This Week in Fraud (3/17)

Hello Fraud Fighters!

Welcome back to This Week in Fraud, Edition #5. This week, Nasdaq Verafin dropped a whopper of a statistic: financial crime is now a $4.4 trillion annual problem, growing at nearly 20% a year. Meanwhile, Congress is arguing about who should pay for America's $16.6 billion scam epidemic, the UK dropped a £250 million fraud strategy, Treasury sanctioned North Korea's IT worker network, and JPMorgan is being sued for allegedly banking a $328 million Ponzi scheme.

Let's get into it.

Nick

Since this week we’re all collectively been looking at the cost of gas ($4.60 in Vermont on Sunday BTW!), let’s put that $4.4 trillion stat next to something familiar: the global oil and gas industry generates roughly $7 trillion in annual revenue. Financial crime is as much as half of that.

Nasdaq Verafin's 2026 Global Financial Crime Report, published March 11 and based on a model synthesizing nearly 500 global studies alongside a survey of more than 500 financial crime professionals, puts total illicit financial activity at $4.4 trillion in 2025 — a $1.3 trillion increase since 2023, compounding at 19.2% annually. As we would say back home… “flippin Nora!”

The numbers break down in ways that matter directly for bank and fintech fraud teams. Of the $4.4 trillion total, $579.4 billion came from bank fraud and scams — an 8.2% increase over two years — with $62 billion of that attributable to scams specifically, up 19.3%. Cyber-assisted and AI-enabled scams accounted for $14.3 billion, growing 19.6% over the same period.

The AI throughline runs everywhere. 90% of financial crime professionals surveyed said they saw an increase in AI-driven attacks over the past two years. And the problem is getting harder to detect. Traditional “tells” such as spelling errors, awkward phrasing, and obvious templates are a thing of the past and the iterations are getting more sophisticated daily —

Nasdaq Verafin's response to its own findings is a proactive one: the firm is pledging to mobilize private sector collaboration through a partnership with the UN Office on Drugs and Crime (UNODC), beginning with an in-person summit on October 20 at the Nasdaq MarketSite in New York. The underlying argument — that no single institution can solve a $4.4 trillion problem alone, and that network effects are the only credible counter to networked crime.

It’s a start. The industry's information-sharing infrastructure still badly lags the threat and really needs to address the magnitude of the problem.

Our friends at Safeguard are hosting their inaugural AI Deepdive Retreat for leaders working in fraud, compliance, and identity from May 3–6 at The Broadmoor in Colorado Springs.

Practitioners who qualify get a complimentary ticket and $1,500 travel reimbursement. Registration closes April 10th.

That's the AI paradox hiding in your CX stack. Tickets close. Customers leave. And most teams don't see it coming because they're measuring the wrong things.

Efficiency metrics look great on paper. Handle time down. Containment rate up. But customer loyalty? That's a different story — and it's one your current dashboards probably aren't telling you.

Gladly's 2026 Customer Expectations Report surveyed thousands of real consumers to find out exactly where AI-powered service breaks trust, and what separates the platforms that drive retention from the ones that quietly erode it.

If you're architecting the CX stack, this is the data you need to build it right. Not just fast. Not just cheap. Built to last.

See the data

The House Financial Services Subcommittee on Financial Institutions held a hearing last week on America's fraud crisis — and the central fight is over liability. The FBI puts 2024 cybercrime losses at $16.6 billion, up 33% year-over-year. The FTC tallied $12.5 billion in consumer fraud losses in the same period. Both are undercounts.

Democrats are pushing the Protecting Consumers from Payment Scams Act — a 50/50 liability split between sending and receiving FIs, modeled on the UK's APP fraud reimbursement regime. Republicans say it punishes banks for fraud that originated on social media. There's more bipartisan appetite for the TRACE Act, which would create safe harbors for cross-institutional fraud data sharing without triggering FCRA or BSA exposure. The STOP Fraud Act — allowing extended holds on suspected fraudulent transactions — was also previewed.

The operational ask from industry witnesses was pointed: modernize Regulation CC's funds availability rules, create a real-time fraud signal report to replace the lagging SAR narrative process, and give institutions clear safe harbors to share device fingerprints and behavioral risk scores. None of that requires partisan consensus — and all of it would move the needle.

