The Front Page of Fintech

The largest fintech community in the world. Subscribe to our newsletter to stay up to date on the latest in news, opinions, and all things financial technology.


This Week in Fraud

A TWIF Publication | Week of March 2, 2026

Hello Fraud Fighters!

Welcome back to This Week in Fraud, Newsletter #4. This week, the identity verification layer (you know, the thing that's supposed to catch fraud before it starts) is itself under attack. AI bots are manufacturing fake selfies with stolen IDs by the thousands. 

In other shocking (yet highly predictable) fraud and security news, a third-party identity vendor left one billion records unsecured on the open internet, 41% of organizations have unknowingly hired a fraudulent candidate, and a Ukrainian national just got five years for helping North Korean IT workers infiltrate U.S. companies.

The theme this week is simple: fraud has found the weak spot in your front door. It’s your face. 

Let's talk about it…

Nick Holland


Big Story: The KYC Factory

You know that robust facial biometric security check you built your onboarding process around and were promised was the next level of authentication security? Well, it’s being defeated at scale by a fully automated bot pipeline that requires zero human involvement.

In Frank McKenna’s excellent “FrankonFraud” newsletter, OCR Studio CTO Konstantin Bulatov details exactly how it works, and it's actually pretty elegant.  

  • Step one: AI bots harvest stolen identity documents — passports, driver's licenses, national ID cards — from dark web forums and breach dumps, and the dark web is replete with raw materials. 
  • Step two: for each stolen document, the AI searches social media for a look-alike — someone with similar enough facial features to fool a biometric comparison check. It doesn't need a perfect match, just close enough.
  • Step three: the bot stitches the look-alike photo together with the stolen ID into a composite "selfie with ID" image.
  • Step four: it fires these composites at verification systems by the thousands. At a false acceptance rate of just 0.1%, submitting 10,000 fakes yields roughly 10 successful fraudulent account openings per run. 

Aaand… repeat. Often. The pipeline runs continuously, without human involvement, across multiple targets simultaneously. 

What makes this particularly insidious is the constantly updating pool of resources to tap into. Every major breach that includes government ID images (and there have been dozens) feeds directly into this attack pipeline. The criminals aren't even paying for their raw materials; they're harvesting them from the wreckage of other people's security failures.

For fraud teams, this means passive document verification and facial comparison alone are no longer sufficient. Liveness detection needs to be real liveness detection, not just "is this a video" but "is-this-a-live-human-being-in-front-of-a-camera-right-now-in-this-session-under-conditions-we-control." The days of checking a document and a face are becoming about as reliable as a signature on the back of a credit card. 

“It’s OK, we have facial biometric onboarding…”

A sliver of silver lining for the good guys — one perpetrator has been caught. On February 27th, Yurii Nazarenko, 27, pleaded guilty in Manhattan federal court to running OnlyFake, a website that generated more than 10,000 fake government ID images, including U.S. driver's licenses from all 50 states, passports, passport cards, and Social Security cards. Customers paid in crypto and could buy bulk packages of hundreds of IDs at a time.

Nazarenko has agreed to forfeit $1.2 million and faces up to 15 years at sentencing in June. OnlyFake was purpose-built infrastructure for exactly the bot pipeline described above, and it’s fair to predict that this won’t be the end of this particularly “zeitgeisty” form of fraud. 



Quick Hit #1: The Vendor That Knew Too Much (And Secured Too Little)

On the subject of the supply chain for stolen identity documents — IDMerit, a global digital identity verification company whose services power KYC and AML onboarding across financial services, fintech, telecom, and insurance, left a database containing an estimated one billion sensitive identity records exposed on the open internet.

It’s a truly shocking security lapse; a terabyte of personal data — full names, dates of birth, addresses, phone numbers, email addresses, national ID numbers, and structured KYC verification logs — sitting in an unsecured cloud instance across 26 countries.

Source: Cybernews.com

The irony of a KYC vendor becoming the world's largest unguarded ID repository would be solid schadenfreude material if the stakes weren't so high. The exposed records weren't from a bank breach, but from the vendor layer — the infrastructure that exists specifically to reduce fraud risk for its clients. And because identity verification vendors aggregate data from hundreds of clients across industries, a single misconfiguration can expose data from millions of people who have never heard of IDMerit but submitted their documents through a platform that used it.

