What 22,000 Fraud & Cyber Crime Operator Signals Reveal About the State of Bank Attacks


On Telegram channels and dark web forums, operators trade phishing kits like SaaS subscriptions, sell stolen identities by the bundle, and rent OTP-bot platforms by the hour. What used to require skill, infrastructure, and patience is now a checkout flow. The barrier to running a sophisticated scam against a major bank has collapsed to a few hundred dollars and a willing buyer with some free time. We’ve spent time inside these operator networks and wanted to share a snapshot of what we saw over the past six weeks.

Where the signal comes from

FALKIN monitors the infrastructure that fraud operators use to organise their work. We watch channels where phishing kits are sold and rooms where OTP bots relay live SMS codes in seconds. We’re also in forums where stealer logs, card dumps and identity bundles trade hands.

Over the last six weeks, FALKIN has collected 22,661 bank-tagged signals across Telegram channels, dark web forums, and live attack infrastructure. Each signal represents a discrete, classified operator action:

  • a phishing kit listed for sale,
  • a stealer log posted with bank-specific customer data,
  • an OTP bot active against a named institution, or
  • a fullz bundle advertised with routing details.

Signals were classified by typology and attributed to an operator region where confidence was high enough to assign one. The numbers below reflect what operators were doing, not just what they were advertising.

What operators are actually trading

Of the 22,000 signals, account takeover and credential harvesting is by far the largest category, at 69.2% of classified signals. OTP interception sits in second place at 17.3%. Card and CVV trade accounts for 7.3%, identity theft and fullz for 5.1%, and APP mule infrastructure for 1.1%. (Definitions are at the end of the article.)

This breakdown is a direct reflection of where operators are spending most of their collaborative effort, driven by the financial opportunity. The overwhelming majority of the visible trade is in stolen credentials and in the live interception of the authentication codes that are meant to protect those credentials.

Overall typology distribution across 22,661 bank-tagged signals collected in March 2026.

US, UK, and Neobanks are attacked differently

Unpacking the data shows that attack vectors differ structurally across markets, so defence strategies should not be copied from one segment to another.

US banks are credential-dominated. Account takeover and credentials account for roughly 72% of classified US signals, with OTP interception a significant secondary vector at 19%. US banks remain heavily exposed because SMS OTP is still the dominant second factor, and real-time phishing panels and OTP-bot-as-a-service platforms have industrialised the interception of those codes.

The defensive implication is equally direct. Continuing to rely on SMS OTP as a second factor while OTP-bot-as-a-service platforms operate at industrial scale is not a neutral choice; it is an active subsidy to the attack. The path forward is device-bound authentication, the same transition UK banking has already made. The US market knows this. The gap is execution speed.
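The difference between the two factors is easiest to see in code. The following is an added illustration written for this article, not FALKIN's tooling and not anything sold in the channels described: a constructed bank back-end with one account, an SMS OTP factor, and a device-bound factor, run through the real-time relay vector described above (and in the OTP Interception definition at the end). All origins, secrets and the password are made up for the example. HMAC with an enrolled device secret stands in for the asymmetric, hardware-backed key a real scheme such as FIDO2/passkeys uses; the point being demonstrated is that the device signs the origin it is actually talking to, which is what a relayed code lacks.

```python
import hashlib
import hmac
import secrets

# Constructed values for the illustration; nothing here comes from the report.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.net"   # look-alike domain served by the panel
VICTIM_PASSWORD = "correct-horse-battery"
OTP_TTL_SECONDS = 120                        # assumed SMS OTP validity window


def sign_assertion(device_secret: bytes, challenge: str, origin: str) -> str:
    """Device side of the device-bound factor.

    The device signs the bank's challenge together with the origin it is
    actually talking to. HMAC over an enrolled secret stands in for the
    hardware-backed asymmetric key a real scheme uses; the origin binding is
    the property that matters here, not the primitive.
    """
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class Bank:
    """Constructed back-end: one account, SMS OTP state, enrolled device keys."""

    def __init__(self) -> None:
        self._sms_otp = None          # (code, expires_at) or None
        self._device_keys = {}        # device_id -> enrolled secret
        self._challenges = {}         # outstanding challenge -> device_id

    # Factor 1: SMS one-time passcode
    def send_sms_otp(self, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._sms_otp = (code, now + OTP_TTL_SECONDS)
        return code                   # what lands on the customer's phone

    def login_with_otp(self, password: str, otp: str, now: float) -> bool:
        if password != VICTIM_PASSWORD or self._sms_otp is None:
            return False
        code, expires_at = self._sms_otp
        self._sms_otp = None          # single use, whether or not it matches
        # The bank cannot tell who typed the code, or on which page.
        return now <= expires_at and hmac.compare_digest(code, otp)

    # Factor 2: device-bound, origin-bound assertion
    def enroll_device(self, device_id: str, device_secret: bytes) -> None:
        self._device_keys[device_id] = device_secret

    def issue_challenge(self, device_id: str) -> str:
        challenge = secrets.token_hex(16)
        self._challenges[challenge] = device_id
        return challenge

    def login_with_assertion(self, password: str, challenge: str, assertion: str) -> bool:
        device_id = self._challenges.pop(challenge, None)   # single use
        if device_id is None or password != VICTIM_PASSWORD:
            return False
        # The bank recomputes the signature over ITS origin; an assertion
        # produced for any other origin cannot match.
        expected = sign_assertion(self._device_keys[device_id], challenge, BANK_ORIGIN)
        return hmac.compare_digest(expected, assertion)


def simulate_otp_relay(bank: Bank, now: float) -> bool:
    """Real-time phishing panel against SMS OTP: the victim types the password
    into the look-alike page, the bank texts the victim a code, the victim
    types that code into the same page, and the panel replays it in seconds.
    Returns True because the bank has no way to distinguish this from the victim."""
    code_on_victims_phone = bank.send_sms_otp(now)
    return bank.login_with_otp(VICTIM_PASSWORD, code_on_victims_phone, now + 5)


def simulate_assertion_relay(bank: Bank, device_id: str, device_secret: bytes) -> bool:
    """The same panel against the device-bound factor. The challenge is relayed
    to the victim's device, but the device signs it for the origin it actually
    sees (the phishing domain), so the relayed assertion fails verification."""
    challenge = bank.issue_challenge(device_id)
    assertion_seen_by_panel = sign_assertion(device_secret, challenge, PHISH_ORIGIN)
    return bank.login_with_assertion(VICTIM_PASSWORD, challenge, assertion_seen_by_panel)


def genuine_device_login(bank: Bank, device_id: str, device_secret: bytes) -> bool:
    """Control case: the real app talking to the real origin."""
    challenge = bank.issue_challenge(device_id)
    assertion = sign_assertion(device_secret, challenge, BANK_ORIGIN)
    return bank.login_with_assertion(VICTIM_PASSWORD, challenge, assertion)


if __name__ == "__main__":
    bank = Bank()
    secret = b"constructed-enrolled-secret"
    bank.enroll_device("phone-1", secret)
    print("SMS OTP relayed by panel   ->", simulate_otp_relay(bank, 0.0))
    print("Genuine device-bound login ->", genuine_device_login(bank, "phone-1", secret))
    print("Assertion relayed by panel ->", simulate_assertion_relay(bank, "phone-1", secret))
```

The OTP branch still enforces expiry and single use, and those checks are exactly what a real-time panel is built to beat: the replay happens inside the validity window, with the first use. The assertion branch needs no timing argument at all, because the thing being relayed was never valid for the bank's origin in the first place.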

UK banks are identity-dominated. The UK picture is the most strategically interesting finding in this dataset, and the most underappreciated risk in the market. Identity theft and fullz is the single largest UK typology at 57% of classified signals, with account takeover at 27% and card trade at 16%. UK banking has largely solved the OTP problem: device-bound authentication and biometric second factors have made SMS interception nearly unviable, which is why OTP signals in the UK dataset are effectively zero.

But operators don't retire. They adapt. When you remove the second factor as an attack surface, the fraud pressure migrates upstream to the first factor: identity itself. Synthetic identity construction, blending a genuine ID from a low-activity victim (a child, an elderly person, a recent immigrant) with fabricated supporting details, is now the primary UK operator investment. The goal is fraudulent account opening: passing KYC not by stealing access to an existing account, but by manufacturing a convincing new person.

The defensive implication is direct. If your institution has invested heavily in authentication security and seen credential-based fraud fall, don't read that as a solved problem. Read it as displacement. The attack surface didn't disappear; it moved to onboarding.

Neobanks are card-heavy. Card and CVV trade is the top neobank typology at 46%, with credentials at 41% and identity at 13%. The OTP signal that shows up in the neobank surface is payment-authorisation SMS codes intercepted via malware on compromised devices, which is a card fraud vector rather than an account takeover vector.

The defensive implication here is about card controls and compromise velocity, not authentication. Neobanks with real-time card freeze, granular merchant controls, and low-friction dispute flows are compressing the window between compromise and cashout. Those without are absorbing losses that are structurally preventable.

Same underlying fraud economy, three very different attack profiles.


Operator geography is specialised

Different operator regions specialise in different attack patterns, and each region’s specialism tells you something about how that ecosystem evolved.

West African operators are social engineering and OTP specialists. Account takeover and OTP interception make up roughly 80% of their combined activity. OTP interception requires live English-language phone calls impersonating bank fraud teams, and this region has that capability at scale.

Russia/CIS operators are infrastructure vendors. Their activity clusters around card and CVV trade (61%) and credential marketplaces (28%). These operators function primarily as wholesalers, selling stealer logs, phishing kits, and card bundles to downstream operators globally. Direct victim-interaction activity is markedly lower.

South East Asian operators run the most diversified mix. Card trade, credentials, OTP interception, APP mule infrastructure, and a notable crypto drainer presence all appear at meaningful share. This reflects the rise of scam compound operations in Myanmar, Cambodia, and Laos, where trafficked workers run multi-typology fraud under coercion.

Put differently: the operator region your institution is facing is a function of what kind of attack surface you expose. A bank fighting OTP-bot pressure is likely looking at West African threat actor infrastructure. A bank seeing coordinated card trade is almost certainly looking at Russia/CIS. A fintech with a mixed threat profile is likely in the South East Asian crosshairs.

Each operator region has a distinct specialism that reflects how that ecosystem evolved.

Why this is a growing problem for banks

For the last decade, the industry has spent its fraud budget in two places: the device layer (fingerprinting, device trust, malware signals) and the transaction layer (rules engines, anomaly detection). These are necessary. They are also increasingly insufficient as AI has changed the unit economics of running scams and the technical bar to do so. The layer that's now most exposed is the one that sits between the device and the transaction: the human.

The change we're observing in operator channels isn't primarily about volume; it’s about the collapse of the skill floor. The volume numbers are already striking: since ChatGPT launched, malicious phishing volume has surged by over 4,000% (SlashNext, 2024). But that statistic understates the real shift. A year ago, running a convincing English-language OTP-bot call against a US bank customer required an operator who could improvise, handle objections, and hold a plausible conversation under pressure. That's a scarce human skill.

Today, the call script is AI-generated, the voice is cloned from a short public audio sample for under $20 a month, and the objection handling is templated. The operator on the other end of that call can be anywhere in the world and barely speak English. Adversary-in-the-middle attacks that once required specialist infrastructure can now be assembled in an afternoon with a cloned replica website, a Telegram channel for live coordination, and a voice bot handling the call.

The attack surface this exposes isn't the device or the transaction. It's the phone call itself. Banks that still engage customers primarily via inbound and outbound calls, rather than authenticated in-app communication, are handing operators a channel they can't secure. We're not citing external statistics here; we're describing what we watched being built and sold in the channels we monitor. The infrastructure for AI-assisted social engineering is now a commodity product in the same marketplaces where phishing kits and stealer logs trade.

Why we publish this

The operators in this dataset don't work in isolation. The West African OTP specialist buys his phishing kit from a Russia/CIS vendor. The South East Asian compound worker runs scripts built by someone else entirely. The fraud economy is integrated and the supply chain is functional.

The defensive side is not. Banks share fraud data bilaterally when they have to, rarely proactively, and almost never across institution types. A neobank absorbing card fraud pressure from the same operator network hitting a high-street bank has no mechanism to know that.

That's the gap this report is trying to close, one month at a time. If you want to see how your institution appears in the operator signals we're monitoring, get in touch at partner@falkin.com.

You can read the full March 2026 Trends report below.

About the Author

Boaz is CEO and Co-Founder of FALKIN, an embedded digital safety company working with banks and other financial institutions to stop scams before they happen. FALKIN combines threat intelligence and AI to offer a variety of customer-facing prevention products.

Typology definitions

For reference, the seven typologies used across the report are defined below, each typology followed by its definition.
Account Takeover & Credentials

Phishing kits, scam pages, harvested logins, browser cookies, and stealer-malware output (Redline, Lumma, Vidar, Raccoon). Also includes smishing infrastructure. The largest single category across the dataset.

OTP Interception

Two primary vectors. (1) Voice bots: Telegram-controlled bots that call victims impersonating bank fraud teams to extract live SMS one-time passcodes. (2) Real-time phishing panels: the victim enters the OTP on a scam page and the operator replays it to complete the session hijack in seconds. Both target SMS-based second factors during active authentication flows.

Card & CVV Trade

Stolen card data (PAN + CVV), BIN lookups, and 3DS challenger tools used for high-value merchant abuse.

Identity Theft & Fullz

Complete real identity bundles (name, DOB, SSN or NIN, address, mother’s maiden name, sort code) used for two primary purposes: (1) fraudulent account opening, impersonating a real person to pass KYC, and (2) KBA bypass, answering knowledge-based authentication challenges to recover or take over existing accounts. Also includes synthetic identities: fabricated profiles blending real data (a genuine SSN from a child, elderly, or immigrant victim) with fictional details, engineered to pass automated KYC at banks and fintechs.

APP Fraud & Mules

Authorised Push Payment cashout layer: drop accounts, mule recruitment, and beneficiary routing infrastructure.

Business Email Compromise

Employee phishing, payroll diversion, W-2 theft, and executive impersonation infrastructure.

Crypto Drainers

Wallet draining kits, seed-phrase harvesting, and approval-exploit infrastructure targeting retail crypto holders.

A note on coverage

Investment, purchase, and romance scams feature minimally in this dataset. These are heavy APP fraud use cases, but they rely on long-form one-to-one victim grooming and operate primarily through social media, messaging apps, and scam compound operations, outside the commodity-tooling marketplaces that form our collection surface. Their absence here is a collection-surface artefact, not evidence of low prevalence.

Apr 28, 2026
Written by Boaz Valkin, CEO and Co-Founder, FALKIN
