A Chinese television demonstration showing fingerprint data extracted from a peace sign selfie using AI tools has drawn formal warnings from cybersecurity researchers and privacy firms that biometric exposure in social media photos is an active attack vector, not a theoretical one.

Li Chang, a financial expert on a mainland Chinese workplace reality show, used a celebrity’s selfie and image-editing software to pull fingerprint ridge detail from a peace sign pose in April, stating that photos taken within 1.5 meters of the camera carry a high probability of yielding complete fingerprint data.

Jing Jiwu, a cryptography professor at the University of Chinese Academy of Sciences, confirmed to China Newsweek that high-definition cameras make it “technically possible to reconstruct detailed fingerprint information” from the ‘V’ pose, with risk increasing when attackers hold multiple images of the same subject.

The broadcast followed a formal Europol report from April 2025, identifying AI-generated synthetic fingerprints, deepfakes, and cloned voices as active tools for bypassing biometric authentication systems. 

Group-IB research published in January 2026 documented 8,065 biometric injection attacks at a single financial institution over an eight-month window between January and August 2025, using AI-generated deepfakes, with attack tools available on criminal marketplaces for as little as $5.

Bryan Lopez, a cybersecurity and AI technology leader at Microsoft, told Newsweek that “what previously required forensic laboratory resources is now within reach of motivated, non-specialist actors,” adding that voice cloning tools and deepfakes have further expanded the biometric attack surface.

The 2015 breach of the U.S. Office of Personnel Management (OPM) exposed 5.6 million federal employee fingerprints. A 2019 breach of biometric security firm Suprema compromised over one million records. Unlike passwords, stolen biometric identifiers cannot be reset or reissued.

Bojan Simic, CEO of identity verification firm HYPR, told Newsweek that selfie-based extraction “is still a highly targeted and technically complex process,” but cautioned that “relying on any single factor of authentication alone is risky” in the current threat environment and advocated for passkey-based, device-bound authentication credentials.