Skip to main content
Foil sits alongside your KYC vendor, not in place of it. The vendor checks whether the identity is valid; Foil checks whether a real human at a real device is operating the form. Stacking the two catches fraud that passes each layer individually - especially synthetic-identity farms, anti-detect browsers, and repeat submissions from one device under many identities.

The threat

KYC-gated flows (fintech onboarding, crypto exchanges, gambling, lending, payouts, any “high-limit” account upgrade) attract some of the most well-funded browser automation on the public internet. The rewards per account are large enough to justify real investment: stolen identity kits bought on dark markets, anti-detect browsers ($100–$500/month retail), residential proxy pools, and increasingly LLM-driven agents that can fill forms and respond to vendor prompts autonomously. Four abuse patterns dominate:
  • Synthetic identities. Fabricated or Frankenstein PII (real SSN, fake name; real name, fake DOB) submitted through automated browsers. Individual submissions may pass the KYC vendor’s checks because the underlying data points look plausible; the tell is the browser operating the form, which Foil sees.
  • Identity farming. Operator runs dozens or hundreds of accounts through KYC on one device using different PII each time, then resells the verified accounts. Every individual submission looks fine; the visitor fingerprint betrays the pattern.
  • Anti-detect browser fraud. Multilogin, GoLogin, Kameleo, and similar tools specifically exist to defeat device fingerprinting - the KYC fraud market is their primary customer base. These environments push Foil’s overall risk_score up even when the behavioral profile looks human, and the stored session’s runtime_integrity surface explicitly flags tampering and virtualization.
  • Liveness / video bypass. Virtual cameras, deepfakes, and face-swap tooling target the selfie/liveness step. This is primarily the KYC vendor’s problem, but the browser environment used to run the bypass often trips Foil’s virtualization and anti-tamper signals.
Against all four, Foil produces signal before the KYC vendor sees the request - cheap, high-precision, and useful in two ways: as a pre-check that stops obvious fraud before paying the vendor per-verification fee, and as an input to a layered decision for everything the vendor returns as “approved but we’re not sure.”

The flow

1

Start Foil when the KYC flow begins

This might be the “Upgrade your account” button or the start of a dedicated onboarding journey. Collection needs time - KYC is one of the rare surfaces where you can afford to wait for fingerprint readiness.
2

Gate form submission on waitForFingerprint()

Unlike a login page, KYC users expect friction. It’s fine to disable the final submit button until Foil’s fingerprint has frozen - this guarantees you’ll get a stable visitor_fingerprint.id for cross-session correlation.
3

Call getSession() at submit

Handoff travels with the KYC payload.
4

Pre-check the Foil verdict and risk score

Hard-block on bot. For human verdicts, apply a stricter risk_score threshold than you would on a lower-friction surface - a borderline score on a regulated flow usually warrants manual review.
5

Check the fingerprint's history

GET /v1/fingerprints/:visitorId - has this device run KYC before under a different identity?
6

Forward to the KYC vendor with Foil metadata attached

So the vendor’s own decision engine can incorporate the signal on their side.
7

Monitor post-KYC sessions

A verified account that starts behaving like automation later is a strong account-takeover or farming signal. Keep Foil on sensitive in-app actions.

Client integration

KYC is the one surface where waitForFingerprint() should block submission. False positives from slow fingerprinting are cheap here (the user will wait), and false negatives from submitting before fingerprint freeze are expensive (you lose the visitor ID that catches identity farming).

Server verification

The pattern below uses a generic kycVendor.verify(...) placeholder. Substitute Persona, Onfido, Veriff, Sumsub, Socure, Alloy, or your internal equivalent. The KYC_RISK_SCORE_THRESHOLD below is set at 30 as a starting point - well below Foil’s default bot verdict threshold (~70) but strict enough that genuinely suspicious sessions don’t auto-approve on a regulated flow. risk_score is an integer from 0 to 100; tune the threshold to your traffic.

Layered decision matrix

The decision you hand back to your own business logic (and record on the KYC row) should be the product of Foil and the vendor verdict, not either one alone. risk_score is an integer 0100; below the bot verdict threshold of ~70 there’s still a lot of useful gradient, and KYC is the surface where you should care about it. Two principles worth holding:
  • Never auto-approve on vendor-only signal for a KYC-gated flow. If Foil’s risk_score is elevated or the verdict is inconclusive, the vendor saying “approved” is not enough to promote an account to its full permission set.
  • Use a stricter risk_score threshold than you would on other surfaces. Foil’s default bot/human cutoff is tuned for broad use across signup, login, and content surfaces; KYC’s false-negative cost justifies treating anything above roughly 30 as worth a human look.

