GoldFactory: Cybercriminals Are Stealing Your Face

When a cybercriminal steals your password, you can simply change it. But what happens when they steal your face?

This is precisely the method employed by GoldFactory, a cybercrime group first uncovered in October 2023 by experts at Group-IB, which targets and steals users’ biometric facial data. In 2024, Group-IB discovered that the group had begun using a new, sophisticated mobile Trojan called GoldPickaxe.iOS, specifically targeting iOS users. The GoldPickaxe Trojan harvests facial recognition data and ID documents and intercepts SMS messages: everything criminals need to gain access to victims’ bank accounts.

This year, the group was named among the top ten most active cybercrime groups shaping the global threat landscape, according to Group-IB. The list forms part of the comprehensive High-Tech Crime Trends report and is based on insights from over 1,550 high-tech crime investigations.

Who Are GoldFactory?

Group-IB has identified GoldFactory as a highly organised, Chinese-speaking cybercrime group with close ties to Gigabud, a notorious banking Trojan first discovered in 2022. The group is currently active in the Asia-Pacific region. The distinctive gold-themed names, both for the group and for its malware, come from strings that Group-IB’s researchers decrypted in the malware’s code.

To date, GoldFactory has targeted financial institutions and their customers, primarily in Vietnam and Thailand. However, it is believed that the group is preparing to expand its operations. Cybercriminals often test, validate, and scale up their methods over time. It is highly likely that we will see this group extend its reach once its tactics are refined – including beyond the Asia-Pacific region. The group steals biometric data and then carries out so-called cash-out attacks on bank accounts, using deepfakes of victims’ faces to bypass security systems.

What Is GoldPickaxe?

GoldPickaxe is one of a series of aggressive banking Trojans developed by GoldFactory. The group’s mobile malware has appeared in several Android variants, typically aimed at stealing credentials or manipulating system settings, but GoldPickaxe is particularly notable. Not only does it exist for both Android and iOS, a rarity in the world of financial cybercrime, but it is also the first known case of a cybercrime group using AI-powered face-swapping technology to create deepfakes capable of defeating facial recognition systems.

How Are They Scaling Up?

The first known instances of this type of fraud were reported in Thailand, shortly after the Bank of Thailand introduced facial recognition for user verification. Soon after, a Vietnamese individual fell victim to a mobile app exhibiting all the hallmarks of GoldPickaxe. After the victim completed the required facial recognition process, the criminals managed to steal over USD 40,000. According to Group-IB’s analysis, there is growing evidence that GoldFactory is expanding its operations beyond Vietnam and Thailand.

Although the group operates in Chinese, its development and operational teams are clearly divided and region-specific. Variants of the malware have already been discovered in several countries. In addition, the use of AI-based face-swapping technology allows for the scalable creation of deepfakes. With AI and deepfakes, criminals can expand their operations for greater financial gain.

Sharmine Low

Sharmine Low is a malware analyst at Group-IB.