Reading view

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Blogs

Blog

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Our new guide explores how infostealers are fueling modern identity-based attacks and how organizations can build a proactive defense before stolen access is weaponized.

SHARE THIS:
Default Author Image
June 10, 2026

The New Reality of Identity-Based Threats

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from devices infected with information-stealing malware, with each record containing usernames, passwords, session data, and the context needed to use them.

Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services, session artifacts reflected active logins, and much of the information was recent enough to enable direct access without triggering traditional security controls.

This incident reflects a broader shift in the threat landscape.

More than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.

11.1 million infected hosts and devices
3.3 billion stolen credentials
Top 5 most prolific infostealers in 2025 (by infected hosts or devices):
Lumma
Acreed
Rhadamanthys
Vidar
StealC
Top 6 countries affected by information-stealing malware, 2025:
India
Brazil
Indonesia
Vietnam
Phillipines
United States

For security teams, the challenge is no longer simply detecting a breach after it occurs. It is understanding when access may already exist — where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.

That’s why Flashpoint created Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.

Drawing on Flashpoint’s Primary Source Collection (PSC) and analyst-driven intelligence, this guide helps IT, Threat Intelligence, Fraud, and HUNT teams understand how infostealers operate, how stolen identity data fuels real-world attacks, and how organizations can move from reactive response to proactive defense.

The guide explores:

  • How today’s most active infostealers power modern attack chains
  • How threat actors weaponize stolen credentials, cookies, and session data
  • How organizations can operationalize infostealer intelligence for proactive defense
  • How to evaluate infostealer intelligence providers and detection capabilities

Why Identity Has Become the Preferred Attack Surface

For years, security teams focused on vulnerabilities, malware delivery, and network intrusion as the primary paths to compromise. Increasingly, however, threat actors are taking a different

Modern infostealers such as Lumma, StealC, Vidar, Acreed, and Rhadamanthys provide attackers with something more valuable than initial access: usable identity. These malware families collect credentials, browser artifacts, session cookies, application data, and host metadata that help threat actors understand how a victim authenticates and what systems they can access.

A single infected device can expose credentials, browser artifacts, session cookies, application data, host metadata, and access to enterprise SaaS platforms. Together, these artifacts create a detailed profile of how a user authenticates, what systems they access, and how those systems trust that identity.

This is what makes infostealer data so valuable.

For years, organizations have invested heavily in detecting malware, blocking exploits, and hardening infrastructure. Meanwhile, attackers have increasingly shifted to a simpler strategy: logging in with valid identities.

Infostealers have fundamentally changed the economics of access. Threat actors no longer need to compromise a network directly when billions of credentials, session cookies, and authentication artifacts are already circulating in underground ecosystems. The challenge for defenders has risen from preventing compromise to identifying where access already exists and how quickly it can be weaponized.

Ian Gray, Vice President of Intelligence at Flashpoint

Identity data is inherently reusable. A stolen credential can be tested across multiple services. A session cookie can potentially allow attackers to hijack authenticated sessions. Browser and host metadata can help threat actors recreate a victim’s environment and bypass security controls designed to detect suspicious logins.

What begins as a single infection can quickly evolve into access across multiple systems, applications, and organizations.

What Is an Identity-Based Attack?

Identity-based attacks occur when threat actors use legitimate credentials, session cookies, authentication tokens, or other identity artifacts to gain access to systems and applications. Rather than exploiting a vulnerability or deploying malware inside a target environment, attackers authenticate as trusted users using stolen identity data.

This shift is one of the primary reasons infostealers have become so valuable. Modern infostealer logs often contain far more than usernames and passwords. They may also include browser cookies, session information, host metadata, application data, and other artifacts that help attackers understand how a user authenticates and what systems they can access. When combined, this information enables account takeover, fraud, lateral movement, and other forms of identity-based abuse.

From Credential Theft to Identity Exploitation

The way threat actors operationalize stolen data is evolving just as rapidly as the data itself.

