Masked Actors

GoldFactory: The cybercriminals who want to steal your face

Season 1 Episode 1

If a cybercriminal steals your password, you can change it. But what happens if they steal your face? 

Former soldier turned hacker Gary Ruddell and financial crime veteran Nick Palmer explore the actors behind GoldFactory, a cybercriminal group stealing users' facial recognition data to clean out victims' bank accounts.

Joined by Craig Jones, who spent five years at Interpol as the director of cybercrime, Group-IB's Gary and Nick explore how masked actors are exploiting AI and Deepfakes for financial gain. 

In this episode, they dig into the novel tactics of this Chinese-speaking group who created a first of its kind iOS trojan to steal biometric data and bypass banking facial recognition security systems. Together they unpick how cybercriminals are adopting new technologies and franchising their efforts to manipulate more victims and increase their payoff.

By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.

Subscribe now to meet these Masked Actors — and stay one step ahead in the fight against cybercrime.

Episode links:
Group-IB's Top 10 Masked Actors
Face Off: Group-IB identifies first iOS trojan stealing facial recognition data
Gold Rush is back to APAC: Group-IB unveils first iOS trojan stealing your face

Meet Group-IB's top 10 Masked Actors here - and stay one step ahead in the fight against cybercrime.

Gary Ruddell:

In May of 2024, a new threat was uncovered, and with it, an entirely new method of theft. Part of a cluster of aggressive banking trojans, this sophisticated mobile malware, dubbed GoldPickaxe, was a first. It was an iOS trojan, a sibling of its Android predecessor, and it had just one aim: to get access to users' facial recognition data. This threat cluster has been attributed to a single actor codenamed GoldFactory, the cybercriminals that want to steal your face. I think we should probably start at the start. Let's talk about Trojans, Nick. Tell us what they are. How do they work?

Nick Palmer:

Yeah, for sure. So a Trojan is basically a type of malware that's trying to hide itself, disguise itself as essentially legitimate software. Cybercriminals will develop this seemingly legitimate software to try to gain access to your mobile device or PC computer, etc. And it's interesting to maybe look at the history of where the word Trojan comes from. And if you go back to basically the Greek army infiltrating Troy, they basically tried to hide inside of a wooden horse and then eventually, surprise, surprise, entered into Troy and, you know, had their army inside the castle walls, if you will. So that's essentially what it is, what it does at a very simple level.

Gary Ruddell:

Yeah, I'm trying to imagine were things easier or harder back then in the days of Troy compared to today? So, you know, these things have been around forever, basically, but what's new here from a technological perspective?

Nick Palmer:

I think one of the most interesting discoveries in GoldPickaxe from the GoldFactory cybercriminal group is really some of the tactics and techniques that this malware employs. I think with all of the advancements of artificial intelligence, you know, researchers have kind of been forecasting that threat actors will start to use this in their tactics and their techniques. And basically what this malware does after it gains accessibility services and access to your mobile phone is it will start to record video of an individual pretending to go through the KYC process with their driver's license and things like that. And after the malware essentially records this video, the threat actor can reproduce that with deepfake activities and register in their bank account, make a transaction, something like this. So that's really what's exciting to me anyway about this new malware.

Gary Ruddell:

Yeah, that's crazy because it's one thing to have your password stolen. I've got passwords stolen. There's probably some you can go and see on the dark web now of mine. But I can change those, right? I can go and do a password reset. I can have multi-factor authentication, but I can't change my face.

Nick Palmer:

Unless you're Nicolas Cage, I guess, yeah?

Gary Ruddell:

Face Off. So Nick, the GoldFactory group, what do we know about them so far?

Nick Palmer:

Yeah, so there's actually not a lot of public information available. But what we do know is that the group is currently active in the Asia-Pacific region. And we believe them to be a well-organized Chinese-speaking cybercriminal group with actually close connections to Gigabud, which was a disruptive banking Trojan that was first discovered in 2022. In fact, these sophisticated banking Trojans seem to be the group's MO or modus operandi. And the flashy gold-themed name comes from the lines of code that Group IB's researchers actually discovered in their first threads. So actually in October of 2023, this was when Group IB first released information about a previously unknown and

Gary Ruddell:

Yeah, the iOS side of it is kind of terrifying for me because, you know, historically, Android has always been the sort of weaker system and I've felt very secure using iOS because those exploits are harder to come by. Seeing things like this and hearing that it's possible on iOS is very interesting. So GoldPickaxe then, how does that work?

