Hidden internet identity markets support sanction evasion efforts by Iran, China, and North Korea

Understanding Illicit Financial Networks

Wire transfers often start from banks in the UAE, pass through European correspondent banks, and end up in U.S. financial institutions, resembling standard commercial transactions. The compliance teams at beneficiary banks tend to approve transactions from companies with clean records, where the beneficiaries' documents check out and the payments come from low-risk jurisdictions. In one notable case, the transaction was tied to the Iranian government: the shell company's identity was traced back to stolen Social Security numbers bought on the dark web just weeks earlier.

I find myself immersed in the fraud networks that facilitate these operations — monitoring dark web marketplaces, Telegram channels, and document forgery sites. Countries like Iran, North Korea, Russia, and China are actively seeking ways to breach U.S. defenses. It’s interesting, really; the tools they use are often more visible than you might think — if you just know where to look.

The Underbelly of Identity Theft

All these operations stem from underground markets that trade in stolen identities. Sellers gather personal information such as Social Security numbers and dates of birth from data breaches, package this data, and price it based on factors like freshness and geographic region. Russia is a major player in this market, flooding it with raw data acquired through malware that captures keystrokes and other information from infected computers.

For instance, there’s a Telegram channel I keep an eye on, called “Karma Fullz.” It’s operated by a Russian speaker who sells identities of former legal immigrants in the U.S., often bundled with bank accounts and credit histories. These identities are then used to set up fake businesses, effectively swindling financial institutions and government programs.

Another platform I’ve tracked, known as South Park BA Logs, offers compromised U.S. bank credentials complete with session cookies and browser fingerprints. From March 2023 to January 2026, I found over 1,200 listings there, translating to an estimated financial exposure of around $152 million.

China’s role in this ecosystem was magnified by a massive breach in 2015, where state hackers infiltrated the Office of Personnel Management, stealing 21.5 million records, including sensitive information that remains valuable years later.

Deficiencies in Transaction Oversight

The wire transfers I scrutinized reflect vulnerabilities in the correspondent banking system. Each bank along the way sees only its own leg of the transaction, making it easier for countries like Iran to slip through the cracks. They create front companies with fake identities drawn from the dark web, constantly rearranging their structure to sidestep new sanctions.

This method also allows them to bypass investment scrutiny, because foreign acquisitions are typically reviewed for national security risks only when the true beneficial owners are known. When shell companies mask their actual owners, the acquisition looks like a transparent domestic investment when it is anything but.

The case of Anzu Robotics exemplifies this; presented as an independent American drone company, it relied on a Chinese manufacturer for its technology while hiding its affiliations behind layers of ownership.

Domestic Facilitators in the Mix

In recent years, I’ve noticed a surge in U.S.-based facilitator networks, particularly aiding North Korean operatives working from abroad. These individuals often apply for remote jobs using identities constructed from stolen data. They can successfully navigate technical interviews and earn a decent wage. One reported case involved a remote IT worker using false documents to earn over $58,000 before the fraud was uncovered.

In another scheme, co-conspirators used a stolen identity to generate fake driver's licenses, secured positions at multiple U.S. companies, and ultimately diverted more than $150,000 in salaries.

After federal indictments revealed these operations, adaptations were swift. Now, American intermediaries are managing everything from logistics to technology to ensure these overseas workers appear as local employees. While federal prosecutions are underway against these intermediaries, the networks themselves are still thriving.

This facilitator layer is crucial because it turns a foreign intelligence operation into a domestic threat, integrating seamlessly into American remote work recruitment pipelines.

What the Machinery Discloses

The tactics outlined here underscore the sophistication behind state-sponsored efforts to exploit the U.S. financial system. Although well-known entities are often scrutinized during sanctions reviews, the individuals whose identities were recently assembled are typically not on any watchlists.

Employment verification checks can fail to catch fabricated identities from the same pipeline, because the supporting documents are indistinguishable from legitimate ones. Investment screenings depend on transparency, yet the true beneficiaries remain concealed within layers of shell companies, leaving the overseeing governments without the cooperation they need to unmask them.

The systems I engage with daily are designed to make detection difficult for financial institutions. As long as this rogue infrastructure operates in the shadows, the chances of funds being laundered or salaries being disbursed without detection remain high.