Historically, attackers often had to manually review stolen credentials and determine which accounts were worth pursuing. Today, that process is increasingly automated.

Infostealer logs can be aggregated, tested, and prioritized at scale, allowing threat actors to rapidly identify valid access across enterprise systems, SaaS platforms, VPNs, and cloud environments.

Flashpoint identifies this as a hybrid threat: the convergence of large-scale identity compromise and automated exploitation.

Once valid access is identified, attackers can move quickly. Credentials may be reused across services. Session data can be leveraged for account takeover. Access can be sold to ransomware operators, fraud actors, or other criminal groups. In many cases, exposure itself becomes part of the attack lifecycle rather than merely a precursor to it.

The result is a threat landscape where stolen identity data is not simply stored and sold. It is continuously tested, validated, reused, and operationalized.

Turning Exposure Into Actionable Intelligence

For defenders, prevention remains important. But prevention alone is no longer enough.

Organizations must also be able to identify when credentials, session cookies, and other identity artifacts have already been exposed and are circulating within underground ecosystems.

The earliest opportunity to intervene is often after data has been exfiltrated but before attackers have successfully operationalized it.

Achieving that visibility requires more than traditional breach feeds or aggregated datasets.

Flashpoint’s Primary Source Collection approach provides direct visibility into the forums, marketplaces, Telegram channels, malware repositories, and illicit communities where infostealer activity originates. Rather than relying solely on recycled breach data, Flashpoint continuously collects from the environments where stolen identity data is first shared, sold, and operationalized.

However, collection alone is not enough.

Raw infostealer logs are noisy, fragmented, and difficult to operationalize at scale. Flashpoint transforms these logs into structured intelligence through a multi-stage workflow that includes:

  • Source ingestion from underground ecosystems
  • Normalization and de-duplication of collected data
  • Automated parsing and enrichment of credentials, cookies, host metadata, and malware attribution
  • Structured output that supports alerts, investigations, and integrations across existing security workflows

This process helps defenders understand not only what was exposed, but who may be affected, how exposure occurred, what systems may be at risk, and how quickly action is required.

Building a Proactive Defense Across the Identity Layer

The rise of infostealers has fundamentally changed how organizations should think about attack surface management.

The attack surface is no longer limited to infrastructure, endpoints, or internet-facing applications. It now includes the digital identities of employees, partners, vendors, and customers.

Security teams need visibility into the identity layer itself — understanding where exposure exists, how attackers are leveraging stolen data, and what actions should be taken before access is exploited.

By combining direct visibility into underground ecosystems with structured, actionable intelligence, organizations can identify compromised accounts earlier, uncover infection trends, prioritize response efforts, and reduce the likelihood of downstream compromise.

Download Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense to learn how your organization can build a proactive defense program across the identity layer.

Key Infostealer Statistics

According to Flashpoint research:

  • More than 11.1 million devices were infected with infostealers in the last year.
  • Over 3.3 billion credentials, session cookies, cloud tokens, and identity artifacts are circulating across illicit markets.
  • Flashpoint analysts identified 30+ active infostealer strains being sold across underground ecosystems.
  • Flashpoint’s credential database contains 48+ billion credentials, including more than 1 billion tied to infostealer activity.
  • More than 4.2% of infostealer-exposed credentials include browser cookies that may support session hijacking.
  • Flashpoint can collect and parse some infostealer logs within one to two days of infection.

Frequently Asked Questions (FAQ)

FAQ: Infostealers and Identity-Based Threats

What is an infostealer?

An infostealer is a type of malware designed to collect sensitive information from an infected device. Depending on the strain, this can include usernames and passwords, browser cookies, session tokens, saved payment information, cryptocurrency wallets, system metadata, and other identity-related artifacts.

How do infostealers work?

Infostealers infect a victim’s device and collect information such as credentials, browser data, session cookies, autofill information, cryptocurrency wallet data, and system metadata. The stolen information is packaged into files known as infostealer logs, which can then be sold, shared, or operationalized by threat actors.

