Hackers are now using AI to steal your face — and your bank account may be next

A newly discovered global phishing campaign weaponises artificial intelligence and your own browser to capture biometric data — no malware download required.

Beyond Passwords: A New Kind of Theft

Cybersecurity firm Cyble has uncovered a sophisticated, large-scale social engineering campaign that extends far beyond password theft. Researchers at Cyble’s Research & Intelligence Labs (CRIL) identified attackers exploiting native browser permissions — the same prompts that legitimate websites use to access your camera or microphone — to silently harvest live facial images, video recordings, and audio from victims’ devices.

AI Is Writing the Malware

What sets this campaign apart is its use of generative AI tools to build the attack infrastructure itself. Analysts found structured annotations and emoji-based code formatting within the malicious scripts — strong indicators that AI assisted in writing and organising the code at speed. Threat actors are also abusing low-cost hosting via edgeone.app and routing stolen data through Telegram Bot APIs, making their operations cheap, scalable, and difficult to trace.

Impersonated platforms include TikTok, Telegram, Instagram, and Google Chrome, using lures disguised as “ID Scanners” and “Health Fund AI” verification tools.

The Real-World Fallout

Collected biometric data, combined with contact lists, device telemetry, and approximate location, enables attackers to construct detailed victim profiles. The consequences for individuals and organisations are severe: stolen facial images can bypass Video-KYC (Know Your Customer) protocols and fuel deepfake creation; captured media can be used to extort or commit Business Email Compromise (BEC) scams; and the misuse of trusted brand identities steadily erodes public confidence in digital onboarding systems.

What You Should Do Right Now

Cyble urges users to deny camera and microphone access to any unrecognised website immediately. Organisations are advised to monitor for suspicious domain infrastructure and block unauthorised outbound traffic to messaging APIs such as Telegram within corporate environments.
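A defender-side check for the egress advice above, added here as an example and not taken from Cyble's report or this article: it scans proxy log lines for Telegram Bot API calls (flagging media-upload methods, which are the ones that would carry captured images, video or audio) and for hosts under edgeone.app. The log format, the sample entries and the bot token are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Infrastructure the article names: Telegram Bot API for exfiltration and
# edgeone.app for hosting. Assumption: the organisation has no legitimate
# use for either, so any hit is worth review.
WATCH_SUFFIXES = ("api.telegram.org", "edgeone.app")

# Bot API paths look like /bot<token>/<method>; these methods upload media.
BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)")
MEDIA_METHODS = {"sendPhoto", "sendVideo", "sendAudio", "sendVoice",
                 "sendDocument", "sendMediaGroup", "sendVideoNote"}

def classify(url: str):
    """Return None for benign URLs, else (severity, reason)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hit = next((s for s in WATCH_SUFFIXES
                if host == s or host.endswith("." + s)), None)
    if hit is None:
        return None
    m = BOT_PATH.match(parts.path)
    if hit == "api.telegram.org" and m:
        method = m.group("method")
        if method in MEDIA_METHODS:
            return ("high", f"Telegram Bot API media upload ({method})")
        return ("medium", f"Telegram Bot API call ({method})")
    return ("low", f"traffic to watched infrastructure ({hit})")

def scan(lines):
    """Parse constructed 'ts client method url status' lines; return hits."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        ts, client, method, url = fields[:4]
        verdict = classify(url)
        if verdict:
            findings.append((ts, client, method, url, *verdict))
    return findings

# Constructed sample log; the token is a placeholder, not a real credential.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.12 POST https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendPhoto 200",
    "2024-01-01T10:00:05Z 10.0.0.12 GET https://id-scanner-example.edgeone.app/verify.html 200",
    "2024-01-01T10:00:09Z 10.0.0.33 GET https://www.example.com/ 200",
    "2024-01-01T10:00:12Z 10.0.0.12 POST https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/getMe 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```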