Nick Palmer:

Yeah, so like most schemes, malicious apps are really sent via links, right? So first, the threat actors are trying to communicate with potential victims through different messengers and encouraging them to install the malicious app via the links. So for Apple users, it was actually interesting that they were encouraged to download TestFlight, so Apple's kind of testing platform for different applications. And then Android users were encouraged to download a mobile device management solution. With this successfully installed on the user's device, the cybercriminals were able to then install their Trojan remotely. So they gained the necessary permissions on the device. And then the Trojan was basically encouraging different users to record a video of themselves with, you know, a driver's license or other KYC documentation for a fake application. So that's where they got the video from. So the video was then used as raw material for the cybercriminal group to actually create their deepfakes and perform the final cash-out procedures. They could install different banking applications on their own devices and use that raw material to actually bypass the preventative measures that the bank has.

Gary Ruddell:

Yeah, that's wild. That is the last thing that you want to happen to your face. So Nick, the financial impact of the damage done by GoldFactory isn't really known yet, but do we know who the victims are?

Nick Palmer:

Yeah, the victims are primarily finance companies and their customers. And predominantly, the group has been targeting the Asia-Pacific market with a focus on Vietnam and Thailand. What's interesting, I think, to note, though, is that, you know, with this new tactic and technique, cybercriminals often like to test, to validate and to be ready to scale, right? So it's very likely that we'll see this group expand their operations once they've perfected their craft, if you will, and expand this operation outside of just Asia-Pacific markets.

Gary Ruddell:

And are they going after regular people or are they going after people who work in businesses or is it a mix? What's the target profile?

Nick Palmer:

Yeah, I think most importantly is they're going after people, right? They want to get access to people that specifically have bank accounts, right? So the ability for a Trojan to review what applications are on a specific device is important, and then target those individuals that have, yeah, bank account access, right? So ultimately, this is a financially motivated cybercriminal group. So they want to target people, capture their likeness, their face, the application process, and then perform the cash-out procedures once they've done that.

Gary Ruddell:

Okay, so let's talk about the victims. Nick, you've been at Group IB for a long time. You've got a wealth of experience working with businesses and people who have been victims of cyber attacks. What type of impact does an attack like this have on people?

Nick Palmer:

Well, I think the risks are really twofold, right? So one is the financial loss for the individual, the user, the citizens, etc. And the second is the risk for the business as well, right? So there can be a lot of reputational damage done to an organization if, you know, someone is applying for loans using their facial biometric data and it's successful against a specific business. It also depends on how widespread it is. Obviously, I mentioned before that cybercriminals want to scale their operations. So if they're able to scale up loan applications or account takeover at financial institutions, the financial impact could be very large, but also the risk for the reputation of the business as well. It's really important, I think, to take note of a new tactic and technique being employed by these cybercriminals for financial gain, because while it may target the Asia-Pacific market right now, it's important to understand that this tactic and technique, if successful, which it seems it has been, will be exported to other markets. So really understanding, you know, how are my KYC processes today? Can I understand as a business the entire user session? You know, do I know if it's actually my customer logging into the bank account or another Android device that the cybercriminal is performing these deepfake activities on to conduct account takeover? So, yeah, learning from what this is and, you know, taking note and making adjustments so that you can defend against this attack for the future.

Gary Ruddell:

Yeah, definitely. Don't just close your eyes and hope for the best. That won't help. Obviously, it's important that, you know, businesses report crimes and things to law enforcement because that helps in so many ways. We're very fortunate today to have Craig Jones with us, who spent over five years at Interpol as the director of cybercrime. Craig, great to have you here. What can you tell us about the role of deepfakes and AI in crimes like these? Is this common?

Craig Jones:

Yeah. Hi, Gary. Hi, Nick. Thanks for inviting me on. Yeah, they're becoming more common, unfortunately. And I think this is where criminals are exploiting either vulnerabilities in systems or networks or people, effectively. And they're using tools which we use for our everyday life online to facilitate their ability to commit cybercrime. And they're testing these new methods and they're seeing how they can adapt the new methods, whether it's deepfake, whether it's AI. And the main purpose of this, I think you've already been discussing, is, you know, from a criminal's point of view, it's around that financial gain. It's how do they use what's available to them to commit criminal acts, but normally for financial gain. That's the motivation behind these crime groups, whether it's an individual, whether it's a group coming together online, whether it's a village coming together because they may not have the economy there, and the digitalization that's now available to them is opening up new opportunities not just for us to start new industries, but also for the criminals.

Gary Ruddell:

Are we likely to see this type of thing for sale in the same way that we see ransomware as a service?

