Singapore, 23 Feburary 2026 – Threat Hunter, a global threat intelligence provider headquartered in Singapore, today released its KYC Attack Risk Landscape 2025, revealing that identity verification systems worldwide are facing a fundamental shift as KYC attacks evolve into a mature, industrialized underground economy.

Based on continuous monitoring of global dark web communities, black-market trading channels, and real-world attack cases, the report shows that 78.36% of observed KYC attacks in 2025 targeted financial platforms, including banks, digital wallets, payment tools, and cryptocurrency exchanges. E-commerce and content platforms also experienced sustained attack activity, highlighting that identity abuse is no longer confined to regulated financial services.

According to Threat Hunter’s research, KYC attacks are no longer driven by isolated actors or opportunistic fraud. Instead, they are executed through highly structured supply chains, mirroring legitimate SaaS business models with upstream material production, midstream technical services, and downstream monetization.

From Verification Bypass to Identity-as-a-Service

The report identifies a clear transformation in how KYC attacks are carried out.

Upstream suppliers now mass-produce identity materials using a combination of real stolen data and AI-generated synthetic identities. These include high-resolution ID documents, biometric selfies, liveness videos, and address proofs designed to meet platform freshness and verification requirements.

Midstream operators specialize in bypassing platform defenses through environment spoofing, device fingerprint evasion, protocol manipulation, and deepfake-based liveness attacks. Downstream services then package verified accounts or offer managed KYC bypass services, often advertising guaranteed pass rates and platform-specific expertise.

“This is no longer about stealing identities. It’s about manufacturing them at scale,” said Tim Bi, CEO of Threat Hunter.

Address Proofs and Corporate Identities Emerge as High-Risk Assets

Threat Hunter’s findings show that address proof documents are the most frequently traded KYC attack materials, driven by their low cost of fabrication and repeated reuse requirements imposed by platform policies.

At the same time, corporate KYC materials command the highest prices and show the greatest volatility, reflecting the complexity of bypassing corporate verification processes and the higher downstream value of corporate accounts. This trend signals where attackers see the strongest return on investment and where platforms face their greatest hidden exposure.

Global Reach, Local Exploitation

KYC attack activity spans multiple regions, with Europe, the Americas, Africa, and Southeast Asia accounting for over 80% of observed attack intelligence. The report highlights that attackers actively target regions with mature digital financial ecosystems, cross-border transaction flows, and fragmented identity verification standards.

Rather than exploiting regulatory gaps alone, attackers adapt to platform-specific workflows, verification logic, and enforcement timing, allowing them to scale attacks while minimizing detection.

Why Traditional KYC Models Are Failing

The research concludes that many identity verification frameworks remain built on outdated assumptions: that identity is static, risk is front-loaded at onboarding, and verification equals trust.

In practice, attackers optimize specifically to pass KYC checks, then exploit trusted access for fraud, laundering, arbitrage, or resale. This creates a widening gap between identity at verification and behavior after approval, leaving platforms exposed despite increasing compliance investment.

A Call for Identity Intelligence, Not Just Verification

Threat Hunter emphasizes that strengthening KYC controls alone will not close this gap.

“The core issue is not that KYC is poorly implemented. It’s that identity verification has become a solvable technical problem for attackers. This calls for a shift toward continuous identity intelligence, where risk is assessed dynamically based on behavior, network signals, and contextual intelligence rather than static documents and one-time checks.” Bi added.

About the KYC Attack Risk Landscape 2025

The KYC Attack Risk Landscape 2025 draws on large-scale threat intelligence monitoring, underground market analysis, and real attack cases across financial services, e-commerce, content platforms, and virtual asset ecosystems. It provides a detailed view of how identity abuse has evolved into a structured, commercialized industry and outlines the implications for platform trust, fraud exposure, and regulatory risk. Access the report here.

Read full report

For media queries, please contact marketing@threathunter.com.