This article summarises findings from a FinancialCrime.org investigation into the trade of verified cryptocurrency exchange and financial service accounts on the dark web and encrypted messaging platforms. Details of the threat actors, forums, channels, and listings identified during this investigation — including specific identifiers and infrastructure information — were provided to relevant law enforcement and regulatory authorities.


Investigation Summary

Between mid-2023 and late 2023, I spent several months monitoring cybercriminal forums and encrypted messaging channels where verified cryptocurrency exchange accounts, banking credentials, and identity kits are openly bought and sold. The goal was to understand the scale, structure, and pricing of this marketplace — to map the supply chain from identity acquisition to account sale — and to assess what it means for the KYC and AML controls that exchanges and financial institutions rely on.

What I found is not a fringe operation. It is a mature, structured, and surprisingly transparent marketplace where fully verified accounts at major platforms — Binance, Coinbase, Robinhood, CashApp, Wise, and dozens of others — are available to anyone willing to pay between $20 and $2,650, depending on the platform, the jurisdiction, and the completeness of the identity package.

The investigation covered four cybercriminal forums (Exploit.IN, XSS, Styx Innovation Marketplace, and several smaller venues) and multiple Telegram channels operated by vendors identified on those forums. The findings were cross-referenced against open-source threat intelligence, Russian-language media reporting on the dark web economy, and data from commercial threat intelligence providers.

The implications for financial crime compliance are severe. Every one of these accounts represents a real person’s identity — or a convincing synthetic facsimile — attached to a platform that believes it has completed KYC on a legitimate customer. When a criminal purchases one of these accounts, the platform’s compliance systems see a verified customer. The transaction monitoring, the sanctions screening, the risk scoring — all of it operates on the assumption that the person using the account is the person who was verified. That assumption is false, and the marketplace I investigated exists specifically to exploit it.

Background: The Market That KYC Built

The irony of the verified-account marketplace is that it exists because KYC works — at least in one narrow sense. Exchanges and financial platforms have implemented identity verification procedures that make it difficult for individuals to open accounts under their own names if those names appear on sanctions lists, are associated with high-risk jurisdictions, or are otherwise flagged. The controls are effective enough that criminals and sanctions-restricted individuals cannot simply open their own accounts.

The market’s response has been to create a supply chain that routes around the controls entirely. Rather than defeating KYC technically, the dark web marketplace defeats it commercially — by providing pre-verified accounts registered under clean identities that pass every check. The accounts are real. The identities are real (or persuasively synthetic). The only thing that is false is the relationship between the person who passed verification and the person who will use the account.

This is not a new phenomenon. As far back as 2021, CoinDesk reported that verified crypto exchange accounts were available on clear-web and dark-web marketplaces for as little as $150, and that vendors were offering custom verification services using stolen or purchased identity documents. CertiK’s research documented the same pattern in early 2023, identifying a thriving dark web market for KYC’d wallets used to launder proceeds from crypto heists.

What has changed since those earlier reports is the scale, the professionalisation, and the geopolitical drivers. The marketplace has grown from a cottage industry of opportunistic sellers into a structured, service-oriented economy with standardised pricing, product catalogues, customer support, and geographic specialisation.

How Accounts Are Sourced: The Identity Supply Chain

Before examining the specific listings I found, it is worth understanding how these accounts come into existence. My investigation, supplemented by open-source research and threat intelligence reporting, identified four primary sourcing methods.

Nominee recruitment

The most straightforward method involves recruiting real individuals — “nominees” or “drops” — who agree to complete KYC verification in their own names in exchange for a fee. The nominee provides their genuine identity documents, completes the verification selfie or video, and then hands over the account credentials to the vendor. The vendor sells the account onward. The nominee typically receives between $20 and $100 — a fraction of the account’s sale price.

This method produces the highest-quality accounts because the verification is genuine. The identity documents are real, the selfie matches the documents, and the biometric checks pass because a real human is performing them. The account will not be flagged by liveness detection, document authentication, or facial matching systems. It is, from the platform’s perspective, a perfectly legitimate verification.

Nominee recruitment is particularly prevalent in low-income regions and among populations that have limited use for the platforms in question. A December 2024 investigation by iProov, a biometric verification firm, uncovered organised dark web operations in Latin America and Eastern Europe that systematically recruited individuals willing to provide their identity documents and biometric data for payment. The researchers noted that these were not stolen identities — the individuals participated voluntarily, creating complete, genuine identity packages that were designed to defeat even sophisticated verification systems.

Credential theft (logs)

The second method involves stealing existing verified accounts rather than creating new ones. Credentials are harvested through infostealer malware, phishing campaigns, credential-stuffing attacks, and data breaches. The term “logs” — widely used in the dark web marketplace — refers to packages of stolen credentials typically extracted by infostealer malware that captures browser-stored passwords, session cookies, and authentication tokens.

Stolen accounts are cheaper than nominee-sourced accounts because they carry higher risk. The legitimate account holder may notice unauthorised access and trigger a password reset, security review, or account freeze. The buyer has a limited window to use the account before it is recovered. This is reflected in the pricing: basic login credentials sell for as little as $20, while accounts with full access packages (email, phone, two-factor authentication) command $200–$300.

Synthetic identity creation

The third method involves constructing entirely fictitious identities using a combination of real and fabricated elements. A synthetic identity might use a real Social Security number (often belonging to a deceased person, a child, or an individual with no credit history) combined with a fabricated name, address, and date of birth. The identity is then used to create accounts, build a transaction history, and pass KYC verification.

Synthetic identity fraud is more common in the traditional banking system than in crypto exchanges, because many exchanges use document-based verification (requiring a photo of a government-issued ID) rather than database-based verification (checking names against credit bureau records). However, the availability of high-quality forged identity documents on the dark web — including AI-generated document images that pass automated authenticity checks — is narrowing this gap.

AI-enabled KYC bypass

The most recent and potentially most disruptive method involves using artificial intelligence to defeat the verification process itself. Deepfake technology can generate realistic video and images that pass liveness detection systems. AI tools can produce synthetic identity documents that are indistinguishable from genuine ones under automated review. And research published by Trend Micro in 2024 confirmed that open-source deepfake tools successfully defeated at least two major KYC providers in controlled testing.

This method is still emerging, but the trajectory is concerning. As deepfake technology improves and becomes more accessible, the cost of bypassing biometric verification will continue to fall. Forum discussions I monitored included threads where threat actors shared techniques for defeating specific platforms’ liveness checks — naming the providers by name and discussing which approaches worked and which did not.

The Scale of the Problem

The trade in verified crypto accounts has grown substantially over the past two years, driven by a combination of increased KYC enforcement by exchanges and geopolitical developments that have created new demand.

According to May 2023 data from Privacy Affairs, login credentials for verified crypto exchange accounts are available on the dark web for as little as $20, with some full-identity packages fetching as much as $2,650. U.S.-based Bittrex hosts some of the cheapest listings, while Germany’s N26 mobile banking platform commands the highest prices — reflecting both the regulatory difficulty of opening German banking accounts remotely and the value of a European IBAN in the criminal economy.

The Russia-Ukraine inflection point

The growth has been particularly acute in the Russian-language cybercriminal ecosystem. A January 2023 report by Kommersant, the Russian business daily, found that the volume of dark web solicitations for verified crypto exchange accounts had doubled compared to early 2022. Cybersecurity experts quoted by the newspaper attributed the growth directly to Western sanctions imposed on Russia following the invasion of Ukraine — sanctions that prompted many crypto exchanges to block Russian accounts or prohibit fiat withdrawals to Russian-issued bank cards.

Igor Sergienko, a director at Russian cybersecurity firm RTK-Solar, noted that these restrictions created immediate demand from ordinary Russian users who had been locked out of exchanges where they held assets. The sanctions did what they were designed to do — restrict Russian access to Western financial infrastructure — but they also created a commercial incentive for criminal entrepreneurs to bridge the gap.

Nikolay Chursin, a threat intelligence analyst at Positive Technologies, told Kommersant that the average price for basic login credentials is around $50, but that complete identity packages — including two-factor authentication codes, registered documents, email access, and browser cookies — average around $300.

Dmitry Bogachev of Jet Infosystems explained to Kommersant that pricing depends on several variables: the country of registration (Western accounts command higher prices), the age of the account (older accounts are more valuable because they have established transaction histories and higher trust scores), and the activity history (accounts with consistent trading patterns are worth more than freshly opened ones because they are less likely to trigger new-account monitoring rules).

The buyer profile splits into two categories with very different risk profiles: ordinary Russian crypto users seeking to circumvent sanctions-related restrictions in order to access their own assets, and criminals seeking clean identities through which to launder proceeds. This investigation focused on the supply side — the forums, channels, and threat actors that serve both categories without distinction.

Pricing Analysis: What Drives Value in the Criminal Marketplace

One of the most revealing aspects of this investigation was the pricing structure across different platforms and product tiers. The prices are not random. They reflect a rational assessment of the value and risk associated with each type of account.

The cheapest accounts — basic exchange logins at $20–$50 — offer limited utility. They provide access to a verified platform, but without control over the associated email, phone, or two-factor authentication, the buyer’s access is precarious. The legitimate account holder could regain control at any time.

Mid-range accounts at $200–$300 include the full access package: email credentials, phone number (typically a virtual number or SIM), two-factor authentication codes or backup keys, and sometimes a scan of the identity document used for verification. These accounts are operationally useful for a period of weeks or months, until the platform’s ongoing monitoring detects behavioural anomalies or the nominal holder notices unusual activity.

Premium accounts at $500–$900+ include everything in the mid-range tier plus physical elements: a plastic card (debit or crypto card) that has been issued and received at a physical address, an IBAN number, and in some cases access to additional services within the platform (crypto buy/sell, virtual card creation, cross-border transfers). These accounts are designed for sustained use and are priced accordingly.

The most expensive tier — accounts at $1,000–$2,650 — typically involves established banking or fintech accounts at European institutions with high verification standards (N26, Revolut, Wise). These accounts are valuable because they provide access to the European banking infrastructure: SEPA transfers, IBAN-based payments, and integration with the broader financial system. For a criminal seeking to move funds from crypto to fiat within Europe, a verified N26 or Revolut account with a working debit card is an extraordinarily valuable asset.

The pricing logic is consistent with the economics I have observed in other financial crime investigations: the value of a laundering channel is proportional to the difficulty of replicating it through legitimate means.

What I Found: Forums, Channels, and Threat Actors

Exploit.IN: BullFrogService

My first significant finding was a May 2023 posting on Exploit.IN, one of the most established Russian-language cybercriminal forums. Exploit.IN has operated since the mid-2000s and hosts a sophisticated user base that includes malware developers, access brokers, and financial fraud specialists. The forum requires registration and vetting, and its marketplace operates with an escrow system and reputation scoring — infrastructure that mirrors legitimate e-commerce.

A threat actor operating under the handle “BullFrogService” posted a solicitation for verified accounts across a wide range of financial platforms: exchanges, banks, crypto cards, and virtual cards across the CIS and Europe — specifically naming Binance, BUNQ, Stripe, iCard, Paysera, BitPay, Wise, and others.

[Figure: BullFrogService solicits access to verified crypto accounts. Source: Exploit.in]

The forum posting directed prospective buyers to a dedicated Telegram channel — a common pattern I observed across multiple vendors. The forums serve as the credibility layer (where the threat actor’s reputation score and transaction history are visible), while Telegram serves as the sales channel (where individual listings are posted and transactions are conducted). This separation is deliberate: it limits the information exposed on any single platform and provides operational resilience if either the forum or the channel is compromised.

When I accessed BullFrogService’s Telegram channel, I found structured product listings with specific pricing, platform details, and feature descriptions. The listings were updated regularly, with new accounts posted every few days — suggesting a steady supply pipeline rather than one-off inventory.

[Figure: Crypto account postings from BullFrogService’s TG channel. Source: Telegram]

Two listings from June 12 illustrate the sophistication of the offerings.

The first was a verified IBAN account for an EU drop held through the BlackCat online banking service. The product description read: “verified account for the EU drop. MT IBAN, you can create virtual cards (unlimited). There are crypto-services inside the application (deposit/buy/sell/withdraw). Virtual number and documents are attached.” Price: $500.

This listing deserves close attention. What is being sold is not just an exchange account — it is a full banking identity within the European financial system. The MT IBAN (Maltese International Bank Account Number) provides access to SEPA transfers across the EU. The ability to create unlimited virtual cards means the buyer can generate disposable card numbers for online transactions. The integrated crypto services mean the buyer can convert between crypto and fiat within the same platform. And the included virtual number and documents mean the buyer has everything needed to maintain control of the account and defeat security challenges. For $500, a criminal acquires a complete, operationally ready European financial identity.

The second listing was a Binance exchange card: “fully verified account for the EU drop. Binance VISA plastic card issued and received. The card can only be sent to Europe, South Caucasus, Belarus and Moldova by state mail. Documents and number included.” Price: $900.

The $900 price point for a Binance card reflects the additional value of a physical card — it can be used at ATMs and point-of-sale terminals, providing a direct crypto-to-cash conversion channel that does not require an intermediary bank transfer.

Telegram: Rega inc

A separate Telegram channel operating under the name “Rega inc” offered a more standardised catalogue of verified accounts across a dozen or more platforms. The pricing structure revealed which platforms are most valued in the criminal marketplace.

[Figure: Verified crypto account listings. Source: ‘Rega inc’ TG channel]

The price hierarchy is instructive. CashApp BTC accounts top the list at $270, followed by Robinhood at $250, Coinzoom and Moon Pay at $230 each, and Coinbase, Binance, Gemini, and others at $200.

CashApp’s premium pricing likely reflects its unique position in the U.S. market as a platform that combines person-to-person payments, direct deposit, a debit card, and Bitcoin trading in a single interface — making it exceptionally versatile for layering funds through what appears to be routine consumer activity. Robinhood’s premium reflects its stock and options trading capability, which enables a different kind of laundering: converting crypto proceeds to equities, holding them briefly, and then withdrawing as apparently legitimate investment gains.

The standardised pricing and catalogue format — with uniform product descriptions and consistent pricing across account types — suggest this is not a one-off seller but an ongoing operation with volume supply and established fulfilment processes. The channel functions, operationally, like any other e-commerce catalogue. The product just happens to be identity fraud.

XSS Forum: M666 and the Full-Service Model

The XSS forum — widely regarded as the largest active cybercriminal forum in the Russian-language space, and arguably the most important cybercrime forum in operation globally — yielded several significant findings.

A February 2023 posting by threat actor “M666” advertised what amounts to a full-service identity-as-a-service operation, covering verified accounts for crypto exchanges, banks, casinos, digital wallets, fintech platforms, merchant accounts, and brokers.

[Figure: Verified crypto account listing. Source: XSS Damage Lab]

M666’s pitch was notably professional: “We can deliver a fully verified solution for any type of use. You just have to use your imagination and we can help you with regard to payment systems. Any kind of service you need validation. (Decade of business experience).”

The claim of a “decade of business experience” is notable. If accurate, it places M666’s operation well before the current sanctions-driven demand surge, suggesting that the verified-account market existed as a mature criminal enterprise before the Ukraine conflict accelerated it. The invasion did not create this market. It poured fuel on a fire that was already burning.

The geographic coverage was extensive. M666 claimed to provide nominee accounts registered in Hungary, Malta, Romania, Cyprus, Estonia, Latvia, Lithuania, Switzerland, Belgium, the UK, and across the Americas — the US, Ecuador, Colombia, Mexico, Peru, Chile, Argentina, Dominican Republic, Brazil, Belize, and Panama.

The jurisdictional range is deliberate. It includes EU countries with relatively permissive corporate registration regimes (Malta, Cyprus, Estonia), offshore financial centres (Belize, Panama, BVI), Latin American jurisdictions where nominee recruitment is presumably easier and cheaper, and major financial centres (UK, Switzerland, US) where accounts carry the highest value but are hardest to obtain.

This is not a hobbyist operation. The breadth of jurisdictional coverage, the variety of platform types, the professional marketing, and the claimed longevity suggest an established criminal enterprise with access to a pipeline of nominee identities across multiple countries and continents.

XSS Forum: whitenet and NFT-Adjacent Identity Fraud

A separate XSS posting from August 2023, attributed to threat actor “whitenet,” revealed an adjacent market that I had not anticipated finding: verified social media accounts specifically tailored for NFT and crypto community infiltration.

[Figure: Threat actor ‘whitenet’s’ posting for verified Twitter blue-check NFT accounts. Source: XSS]

Whitenet offered Twitter accounts “with Twitter Blue, more than 500 tweets of various NFT / Crypto communities, more than 5k subscribers, registration until 2013” for $60 each.

The term “warmed” is significant in the threat actor lexicon. It refers to accounts that have been aged, populated with realistic activity, and built up with follower networks so that they appear to be genuine community participants rather than freshly created sock puppets. A Twitter account registered in 2013 with 5,000 followers and hundreds of crypto-related tweets looks, to a casual observer, like an established community member. It does not look like a tool purchased on a cybercriminal forum.

These accounts serve a fundamentally different function from verified exchange accounts, but they are part of the same criminal supply chain. Exchange accounts enable financial transactions under a false identity. Social media accounts enable social engineering — building credibility within crypto communities before executing scams, promoting fraudulent tokens, manipulating NFT floor prices, or infiltrating project teams to gain insider access.

The existence of a commercial supply chain for these accounts should concern anyone who evaluates the trustworthiness of crypto influencers, NFT project promoters, or community moderators. The barriers to fabricating a credible online presence are financial, not technical — and at $60 per account, they are not high.

Styx Innovation Marketplace: VeriffDzen

The final significant finding came from the Styx Innovation Marketplace, a cybercriminal forum that caters specifically to financially motivated threat actors and has been profiled by threat intelligence firms as a growing hub for banking fraud, crypto fraud, and identity theft services.

A Russian-language threat actor operating as “VeriffDzen” maintained a series of listings for verified crypto accounts.

[Figure: Verified crypto account listings posted by VeriffDzen. Source: Styx Innovation Marketplace]

The handle “VeriffDzen” is itself analytically significant. Veriff is the name of a well-known and widely used identity verification company employed by numerous exchanges and fintech platforms to perform document verification and biometric checks. The threat actor’s choice to incorporate the name of a legitimate verification provider into their handle suggests one of two things: either they are claiming the ability to defeat Veriff’s specific verification process, or they are trading on the brand recognition to signal to buyers that their accounts will pass the verification checks that platforms use. Either interpretation is concerning.

The Styx marketplace’s focus on financial fraud means that VeriffDzen’s listings exist alongside complementary criminal services: forged identity documents, SIM-swap services, phishing kits targeting specific exchanges, and cash-out guides. The co-location of these services on a single platform creates a one-stop shop for financially motivated criminals — a complete operational toolkit, from identity acquisition to money laundering, available in a single marketplace.

How These Accounts Are Used: Laundering Typologies

Understanding why criminals buy these accounts requires understanding how they are used. My investigation, combined with case analysis from published enforcement actions and blockchain forensic reports, identifies several primary use cases.

Sanctions evasion

The most straightforward use case, and the one that appears to be driving the current demand surge, is sanctions evasion. Russian nationals and entities blocked from accessing Western crypto exchanges use purchased accounts to continue trading, converting rubles to crypto, and moving funds internationally. The verified account — registered under a nominee in a non-sanctioned jurisdiction — passes the exchange’s sanctions screening because the nominal account holder is not sanctioned. The actual user is.

This use case spans both legitimate and criminal activity. Some buyers are ordinary Russian citizens attempting to access assets they accumulated before the sanctions. Others are Russian entities, oligarch-adjacent networks, or state-linked actors using crypto to circumvent financial restrictions that were imposed for reasons of international security.

Layering and structuring

Purchased accounts are used as intermediary nodes in layering schemes — the second stage of the classic money laundering process. Criminal proceeds are deposited into one purchased account, traded across multiple platforms (each with its own purchased identity), and withdrawn from a different account in a different jurisdiction. The goal is to create enough transactions across enough platforms that the link between the criminal source and the eventual clean withdrawal is effectively broken.

This is the crypto equivalent of the traditional bank-account layering that AML investigators have been tracing for decades. The difference is speed — crypto transactions settle in minutes, not days — and scale. A criminal with ten purchased accounts across five exchanges can execute a layering sequence in hours that would take weeks through traditional banking channels.

Cash-out from cybercrime proceeds

Ransomware operators, darknet market vendors, and hackers who hold stolen cryptocurrency need a pathway from their tainted wallet to usable fiat currency. Purchased verified accounts provide that pathway. The criminal deposits stolen crypto into a purchased account, trades it for a different cryptocurrency or fiat, and withdraws through a bank transfer or ATM.

This use case is directly connected to the mixer ecosystem I have written about elsewhere. Mixers like ChipMixer and Tornado Cash obfuscate the on-chain trail. Purchased accounts provide the identity layer for the final cash-out. Together, they form a complete laundering pipeline: mix the coins to break the blockchain trail, then deposit into a verified account under a clean identity to convert to fiat.

Our companion investigation into dark web manuals for withdrawing crypto that fails AML checks documents specific techniques recommended in these guides, many of which explicitly presuppose access to purchased verified accounts.

Fraud facilitation

Purchased accounts also serve as operational infrastructure for fraud schemes. A crypto investment scam, for example, requires receiving victim deposits into wallets that appear to belong to a legitimate entity. Verified exchange accounts — particularly those with established trading histories — provide the appearance of legitimacy that scam operations depend on.

Similarly, pump-and-dump schemes targeting low-capitalisation tokens require multiple accounts to create the illusion of independent buying interest. Purchased accounts, each registered under a different identity, serve this purpose. The “warmed” social media accounts identified in the whitenet listing play a complementary role — promoting the token to crypto communities under what appear to be independent, established identities.

Detection Indicators: What Compliance Teams Should Watch For

This investigation has practical implications for compliance teams at exchanges, fintech platforms, and financial institutions. The following indicators, derived from the patterns observed in this investigation, may help identify accounts that are being operated by someone other than the verified holder.

Behavioural discontinuity. The most reliable indicator is a sudden change in account behaviour that is inconsistent with the established profile. If a verified account that has been dormant for months suddenly begins high-volume trading, receives large deposits, or initiates cross-border withdrawals, the change may reflect a transfer of control rather than a change in the legitimate holder’s behaviour.

Geographic anomalies. If the IP address, device geolocation, or login timezone is inconsistent with the verified holder’s registered location, this may indicate third-party access. VPN usage is common among privacy-conscious users, but VPN usage combined with other indicators becomes more significant.

Device fingerprint changes. A change in the device used to access the account — different hardware, operating system, browser, or screen resolution — can indicate that a different person is operating the account.

Authentication pattern shifts. If the two-factor authentication method changes (for example, from the original phone number to a new device), and the change coincides with a behavioural shift, the account may have been sold or stolen.

Rapid asset conversion. Accounts that receive crypto deposits and immediately convert to fiat or withdraw to an external address — without the holding or trading behaviour typical of legitimate users — are consistent with laundering typologies.

Multi-account correlation. Multiple accounts that share device fingerprints, IP addresses, deposit sources, or behavioural patterns but are registered under different identities may be part of a network of purchased accounts operated by a single actor.

None of these indicators is individually conclusive. Legitimate users change devices, travel, and alter their trading behaviour. But the combination of multiple indicators — particularly when correlated across the platform’s user base — can identify accounts that warrant enhanced scrutiny.
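
The six indicators above combined into one scoring pass, as an added example that is not part of the original article. The event schema, thresholds, account names and sample events are all constructed assumptions; an account is escalated only when several indicators coincide.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
DORMANCY = timedelta(days=90)       # silence that makes a wake-up notable
COINCIDE = timedelta(days=7)        # window for "coincides with"
RAPID_WINDOW = timedelta(hours=2)   # deposit -> withdrawal turnaround
REVIEW_THRESHOLD = 3                # indicators needed before escalation


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str           # "login", "2fa_change", "deposit", "withdrawal"
    country: str = ""
    device: str = ""
    amount: float = 0.0


def indicators(events, registered_country):
    """Return {account: set of indicator names} for a batch of events."""
    by_account = defaultdict(list)
    device_accounts = defaultdict(set)   # fingerprint -> accounts seen on it
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account[e.account].append(e)
        if e.device:
            device_accounts[e.device].add(e.account)

    hits = {acct: set() for acct in by_account}
    for acct, evs in by_account.items():
        baseline_device = None   # first device seen is treated as the holder's
        last_ts = woke_at = last_deposit = None
        shift_times, twofa_times = [], []
        for e in evs:
            if last_ts is not None and e.ts - last_ts >= DORMANCY:
                woke_at = e.ts               # first activity after dormancy
            last_ts = e.ts
            if e.kind == "login":
                if e.country != registered_country.get(acct):
                    hits[acct].add("geographic_anomaly")
                if baseline_device is None:
                    baseline_device = e.device
                elif e.device != baseline_device:
                    hits[acct].add("device_change")
                    shift_times.append(e.ts)
                if len(device_accounts[e.device]) > 1:
                    hits[acct].add("shared_device")
            elif e.kind == "2fa_change":
                twofa_times.append(e.ts)
            elif e.kind == "deposit":
                last_deposit = e
            elif e.kind == "withdrawal":
                if (last_deposit is not None
                        and e.ts - last_deposit.ts <= RAPID_WINDOW
                        and e.amount >= 0.9 * last_deposit.amount):
                    hits[acct].add("rapid_conversion")
            # Money movement soon after a long-dormant account wakes up.
            if (woke_at is not None and e.kind in ("deposit", "withdrawal")
                    and e.ts - woke_at <= COINCIDE):
                hits[acct].add("behavioural_discontinuity")
                shift_times.append(woke_at)
        # A 2FA change only counts when it lands near another shift.
        if any(abs(t - s) <= COINCIDE for t in twofa_times for s in shift_times):
            hits[acct].add("auth_shift")
    return hits


def accounts_for_review(events, registered_country, threshold=REVIEW_THRESHOLD):
    """Escalate only accounts where several indicators coincide."""
    scored = indicators(events, registered_country)
    return {a: sorted(h) for a, h in scored.items() if len(h) >= threshold}


def _e(ts, account, kind, **kw):
    return Event(datetime.fromisoformat(ts), account, kind, **kw)


# Constructed sample data: registered KYC countries and a small event log.
REGISTERED = {"acct-A": "DE", "acct-B": "PL", "acct-C": "FR"}
SAMPLE = [
    _e("2023-01-10T08:00", "acct-A", "login", country="DE", device="dev-1"),
    _e("2023-06-12T09:00", "acct-A", "login", country="TR", device="dev-9"),
    _e("2023-06-12T09:05", "acct-A", "2fa_change"),
    _e("2023-06-12T10:00", "acct-A", "deposit", amount=5000.0),
    _e("2023-06-12T10:40", "acct-A", "withdrawal", amount=4900.0),
    _e("2023-06-01T12:00", "acct-B", "login", country="PL", device="dev-2"),
    _e("2023-06-13T12:00", "acct-B", "login", country="TR", device="dev-9"),
    # acct-C: a holder who travels; one indicator only, so not escalated.
    _e("2023-05-01T18:00", "acct-C", "login", country="FR", device="dev-3"),
    _e("2023-06-10T18:00", "acct-C", "login", country="ES", device="dev-3"),
    _e("2023-06-10T18:30", "acct-C", "deposit", amount=100.0),
]

if __name__ == "__main__":
    for acct, found in accounts_for_review(SAMPLE, REGISTERED).items():
        print(acct, found)
```

In production the first-seen device is a weak baseline; a platform would normally anchor it to the device and session used during KYC onboarding.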

What This Means for the Industry

The marketplace I investigated is not a hypothetical risk. It is an active, functioning supply chain that produces verified accounts at scale — accounts that will pass the KYC checks of the platforms they are registered on, because they were registered using real identity documents belonging to real people (or increasingly convincing synthetic alternatives).

This creates a fundamental challenge for the compliance model that the crypto industry — and increasingly the broader financial services industry — depends on. KYC is designed to establish a durable link between an account and a real, identifiable human being. When that link is severed at the point of sale — when the person who uses the account is not the person who was verified — the entire downstream compliance architecture operates on a false premise.

Transaction monitoring flags activity against a customer risk profile that belongs to a nominee, not the actual user. Sanctions screening checks names and jurisdictions that bear no relationship to the person actually transacting. Enhanced due diligence procedures that are triggered by account behaviour are applied to a file that describes someone who is not involved in the transactions under review.

For compliance officers and investigators, the practical implication is that static identity verification — the one-time KYC check at account opening — is necessary but no longer sufficient. The existence of this marketplace means that a verified account, by itself, is not evidence of a legitimate customer relationship.

The defence must shift toward continuous authentication and behavioural analytics: ongoing monitoring that assesses not just what transactions are occurring, but whether the person conducting them is consistent with the person who was verified. Device intelligence, session analysis, biometric re-verification, and pattern-based anomaly detection are no longer optional enhancements. They are the minimum viable defence against a marketplace that has learned to produce identities as a commodity.

For regulators, the marketplace raises a difficult strategic question. KYC as currently practised is an entry-point control. It verifies identity at the door. The dark web marketplace has found that the door, once opened, stays open. The question is whether the regulatory framework can evolve to require continuous verification — authentication that persists throughout the customer relationship — without imposing costs that drive users and platforms to unregulated alternatives.

For the exchanges and platforms whose accounts are being sold, the marketplace is a direct operational threat. Every sold account is a potential conduit for money laundering, sanctions evasion, or fraud — activity that will be attributed to the platform in any subsequent enforcement action. The platforms named in the listings I documented — Binance, Coinbase, CashApp, Robinhood, Wise, and others — each face the possibility that a proportion of their verified customer base consists of accounts that are not controlled by the people who passed verification.

The details of this investigation — including specific threat actor identifiers, forum URLs, Telegram channel information, and associated infrastructure — have been shared with relevant law enforcement and regulatory authorities. Findings from this investigation also informed a companion piece examining dark web manuals that provide step-by-step instructions for laundering crypto assets that fail AML verification checks.

If you have information about the trade in verified accounts, the recruitment of nominees for KYC verification, or the criminal use of purchased accounts, I would like to hear from you. Reach out at [email protected]. For more on how to submit information, see our tips page.