What information can infostealers steal?

Depending on the malware family, infostealers can collect usernames and passwords, session cookies, authentication tokens, browser history, saved payment information, cryptocurrency wallet data, system information, installed applications, and other identity-related artifacts. The goal is to provide attackers with enough information to access accounts and impersonate legitimate users.

What are the most common infostealers?

The infostealer ecosystem changes rapidly, but Flashpoint analysts currently track strains such as Lumma (also known as LummaC2/Remus), StealC, Vidar, Acreed, and Rhadamanthys among the most prominent malware families driving credential theft and identity-based attacks.

Why are infostealers so dangerous?

Infostealers provide attackers with more than credentials. Modern infostealer logs often contain the context needed to use stolen data, including session information, browser artifacts, and device metadata. This allows threat actors to perform account takeovers, move laterally within environments, and gain access to business-critical systems. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, contributing to a pool of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts.

What is an infostealer log?

An infostealer log is a package of data collected from an infected device. Logs may contain credentials, cookies, browser data, application information, host metadata, and other artifacts that help attackers understand how a victim authenticates and what systems they can access.

Can infostealers bypass multi-factor authentication (MFA)?

In some cases, yes. While multifactor authentication remains a critical security control, stolen session cookies and authenticated session data can sometimes allow threat actors to hijack existing sessions without needing to complete the MFA process themselves. Flashpoint found that more than 4.2% of infostealer-exposed credentials in its dataset were associated with browser cookies, highlighting the growing importance of session-based risk.

How do threat actors obtain infostealer logs?

Infostealer logs are frequently bought and sold across illicit marketplaces, forums, Telegram channels, and other underground communities. Many are distributed through Malware-as-a-Service (MaaS) offerings that make infostealer capabilities accessible to a wide range of threat actors. Flashpoint analysts identified more than 30 unique infostealer strains actively offered for sale across underground ecosystems.

How can organizations detect credential exposure from infostealers?

Organizations can monitor underground sources where stolen data is shared and sold, identify exposed credentials associated with their domains, and investigate related artifacts such as cookies, host metadata, and malware attribution. The earlier exposure is identified, the greater the opportunity to remediate before attackers operationalize access. Flashpoint collects and parses some infostealer logs within one to two days of infection, helping organizations detect exposure closer to the point of compromise.

What should organizations do if employee credentials appear in an infostealer log?

Organizations should immediately assess the scope of exposure, reset affected credentials, invalidate active sessions, review authentication activity, investigate the infected device, and determine whether additional accounts or systems may have been impacted.

How is Flashpoint’s approach to infostealer intelligence different from traditional breach monitoring?

Many organizations rely on aggregated breach feeds or credential dumps that may be weeks or months old by the time they are discovered. Flashpoint’s Primary Source Collection (PSC) approach provides direct visibility into the forums, marketplaces, Telegram channels, and underground communities where stolen identity data is first shared, sold, and operationalized.

In addition to collecting raw infostealer logs, Flashpoint parses and enriches the data with context such as malware attribution, session cookies, host metadata, browser artifacts, and affected identities. Today, Flashpoint’s credential database contains more than 48 billion credentials, including over 1 billion tied to infostealer activity, providing organizations with actionable intelligence rather than raw exposure data.

Request a demo today.

The post Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk appeared first on Flashpoint.

  •  

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Blogs

Blog

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.

SHARE THIS:
Default Author Image
April 10, 2026

Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.

From Phishing Kits to a Service-Based Fraud Economy

PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.

Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.

Modern PhaaS platforms now operate similarly to legitimate SaaS providers:

  • Subscription-based pricing models
  • Prebuilt templates for major brands and services
  • Integrated delivery mechanisms (email, SMS, QR phishing)
  • Real-time dashboards for campaign tracking and credential harvesting

This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.

MFA Bypass and AI Are Reshaping Phishing Capabilities

As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.

Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.

At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.

