The Fraud Files: Stolen Credentials, Fake Biometrics, and the Synthetic Identity Wave | June 2026

The way financial institutions verify identity was built around three assumptions: that some information stays secret, that documents can be trusted, and that a face in a camera is a real face. June's research shows each of those assumptions under sustained, commercial-scale attack, with numbers to prove it.
Infostealers made "something you know" effectively public
Identity verification has always leaned hardest on knowledge: your Social Security number, your date of birth, your password, your account history. The infostealer economy spent 2025 systematically transferring that knowledge to the dark web.
New analysis from Shattered.io, drawing on research from Flashpoint and DeepStrike, reports that infostealer malware exfiltrated more than 1.8 billion credentials from 5.8 million infected devices in 2025 alone, an 800% surge over prior years. DeepStrike found that stolen passwords and session cookies now appear in 86% of data breaches. Stolen logs are bought, repackaged, and resold through dark web marketplaces that operate like subscription services.
The downstream effect is particularly damaging for financial services. A concurrent Kaspersky report from April 2026 found that over one million banking accounts at the world's 100 largest banks were compromised by infostealers in 2025, with credentials freely circulating on dark web forums. Perhaps most strikingly: 74% of the payment card numbers stolen by infostealers in 2025 remained valid as of March 2026. The shelf life of stolen identity data extends months past the breach.
The connection to ransomware makes this especially urgent. DeepStrike found that more than half of ransomware victims in 2024 and 2025 already had their credentials circulating in stealer logs before the attack occurred. The stolen credential is infrastructure. Every attack that follows — account takeover, synthetic identity fraud, ransomware — draws from the same supply chain.
Synthetic identity fraud is the defining threat of 2026
If infostealers harvest real identity data, synthetic identity fraud takes that data and builds something new from it. Fraudsters combine real SSNs, addresses, and birth dates with fabricated names and manufactured credit histories to create identities that have never existed, yet can pass onboarding checks. A new Mitek and Datos Insights report published June 10 named this "the defining strategic threat for financial institutions" in 2026.
The numbers back that language. U.S. unsecured credit losses tied to synthetic identity fraud are projected to exceed $3.1 billion in 2026, up from $1.8 billion in 2020. The threat is growing at roughly 16% annually, accelerated by generative AI enabling fraudsters to produce statistically plausible identity combinations and convincing falsified documents at scale. Four in ten financial institutions surveyed said they are already observing increased attack rates linked to AI. More than 84% of fraud-prevention leaders identified synthetic identity fraud as a high or moderate risk to their application processes.
What makes this harder to address than traditional fraud is the time dimension. As the Mitek report notes, synthetic identities are "cultivated over time to build credit histories before being used," then deployed across multiple products and channels simultaneously. By the time a synthetic identity executes fraud, it may have a year or more of clean transaction history behind it.
Trace Fooshée, Strategic Advisor at Datos Insights, put it plainly: "Synthetic identity fraud is a strategic control point for financial institutions because it increasingly serves as the foundation for a wide range of downstream fraud activity." The account opening is infrastructure. The fraud comes months later.
Deepfake-as-a-service put liveness checks on borrowed time
As financial institutions responded to credential theft and document forgery by adding biometric verification, attackers moved to the biometric layer. A January 2026 white paper from Group-IB documented what that attack surface looks like in practice.
Between January and August 2025, Group-IB recorded 8,065 attempts to bypass a single financial institution's liveness checks for digital KYC during loan applications, using AI-generated deepfake images injected through virtual cameras. That is nearly 1,000 attacks per month directed at one bank's biometric controls. The tooling behind those attacks is commercially available and priced for volume: deepfake image services run $10 to $50, ready-to-use synthetic identities sell for up to $15, and face-swap software is rented at $1,000 to $10,000 depending on scale. Voice cloning services cost less than $10 a month.
Group-IB identified over 300 dark web and Telegram posts advertising these tools between 2022 and September 2025. The Deepfake-as-a-Service market has a customer support channel, subscription tiers, and repeat buyers. Biometric injection attacks are straightforward commercial transactions.
The mechanism matters: these attacks route around biometric algorithms entirely, injecting pre-generated synthetic media directly into the video stream before verification occurs, so the system processes a manufactured image from the start. Group-IB's conclusion is that layered defenses combining biometric verification, device analysis, and behavioral risk scoring are now the baseline requirement. Traditional verification methods alone "may be undermined by deepfakes and synthetic identities."
These attacks work in combination, and they're being industrialized
Viewed separately, each attack vector looks like a discrete problem. Viewed together, they form a pipeline that is being run at industrial scale by organized criminal operations.
The infostealer economy supplies the raw identity data: real Social Security numbers, real addresses, real account numbers, real credentials, all sourced from the 1.8 billion credentials extracted in 2025. Generative AI takes that real data and manufactures synthetic identities that pass document-based verification, growing the loss figure by 16% each year toward $3.1 billion. Deepfake tools add a biometric layer on top for the systems that require one, at $10 to $50 per use. And because synthetic accounts are cultivated over months across multiple financial products, velocity-based fraud detection registers clean traffic where it should register a threat.
Kaspersky's Polina Tretyak, a Digital Footprint Intelligence analyst, described the broader ecosystem: "The dark web has become a central hub for financial cybercrime. Stolen credentials and bank cards that have been harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services. This creates a self-sustaining ecosystem where data theft and fraud operations reinforce each other, making attacks scalable and easy to carry out by fraudsters with minimal experience."
The Mitek report uses the same framing: "AI-enabled tactics, organized criminal operations, and scalable identity manipulation are changing the economics of fraud." The cost curve for executing identity fraud has dropped. The volume curve has risen proportionally.
The industry is reaching the same conclusion: static attributes can't anchor identity
Each of these attack patterns works because it targets a system built on the wrong foundation. Knowledge-based authentication relies on information that is now bought and sold in bulk. Document verification relies on a trusted origination process that AI has made trivially reproducible. Biometric liveness checks verify the presence of a face, with no mechanism to confirm the face is real or that the person behind it authorized the transaction.
The research published this month is explicit about where this leads. Datos Insights advises that "organizations that invest early in modern verification, behavioral analysis, and lifecycle monitoring capabilities will be significantly better positioned to disrupt fraud before it scales across the broader financial ecosystem." Group-IB recommends moving beyond any single verification layer to combinations of biometric verification, device analysis, and behavioral scoring. The Mitek report's subtitle frames what's coming directly: "Detection, Prevention, and the AI Arms Race."
The problem with all of these responses is that they are still operating on the assumption that you can determine who someone is by checking what they know, what they have, or what they look like. When all three of those signals can be fabricated or harvested at commercial scale, the foundation shifts. The question is what replaces it.
Proof Digital ID is built for the world these headlines describe
Proof Digital ID is a cryptographic digital identity built to answer the question that knowledge, documents, and biometrics can no longer reliably answer: is this a verified real person, and did they actually authorize this action?
The credential is issued after IAL2 identity proofing, signed by Proof's WebTrust-audited Certificate Authority, and bound to a key the user holds. It is a W3C Verifiable Credential in SD-JWT format. It supports selective disclosure, so the user shares only what a transaction requires without exposing underlying attributes. It is a cryptographic proof tied to a verified individual's key, which is why it cannot be guessed, scraped, purchased, or deepfaked.
When a financial institution, merchant, or agentic workflow needs to verify identity, Proof Digital ID returns a signed attestation of who authorized the action, at what time, and within what scope. The chain is independently verifiable. Each credential is scoped to a specific context, so a stolen credential has no utility outside the transaction it authorized.
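To make the selective-disclosure mechanism concrete, the sketch below follows the SD-JWT disclosure format: each hideable claim becomes a salted disclosure, and only its hash is placed under the issuer's signature. It is an added example, not Proof's code. An HMAC stands in for the issuer's CA signature, key binding is omitted, and all function names are illustrative.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def disclosure(name, value) -> str:
    # SD-JWT disclosure: base64url(JSON array [salt, claim name, claim value])
    return b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())

def digest(disc: str) -> str:
    # The signed payload carries only this hash, never the claim itself
    return b64u(hashlib.sha256(disc.encode("ascii")).digest())

def sign(key: bytes, payload: dict) -> str:
    # Assumption: HS256 stands in for the issuer's asymmetric signature
    head = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def issue(key: bytes, visible: dict, hideable: dict):
    discs = {n: disclosure(n, v) for n, v in hideable.items()}
    payload = dict(visible, _sd_alg="sha-256",
                   _sd=sorted(digest(d) for d in discs.values()))
    return sign(key, payload), discs

def present(jwt: str, discs: dict, reveal: list) -> str:
    # Holder forwards the signed JWT plus only the disclosures it chooses
    return "~".join([jwt] + [discs[n] for n in reveal]) + "~"

def verify(key: bytes, presentation: str) -> dict:
    jwt, *discs = presentation.split("~")
    head, body, sig = jwt.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64u_dec(body))
    allowed = set(payload.pop("_sd"))
    payload.pop("_sd_alg")
    for d in filter(None, discs):
        if digest(d) not in allowed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64u_dec(d))
        payload[name] = value
    return payload
```

With constructed claims such as `birthdate` and `age_over_21`, presenting only `age_over_21` lets the verifier confirm that claim while `birthdate` stays an opaque hash; a disclosure the issuer never hashed is rejected.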
The fraud economy June's headlines describe runs on static data that leaks, documents that can be generated, and biometrics that can be synthesized.
Proof Digital ID offers none of those attack surfaces.




























































