Industrialized Automated Fraud in Digital Identity and Online Retail
Security researchers have observed a significant evolution in digital identity fraud, with threat actors increasingly leveraging automation, AI, and coordinated infrastructures to perpetrate large-scale attacks. Fraudulent activities now include the use of synthetic personas, credential replay, and high-speed onboarding attempts, all orchestrated through systems that learn and adapt over time. Deepfake experimentation and document spoofing have become part of connected ecosystems, where machine-driven agents iterate on attack methods using feedback from failed attempts. This shift means that fraud is less reliant on skilled human operators and more on scalable, automated workflows, making detection and prevention more challenging for security teams.
In parallel, the 2025 holiday shopping season has seen a surge in industrialized online retail fraud, with threat actors registering hundreds of fake domains to impersonate major brands and deceive consumers. These campaigns utilize automated tools to mass-produce convincing counterfeit websites, often promoted via social media, to harvest sensitive financial data and distribute malware. The infrastructure supporting these attacks is highly organized, allowing rapid deployment and evasion as domains are taken down. The convergence of these trends highlights the growing sophistication and scale of automated fraud, posing significant risks to both organizations and individuals.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers reveal structured OPSEC framework for carding operations
Flare researchers observed a threat actor document describing a three-tier operational security model for high-volume carding operations, separating public, operational, and extraction layers to improve longevity and evade attribution. The framework detailed tactics such as clean devices, rotated residential IPs, separate identities, encrypted storage, hardware-backed keys, isolated cashout channels, and resilience measures like delayed triggers and dead man's switches.
LexisNexis reports 8x rise in synthetic identity fraud during 2025
LexisNexis Risk Solutions said in its Cybercrime Report that synthetic identity fraud became the fastest-growing fraud category globally, rising eight-fold during 2025 and accounting for 11% of reported fraud cases. Based on analysis of 116 billion online transactions, the report also warned that AI-driven criminal activity contributed to a 450% increase in automated agent traffic targeting payments and logins.
AU10TIX warns identity fraud is becoming automated and self-improving
A December 2025 fraud report described digital identity fraud as a coordinated, machine-driven threat using shared infrastructure, open-source AI tools, synthetic personas, deepfakes, and document spoofing at scale. The report urged organizations to improve early detection, continuous monitoring, and adaptive identity defenses.
Researchers detail technical indicators of the retail phishing operation
By December 2025, reporting on the campaign disclosed technical links across the infrastructure, including shared JavaScript libraries, checkout URL patterns, and backend systems. The analysis also noted that the domains were primarily set up through Chinese infrastructure providers.
Fraudulent holiday shopping sites lure victims via social media
During the 2025 holiday shopping season, threat actors used fake online stores promoted on platforms such as TikTok and Facebook to target consumers. The sites were designed to steal payment and personal data or deliver malware, using urgency-themed lures and cross-branding tactics.
Bfore.ai identifies large fake shopping-domain campaign
Bfore.ai analysts identified an industrialized holiday-season campaign in November 2025 that used more than 200 newly registered domains impersonating major retail brands. The operation relied on privacy-protected WHOIS data and infrastructure that enabled rapid replacement of domains after takedowns.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Cybercriminals adopt structured operational security to evade detection | brief | SC Media
scworld.com
Open sourceSynthetic ID fraud surges 8x as AI fuels deception | brief | SC Media
scworld.com
Open sourceIdentity risk is changing faster than most security teams expect
helpnetsecurity.com
Open sourceThreats Actors Registering Fake Shopping Domains to Attack Users in this Holiday Season
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Driven Cyber Threats and the Evolution of Fraud and Defense Tactics
Cybercriminals are increasingly leveraging artificial intelligence, automation, and stolen credentials to conduct large-scale, sophisticated attacks across multiple sectors. The 2025 holiday season is seeing a surge in fraud campaigns that begin earlier than ever, with attackers using AI to mimic legitimate consumer behavior, automate credential stuffing, and bypass traditional detection systems. Underground marketplaces now efficiently trade automation kits and malicious configurations, making fraud a continuous, data-driven threat rather than one limited to peak shopping periods. Security experts warn that organizations relying solely on heightened monitoring during traditional high-risk windows are at greater risk, as adversaries pre-position and refine their attack infrastructure well in advance. To counter these evolving threats, cybersecurity leaders emphasize the need for predictive and adaptive defense systems powered by AI. Rather than relying on reactive measures, organizations are urged to operationalize threat intelligence by integrating machine learning, behavioral analytics, and automation into their security operations. This approach enables real-time detection, contextual analysis, and rapid response, bridging the gap between intelligence collection and incident containment. However, experts caution that AI must be paired with human oversight and strong governance to ensure trust, transparency, and effective decision-making in the face of increasingly polymorphic and evasive attacks.
Mar 21, 2026
AI-Driven Online Fraud and Credential Theft Campaigns
Cybercriminals are increasingly leveraging advanced AI technologies, including large language models (LLMs) and agentic AI, to automate and scale online fraud, abuse, and credential theft campaigns. These AI-driven attacks enable adversaries to craft convincing phishing emails, create fake websites, and even execute deepfake voice or video calls, making it more difficult for organizations to detect and defend against malicious activity. The rise of agentic AI, which can autonomously gather inputs, evaluate options, and take actions such as infiltrating networks and stealing credentials, marks a significant escalation in attacker sophistication and persistence. Recent research highlights a 300% increase in AI-powered bot traffic, complicating the application and API threat landscape and lowering the barrier to entry for cybercriminals through fraud-as-a-service (FaaS) offerings. These developments have led to a surge in digital fraud and abuse, impacting key industries and regions globally. Organizations are advised to adopt AI-driven defenses and maintain regulatory compliance to counteract the growing threat posed by malicious AI bots and automated credential theft campaigns.
Mar 21, 2026
AI-Driven Scams and Deepfake Threats to Identity Security
AI technologies are rapidly transforming the landscape of cybercrime, enabling scammers to create highly convincing deepfakes and personalized attacks that are increasingly difficult for individuals and organizations to detect. Recent research and industry reports highlight a surge in AI-powered scams, with over 70% of consumers encountering scams in the past year and deepfake audio and video emerging as top concerns. Attackers are leveraging social media as a primary channel to target victims, exploiting the widespread use of mobile devices, which often lack adequate security protections. The sophistication of these attacks is exemplified by incidents such as the $25 million fraud at Arup, where a deepfaked videoconference deceived an employee into transferring company funds. The growing threat of deepfakes and synthetic media is driving a cybersecurity arms race, as organizations struggle to keep pace with evolving attack techniques. Security leaders are increasingly focused on strengthening identity controls, as insurers now scrutinize the maturity and enforcement of identity and access management practices before offering coverage. Research also reveals that current identity document verification systems are hampered by limited and non-diverse training data, making them vulnerable to advanced fraud tactics. As AI continues to lower the barrier for attackers, both technical and human-centric defenses must adapt to counter the risks posed by synthetic identities and technology-enhanced social engineering.
Mar 21, 2026