Runtime integrity: deeper environment signal

When the sealed-token verdict isn’t enough - high-limit approvals, compliance-heavy jurisdictions, repeat-review queues - fetch the stored session and inspect runtime_integrity. These are discrete named flags computed server-side from the full observation stream, and they let you write precise rules instead of thresholding a single aggregated score.
Node.js
tampering_detected, emulation_suspected, and identity_spoofing_suspected deserve a manual-review route even when the sealed-token verdict is human and the risk_score is under threshold. They’re the signals most likely to be silent on the aggregated score when an attacker is specifically tuning against it. runtime_integrity is only available via GET /v1/sessions/:sessionId - it’s not on the sealed token. Two integration shapes work well:
  • Session readback on every KYC submission. One extra API call per verification; negligible next to the cost of the KYC vendor itself.
  • Session readback only on borderline cases. Fast path on clean human + low-score submissions; fetch the stored session for everything else, including the manual_review paths in the code above.

Identity farming: cross-session correlation

The visitor fingerprint is the axis that catches farms. One device running KYC under five identities over two weeks looks human on every individual submission - it is human, just a human engaged in fraud. The tell is in GET /v1/fingerprints/:visitorId.
Node.js
Practical thresholds for flagging:
  • 2+ distinct accounts from the same visitor fingerprint completing KYC → manual review. Real households exist, but KYC-gated flows rarely involve two adults on the same device.
  • Any prior verdict: "bot" on that fingerprint in the last 90 days → manual review. The device has failed Foil before.
  • lifecycle.seen_count > 50 with first-seen under 24 hours → auto-reject. That’s a headless browser being spun up repeatedly on one machine.
See Promo & trial abuse for a more general treatment of the cross-session correlation pattern; the KYC version is essentially that page with tighter thresholds and a manual-review default.

Attaching Foil signal to the vendor

Most KYC vendors expose a metadata or custom_fields parameter on their verification API. Putting Foil’s session ID and verdict there pays off in two ways:
  • Vendor-side rules. Modern KYC platforms (Alloy, Sardine, Socure, Sumsub rules engine) let you write decisioning on custom fields. “Decline if foil_risk_score >= 30 AND document score below 0.9” is a one-line rule that would otherwise require integrating Foil into the vendor’s system separately.
  • Post-hoc reconciliation. When a chargeback, SAR, or compliance audit surfaces a KYC approval months later, the Foil session ID stamped on the vendor record lets you pull GET /v1/sessions/:sessionId and recover the full device evidence - including runtime_integrity and signals_fired - from the time of submission.
Which fields to send:
foil_attribution_category pulls from attribution.bot.facets.category.value when present; on human verdicts it’s generally null, so you may want to store "human" for consistency.

Post-KYC monitoring

Getting a human verdict at KYC submission is necessary but not sufficient. Account takeover happens later - the KYC is clean, but six months on, someone logs in from a new device, hardens their settings, and starts draining the account or withdrawing funds. Keep Foil on:
  • Every login (see Login & credential stuffing).
  • Payout / withdrawal / transfer initiation.
  • Limit-increase requests (the typical next step after compromise).
  • Any sensitive setting change - email, password, 2FA, beneficiary.
A KYC-verified account that suddenly starts producing bot verdicts or an elevated risk_score on withdrawals is a very strong ATO signal, and the fact that the account is KYC-verified makes the response more important, not less - the attacker has done the work to look legitimate precisely to unlock high-limit actions.
KYC is a regulated flow in most jurisdictions. How long you retain Foil verdicts and visitor fingerprints on KYC records is a compliance question, not just an engineering one. Confirm retention requirements with your privacy/legal team before you ship. See Privacy & data for Foil’s side of the data picture.

What’s next

Signup protection

Stop automated account creation before KYC even starts.

Promo & trial abuse

The same cross-session correlation pattern, at lower stakes.

Verdicts & scoring

Deep-dive on verdict, risk_score, and where thresholds come from.

Privacy & data

What Foil stores and for how long.