This 'Gold Pickaxe' Is The First Trojan That Steals People's Faces For Banking Fraud

Trojan horse

Sensitive information is worth a lot, not because it's personal, but because of what it can unlock.

In the past, people secure their phones behind passwords, or PINs. Then, they can unlock them with biometric data, like their fingerprints. On more modern phones, biometrics also include facial recognition data.

This time, hackers have developed a sophisticated banking Trojan for tricking people into giving up their personal IDs, phone numbers, and face scans, which they're then using to log into those victims' bank accounts.

The malware, dubbed the 'GoldPickaxe' is developed by a large, Chinese speaking hacker group codenamed GoldFactory.

Its variants infect various devices across iOS and Android devices, masquerading as a government service app in order to trick primarily elderly victims into scanning their faces.


To exploit the stolen biometric data, the threat actor utilizes AI face-swapping services to create deepfakes by replacing their faces with those of the victims.

The attackers can then use this to gain unauthorized access to the victim’s banking account, by bypassing banks' cutting-edge biometric security checks.

This previously unseen kind of attack, according to Group-IB researchers, target the Asia-Pacific region, specifically in Thailand and Vietnam.

In the report, researchers from Group-IB identified that at least one individual whom they believe to be an early victim.

They found that a citizen in Vietnam lost around $40,000 dollars because of this GoldPickaxe malware.

Besides the GoldPickaxe, the group is responsible for developing trojans, including the GoldDigger GoldDiggerPlus, GoldKefu, and GoldPickaxe for Android.

GoldPickaxe is built upon the foundations of a prior trojans, and was initially identified in November 2023 by Thailand's Banking Sector CERT, while disguised as "Digital Pension," a real app used by the elderly to receive pensions in digital format from Thailand's Comptroller General'.

Under the guise of a government service, the fake app requires victims to scan their faces, upload their government ID cards, and submit their phone numbers.


Putting diligent social engineering and powerful cross-platform malware, this method of attack is highly effective.

The first reason is because it uses deepfake, a technology which has apparently caught up with biometric authentication mechanisms. And making it worrying, many people have yet to realize the existence of such technology.

Face swaps using deepfake is highly effective because it gives threat actor a high level of power and control.

It's worth noting that GoldPickaxe is unlike some other banking trojans, in which it doesn't operate as a layer on top of a real financial app, or automatically leverage the data it collects.

Rather, it gathers only the necessary information from Accessibility Service for attackers to, later, pass through authentication checks and manually log into their victims' bank accounts.