Threat actors are using AI to:

  • Generate convincing, localized phishing lures
  • Clone brand interfaces with high fidelity
  • Optimize campaigns through automated testing and iteration

This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.

The PhaaS Pipeline: How the Ecosystem Operates

What distinguishes modern phishing operations is not just tooling, but coordination.

A typical PhaaS campaign follows a structured lifecycle:

This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.

Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized

Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.

Infrastructure and Kit Development

Phishing kit developers provide increasingly sophisticated tooling, including:

  • Reverse proxy (AiTM) capabilities for MFA bypass
  • Anti-bot protections to evade researchers
  • “Live panels” enabling real-time interaction with victims

Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.

SMS Delivery and Spoofing

Smishing has become a critical delivery vector.

Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.

Credential Exfiltration and Telegram Integration

Credential collection is increasingly automated and centralized.

Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.

From Credential Theft to Financial Monetization

The ultimate goal of PhaaS operations is monetization.

Stolen credentials are used to enable account takeover (ATO), which allows attackers to:

  • Access financial accounts
  • Lock out legitimate users
  • Initiate fraudulent transactions
  • Launch follow-on scams

Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.

Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.

This highlights how phishing is only the entry point into a broader fraud pipeline.

A Distributed Ecosystem of Threat Actors

The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.

Examples include:

  • Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
  • IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
  • Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
  • System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities

These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.

Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.

Law Enforcement Pressure Is Increasing, but the Model Persists

Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.

These efforts have:

  • Disrupted infrastructure
  • Increased operational costs for threat actors
  • Accelerated collaboration between intelligence providers and law enforcement

However, the underlying PhaaS model remains resilient.

Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.

What This Means for Security Teams

Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.

Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.

For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:

  • MFA bypass techniques such as AiTM
  • Rapid infrastructure rotation and evasion
  • The integration of phishing into broader fraud and access broker pipelines

Protecting Your Organization from the PhaaS Ecosystem

Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.

Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.

To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.

Begin your free trial today.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

  •  

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

Blogs

Blog

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

In this post, we examine how threat actors are executing tax refund fraud schemes, from sourcing identity data to bypassing verification and cashing out fraudulent returns, and what these patterns reveal about evolving fraud ecosystems.

SHARE THIS:
Default Author Image
April 9, 2026

Tax refund fraud remains a persistent and evolving threat within cybercrime and fraud communities. Threat actors actively advertise and refine schemes designed to file fraudulent returns and intercept refund payments from legitimate taxpayers.

Across illicit forums, Telegram channels, and marketplaces, discussions point to a structured ecosystem built around identity data, social engineering, verification bypass, and increasingly sophisticated cash-out methods.

For intelligence teams, these conversations provide insight into how fraud operations are scaling and where defenses are being tested and adapted.

The Structure of Modern Tax Refund Fraud Schemes

At a high level, most tax refund fraud schemes follow a consistent model: obtain identity data, file a fraudulent return, bypass verification, and extract funds.

Flashpoint analysis shows that threat actors focus on several key stages:

  • Sourcing victims or identity “fullz” (complete PII packages)
  • Obtaining or bypassing identity and return verification
  • Leveraging social engineering to support fraud workflows
  • Using tutorials and shared methods to maximize refund amounts
  • Converting refunds into cash or cryptocurrency

These stages are not isolated. They are supported by overlapping communities that specialize in identity theft, financial fraud, and account access.

Identity Data as the Foundation of Fraud

The success of tax refund fraud depends heavily on access to high-quality identity data.

Threat actors typically rely on “fullz,” which include a victim’s name, date of birth, address, and Social Security number. In some cases, fraudsters also recruit “clients” or “tax heads” — individuals who knowingly or unknowingly provide accurate tax documents and assist in bypassing verification steps.

This distinction is important. While fullz can be purchased or harvested at scale, clients often provide more reliable and current information, increasing the likelihood that a fraudulent return will be accepted.

A threat actor shares a screenshot of a text exchange with a client in which they obtain access to their TurboTax account and tax forms accessible through the account. (Source: Telegram, Flashpoint Collections).

