Inside the billion-dollar identity fraud ecosystem


Identity theft has evolved rapidly into a high-stakes battlefield, one where criminals operate like well-funded startups with R&D budgets, strategic playbooks, and sophisticated technology. What was once dominated by lone hackers has now evolved into a multi-billion-dollar ecosystem that continues to adapt and outsmart even the most robust security systems.

According to recent Federal Trade Commission (FTC) data, American consumers reported losing more than $12.5 billion to fraud in 2024, a sobering 25% increase from the previous year. As digital transactions and AI-driven technology become more embedded in our daily lives, more entry points are created for malicious hackers.

These bad actors are no longer simply scammers in a basement, but employees of a structured organization with goals that extend far beyond just stealing credit card numbers.

Product Director at AU10TIX.

How Identity Fraud Organizations Operate

Today’s identity fraud groups operate with the same precision as modern tech companies. Their objectives can vary from financial gain or data exploitation to influence and control, and each member has a clearly defined role, whether acquiring data, laundering stolen funds, or developing new tools to evade detection.

Their first step is to decide whether to steal, buy or create the identity data they need. This is usually influenced by cost, risk level, and the quality of data required. Professional fraudsters prefer to use real data, but some large-scale outfits like Nigerian fraud ring Scattered Canary also utilize sophisticated synthetic IDs created through methods like credit‑building or “Frankenstein” PII. Credit building involves gradually establishing a fake identity’s legitimacy by opening and managing accounts over time, while “Frankenstein” PII refers to synthetic identities stitched together from pieces of real and fake PII.

Once they have the information they need, their targets typically fall into three categories:

  • Weak targets, including organizations and individuals with lax security and identity verification (IDV) systems. Americans 30 to 39 years old are most likely to fall victim to identity theft, with younger and older generations least likely.
  • Trending markets such as cryptocurrency, which attract many users and make it easier to remain anonymous
  • Industry insiders with inside knowledge of business operations, an approach that enables fraudsters to evade detection systems

Some real-world case studies of successful fraud organizations include Lazarus Group, FIN7, Scattered Canary, Wizard Spider, and Evilnum. Lazarus, believed to be backed by the North Korean government, targets financial institutions and global cryptocurrency exchanges, conducting cyber espionage and financial theft to fund state objectives. Their attack on cryptocurrency firm Bybit resulted in a staggering $1.5B theft, making it the largest digital currency heist in history.

Other fraud groups, such as FIN7, operate more like a criminal conglomerate targeting enterprises in the U.S. hospitality and retail sectors. Their specialty is selling stolen payment card data on the dark web for financial gain.

How They Acquire Stolen Identities and Evade Detection

Credit card fraud remains the most common type of identity theft in 2024, but professional fraud organizations have an entire toolkit for gathering personal information, relying on tactics that include:

  • Social media harvesting: Collecting information from public profiles, including names, birthdays, locations, and voice recordings
  • Data leaks and breaches: Exposing sensitive data, which is frequently traded on dark web forums and encrypted channels
  • Phishing and social engineering attacks: Using fake emails, texts, and calls to trick individuals into revealing sensitive information

However, more advanced tactics used by professional groups have become “the norm”:

  • Card skimming: Installing devices on ATMs or point-of-sale systems to steal payment card information
  • Account takeover services: Purchasing verified accounts from illegal marketplaces
  • Insider theft: Hiring or bribing employees at financial institutions and retailers to leak customer data

Professional fraud organizations continuously adapt their techniques and avoid detection by using VPNs, injection tools, and methods to erase file markers, such as deleting logs and altering timestamps and metadata. By understanding the mechanics of fraud detection systems, malicious actors can find ways to evade capture.

The Startup Model of Organized Crime

Modern fraud organizations have embraced a startup mentality. They invest in R&D, rapidly adapt their attack methods, and even offer Fraud-as-a-Service (FaaS) solutions, bundling open-source tools for criminals who want to launch automated identity scams.

Some popular darknet fraud tools include phishing kits, Remote Access Trojans (RATs), keyloggers, identity spoofing kits, real-time injection tools for ID fraud, and deepfake databases with synthetic faces. Essentially, fraud organizations now resemble lean, agile startups capable of shifting direction quickly and scaling efforts as needed.

Deepfakes and Generative AI: A New Era of Deception

The global deepfake market is expected to reach $13.89 billion by 2032, and fraudsters are already heavily using the technology to their advantage. Initially, cybercriminals used deepfake tools during onboarding processes to fool verification systems. Now, deepfakes are increasingly used at points of access, impersonating real customers using fake faces or voices, often injected in real time during video verifications. These “live-session attacks” are on the rise, with deepfake-driven cybercrime growing over 700% in a single year. Some organizations even create deepfake-generated identity databases full of hyper-realistic digital personas ready to be used in fraud attempts.

Generative AI is another modern technology that is increasingly being used by bad actors to develop fraudulent documents, scripts for bots, and fake behaviors that mimic humans, making it difficult to determine what’s real and what’s not. Companies’ use of genAI in business automation can inadvertently open pathways for fraudsters, as well.

Organizational Risks and Resistance

The implications for businesses are far-reaching; financial losses are only the beginning. Reputational damage, erosion of customer trust, and regulatory scrutiny follow closely behind.

Current defenses such as real-time liveness detection, biometric verification (such as facial recognition and injection detection) and AI-powered fraud detection are generally reactive and designed to detect individual cases of fraud at the user level. But modern fraud organizations focus on creating a single, perfect fake ID, one that will fool case-level detection, and use it in automated mass attacks against hundreds or thousands of businesses simultaneously.

One proven way to detect this type of sophisticated mega-attack is through traffic-level detection, which uses advanced algorithms and machine learning to detect suspicious patterns and anomalies based on incoming and historical traffic patterns. On the individual level, these IDs are indistinguishable from the real thing, but through a macro view, the fraud can be identified and intercepted.

Other viable detection methods include:

  • Risk Signals: Assessing the likelihood of fraud based on multiple factors, including IP geolocation, login patterns, and transaction anomalies
  • Device Reputation: Evaluating the trustworthiness of a device based on its fraud history
  • Behavioral Analytics: Tracking user behavior such as typing speed, mouse movement, and search habits to detect anomalies
  • Shared Consortium Intelligence: Pooling anonymized fraud data across organizations to identify and proactively stop attacks
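The traffic-level detection described above, combined with the risk signals in this list, can be illustrated with a small detector run over verification-attempt logs. The following is an added example written for this article, not AU10TIX's product or code: the log format, the field names, the sample lines, and the thresholds (a one-hour window, three tenants, the score weights) are all constructed assumptions. The check that matters is the cross-tenant one: a document fingerprint that looks clean at any single business is flagged only when the same fingerprint is presented to several businesses within a short window.

```python
"""Traffic-level anomaly check over constructed identity-verification logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): one onboarding attempt per line.
# Fields: timestamp | tenant (business receiving the attempt) | document
# fingerprint | device fingerprint | IP geolocation country | document country
SAMPLE_LOG = """\
2025-05-01T09:00:00|bank-a|doc-7f3a|dev-01|NG|US
2025-05-01T09:12:00|bank-b|doc-7f3a|dev-01|NG|US
2025-05-01T09:25:00|crypto-x|doc-7f3a|dev-02|NG|US
2025-05-01T09:40:00|retail-y|doc-7f3a|dev-02|NG|US
2025-05-01T10:05:00|bank-a|doc-c21e|dev-03|US|US
2025-05-01T10:30:00|bank-b|doc-9b0d|dev-04|US|US
2025-05-01T14:00:00|crypto-x|doc-9b0d|dev-04|US|US
"""

# Assumed device-reputation feed: prior fraud history per device, scored 0-40.
DEVICE_REPUTATION = {"dev-01": 20}


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    tenant: str
    doc_hash: str
    device_id: str
    ip_country: str
    doc_country: str


def parse_log(text):
    """Parse the pipe-separated log format assumed above into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tenant, doc_hash, device_id, ip_c, doc_c = line.split("|")
        attempts.append(Attempt(datetime.fromisoformat(ts), tenant, doc_hash,
                                device_id, ip_c, doc_c))
    return attempts


def cross_tenant_reuse(attempts, window=timedelta(hours=1), min_tenants=3):
    """Traffic-level check: return {doc_hash: tenants} for documents presented
    to at least `min_tenants` distinct businesses inside one sliding window.
    Each attempt on its own passes case-level checks; only the macro view
    across tenants reveals the mass attack."""
    by_doc = defaultdict(list)
    for a in attempts:
        by_doc[a.doc_hash].append(a)
    flagged = {}
    for doc_hash, rows in by_doc.items():
        rows.sort(key=lambda a: a.ts)
        for i, start in enumerate(rows):
            tenants = {r.tenant for r in rows[i:] if r.ts - start.ts <= window}
            if len(tenants) >= min_tenants:
                flagged[doc_hash] = tenants
                break
    return flagged


def risk_score(attempt, device_reputation, flagged_docs):
    """Combine per-attempt risk signals with traffic-level context into 0-100.
    Weights are assumed for illustration, not calibrated values."""
    score = 0
    if attempt.ip_country != attempt.doc_country:
        score += 30                                   # geolocation mismatch
    score += device_reputation.get(attempt.device_id, 0)  # device reputation
    if attempt.doc_hash in flagged_docs:
        score += 50                                   # document reused across tenants
    return min(score, 100)


def score_log(text, device_reputation=DEVICE_REPUTATION):
    """Run both checks over a log and return (flagged_docs, [(tenant, doc, score)])."""
    attempts = parse_log(text)
    flagged = cross_tenant_reuse(attempts)
    scored = [(a.tenant, a.doc_hash, risk_score(a, device_reputation, flagged))
              for a in attempts]
    return flagged, scored


if __name__ == "__main__":
    flagged, scored = score_log(SAMPLE_LOG)
    print("cross-tenant reuse:", flagged)
    for row in scored:
        print(row)
```

In the constructed log, `doc-7f3a` reaches four businesses in forty minutes and is flagged, while `doc-9b0d` appears at two businesses three and a half hours apart and is not; the per-attempt score then rises only for attempts tied to a flagged document, a mismatched geolocation, or a device with prior history. In practice the document and device fingerprints would come from the verification pipeline and the tenants from a shared consortium feed, since a single business cannot see the cross-tenant pattern alone.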

The Evolving Battle Against Fraud: What Organizations Must Do Now

The fight against identity fraud is no longer about catching individuals, but staying one step ahead of enterprise-level adversaries. Raising awareness of common tactics used by cybercriminals is crucial to understanding how to strengthen identity security. As long as identity remains the key to access, cybercriminals will continue to pick the lock.

To keep up, businesses must shift from reactive, case-by-case detection to proactive, system-wide defense strategies. This means investing in traffic-level anomaly detection, behavioral analytics, and layered identity verification methods that can spot synthetic identities, deepfakes, and other fraud attempts before they can cause damage.

Also, just as fraud groups exchange tools and tactics with each other, organizations must counter by sharing intelligence and gathering threat data across industries. By adopting these methods, businesses can evolve as quickly as the threat landscape and outsmart their adversaries.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro


