social engineering?
Craig Jones (11:53):
Yeah, I mean, that's on lots of different levels.
So, you know, we can talk about, you know, you receive that email with, well done, you've won X or Y, or this is the latest update.
You need to update this on your phone immediately because you're going to be at risk.
So it plays on vulnerabilities.
On the one hand, it can prey on people's insecurities online.
(12:15):
So it could be an individual.
Or it could be quite specifically targeted at a business, targeting maybe a chief financial officer within a company where someone's pretending to be a CEO or something like that.
And the criminals will be using different scripts, whether they're automated scripts or they might seem quite innocuous
(12:35):
to start with.
You know, you just get that pop-up on your phone saying, oh, hi, it's so and so.
And you then respond to it and you start that dialogue.
And what they try to do within that is gain your trust.
Gary Ruddell (12:47):
How do we protect ourselves and our businesses from threat actors like Gold Factory?
Nick Palmer (12:52):
Yeah, well, I think protecting ourselves is really all about awareness, right?
So individuals need to be aware of how to actually protect themselves.
I always think to my mother, actually, and I've even trained her using real-world examples about how to use VirusTotal to scan a link to see if it's bad or not.
So I think user awareness and training just to make sure your
(13:14):
customers know not to click on links that are sent to you from different messengers is very important, or how to scan a link on VT.
And the second thing really is, you know, on the business, right?
So I want to bank with a bank who is serious about protecting my money.
And I think, you know, user education can only go so far.
(13:34):
And, you know, to really fight the bad guys and ensure that they don't have an impact to your organization, it's important to think about ways that you can counteract this threat.
So I go back to what we do here at Group IB with fraud protection.
And it's, you know, looking at the user session.
Can you identify if someone's video camera is being
(13:55):
manipulated during the user session?
Can you effectively and stickily fingerprint a device and a user based on their behavior and know that it's really your customer logging in or a new Android device that maybe is manipulating the camera?
So I think it's important to look at from a business perspective, what is this threat?
(14:15):
What are the tactics and techniques that are being employed now?
And do I have the necessary measures in place to prevent it?
Craig Jones (14:22):
So I think as Nick's just explained, there's quite a lot of technical stuff that can be done.
But then we look at that sort of social engineering side, and we've touched on that briefly already.
And that's about personal awareness.
I remember many years ago when I was in law enforcement in the UK, we had this stranger danger program.
And this was about that physical, you know, don't talk to strangers.
And it was ingrained, but it was ingrained at a very, very
(14:45):
early age of a school curriculum.
And that comes back to that awareness.
We have to start that as soon as the children get, you know, a device in their hand, three, four, five, six years old.
Parents should be educating them. It's almost like those conversations you have with your children, and you need to be having that online conversation with them as well. And I think
(15:05):
we're almost in this, not twilight zone, but moving across where you've got the digital natives coming in who got it from day one, where maybe, maybe talking to myself, and when I was a child we didn't have these things, so I've had to learn that, and sometimes it can seem a little bit dull, but you know that that awareness is so important.
Now, governments are picking up on this.
(15:27):
They're doing a lot of work in different countries around that awareness training, not just for individuals, but small, medium enterprise companies and for major companies as well.
And again, it comes back to that target hardening.
It's at what level do you put those interventions in effect?
Do you use the internet when you're online?
What's your personal habits about where are you likely to go
(15:50):
and look online?
What sites are you like where you may download something that's then going to affect your computer or something like that?
Gary Ruddell (15:56):
On a global level, Craig, what sort of progress has teams like Interpol made towards taking down groups like Gold Factory?
Craig Jones (16:05):
Oh, well, I mean, it's almost night and day from when we started.
So I sort of think when I started back in the UK about 2012, 13, leading a sort of regional cybercrime team, looking at the cases we were dealing with then, and, you know, it really was a whole new way of law enforcement working.
You know, we're just used to working in our local environment, protecting our local communities and going
(16:27):
after local criminals because we knew our community, we knew the criminals in our community, and we'd see trends and patterns.
Fast forward to where we are now, we're still there to police the community.
Prevention of crime, protection of life and property, it's really, really important.
But what we don't see within that space is the criminal
(16:48):
actors in the online space.
And that's where companies such as Group IB and others, they have that information, they do that detection work, so they can detect.
And then how do we share that information?
So we look at many international companies now that are global companies, they can share that information very, very readily and very, very quickly.
But in terms of how law enforcement operates, we have
(17:09):
legislation within each country.
So this might be a crime in one country, but it may not be a crime in another country.
So what we have is sort of a regional desk model at Interpol where we have regional cybercrime officers, effectively, for example in Africa, who dock directly into Interpol and use our tools and platforms and then share that data locally in
(17:33):
Africa or in Asia and South Pacific or in Europe, so it's still trying to get that local policing model, but it's about global to local or local to global.