Threat actors also seek additional data points to legitimize filings, including:

  • Identity Protection (IP) PINs
  • Adjusted Gross Income (AGI) from previous tax years
  • Access to tax preparation accounts or IRS records

These elements are frequently obtained through compromised accounts, social engineering, or access to verified identity platforms.

Verification Bypass as a Critical Enabler

Filing a fraudulent return is only part of the process. Successfully passing identity and return verification is often the deciding factor.

Threat actors place significant emphasis on accessing or creating verified accounts tied to identity systems used by government agencies. These accounts allow fraudsters to:

  • Retrieve tax transcripts and historical data
  • Respond to IRS verification requests
  • Validate identity during filing and follow-up processes

In many cases, fraudsters rely on social engineering to obtain this access. Common approaches include:

  • Creating fake job postings or tax preparation services to collect documents
  • Running romance or employment scams to gather personal information
  • Coercing victims into creating or sharing verified accounts

Threat actors also prepare for additional verification steps, such as responding to IRS letters or completing phone and in-person identity checks. These workflows often involve scripts, impersonation tactics, and coordination with cooperating “clients.”

Fraud Tactics Are Increasingly Systematic

Beyond basic filing, threat actors share detailed tutorials and playbooks designed to maximize refunds and improve success rates.

These often include:

  • Using real or falsified income data to inflate returns
  • Targeting specific tax credits, such as the Child Tax Credit (CTC), Earned Income Tax Credit (EITC), or Employer Retention Credit (ERC)
  • Claiming dependents or benefits that increase refund amounts
  • Adapting methods based on state-specific programs or eligibility requirements

A notable development is the use of fraudulent income submission schemes, where threat actors pre-populate tax records with inflated income and withholding data before filing a return.

This process typically involves:

  1. Submitting false wage data to the IRS or Social Security Administration using employer identifiers
  2. Waiting for the data to appear on official tax transcripts
  3. Filing a return that matches the fabricated figures

By aligning submitted data with filed returns, fraudsters increase the likelihood that filings will appear legitimate during verification.

Social Engineering Extends Beyond Victims

Social engineering plays a central role throughout the fraud lifecycle—and not just at the initial data collection stage.

Threat actors also target:

  • IRS representatives, attempting to verify fraudulent returns over the phone
  • Clients, persuading them to attend verification appointments or share official correspondence
  • Government offices, including outreach to congressional staff to resolve refund holds

In some cases, fraudsters use AI-generated communications to scale these efforts, including drafting messages designed to appear legitimate and urgent.

These tactics highlight how fraud operations extend into real-world processes and human interactions, not just digital systems.

Cash-Out Methods Continue to Evolve

Once a fraudulent refund is secured, the focus shifts to converting funds into usable, untraceable assets.

Common cash-out methods include:

  • Direct deposits into accounts controlled by the fraudster
  • Accounts opened by “clients” on behalf of the operation
  • Digital banking platforms and payment apps
  • Prepaid cards and alternative financial instruments

Increasingly, threat actors are moving funds into cryptocurrency to reduce traceability. This often involves:

  • Using verified exchange accounts to pass KYC requirements
  • Converting refunds into Bitcoin or other assets
  • Transferring funds to wallets controlled by the fraudster

In some workflows, the entire process — from filing to conversion — can occur within a single mobile or digital ecosystem.

Fraud Communities Enable Scale and Adaptation

Tax refund fraud does not operate in isolation. It is embedded within broader fraud ecosystems where identity data, tools, and tutorials are continuously shared.

Telegram remains a central hub for this activity, with large channels distributing:

  • Screenshots of successful refunds
  • Tutorials and “sauce” (paid or free methods)
  • Listings for identity data and services

Dark web forums also host discussions, though typically with lower volume and higher signal.

The structure of these communities allows fraud techniques to spread quickly, adapt to changing controls, and persist across multiple platforms.

What This Means for Threat Intelligence Teams

Tax refund fraud reflects a broader shift toward operationally mature, community-driven fraud ecosystems.

Flashpoint analysts assess that these schemes are becoming more structured, with clearly defined workflows for identity acquisition, verification bypass, and monetization.

For security and intelligence teams, this has several implications:

  • Identity data remains a critical point of exposure across multiple fraud types
  • Verification systems are actively targeted and tested by threat actors
  • Social engineering continues to bridge technical and human vulnerabilities
  • Fraud techniques are rapidly shared, refined, and scaled across communities

Understanding how these components connect is essential for identifying emerging fraud patterns and anticipating how threat actors will adapt.

Supporting Security Teams with Threat Intelligence During Tax Season and Beyond

Understanding how tax fraud schemes are executed from identity sourcing to verification bypass and cash-out provides critical context for detecting and disrupting fraudulent activity.

Flashpoint delivers leading intelligence that helps organizations monitor fraud communities, track evolving tactics, and identify emerging schemes before they scale. By combining primary source collection with contextual analysis, security teams can move from reactive detection to proactive defense.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Frequently Asked Questions About Tax Refund Fraud

What is tax refund fraud?

Tax refund fraud is a form of identity-based financial crime in which threat actors file fraudulent tax returns using stolen or manipulated personal information to obtain refund payments before the legitimate taxpayer files.

How do threat actors obtain the information needed to commit tax fraud?

Threat actors typically rely on stolen identity data, often referred to as “fullz,” which includes a victim’s name, date of birth, address, and Social Security number. This information is sourced from infostealer malware logs, phishing campaigns, data breaches, social engineering, and illicit marketplaces.

In some cases, fraudsters also recruit “clients” who provide real tax documents or assist in verification processes.

How do fraudsters bypass identity verification for tax returns?

Fraudsters use a combination of tactics to bypass identity and return verification, including:

  • Accessing or creating verified identity accounts used for tax authentication
  • Obtaining prior-year tax data such as adjusted gross income (AGI)
  • Using stolen or socially engineered identity protection (IP) PINs
  • Responding to IRS verification requests using scripts, impersonation, or cooperating individuals

These methods allow fraudulent returns to appear legitimate during processing.

What are common tax fraud tactics used by threat actors?

Common tactics include:

  • Filing returns using stolen personal information
  • Inflating income or tax withholding amounts to increase refunds
  • Claiming fraudulent dependents or tax credits
  • Submitting false wage data to government systems before filing
  • Using real tax forms combined with manipulated data

These approaches are often shared and refined within fraud communities.

What is a “fullz” in tax fraud?

A “fullz” refers to a complete set of personally identifiable information (PII) about an individual, typically including name, date of birth, address, and Social Security number. Fullz are used by fraudsters to file tax returns, open accounts, and conduct other identity-based financial crimes.

How do fraudsters cash out fraudulent tax refunds?

After a fraudulent return is accepted, threat actors typically attempt to convert the refund into usable funds through:

  • Direct deposits into controlled or intermediary accounts
  • Accounts opened by recruited participants
  • Digital banking platforms or prepaid cards
  • Cryptocurrency conversion using verified exchange accounts

The goal is to move funds quickly and reduce traceability.

Why is tax refund fraud difficult to detect?

Tax refund fraud can be difficult to detect because it leverages legitimate systems and processes, including real identity data, authentic tax preparation services, and verified accounts. Fraudsters also adapt quickly by sharing new techniques and bypass methods across online communities.

How do fraud communities support tax refund fraud schemes?

Fraud communities, particularly on platforms like Telegram and dark web forums, enable threat actors to share tutorials, tools, and identity data. These communities accelerate the spread of techniques, allowing fraud schemes to scale and evolve rapidly.

What should security and fraud teams monitor to detect tax fraud activity?

Teams should monitor for:

  • Unusual access to identity data or tax-related accounts
  • Indicators of compromised credentials or identity verification systems
  • Discussions of tax fraud methods, tutorials, or cash-out techniques in illicit communities
  • Patterns in fraudulent filings or refund activity

Incorporating intelligence from fraud communities can provide early visibility into emerging tactics.

How does Flashpoint help organizations detect and prevent tax refund fraud?

Flashpoint helps organizations detect and respond to tax fraud by providing intelligence on how threat actors source identity data, bypass verification systems, and cash out fraudulent returns.

Through primary source collection across platforms like Telegram and dark web forums, Flashpoint enables teams to monitor fraud communities, identify emerging tactics, and understand how schemes are evolving. This intelligence helps organizations move from reactive detection to more proactive identification of fraud risk.

Begin your free trial today.

The post Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels appeared first on Flashpoint.

  •  

How to Combat Check Fraud: Leveraging Intelligence to Prevent Financial Loss

Blogs

Blog

How to Combat Check Fraud: Leveraging Intelligence to Prevent Financial Loss

Criminals increasingly steal checks and sell them on illicit online marketplaces, where check fraud-related services are common. Intelligence is helping the financial sector fight back

SHARE THIS:
Default Author Image
May 18, 2023

Stolen checks and the impact of Covid-19

Checks are one of the most vulnerable legacy payment methods. Check fraud can actively affect the bottom lines (and reputations) of banks, financial services organizations, government entities, and many other organizations that utilize checks. According to the Financial Crimes Enforcement Network (FinCEN), fraud—including check fraud—is “the largest source of illicit proceeds in the US” as well as “one of the most significant money laundering threats to the United States.” 

Targeting the mail

Criminals target the US mail system to steal a variety of checks. In fact, there is a nationwide surge in check fraud schemes targeting the US mail and shipping system, as threat actors continue to steal, alter, and sell checks through illicit means and channels. 

This includes personal checks and tax refund checks to government or government assistance-related checks (Social Security payments, e.g.). Business checks are also a primary target because they are often written for larger amounts and may take longer for the victim to identify fraudulent activity.

In 2022 alone, US banks filed 680,000 check fraud-related suspicious activity reports (SARs). This represents a nearly two-fold increase from 2021 (which itself represents a 23 percent YoY increase from 2020). This surge in check fraud has been exacerbated by Covid-19 Economic Impact Payments (EIPs) under the CARES Act, which presented threat actors with a new avenue to attempt to commit fraud.

Related Reading

This Is What Covid Fraud Looks Like: Targeting Government Relief Funding

Read now

Check fraud: A mini use case 

In order to mitigate and ultimately prevent check-fraud-related risks, it’s crucial for financial intelligence and fraud teams to understand what threat actors seek, how they work, and where they operate. 

This begins, as we detail below, with intelligence into the communities, forums, and marketplaces where check fraud occurs as well as the tools that enable deep understandings, timely insights, and measurable action. 

Below is an intelligence narrative, in three acts, that tells the story of how transactions involving some of the above examples could play out.

Act I: Obtain

Threat actors are known to remove mail from individuals’ mailboxes and parcel lockers using blue box “arrow” master keys. These arrow keys are often stolen from USPS employees, which has led to numerous incidents of harassment, threats, and even violence. Generally, arrow keys are sold within illicit community chats and/or the deep and dark web, often fetching upwards of $3,000 per key.

In general, when it comes to check fraud, threat actors may sell or seek: 

  • Mailbox keys
  • Stolen checks
  • Check alteration services (physical and digital)
  • Synthetic identity provisioning
  • Drop account sharing
  • Counterfeit check creation
  • Writing a check with insufficient funds behind it
  • Insider access
A screenshot of Flashpoint’s Ignite platform, showing the results of an OCR-driven search for stolen checks.

Act II: Alter

Check alteration comes in two forms: “washing” and “cooking.” 

Washing refers to the process of altering a check by chemically removing ink and replacing the newly empty spaces with a different value, recipient name, or another fraud-enabling alteration. 

Cooking involves digitally scanning the check and altering text or values through digital means.