Craig Jones:

Yeah, I think when we look at these businesses, they almost start to operate as franchises. So if it becomes successful, how do you grow any business? There is a certain volume amount that you can work to, effectively. And the volume and scale of cybercrime we've seen increasing exponentially over the last 10, 15 years. We started with those denial-of-service attacks, which, you know, people used to do for fun, or they would get into someone's network or systems because that was fun to do. But then they realized they could commoditize that, so that that information, that data, became valuable. And then as online digitalization increased, the way we're operating now and our finances are operating in the online space as well, and the virtual currencies, that gives the criminals an opportunity to sort of, as I said already, exploit that.

Gary Ruddell:

And, you know, when this first launched, GoldFactory's iOS Trojan was available through TestFlight, as Nick said earlier. That obviously helped it appear legitimate. Thankfully, it didn't last long. But once that was removed, threat actors had to, you know, employ new techniques, particularly social engineering. Can we talk about that a little bit? You know, these schemes are designed to lure victims into installing malicious software. What are the warning signs of social engineering?

Craig Jones:

Yeah, I mean, that's on lots of different levels. So, you know, we can talk about, you know, you receive that email with, well done, you've won X or Y, or this is the latest update. You need to update this on your phone immediately because you're going to be at risk. So it plays on vulnerabilities. On the one hand, it can prey on people's insecurities online. So it could be an individual. Or it could be quite specifically targeted at a business, targeting maybe a chief financial officer within a company where someone's pretending to be a CEO or something like that. And the criminals will be using different scripts, whether they're automated scripts or they might seem quite innocuous to start with. You know, you just get that pop up on your phone saying, oh, hi, it's so and so. And you then respond to it and you start that dialogue. And what they try to do within that is gain your trust.

Gary Ruddell:

How do we protect ourselves and our businesses from threat actors like Gold Factory?

Nick Palmer:

Yeah, well, I think protecting ourselves is really all about awareness, right? So individuals need to be aware of how to actually protect themselves. I always think of my mother, actually, and I've even trained her using real-world examples about how to use VirusTotal to scan a link to see if it's bad or not. So I think user awareness and training, just to make sure your customers know not to click on links that are sent to you from different messengers, is very important, or how to scan a link on VT. And the second thing really is, you know, on the business side, right? So I want to bank with a bank who is serious about protecting my money. And I think, you know, user education can only go so far. And, you know, to really fight the bad guys and ensure that they don't have an impact on your organization, it's important to think about ways that you can counteract this threat. So I go back to what we do here at Group IB with fraud protection. And it's, you know, looking at the user session. Can you identify if someone's video camera is being manipulated during the user session? Can you effectively and stickily fingerprint a device and a user based on their behavior and know that it's really your customer logging in, or a new Android device that maybe is manipulating the camera? So I think it's important to look at it from a business perspective: what is this threat? What are the tactics and techniques that are being employed now? And do I have the necessary measures in place to prevent it?

Craig Jones:

So I think as Nick's just explained, there's quite a lot of technical stuff that can be done. But then we look at that sort of social engineering side, and we've touched on that briefly already. And that's about personal awareness. I remember many years ago when I was in law enforcement in the UK, we had this "stranger danger" program. And this was about that physical, you know, don't talk to strangers. And it was ingrained, but it was ingrained at a very, very early age in the school curriculum. And that comes back to that awareness. We have to start that as soon as the children get, you know, a device in their hand, three, four, five, six years old. Parents should be educating them. It's almost like those conversations you have with your children, and you need to be having that online conversation with them as well. And I think we're almost in this, not twilight zone, but moving across, where you've got the digital natives coming in who got it from day one, whereas, maybe talking about myself, when I was a child we didn't have these things, so I've had to learn that. And sometimes it can seem a little bit dull, but, you know, that awareness is so important. Now, governments are picking up on this. They're doing a lot of work in different countries around that awareness training, not just for individuals, but small and medium enterprise companies and for major companies as well. And again, it comes back to that target hardening. It's at what level do you put those interventions in effect? Do you use the internet when you're online? What are your personal habits about where you are likely to go and look online? What sites do you like, where you may download something that's then going to affect your computer or something like that?

Gary Ruddell:

On a global level, Craig, what sort of progress has teams like Interpol made towards taking down groups like Gold Factory?

Craig Jones:

Oh, well, I mean, it's almost night and day from when we started. So I sort of think when I started back in the UK about 2012, 2013, leading a sort of regional cybercrime team, looking at the cases we were dealing with then, and, you know, it really was a whole new way of law enforcement working. You know, we were just used to working in our local environment, protecting our local communities and going after local criminals, because we knew our community, we knew the criminals in our community, and we'd see trends and patterns. Fast forward to where we are now, we're still there to police the community. Prevention of crime, protection of life and property, it's really, really important. But what we don't see within that space is the criminal actors in the online space. And that's where companies such as Group IB and others, they have that information, they do that detection work, so they can detect. And then how do we share that information? So we look at many international companies now that are global companies, they can share that information very, very readily and very, very quickly. But in terms of how law enforcement operates, we have legislation within each country. So this might be a crime in one country, but it may not be a crime in another country. So what we have is sort of a regional desk model at Interpol, where we have regional cybercrime officers, effectively, for example in Africa, who dock directly into Interpol and use our tools and platforms and then share that data locally in Africa, or in Asia and South Pacific, or in Europe. So it's still trying to get that local policing model, but it's about global to local or local to global. And we've got to make sure we can share that information. And Interpol channels are absolutely perfect for doing that with 196 countries. But then there's the prioritization of crime in countries as well. And if it's not reported, then there's not a problem. So it sometimes goes unseen in certain countries as well.

