Synthetic Identity Fraud and Fullz in 2026: How Stolen Identity Packages Beat KYC

Michelangelo Frigo (Co-Founder at Zyphe). Published June 30, 2026. Updated June 30, 2026.
Diagram showing fullz data fields flowing from a breached central database into a synthetic Frankenstein identity that passes a KYC check.

What is fullz? How fraudsters use stolen identity packages and synthetic IDs to beat KYC in 2026, what they cost on the dark web, and how to stop the fraud.

  • Fullz is fraudster slang for a complete stolen-identity package: a real person's name, address, date of birth and Social Security number, often with card or bank credentials and identity-document scans.
  • Synthetic identity fraud stitches a real fragment, usually a genuine Social Security number, onto invented details to build a person with no single victim. The Federal Reserve called it the fastest-growing financial crime in its 2019 to 2020 white-paper series.
  • Reported dark-web prices are low, not high: Comparitech's index put a basic fullz package at roughly 20 to 100 dollars, with United States records averaging about 8 dollars, on 2021 to 2023 data.
  • Document-and-data-matching checks confirm that a record is consistent, not that a unique human exists, so a clean stolen package can pass standard onboarding.
  • The uncomfortable supply chain: centralised identity-verification databases are themselves breached and resold. The IDMerit leak that Cybernews reported in November 2025 exposed the exact fields that make up a stolen-identity package.

Fullz is fraudster slang for a complete stolen-identity package, typically a victim's full name, address, date of birth and Social Security number, often with bank or card credentials and identity-document scans. Sold on dark-web markets for roughly 20 to 100 dollars, fullz feed account takeover, new-account fraud and synthetic identities stitched together to pass KYC checks.

TL;DR

This article is for fraud, risk and compliance teams at banks, fintechs, crypto exchanges and lenders who onboard customers and want to understand why clean stolen-identity packages pass standard KYC, and what actually shrinks the supply.

Fullz is a complete package of one real person's identity data, sold cheap on dark-web markets because breaches have flooded the supply. Criminals use these packages for account takeover, new-account fraud and, most damagingly, synthetic identities that blend a genuine Social Security number with invented details. Standard KYC checks confirm that the data matches, not that a real, unique human is applying, so a clean package passes. Detection helps but loses ground to AI-generated documents and selfies. The structural point this guide makes: the verification industry's own centralised identity databases are an upstream source of this stolen data, so the durable fix is to verify identity without warehousing the raw records that become the next breach.

What is fullz?

Fullz means "full information". It is carding-forum slang, born on the same fraud marketplaces that trade stolen card numbers, and although it is plural in form, sellers talk about buying "a fullz" as a single unit. One package is everything a criminal needs to impersonate a real person on paper. The richer the bundle, the higher the asking price.

What sits inside such a package usually includes:

  • Full legal name, current and former addresses, and date of birth.
  • Social Security number or another national identifier.
  • Bank account or payment-card details, sometimes with the card verification value (CVV), the short security code printed on a payment card.
  • Scans or photographs of a driving licence or passport.
  • Occasionally email logins, phone numbers, or medical and employment records.

It is raw material. On its own a Social Security number is, in Comparitech's words, "not particularly useful". Bundled into a full package with a matching name, address and date of birth, it becomes a key that opens accounts. Our know your customer (KYC) glossary entry gives the bare definition of the check itself; this guide is the deeper map of how these packages move through the fraud economy and past identity verification.

How are fullz and synthetic identity fraud connected?

People conflate these two terms, so it helps to separate them cleanly. A fullz package is stolen data about a real person who exists and can, in principle, notice the theft. Synthetic identity fraud takes fragments, often a single genuine Social Security number drawn from such a package, and fuses them with a fabricated name, address or date of birth to manufacture a person who never existed. That hybrid earns its nickname: the Frankenstein identity.

The Federal Reserve's industry-recommended definition, published in its payments-fraud white-paper series across 2019 and 2020, frames synthetic identity fraud as "the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain". The stolen packages are the parts; the synthetic identity is the assembled body.

| Dimension | Fullz | Synthetic identity |
| --- | --- | --- |
| Data source | Stolen data on a real person | Real fragment plus fabricated details |
| Does a victim exist? | Yes, one identifiable victim | No single victim; often a child's idle Social Security number |
| Typical fraud | Account takeover, instant card or loan fraud | Cultivated credit lines, then a planned bust-out (drawing every line to its limit at once, then vanishing) |
| Why detection is hard | Victim may notice and dispute | No one disputes; losses look like ordinary bad debt |

The practical link is the supply chain. The stolen packages are the wholesale input; synthetic identities are one of the products fraudsters build from them, and the one that does the quiet, long-running damage.

