Oct 29, 2025
Synthetic Identities Are the New Advanced Persistent Threats
AI-powered synthetic identities now operate like advanced, networked APTs, infiltrating systems to "season" accounts before cashing out. Effective defense requires fusing identity, device, and payment signals and using networked intelligence to disrupt the fraud kill chain early.
Author
Prasanna Venkat




Having spent twenty years in information security, the last five focused on fintech security and compliance, I’ve seen a steady shift in how fraudsters have adopted genuine cyber tradecraft, from automated identity builds, device and network spoofing, and fake documents to coordinated mule networks.
The scams that used to be blunt and visible are now quiet, patient and highly engineered. Whether it’s a dating scam, a “digital arrest” extortion, KYC spoofing or a courier con, the mechanics are the same: digital-first, networked, and designed to evade point-in-time checks.
This also raises the question of how organizations are dealing with it.
Traditionally, organizations have had fraud and security teams operating in silos, with the former aligned with their compliance teams. This approach has often resulted in inadequate research and investigation in the closure of fraudulent activities.
Modern fraud rings behave more like advanced persistent threats (APTs) than smash-and-grab scammers. They operate as disciplined crews, share tooling through fraud-as-a-service (FaaS) marketplaces, and reside inside financial ecosystems for months, sometimes years, until the payoff is maximized.

To fight them, businesses must treat fraud like an APT. Map the kill chain, fuse signals across onboarding, devices, and payments, and break the cycle early, before the “quiet” accounts turn into a synchronized cash-out.
Before diving deep, let’s understand what a Synthetic ID is. It is a composite persona, stitched together from some real and fabricated PII, that looks legitimate to onboarding systems but represents no actual human being.
With generative AI allowing criminals to autogenerate selfies, documents, and even live-video KYC sessions, the cost of mass fabrication drops significantly.
Bureau’s ongoing research into fraudulent ecosystems and their operational patterns indicates the need for a dedicated kill-chain model. Adopting a MITRE ATT&CK-like framework would allow mapping synthetic-identity actors, their exploitation of mule networks, and the pathways of fraud execution. The industry must evolve beyond KYC-centric defenses toward a threat-intelligence-driven framework that systematically categorizes and disrupts these attacks.
Why Synthetic ID Fraud Mirrors Nation-State APTs

The Fraud Kill Chain
The fraud kill chain typically involves recon, initial access, and lateral payment movement before busting out. Here’s how it works and its potential impact:

Recon
| Tactics and Tools | APT Analogy |
| --- | --- |
| Data harvesting from credential breaches, dark-web dumps and credit bureaus | Open-source intelligence (OSINT) collection |
| Probe rules: testing KYC thresholds with low-risk data (DOB tweaks, address typos) | Target profiling / port scans |
Read More: Bureau Fraud Forum insight - Fraudsters “exchange toolkits, share tactics, and operate across devices, platforms, and accounts in unison.”
Initial Access
Goal: Create accounts or credit lines that will later act as money-movement rails.

Read More: How FaaS commoditizes these steps (“underground marketplaces where criminals sell phishing kits, malware, stolen identities…”) and gives even low-skill actors enterprise-grade scale.
Lateral Payment Movement
Once seasoned, synthetic accounts become mule nodes:
Bust-out loans and card advances funnel into newly opened “retail” accounts.
Instant P2P hops wash funds through multiple banks/fintechs in seconds.
Crypto ramps or prepaid gift cards act as exit exchanges.
Mule networks are the backbone of modern fraud; short-lived accounts opened with stolen or synthetic IDs “move money before being abandoned or shut down.”
Insights From the Bureau Fraud Forum
Fraud is no longer the work of individuals; it has evolved into a coordinated effort in which syndicates share tools and operate seamlessly across devices. Fighting these networked threats requires more than point solutions. As emphasized during the Bureau Fraud Forum, it takes a network to fight a network, with businesses sharing threat intelligence.
Coordination > Lone-Wolf: Leaders noted a shift from isolated actors to syndicates who exchange toolkits and operate across devices in unison.
Network vs. Point Solution: The group’s mantra, “It takes a network to fight a network,” echoes modern cyber-threat-intel models, urging shared fraud telemetry across industries.
AI, Double-Edged Sword: Gen-AI deepfakes pose new KYC risks, but the same ML can surface cross-journey anomalies humans miss.
Disrupting the Kill Chain
Stopping synthetic identity fraud requires strategic intervention at every stage of the kill chain. Businesses must identify high-risk behaviors, such as bulk PII purchases, low-cost KYC probing, or coordinated mule activity, so they can break the cycle before incurring any losses. This requires layered controls, automation, and analytics working together to detect, deny, and disrupt fraud before it escalates.

Read More: How unified risk decisioning that merges onboarding, device, session and payment signals into one graph can reveal hidden links quickly.
Bottom line
Synthetic identities have matured from opportunistic trickery to persistent, networked campaigns. Businesses must treat them for what they are: APTs. Study their kill chain, share intelligence, and orchestrate layered controls that deny, detect, and disrupt at every stage.
Executive Takeaways
Think in chains, not checkpoints: Auditing only the KYC forms can result in missing the six-month “seasoning” phase that precedes the heist.
Collapse data silos: Fraud sits at the intersection of identity, device, and payment telemetry; the controls must too.
Invest in graph analytics: Tabular rule engines miss cross-entity patterns; graphs don’t. Bureau’s Graph Identity Network (GIN) is a great tool to uncover intricate connections between various fraud actors.
Partner up: APT-style fraud is networked crime; solo defenses are doomed. Join industry intel exchanges or form bilateral data-sharing pacts.
Invest in kill-chain breaks: Early-stage disruption (device-biometrics, synthetic-identity detection) is exponentially cheaper than claw-backs after money mules disperse funds.
Collaborate: It is imperative to collaborate with internal and external teams as well as stakeholders to combat networked fraud. Industry-wide participation is inevitable in fighting cyber frauds at scale.
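To make the "graphs vs. tabular rules" takeaway and the idea of merging onboarding, device and payment signals into one graph concrete, here is an added example (not Bureau's code and not a representation of GIN). The account records, field names and thresholds are constructed assumptions; the sample ring is linked only through a chain of different shared attributes, so a per-column rule sees nothing while the fused graph surfaces it.

```python
from collections import defaultdict

# Constructed sample records: onboarding (phone), device and payment (payee)
# signals per account. All identifiers are made up for illustration.
ACCOUNTS = {
    "A1": {"device": "d1", "phone": "p1", "payee": "m1"},
    "A2": {"device": "d1", "phone": "p2", "payee": "m2"},
    "A3": {"device": "d2", "phone": "p2", "payee": "m3"},
    "A4": {"device": "d3", "phone": "p3", "payee": "m3"},
    "A5": {"device": "d9", "phone": "p9", "payee": "m9"},
    "A6": {"device": "d8", "phone": "p8", "payee": "m8"},
}

def tabular_rule(accounts, min_shared=3):
    """Per-column rule: flag accounts whose single attribute value is
    shared by at least min_shared accounts. Looks at one signal at a time."""
    by_value = defaultdict(set)
    for acct, attrs in accounts.items():
        for kind, value in attrs.items():
            by_value[(kind, value)].add(acct)
    flagged = set()
    for members in by_value.values():
        if len(members) >= min_shared:
            flagged |= members
    return flagged

def linked_clusters(accounts, min_size=3):
    """Fuse all signals into one graph: accounts are connected when they
    share any attribute value. Returns connected components >= min_size."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for acct, attrs in accounts.items():
        for kind, value in attrs.items():
            # Union the account node with the (kind, value) attribute node.
            parent[find(acct)] = find((kind, value))

    groups = defaultdict(set)
    for acct in accounts:
        groups[find(acct)].add(acct)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)
```

On the sample data `tabular_rule` flags no account, while `linked_clusters` returns the four-account cluster joined by one shared device, one shared phone and one shared payee.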

© 2025 Bureau . All rights reserved. Privacy Policy. Terms of Service.