OFAC sanctioned six individuals and two entities Thursday for their alleged roles in North Korea's IT worker fraud networks, which span Vietnam, Laos, Spain, and the DPRK itself. Among those sanctioned: Amnokgang Technology Development Company, a North Korean firm accused of managing overseas workers, and the CEO of a Vietnamese firm accused of laundering $2.5 million through cryptocurrency for the network. The action froze 21 cryptocurrency addresses across Ethereum and Tron.

Chainalysis noted that the targeting of addresses across multiple blockchain networks reflects North Korea's increasingly multi-chain approach to moving illicit funds, and warned that beyond generating fraudulent income, these workers have also been known to introduce malware into company networks to extract proprietary data. This is the sanctions layer on top of the criminal prosecution layer — the Didenko laptop-farm conviction covered in Edition #4 was the arrest; this is OFAC's financial isolation follow-through. Screen all counterparties against updated OFAC lists and don't assume the North Korea IT worker problem is someone else's AML headache.

Victims of the alleged Goliath Ventures crypto Ponzi scheme filed a proposed class action in federal court this week, alleging that JPMorgan Chase processed approximately $253 million through a single Chase account linked to Goliath between January 2023 and June 2025 — roughly $123 million of which was transferred on to Coinbase, and $50 million paid back to investors as purported returns — all while earning "substantial fees" and allegedly ignoring obvious red flags.

The lawsuit argues the scheme was "obvious" from the flow of funds alone and "cannot be run surreptitiously through one bank." Florida resident Christopher Delgado was arrested on wire fraud and money laundering charges last month in connection with the scheme, which allegedly affected over 2,000 investors.

The sardonic touch: plaintiffs specifically invoke Jamie Dimon's December 2023 Congressional testimony — where he told the Senate he'd "close it down" if he were the government — to argue it strains credibility that his bank didn't notice $253 million cycling through a single crypto-adjacent account. The "blind eye" liability theory — that processing obviously suspicious flows is itself actionable — is one to watch as APP fraud liability debates intensify in Washington.

South Korea's Financial Intelligence Unit handed Bithumb, the country's second-largest crypto exchange, a 36.8 billion won ($24.6 million) fine and a six-month partial suspension this week — the most severe administrative sanction against a major Korean crypto platform since the country's Special Financial Transactions Act took effect in 2021. The violations: 6.65 million AML and KYC failures, including inadequate customer identity verification, transaction reporting lapses, and — most pointedly — 45,772 crypto transfers routed through 18 unregistered overseas virtual asset service providers (VASPs), which regulators had previously and explicitly warned Bithumb to stop. The exchange's CEO received a formal reprimand while its reporting officer was suspended for six months.

The suspension runs from March 27 to September 26, restricting external crypto transfers for new customers only — existing users face no trading restrictions. The action is part of a coordinated sweep of South Korea's five largest exchanges: Upbit was fined $25M and hit with a three-month suspension in November; Korbit received a $1.9M fine in December. Bithumb's penalty is the largest of the three and the only one to include personnel sanctions at the executive level.

The lesson for compliance teams outside Korea is direct: unregistered VASP relationships are a specific, escalating enforcement target globally — not just in Seoul. If your platform routes transfers through overseas crypto counterparties, verify their registration status. Regulators have shown they will penalize institutions that ignore repeated warnings, and they will go after the individuals responsible, not just the entity.

Stripe published new analysis this week on first-party fraud across its network. 7.4% of sign-ups at AI companies involve suspected multi-account abuse, with bad actors spinning up accounts to harvest free tiers and compute resources. AI startups with direct API access see 10x more attempted abuse than enterprise AI solutions. On the refund side, Stripe estimates global refund abuse losses at approximately $100 billion annually — with "wardrobing" running at 49% among Gen Z returners, and bad actors routinely using 100+ email variations across multiple payment cards to exploit no-questions-asked refund policies.

The Cornerstone Advisors survey from Edition #2 flagged that first-party fraud now accounts for more than 40% of total bank fraud losses. Stripe's data confirms the same dynamic in commerce.