How Fraud-as-a-Service is changing the shape of cybercrime

Fraud-as-a-Service has evolved from a niche criminal marketplace into a mature, scalable industry that mirrors the businesses it targets.

Tycoon 2FA — currently the most prolific Phishing-as-a-Service kit on the market — sells for around $120 for ten days of access on Telegram. EvilProxy goes for $150 to $300 for the same period, $500 to $600 for a month. Both come with documentation, customer-support channels, and regular feature updates. That isn’t a market failure. That is the structure of a working B2B SaaS industry, except the product is fraud.

That’s the threat model my team and I defend against every day. Cybercrime no longer starts when money moves; it starts much earlier, with the industrial theft, creation, and weaponisation of identities. A single compromised or synthetic identity, once it passes a verification, becomes inventory: it gets passed across fintech, crypto, marketplace, and gig economy platforms, generating value at each stop. The earlier you intercept the identity, the more downstream fraud you prevent. That is the entire game.

This is the reality of Fraud-as-a-Service (FaaS): a booming underground industry where experienced operators sell pre-packaged fraud tools to anyone willing to pay. It democratises digital crime. The barrier to entry has effectively collapsed — you no longer need technical expertise to launch sophisticated attacks at scale. You need a few hundred dollars and a Telegram account.

Businesses defending against FaaS are no longer fighting isolated fraud attempts. You are up against industrialised fraud operations that share infrastructure, tactics, and even customer-success teams. This article walks through how FaaS is reshaping the threat landscape, why single-tenant defences fail against it, and what an architecturally honest response looks like.

The industrialization of fraud

In the past, running a large-scale identity theft operation required specialised technical knowledge — how to code, how to bypass security protocols, how to manipulate network infrastructure. FaaS removes all of that. Today, the raw materials of fraud are commodity inputs: compromised credentials and session tokens harvested through infostealer malware and adversary-in-the-middle phishing kits, identity documents fabricated through generative AI, device fingerprints simulated through commercial emulators. Credential stuffing is a use of these inputs, not a source — once attackers have credential dumps, automated tools test them in parallel against thousands of services until matches surface.

What FaaS adds to this commodity supply is packaging. Phishing kits, deepfake generation software, stolen credential databases, synthetic identity templates, banking-bypass tutorials — all available on the dark web or Telegram channels at price points that wouldn’t cover a single hour of a security analyst’s time. Many FaaS vendors run 24/7 technical support and have customer-success channels that resemble enterprise SaaS more than they resemble underground crime.

The capability gap between sophisticated and unsophisticated attackers has collapsed. The Scattered Spider arrests illustrate the same dynamic from a different angle: 19-year-old Thalha Jubair, allegedly involved in $115 million of extortion across 47 US entities, was recruited into a cybercrime collective as a teenager — the DOJ complaint alleges he was active from age 15 or 16. The skills used in those attacks (social engineering, help-desk impersonation, MFA reset abuse) were learned, not bought. But the same democratisation that produced FaaS produces the next generation of Scattered Spider operators: when the floor for entry collapses, the demographic of who attacks you broadens. Geographic decentralisation matters as much as age — FaaS kits sold in English-language Telegram channels are running in São Paulo, Lagos, Manila, Jakarta. The threat isn’t a single demographic; it is the global flattening of the capability gap.

The compromised-identity lifecycle

The traditional approach to fraud prevention treats every customer interaction as an isolated event. A registration attempt is evaluated against that single session: document presented, background check run, decision made. This worked when fraud was opportunistic. It does not work when fraud is industrial.

Organised fraud operations rarely confine an identity to a single use case. A compromised or synthetic identity that passes verification at one platform becomes inventory for the next. We see this pattern weekly: a synthetic identity that fails at a Brazilian neobank surfaces three weeks later at a US crypto exchange, then again at a European marketplace under a slightly different name. CrossLinks lets us recognise the second and third attempts as the same fraud ring, not three separate incidents — but only if the customers are within our network. Outside it, the same identity gets a fresh chance at every door.

I think of this as the compromised-identity lifecycle: the staged monetisation of a single passed verification across multiple industries and jurisdictions. Catching the identity at the first failed attempt is the highest-leverage moment in the entire fraud cycle. Catching it at the second saves the third, fourth, and four-hundredth platform downstream.

Against FaaS-driven multi-target campaigns, single-session evaluation isn’t a partial defence. It is an architectural mismatch.

How businesses can respond to the FaaS threat

Defeating industrialised fraud requires industrialised defence. The response needs to operate at the same scale as the attack, share signal at the same speed, and integrate the same kinds of inputs. Below are the three layers that actually move the needle.

Network-scale intelligence: the only response that matches FaaS scale

The most effective architectural answer to FaaS is collective defence. A spoofing technique used against a European fintech in the morning should be detectable at a North American marketplace by the afternoon. This is the premise of Veriff’s Fraud Intelligence Network and CrossLinks: when we detect a coordinated attack on one customer, the signals (shared devices, network patterns, document tampering methods, biometric embeddings) are propagated across our customer base in near real time.

This is where vendor architecture matters in practice. Most identity verification providers patch together fragmented solutions, relying on third-party APIs and external data processors. That fragmentation creates blind spots and dilutes accountability — when organised fraud slips through, it becomes difficult to determine where the failure occurred or to apply learnings forward. Veriff builds and owns its entire verification stack in-house, end-to-end, from capture to decision. That ownership is what allows the cross-customer signal-sharing to work coherently: when every check in the pipeline is ours, every signal feeds the same network.

A practical question worth asking any IDV vendor: if a fraud attempt slips through on Tuesday at customer A, can you tell me on Wednesday whether the same device fingerprint, document template, or biometric signature has appeared at any of your other customers? If the answer is no, single-tenant blindness is built into the architecture.

Layered biometric and document verification

Single document scans no longer suffice. FaaS-sold synthetic document templates pass basic visual inspection routinely. The defensive standard is now a multi-layered check that analyses thousands of data points in real time: document authenticity, biometric facial recognition, liveness detection, and signal coherence across the session. Behind the scenes, Veriff Fraud Intelligence analyses device, network, and behavioural signals at the moment of verification — datacentre and proxy IP flagging, device-attribute coherence, hardware attestation, timing patterns — and feeds findings back to the customer in real time.

The harder problem is not catching any single fraud attempt; it is catching the campaign. A residential-proxy-fronted attempt against one customer can look like a noisy false positive in isolation. The same device fingerprint appearing across three customers in two industries within 48 hours is unambiguous. CrossLinks turns that pattern from invisible to obvious.
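
The cross-customer pattern described above, as an added example (not Veriff's or CrossLinks' code): it flags a device fingerprint seen at three customers in two industries within 48 hours, the thresholds named in the paragraph. The event tuples, customer names, and fingerprint values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, customer, industry, device fingerprint)
EVENTS = [
    ("2026-01-05T09:00", "neobank-a", "fintech", "fp-1111"),
    ("2026-01-05T21:30", "exchange-b", "crypto", "fp-1111"),
    ("2026-01-06T16:45", "wallet-c", "fintech", "fp-1111"),
    ("2026-01-05T10:00", "neobank-a", "fintech", "fp-2222"),  # repeat user, one tenant
    ("2026-01-05T11:00", "neobank-a", "fintech", "fp-2222"),
    ("2026-01-01T08:00", "neobank-a", "fintech", "fp-3333"),  # spread over a week
    ("2026-01-04T08:00", "exchange-b", "crypto", "fp-3333"),
    ("2026-01-08T08:00", "market-d", "marketplace", "fp-3333"),
]

def find_campaigns(events, min_customers=3, min_industries=2,
                   window=timedelta(hours=48)):
    """Return {fingerprint: customers} for fingerprints that reach both
    thresholds inside any sliding time window of the given length."""
    by_fp = defaultdict(list)
    for ts, customer, industry, fp in events:
        by_fp[fp].append((datetime.fromisoformat(ts), customer, industry))
    flagged = {}
    for fp, seen in by_fp.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans <= 48 hours.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            in_window = seen[start:end + 1]
            customers = {c for _, c, _ in in_window}
            industries = {i for _, _, i in in_window}
            if len(customers) >= min_customers and len(industries) >= min_industries:
                flagged[fp] = sorted(customers)
                break
    return flagged

def single_tenant_view(events, customer):
    """What one customer sees in isolation: fingerprint -> own session count."""
    counts = defaultdict(int)
    for _, c, _, fp in events:
        if c == customer:
            counts[fp] += 1
    return dict(counts)

if __name__ == "__main__":
    print("neobank-a alone:", single_tenant_view(EVENTS, "neobank-a"))
    print("cross-customer:", find_campaigns(EVENTS))
```

From neobank-a's own data, fp-1111 is a single unremarkable session; only the pooled view shows it as a campaign.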

AI-driven fraud detection: where benchmarks meet reality

The advance of generative AI has given attackers the ability to mass-produce hyper-realistic synthetic identities and deepfake-driven biometric attempts at marginal cost. The defensive response cannot rely on detection alone — it has to evolve at the same pace as the attacks.

In January 2026, Veriff published the results of independent benchmarking against IDNet, a DHS-sponsored dataset of over 837,000 identity document images covering face morphing, portrait swaps, text-field replacement, and other synthetic fraud techniques. Across a representative sample of nearly 30,000 documents, Veriff’s technology flagged 100% of synthetic documents as fraudulent — with a 99.5% automation rate, meaning the detections happened without manual review intervention. The combined metric is the one that matters: 100% detection at full manual review is unusable in production; 99.5% automation with 100% detection is operational.

What that benchmark proves is that the current generation of synthetic document attacks is solvable. What it doesn’t prove is that the next generation will be. AI-driven document fabrication is maturing at an exponential rate. The defensive edge — for us and for the industry — comes from continuous ingestion of new fraud patterns from live attack traffic, not from any single point-in-time accuracy number. The transition we’re racing is from “detectable” to “hyper-realistic” synthetics, and the only sustainable defence is data scale combined with architectural ownership of the model pipeline.

The regulatory layer

Identity verification is no longer an onboarding checkbox; in the EU it is increasingly treated as part of the regulated infrastructure of digital trust. Three frameworks are converging on the same threat model that drives FaaS:

  • AMLR and AMLA. The EU Anti-Money Laundering Regulation and the new AML Authority harmonise customer due diligence requirements that previously varied across member-state transpositions of AMLD5/6. AMLR introduces specific expectations on the use of electronic identification means and on re-verification at trigger events — making the “when” of re-verification a compliance question, not just a fraud-prevention one.
  • eIDAS 2.0 and the EUDI Wallet. As high-assurance digital identity wallets roll out across member states through 2026 and 2027, the floor for what counts as acceptable identity assurance is rising. FaaS-grade synthetic identities will face a much higher wall when wallet-bound verification becomes the default for regulated services.
  • DORA. For EU financial services, the Digital Operational Resilience Act treats identity verification providers as part of the ICT third-party risk perimeter. Re-verification triggers, fallback flows, and incident response for fraud events are now examinable, not just operationally important.

Fraud teams that treat compliance and fraud defence as separate workstreams will struggle as these frameworks converge. The teams that build a single re-verification and identity-assurance policy satisfying both will be faster, cheaper, and more defensible to regulators.

Where FaaS-driven fraud goes next

A few predictions worth checking against the next 12–18 months.

FaaS and AI tooling converge into a single attack stack. Today, an attacker buys a phishing kit, a synthetic document generator, and a credential dump as separate products. Within a year, expect to see end-to-end “account opening as a service” toolkits that bundle synthetic identity generation, document fabrication, deepfake biometric replay, and target-platform-specific bypass tutorials into a single subscription. The price point will continue to fall.

Network-effect data becomes the defining vendor moat. Single-tenant device fingerprinting, behavioural analytics, and deepfake detection are converging in capability across IDV vendors. What doesn’t converge is cross-customer visibility. The vendors with that visibility — and the customers who insist on it — will define the next round of fraud defence. The rest will be selling marginally better point solutions to a problem that has already moved past their architecture.

Regulators catch up faster than the industry expects. eIDAS 2.0, AMLR/AMLA, DORA, and the gradual SMS-OTP phase-outs already underway in the UAE, India, and the Philippines are all pulling toward the same conclusion: identity verification is now part of the regulated infrastructure of digital trust. The next two years will favour vendors and customers who treat compliance and fraud as one problem, not two.

The line I’d leave you with, because it’s how I think about this job day to day: fraud is now a SaaS business, and the customers buying it are not who you imagine. Defending against it requires meeting it on the same terms — at scale, with shared signal, and with architectural ownership of every layer between the camera and the decision. The fraud rings already have a network. So should you.
