The dark web is lowering the barrier to entry for fraud, enabling individuals with sufficient IT skills to access tools and expertise to target consumers and businesses.
This is according to LexisNexis Risk Solutions in its report: "Fraud for sale: Untangling the dark web’, part of its Global State of Fraud and Identity Report 2026. The findings draw on a proprietary dark web study commissioned in 2025.
Jason Lane-Sellers, director of fraud and identity for EMEA at LexisNexis Risk Solutions, said criminal syndicates now operate like sophisticated, multi-layered enterprises.
He cited romance scams as an example. In such schemes, one party may be responsible for setting up WhatsApp accounts used to initiate contact with targets, while other groups manage separate elements of the operation. These activities are co-ordinated through centralised hubs described as fraud as a service “superstores”.
“In South Africa, a police raid uncovered thousands of SIM cards used to set up WhatsApp accounts. These accounts are then sold to another group to converse with their victims,” said Lane-Sellers.
These superstores function like legitimate businesses, operating around the clock, using scripts and structured workflows, and allocating resources to specific tasks such as building fake websites or banking portals, he noted.
AI tools create new friction
While AI and deepfake technology have become widely used in fraud, the report found growing frustration among cyber criminals over AI-driven detection systems deployed by financial institutions.
Dark web forums contain complaints about technologies capable of detecting blood flow and micro muscle movements during identity verification.
Such systems present significant obstacles, with one user writing: “There is no bypass.” Researchers also identified discussions of attempts to circumvent checks using methods such as latex masks.
Marketplaces were found offering established e-mail accounts, devices designed to pass basic fraud checks and so-called “fraud-ready” bank accounts complete with login credentials and pre-completed identity verification.
Kimberly Sutherland, global head of fraud and identity at LexisNexis Risk Solutions, said: “Our research reveals the dark web to be a de-facto fraud superstore, giving bad actors easy access to the knowledge and tools to conduct all manner of criminal acts. With these tools, they can apply for bank accounts, overdrafts and credit, set up retail accounts and make purchases without fear of consequences.
“It’s also worrying that many of the solicitations come complete with tutorial videos, showing ‘newbie’ scammers how it’s done, thereby creating a new cottage industry of amateur fraudsters across the globe.”
The report states that criminals can “shop around” for services, including know your customer-ready bank accounts, “fraud for beginners” tutorials and plug-and-play fraud kits.
Lane-Sellers said they can also buy tools to create fake web pages, adverts, conversations and deepfake video overlays.
The company said it is aware of scripted scam operations emerging in countries such as Myanmar and the Philippines, with similar activity now being detected in parts of Africa.
Lane-Sellers said these operations are rarely executed by a single individual.
“It's very rare that one scammer is doing all stages of the attack. You know, they'll buy the data, they'll buy the access, they'll buy the phone numbers, they'll buy the web page interactions, etc.”
No safe haven
The study also found that, ironically, the dark web offers limited protection for criminals themselves. Exit scams – where marketplace administrators shut down operations and abscond with customer funds – are common.
In response, some marketplaces attempt to signal legitimacy by policing users, banning the sale of items deemed worthless and publicly calling out bad behaviour.
However, the report identified evidence that simplified versions of dark web marketplaces are increasingly appearing on mainstream social platforms, offering similar illicit products with easier access.
“Fraud is always an arms race,” Lane-Sellers said. “AI is just that latest angle of the arms race, to actually commit the attacks. If you go back 30 years, you’d receive an e-mail from Nigeria with spelling mistakes… now AI and LLMs are being used to initiate multi-language scripts that are hard to pick up.”
He argued that the underlying tactics have not fundamentally changed. “I haven’t seen any new fraud in 20 years. What I do see is the same fraud but utilising new technology, making it more efficient and more effective.”
Lane-Sellers added that individuals are increasingly being targeted directly, rather than targeting organisations.
“They’ve worked out that the weakest link in the cyber security chain is you and I. Companies have organised their network infrastructure and are implementing defences, so it’s harder to hack into systems because people are putting in controls. But it's easier for me to get the data from a person, especially using AI; can that individual really figure out what is real and what is not?”
LexisNexis Risk Solutions said real-time liveness checks, account activity, phone and e-mail analysis and device fingerprinting are being used to thwart attacks.
Share