A wire transfer originates at a bank in the United Arab Emirates, routes through a correspondent bank in Europe and lands at an American financial institution as what appears to be a routine commercial payment. The compliance team at the receiving bank sees a company with clean corporate filings, a beneficial owner whose documents check out, and a payment from a jurisdiction that carries no sanctions risk. Nothing triggers a flag. On the other end of that transaction is the Iranian government, and the identity documents underpinning the shell company that sent it were assembled from stolen Social Security numbers purchased on a dark web market six weeks earlier.
I spend my days inside the fraud networks that make operations like this possible, monitoring dark web markets, Telegram channels, document forgery platforms and the facilitator networks that handle logistics on the ground. Iran, North Korea, Russia, and China are all running operations working to overcome the defenses of American institutions right now. The machinery they rely on is more visible than most people assume, if you know where to look.
Every one of these operations starts in the same place: underground markets selling stolen identity components. Social Security numbers, dates of birth, address histories, account credentials, all harvested from data breaches, packaged, and priced by freshness and geographic origin. Russia supplies more of this raw material than any other country, through infostealer malware that captures everything typed or stored on a victim’s computer and quietly sends it to collection servers for sorting and resale.
One of the marketplaces I monitor, a Telegram channel called “Karma Fullz,” is run by Russian-speaking actors and sells the identities of former legal immigrants to the United States, bundled with associated bank accounts and established credit histories. Buyers use them to incorporate shell businesses and defraud financial institutions and government programs.

Another market I tracked, “South Park BA Logs,” sells compromised U.S. bank account credentials bundled with session cookies, browser fingerprints and linked email access. In a paper I recently published, I identified 1,210 listings on that single channel between March 2023 and January 2026, representing an estimated $152 million in accessible financial exposure.
China’s contribution to this supply came in a single, devastating operation. In 2015, Chinese state hackers breached the Office of Personnel Management and walked out with 21.5 million federal employee records: security clearance files, psychological evaluations, financial histories, foreign contacts. An identity built from OPM material can do more than open a bank account. It can clear a background check, survive a hiring process at a sensitive institution, and accumulate access quietly for years. That data is still circulating more than a decade later.
This is the foundation that everything else rests on. What each government builds on top of it varies, but the raw material is shared.
The wire transfer I opened with illustrates a vulnerability that runs through the entire correspondent banking system. Each institution in a multi-bank chain sees only its own segment of the transaction, and Iran has engineered a sanctions evasion architecture around that structural blind spot.
The front companies populating these chains carry nominee directors on their corporate filings and beneficial owners whose identities were fabricated from the same dark web supply described above. Every time a new sanctions designation lands, the structure reconstitutes: different shell companies, different names, different routing that pushes the Iranian connection one layer further from view.
The same technique defeats investment screening. The Committee on Foreign Investment in the United States (CFIUS) reviews foreign acquisitions for national security risks, but its process depends on accurate disclosure of who is behind a transaction. When the beneficial owners are concealed behind shell companies staffed with synthetic identities, the Chinese state affiliation that would trigger scrutiny never surfaces in the filing, and the investment clears while the access it provides compounds over time.
The Anzu Robotics case illustrates how this logic extends beyond finance: according to court filings, Anzu marketed itself as an independent American drone company while relying on hardware, firmware and software tied to the Chinese manufacturer DJI, with the foreign affiliations layered beneath intermediary corporate structures.
The most significant operational shift I have tracked over the past two years is the growth of facilitator networks based inside the United States, particularly those supporting North Korea’s IT worker program.
North Korean operatives apply for remote positions at American companies using identities stitched together from stolen Social Security numbers and credentials pulled from breached databases. They pass technical interviews, start on time, draw legitimate salaries. In one case reported by the Department of Justice, an overseas IT worker landed a remote software engineering job with falsified documents and funneled more than $58,000 in wages through intermediary accounts before the fraud was discovered.
In another, conspirators used a single stolen identity to manufacture fraudulent driver’s licenses and Social Security cards, placed workers at two separate U.S. companies, and routed over $150,000 in combined wages to co-conspirators.
After a wave of federal indictments raised awareness of the program, the operation adapted. The regime shifted toward American intermediaries who receive company-issued laptops at their home addresses, manage the technical infrastructure that makes an overseas worker appear to be logging in locally, and route salary payments through accounts they control. Federal prosecutors have begun charging these facilitators, but the networks they serve continue to operate.
What makes the facilitator layer so consequential is that it converts a foreign intelligence operation into a domestic insider threat, one that moves through the same hiring pipelines every American company uses for its remote workforce.
Iran-linked networks have developed their own form of domestic reach through “pig butchering” scams, cultivating fraudulent romantic and investment relationships on dating apps and social media, then using AI-powered chatbots and fake cryptocurrency platforms to drain their victims’ savings. Some proceeds from these schemes are believed to fund Iranian state-aligned activities.
The operational methods described here expose the lengths state actors will go to, and the sophistication they bring, in efforts to leverage the American financial system for illicit purposes. Sanctions screening catches known names, but a nominee director whose identity was purchased and assembled last month has never appeared on any watchlist.
Employment verification checks documents, but a forged driver’s license from the same production pipeline that made the last one an employer flagged six months ago is indistinguishable from the real thing. Investment screening depends on disclosure, but a beneficial owner, hiding behind three layers of shell companies, has no intention of volunteering the foreign government standing behind the transaction.
The machinery I watch operate every day exists to be as hard as possible for financial systems and processes to detect. The longer this fraudulent infrastructure can stay in the shadows, the more likely it is that funds are offshored, paychecks clear, or access to sensitive systems is secured.



