Dark web sells UK ID packs to bypass bank biometrics

Criminals on dark web marketplaces are buying complete identity packages for about USD $30 and using them to defeat biometric checks at UK banks and fintechs, according to new analysis by AMLTRIX.

The researchers reviewed 25 active markets and forums over a five-day period. They focused on vendors with established reputations and excluded likely phishing sites and law-enforcement traps.

The study found that UK identity profiles are among the cheaper options. Vendors typically list UK packages for between USD $30 and USD $35. Prices for US identities range from USD $45 to USD $100. Polish and Danish profiles usually cost USD $30 to USD $40, while Russian, French and Australian profiles sit in the USD $20 to USD $30 band.

These prices apply to what sellers describe as "full identity packages". The bundles usually contain a high-resolution scan of an ID document, a selfie that matches the document, and a set of personal details.

AMLTRIX analysts say criminals use this content as input for camera emulators. The tools feed static images into systems that expect live video checks during remote onboarding.

"A full identity pack with ID scan and selfie is now cheap enough and accessible for criminals to buy in bulk, and if that is not enough, the dark web offers other, more reliable, although more expensive options," said Gabrielius Erikas Bilkštys, Co-founder, AMLTRIX. "That reflects how often the same personal data is stolen and resold, and how industrialised this market has become."

Once a criminal gains access to an identity, they can reuse it across multiple services. The same profile might support applications for bank accounts, crypto wallets and payment app accounts. The original owner often remains unaware until they receive demands from debt collectors or contact from law enforcement.

Victims can face more severe outcomes than missed payments on fraudulent loans. AMLTRIX says these packages are widely used to operate "mule" accounts that move illicit funds through regular financial channels. Investigators may therefore associate victims' names and faces with money laundering flows.

The analysis cites a September 2025 report by the UN Office on Drugs and Crime. That report states that in organised fraud schemes, "bank accounts are commonly registered to fake, stolen, or borrowed identities". AMLTRIX links this pattern with the ready availability of identity bundles at low prices.

Premium for 'verified'

The researchers found a sharp price difference between raw identity data and fully verified accounts. A simple identity bundle might cost USD $30. By contrast, some vendors sell pre-verified cryptocurrency accounts for USD $200 to USD $400.

These premium listings often advertise accounts that have already passed biometric and document checks. The seller takes on the initial onboarding process and then hands over access to the buyer.

AMLTRIX says the steep markup implies that many criminals struggle with verification. Buyers appear willing to pay others who specialise in navigating biometric and KYC controls.

The group notes that this model shifts risk within the criminal ecosystem. One set of actors steals and compiles data. Another group handles onboarding and verification. End buyers then use the accounts mainly as tools in laundering schemes.

Analysts also observed listings for physical documents. These include offers of an Irish passport for about USD $2,500 and a UK "frequent traveller" passport for around USD $2,600. The listings suggest that some vendors claim to supply documents that can be presented at borders.

However, AMLTRIX says many high-priced offers appear unreliable. Some advertisements likely operate as scams against other criminals. Others may be run by law enforcement.

This backdrop has pushed much of the trade toward low-cost digital items. Sellers focus on data and account packages that they can distribute at scale with less exposure.

Linked to everyday crime

AMLTRIX frames the dark web trade as a downstream consequence of routine cybercrime. Phishing campaigns, credential theft, account takeovers and major data breaches all feed material into these markets.

"Many organisations still think of the dark web as a distant, exotic threat," said Bilkštys. "In reality, it is tightly connected to everyday phishing campaigns, large data breaches, account takeovers, and money laundering cases that compliance teams are already dealing with."

The group argues that financial institutions need to reassess how they validate customer identities over time. Static checks at onboarding do not address account behaviour that may indicate control by a criminal network.

AMLTRIX says institutions should assess whether identity details remain plausible when examined alongside transaction history and device patterns. The frameworks describe this as a move towards behavioural analysis rather than reliance on document and selfie uploads.

The project classifies these observed techniques under its "Identity Impersonation" category. This sits within what AMLTRIX labels its "Access Facilitation" tactic, which covers how adversaries obtain or fabricate customer records.

The team plans to expand its taxonomy of money laundering methods and maintain its coverage of identity abuse patterns on the dark web.