Act III: Monetize

Threat actors will deposit the fraudulent check and rapidly withdraw the funds from an ATM, or sell a stolen or altered check on an illicit marketplace or chat group, and then receive payment, often via cryptocurrency.

Four key elements of actionable check fraud intelligence

Financial institutions should rely on four essential intelligence-led technologies, tools, or capabilities to effectively combat check fraud.

1) Visibility and access to illicit communities and channels

To prevent check fraud, organizations should focus on a few key places. Financially motivated threat actors operate and share information on messaging apps like Telegram and other open-source channels, as well as illicit marketplaces on the deep and dark web. Therefore, it is imperative for financial intelligence and fraud teams to have access to the most relevant check fraud-related threats across the internet. 

Keep in mind, however, that accessing these communities is not always straightforward and, if done frivolously, can compromise an investigation.

2) Timeliness and curated alerting

Intelligence is often only as good as it is relevant. Flashpoint enables security and intelligence practitioners to bubble the most important, mission-critical intelligence through our real-time alerting capability, which allows users to receive notifications for keywords and phrases that relate to their mission, such as check fraud-related lingo and activity. 

Essential Reading

The Flashpoint Guide to Card Fraud for the Financial Services Sector

Read now

In addition to real-time alerts, analysts can rely on curated alerting and saved searches to track topics of long-term interest. Flashpoint Ignite enables analysts to research particular accounts and their recent activity and matches transactions to their respective ATM slips and institution address. This helps to ensure the accuracy of the information found within these communities and marketplaces before raising any alarms, as many scammers post false content. 

This approach is particularly valuable as check fraudsters often share crucial information such as preferred methodologies, social media handles, and geolocations that can aid in identifying malicious activities. In addition, by closely observing newly emerging trends, such as the evolution of pandemic relief fraud to refund fraud to check fraud, analysts can proactively develop robust preventative measures to mitigate risks before these tactics become widespread.

3) Actionable OCR and Video Search

In order to provide “material proof,” cyber threat actors will often tout and post an image of a check in a chat application or marketplace in hopes of increasing the likelihood of a successful transaction. Optical Character Recognition (OCR) technology can capture important information about check fraud attempts, since actors often share images of the fraudulent check or subsequent monetization transactions. OCR alerts are customizable with the financial institution’s name and common phrases used on checks to enhance accuracy.

Images of fraudulent checks provide valuable insights into the fraud attempt, including the check’s unique identifier, the account holder’s name, the bank’s name and address, and the endorsement signature. By analyzing these details, financial institutions and law enforcement agencies can identify patterns and leads that can help them track down the perpetrators and prevent future fraudulent activity.

Related Resource

The Risk-Reducing Power of Flashpoint Video Search

Read now

Moreover, ATM withdrawal slips can offer critical information about the transaction, such as the location of the ATM, the time of the deposit, and the type of account used. This data is useful when taking appropriate measures to prevent similar attempts and protect customers’ assets. With the help of advanced technologies like Flashpoint’s OCR, institutions can quickly extract and analyze this information to generate real-time alerts and take prompt action to prevent monetary losses.

An essential investigative component, Flashpoint’s industry-first video search technology, like its OCR capability, enables fraud and cyber threat intelligence (CTI) teams to surface logos, text, explicit content, and other critical intelligence to enhance investigations.

Combat check fraud with Flashpoint

Flashpoint delivers the intelligence that enables financial institutions to combat check fraud at scale. With timely, actionable, and accurate intelligence, financial institutions can mitigate and prevent financial loss, protect customer assets, and track down perpetrators. Get a free trial today to learn how:

  • A financial services customer detected more than $4M in illicitly marketed assets, including checks and compromised accounts, using Flashpoint’s OCR capabilities. 
  • A customer received 125 actionable alerts in a single month equated to over $15M in potentially averted losses.
  • An automated alert enabled a customer to identify a threat actor’s specific operations, saving them over $5M.

Request a demo today.

  •  
❌