For law-abiding cryptocurrency users, getting verified to trade on an exchange is a painstaking process. They must give out a wealth of personal data, including their home addresses, scans of government-issued ID, and photo or video selfies.
For criminals, it’s easier. They can pay as little as $150 on the black market for a ready-to-use, verified account in someone else’s name at Coinbase Pro, Binance.US, Kraken or numerous other exchanges, a CoinDesk investigation found.
To be clear: “verified” in this context does not mean legitimate. Underground vendors create these accounts with other people’s identities or under made-up names, tricking the exchanges into verifying them as valid users. They then advertise these verified accounts for sale on internet forums and on Telegram.
Besides crypto exchanges, the vendors also offer fraudulently created accounts for use with mainstream payment providers such as Square’s Cash App and Transferwise.
“We are producing from 1,500 to 2,000 synthetic verified accounts each month,” an operator of one such service told CoinDesk in an interview via the Telegram messaging app.
This service has multiple employees and even “departments” within the business, said the person, who refused to give a name. And it has no shortage of competitors, CoinDesk’s investigation found.
A CoinDesk reporter reviewed a sample of crypto and payment accounts that had been purchased from several black-market vendors. The exercise revealed these vendors are, in many cases, trafficking in sensitive information about people who likely have no idea their names are on the accounts.
It also showed how people who, for whatever reason, don’t want to expose their real identities or fear they wouldn’t be approved for an account can skirt the industry’s customer-vetting processes – at least, up to a point.
While it’s difficult to gauge the size of this market – criminals don’t typically publicize their revenue, after all – it appears to be flourishing.
“We’ve observed a staggering amount of threat actors advertising and brokering fraudulent accounts for both crypto exchanges and payment services,” said Andrew Gunn, senior threat intelligence analyst at ZeroFox, a cybersecurity firm based in Baltimore.
Over the past 12 months, ZeroFox found over one million posts on forums and Telegram messaging-app groups advertising accounts for sale, Gunn said.
The fact that you can buy a fake digital identity for around $200 raises fresh questions about the effectiveness of “know your customer” (KYC) policies implemented by crypto businesses around the world. While everyday users often have to submit the same information multiple times for reverification and wait for weeks or months to withdraw their money (even Martha Stewart reportedly waited two weeks to get verified), bad actors can sneak in easily.
In plain sight
Black markets thrive both on the so-called dark web, which is accessible through the anonymizing Tor browser, and on the clear web or surface web – the part of the internet most of us browse every day.
Here, in plain sight, are live forums populated by professional hackers, scammers of all sorts and sellers of illegal goods. To name some, Russian-speaking forums such as Ver.sc (short for “Verified”) and CCCC.sb are focused on illegal identity-related services such as “carding” (trafficking in stolen or counterfeit credit card numbers).
On these platforms, one can easily find for sale accounts for use on a diverse range of crypto exchanges and payment services, from peer-to-peer trading platform Localbitcoins to professional trading venue Coinbase Pro to mainstream payment services CashApp, Transferwise and Revolut.
Prices, ranging from $150 to $500, are disclosed to a prospective buyer in a personal chat or posted on a price list like the one on this web page. To buy an account, one needs to get in touch with a vendor (often via Telegram), pay in crypto (usually bitcoin) and get the requested account data.
Sometimes the accounts originally were registered by legitimate customers and have been hijacked by hackers. (For a buyer of such an account, there is always the risk that its actual owner will notice something weird is going on and flag it to the platform administrator.) Sometimes vendors create accounts from scratch using stolen or fake data. Sometimes users register accounts in their own names and then turn them over to vendors to sell.
According to posts on the forums and conversations with some of the vendors, they go through the exchanges’ verification process to open accounts, and control the accounts until they are sold. People whose information is used for registering with the services might not even know the accounts exist.
On the same forums where some vendors offer these fraudulent accounts, others look to hire “drops,” or individuals willing to lend their identities for account registration. Meanwhile, people willing to fill this role search for…
www.coindesk.com