Why it matters: This incident illustrates why third-party vendor risk management isn't optional anymore. When you outsource your KYC, you outsource your data custody. And when your vendor messes up, your customers are the ones exposed, even if your own systems are perfectly clean. Real monetary and reputational damage are on you.


Quick Hit #2: The North Korea IT Worker Problem Just Got Its First Conviction

Oleksandr Didenko, 29, of Kyiv, was sentenced to five years in federal prison this week for operating Upworksell, a website that let overseas workers — including North Koreans — purchase or rent stolen U.S. identities to fraudulently obtain employment at American companies. Didenko handled more than 870 stolen identities. The wages earned by the North Korean IT workers were funneled back to Pyongyang, where they contributed to the regime's internationally sanctioned nuclear weapons program.

He also organized "laptop farms" — rooms full of open laptops at U.S. residential addresses in California, Tennessee, and Virginia — so North Korean workers could appear to be physically located inside the country while actually operating remotely from overseas. The FBI seized Upworksell in 2024, Polish authorities arrested Didenko, and he was extradited and pleaded guilty.

The takeaway: The gap between the threat and the response is significant. The Didenko conviction is a warning shot and likely the tip of the iceberg. The scale of North Korean IT worker infiltration is far larger than one man's laptop farm operation.


Quick Hit #3: CNP Debit Fraud Uptick

The Kansas City Federal Reserve Bank published an analysis this week of the Fed Board's 2023 debit card data that makes for uncomfortable reading: card-not-present (CNP) fraud rates on non-prepaid debit cards continued to climb between 2021 and 2023, and the numbers fall hardest on cardholders rather than issuers or merchants.

The CNP trend was expected. The in-person data is more interesting. EMV chip migration — the global rollout that was supposed to kill card-present fraud — has produced a split result. On dual-message networks like Visa, card-present fraud rates are declining. On single-message networks like Star and NYCE, they're rising. The same physical card technology is producing divergent outcomes depending on the rails underneath it.

Source: Kansas City Fed

There's also a distributional problem buried in the data reflecting an increasingly polarized US wealth landscape. The Fed's research found that fraud is most concentrated among financially vulnerable consumers — and those consumers are also the most likely to absorb the loss themselves rather than recover it.

Why it matters: This data lands in the middle of an active policy fight. The Fed's biennial debit report re-ignited debate last year over the debit interchange fee cap — a cap that partially exists to fund fraud prevention. If fraud costs are climbing while the cap constrains issuer economics, something has to give: either better prevention infrastructure, or the cardholder eats it. Right now, it's mostly the cardholder.

So, is it time to revisit the debit interchange fee cap? Drop me a comment below.


Quick Hit #4: Pig-Butchering's $370M January

CertiK reported that crypto scammers stole $370.3 million in January 2026 alone — the largest single-month total in nearly a year. Of that, roughly $311 million came from social engineering tactics, a category that includes pig-butchering operations.

Pig-butchering (sha zhu pan — "slaughter the pig" in Chinese) is the romance-and-trust scam model where fraudsters build weeks or months of emotional connection before introducing a "can't-miss" crypto investment platform. Unlike phishing, which depends on urgency, pig-butchering depends on patience. The victim genuinely believes they're investing alongside a friend. The platform shows real-looking profits. Small withdrawals succeed — until the big one doesn't.

In January 2026, a U.S. federal court sentenced Daren Li, a dual citizen of China and St. Kitts and Nevis, to 20 years in prison for leading a pig-butchering network that defrauded victims of more than $73 million. His operation set up fake websites and used front companies to launder the proceeds.

The enforcement picture is no longer just improving — it's accelerating. This week alone, two major seizures landed. The DOJ's Scam Center Strike Force — stood up just three months ago to target crypto investment fraud linked to Chinese transnational criminal organizations — announced it has frozen and seized more than $578 million in cryptocurrency, the largest pig-butchering enforcement action to date. Separately, federal agents in North Carolina seized $61 million in USDT from a romance-to-trading-platform scheme, with Tether cooperating directly to freeze the wallets. That's $639 million in a single week. The challenge remains scale: Chainalysis pegs crypto scam losses in 2025 at $17 billion, with AI-driven impersonation schemes growing 1,400% year-over-year. Enforcement is moving faster. The gap is still enormous.


This Week in Fraud is a publication for fintech operators, fraud teams, and risk professionals. Have a tip or story? Reply to this email.