Gary Ruddell:

So Interpol, how does that actually work? What does it look like? What's your sort of process for taking these groups down?

Craig Jones:

So what Interpol is able to do with companies such as Group IB is do targeted operations. So we can, first of all, identify the victims. Now, last November to this February in 2025, Interpol ran an operation called Operation Red Card. We coordinated activities with the private sector and the countries, and over 5,000 victims were identified. And from those 5,000 victims, we were then able to identify the criminals behind those cybercrime acts, and over 300 suspects were identified. That led to arrests and then devices being seized. This is where that cybercrime model is becoming quite challenging for law enforcement, because we're then pulling in more data and more information. And it's not just about arresting that criminal and interviewing the criminal. We then have to look through those devices, because what happens then is we can then see more victims. So it's this continuous loop that law enforcement is going through, but the main aim is to sort of make our communities safer.

Gary Ruddell:

Yeah, I can really see the advantages that the likes of law enforcement have when they collaborate with Group IB and other companies because Group IB has the technology, but law enforcement is law enforcement. Group IB isn't going to go and arrest anyone, but they can certainly give the data to law enforcement to make that happen, right?

Craig Jones:

Absolutely. And I think another thing, and I suppose if we go back to 2019 when I first started at Interpol, we had our regional working groups, and we were in a classroom in Nairobi, and we probably had about 10 heads of cybercrime units from the African continent. So that's about 40-plus countries. We had 10. We had Group IB and others there. And, you know, it was really sobering listening to those officers from those countries describe the challenges they had. And I remember one that stuck out very clearly to me was, I think it was, they'd gone in and raided a house where they thought human trafficking was taking place. So this is where, you know, people are sort of, you know, abducted and trafficked through different countries. And when law enforcement went through the door, they basically found, it'd be like a cybercrime factory. So there were people there in front of their laptops. You had one sort of gang master there controlling it all. And the people were going online and committing crime. Now, they didn't know what they had at the time, and if we look at where we are now, what we're seeing in sort of Southeast Asia, we're seeing people trafficked from one country into another country. They think they're going to a job. They get there, their passports are taken off them. They're then pushed across borders, corralled in different houses or places, and effectively are forced labour committing crime. And we're seeing this model evolving because, as we know, there's a shortage of people with online skills, and criminals are the same. So they are looking at how they can sort of grow their organized crime groups and grow their franchise crime model as well. So when we look at the deepfakes and the AI side of this, there's quite often a human element under this as well.

Nick Palmer:

Thanks a lot, Craig. I guess I'm not a door kicker to arrest the bad guys. But yeah, it's always a pleasure to engage with law enforcement and actually make some disruption. You know, that is really, I think, the driving factor for a lot of people working with Group IB: you know, the mission to fight against cybercrime. And they're constantly evolving. And I think that's what's so exciting, you know, to research cyber-enabled fraud, is that the tactics and the techniques are always changing, right? And it's important to know what they're moving to so you can help protect your business and the customers that you're working with. And I think, you know, GoldFactory is a prime example of that, you know, sophistication, implementation of new scalable technology within their tactics and their techniques. And I'm excited to see what happens next. And we'll be here to research those bad guys as they start to pop up.

Gary Ruddell:

Sure. And like, you know, GoldFactory is just one example. It's a frankly terrifying use case, in my opinion. But that is the new reality we're facing here as security teams and law enforcement, and we're going to have to keep up with it. You know, as we've discussed here, the more you know, the better prepared you are for this type of threat. So thanks for listening, and we'll see you in the next one.

Your data is valuable and it's under attack. Cyber espionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise. Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information. These groups thrive in secrecy, now more than ever. Knowing who your adversaries are is critical. So join us as we ask who's behind the world's most prolific cybercriminal groups. What are their tactics, their motivations, and their impact? Who are the world's masked actors?

Masked Actors is an independent podcast from Group IB, a leading voice in the fight against cybercrime. The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group IB's

Thanks for listening. See you next time as we uncover more of the world's top masked actors.