Resistant AI’s Threat Intelligence Unit recently went beyond passive monitoring to test a live criminal market by purchasing a “verified bank account”.
The decision was simple: harvesting data and observing online chatter is useful, but to understand how fraud actually operates you sometimes need to experience the purchase flow yourself. What follows is a condensed, rewritten account of that investigation and why financial institutions should be alarmed, claimed Resistant AI.
Before describing the purchase, the team set out a clear conceptual grounding. As with all Threat Intelligence work, the investigation avoids naming specific victim institutions or exposing the true identities of actors involved. This protects victims from reputational harm and avoids amplifying a criminal service. The TIU instead focuses on patterns, services and ecosystem dynamics — and on the practical mechanics of how these account offerings are created, sold and delivered.
So what is a “verified account” offering? In short, vendors sell accounts that are already onboarded, active and have passed the required KYC checks. These offerings are typically produced by an “account farm” — a commercial operation where “account farmers” curate and distribute ready-made accounts via websites, messaging apps, social media pages and forum threads. Account farms dramatically lower the barrier for sophisticated financial crime. Instead of building mule networks or running complex onboarding fraud, buyers can scale illicit activity by purchasing accounts that appear legitimate.
The “verified account” package the TIU purchased illustrates why the menace is so scalable. Packages generally include the account logins, any associated infrastructure logins (for example the linked email), and the documentation used during onboarding — IDs, proofs of address, incorporation certificates and tax paperwork. All three components are essential: an account login without email access or supporting documents is far less useful. Where fraud enablers have adapted, they now often bundle services such as company formation, fake websites or merchant profiles to create a complete, plausible narrative for a bank or payments provider.
Over several months the TIU scoured the open web and Telegram channels to collect data on these offerings. Their findings show a sizable market already. From static account-farming websites they identified hundreds of offerings, but real-time messaging platforms proved far more active. In a one-month sample of 55 Telegram channels the team captured 120k+ messages, 150k+ individual account offerings and roughly 3k+ companies allegedly affected. Websites act as scalable storefronts, but the TIU found that buyers still prefer instant, direct communication — partly because an average account price of around $350 means trust matters and buyers demand quick, private exchanges rather than anonymous web checkout.
The TIU’s hands-on purchase started in a high-traffic channel and targeted a business account to secure the full package of logins and company documentation. Negotiation followed the expected pattern: an escrow suggestion, then a compromise of 50/50 payment. The team paid the first half, were briefly stalled, then received a mix of imagery and messages from the seller, and — after a few hours and an OTP-driven phone-number switch — the login handover occurred. The TIU confirmed account access via phone and email, completed the payment and later reviewed the supplied documents. The company registration did not exist in public records and the documents were forged — yet the account was live and controllable.
The consequences are chilling. The successful purchase validated that at least some portion of the market is delivering real, functional accounts rather than mere scams. If even a fraction of the activity observed is genuine, account farming is already a major vector for money laundering, fraud and other financial crime. The TIU emphasises that more documentation or tougher onboarding checklists are not guaranteed protections: once a fraudster discovers the formula that bypasses KYC, the attack can be replicated at scale. Criminals now exploit a palette of tools — forged templates, AI-generated content, shell company formation and professionalised marketplace services — to commercialise fraud-as-a-service.
For financial institutions the policy implications are clear. Detection strategies must shift from purely reactive rule-based flags to holistic, intelligence-driven approaches that map the ecosystem of enablers: template farms, account farms, messaging marketplaces, and the money flows that follow. Improving cross-industry information sharing, investing in behavioural detection and verifying the provenance of business registrations and linked infrastructures can reduce the attack surface. Above all, the investigation shows that financial crime is being industrialised — and defenders must respond with equally sophisticated, intelligence-led defences.
Copyright © 2025 RegTech Analyst
Copyright © 2018 RegTech Analyst