And we've got to make sure we can share that information.
And Interpol channels are absolutely perfect for doing that with 196 countries.
But then there's the prioritization of crime in countries as well.
And if it's not reported, then there's not a problem.
(17:56):
So it sometimes goes unseen in certain countries as well.
Gary Ruddell (18:01):
So Interpol, how does that actually work?
What does it look like?
What's your sort of process for taking these groups down?
Craig Jones (18:06):
So what Interpol is able to do with companies such as Group IB is do targeted operations.
So we can, first of all, identify the victims.
Now, last November to this February in 2025, Interpol ran an operation called Operation Red Card.
We coordinated activities with the private sector of the countries, and over 5,000 victims were identified.
(18:29):
And from those 5,000 victims, we were then able to identify the criminals behind those cybercrime acts, and over 300 suspects were identified.
That led to arrests and then devices being seized.
This is where that cybercrime model is becoming quite challenging for law enforcement, because we're then pulling in more data and more information.
(18:49):
And it's not just about arresting that criminal and interviewing the criminal.
We then have to look through those devices because what happens then is we can then see more victims.
So it's this continuous loop that law enforcement is going through, but the main aim is to sort of make our communities safer.
Gary Ruddell (19:08):
Yeah, I can really see the advantages that the likes of law enforcement have when they collaborate with Group IB and other companies, because Group IB has the technology, but law enforcement is law enforcement.
Group IB isn't going to go and arrest anyone, but they can certainly give the data to law enforcement to make that happen, right?
Craig Jones (19:26):
Absolutely.
And I think another thing, and I suppose we go back to 2019 when I first started at Interpol, and we have our regional working groups, and we were in a classroom in Nairobi, and we probably had about 10 heads of cybercrime units from the African continent.
So that's about 40 plus countries.
We had 10.
We had Group IB and others there.
And, you know, it was really sobering listening to those
(19:48):
officers from those countries describe the challenges they had.
And I remember one that stuck out very clearly to me was, I think it was, they'd gone in and raided a house where they thought human trafficking was taking place.
So this is where, you know, people are sort of, you know, abducted and trafficked through different countries.
And when law enforcement went through the door, they basically
(20:09):
found, it'd be like a cybercrime factory.
So there were people there in front of their laptops.
You had one sort of gang master there controlling it all.
And the people were going online and committing crime.
Now they didn't know what they had at the time, and if we look where we are now, what we're seeing in sort of Southeast Asia, we're seeing people trafficked from one country into
(20:31):
another country.
They think they're going to a job.
They get there, their passports are taken off them.
They're then pushed across borders, corralled in different houses or places, and effectively are forced labour committing crime.
And we're seeing this model evolving because, as we know, there's a shortage of people with online services and
(20:52):
criminals are the same.
So they are looking about how they can sort of grow their organized crime groups and grow their franchise crime model as well.
So when we look at the deepfakes and the AI side of this, there's quite often a human element under this as well.
Nick Palmer (21:08):
Thanks a lot, Craig.
I guess I'm not a door kicker to arrest the bad guys.
But yeah, it's always a pleasure to engage with law enforcement and actually make some disruption.
You know, that is really, I think, the driving factor for a lot of people working with Group IB is, you know, the mission to fight against cybercrime.
And they're constantly evolving.
And I think that's what's so exciting, you know, to research
(21:31):
cyber-enabled fraud is that the tactics and the techniques are always changing, right?
And it's important to know what they're moving to so you can help protect your business and the customers that you're working with.
And I think, you know, Gold Factory is a prime example of that, you know, sophistication, implementation of new scalable
(21:53):
technology within their tactics and their techniques.
And I'm excited to see what happens next.
And we'll be here to research those bad guys as they start to pop up.
Gary Ruddell (22:03):
Sure.
And like, you know, Gold Factory is just one example.
It's a, frankly, terrifying use case, in my opinion.
But that is the new reality we're facing here as security teams and law enforcement, and we're going to have to keep up with it.
You know, as we've discussed here, the more you know, the better prepared you are for this type of threat.
So thanks for listening, and we'll see you in the next one.
(22:23):
Your data is valuable and it's under attack.
Cyber espionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise.
Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical
(22:46):
tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information.
These groups thrive in secrecy, now more than ever.
Knowing who your adversaries are is critical.
So join us as we ask who's behind the world's most prolific cybercriminal groups.
(23:06):
What are their tactics, their motivations, and their impact?
Who are the world's masked actors?
Masked Actors is an independent podcast from Group IB, a leading voice in the fight against cybercrime.
The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group
(23:27):
IB's Thanks for listening.
See you next time as we uncover more of the world's top masked actors.