How do fraudsters use fullz to beat KYC?

Understanding how fraudsters use fullz to beat KYC means following the package through its full lifecycle. The chain is methodical, and each step is designed to look ordinary to an automated check.

  1. Acquire the package. A buyer purchases a stolen-identity bundle on a dark-web market, often selecting by country and credit profile.
  2. Test and validate. The fraudster checks which credentials are live, sometimes using small transactions or free-trial signups to confirm a card or login still works.
  3. Take over or open accounts. With clean, internally consistent data, the attacker either seizes the victim's existing accounts or opens new ones in their name, where name, address and identifier all match.
  4. Cultivate, for synthetic cases. When a synthetic identity is the goal, the fraudster nurtures it: opening a starter line, making on-time payments, and letting credit bureaus build a history around a person who is not real.
  5. Bust out. Once the cultivated identity holds meaningful credit, the fraudster draws every line to its limit and disappears. Because no genuine person complains, the lender often books the hit as a charge-off rather than fraud.

The Federal Reserve's white paper estimates synthetic identity fraud has cost United States lenders up to 6 billion dollars and accounts for 10 to 15 percent of charge-offs in a typical unsecured lending portfolio. That last figure is the tell: a large slice of what lenders write off as bad debt is, in fact, fraud they never recognised. To see the same chain from the attacker's seat, our decentralised KYC explainer walks through where document-centric checks let these applications through.

How much does fullz cost on the dark web?

Stolen-identity packages are cheap, and the reason matters more than the number. Comparitech's "Dark Web Prices" index, last updated in August 2023, reported a basic package, name, address, Social Security number and date of birth, selling for roughly 20 to 100 dollars. United States records averaged about 8 dollars each, while records from Japan, the United Arab Emirates and parts of Europe averaged closer to 25 dollars. These are reported ranges on 2021 to 2023 data, not a live 2026 quote, and prices drift as supply shifts.

| Item (reported, 2021 to 2023) | Typical price |
| --- | --- |
| Basic fullz package (name, address, SSN, DOB) | About 20 to 100 dollars |
| United States fullz record (average) | About 8 dollars |
| Card details with card verification value (CVV) | About 17 dollars |
| Physical cloned card | About 171 dollars |

The headline is the floor, not the ceiling. Prices are this low because the supply is enormous: every corporate breach restocks the shelves. Comparitech notes that a Social Security number alone is "not particularly useful", which is why complete packages command a premium over loose identifiers. When a single resource sells for the price of a sandwich, no amount of buyer-side friction will starve the market. That economics is the hinge for everything that follows in this guide.

Where do fullz come from?

Most stolen-identity packages do not come from picking one person's pocket. They come from corporate and institutional data breaches, including, uncomfortably, breaches at the identity-verification vendors that exist to fight fraud. Every database that stockpiles raw identity data is a future fullz supplier, and 2025 and 2026 produced a clear pattern of named incidents.

The strongest example is the IDMerit leak. On 11 November 2025, Cybernews researchers reported finding an unprotected MongoDB database, with no password, exposing roughly 1 billion identity records across 26 countries, including about 204 million in the United States, the single largest national share. Cybernews disclosed the find to IDMerit the same day, and the database was secured the next day, on 12 November 2025. The exposed fields, full names, addresses, dates of birth, national identifier numbers, phone numbers and email, are almost exactly the contents of one such package. IDMerit disputes the findings, stating that it does not store the underlying source data and that its own environment was not compromised. The dispute is worth stating plainly, but the shape of the exposure illustrates the risk that any centralised identity store carries.

It was not isolated. In January 2026, the verification vendor Sumsub disclosed an intrusion that began in July 2024 through a malicious attachment to a third-party support platform and went undetected for about 18 months; Sumsub says the exposure was primarily names, confined to a support environment, and that production verification systems were not affected. Separately, a breach disclosed in October 2025 and tied to the vendor 5CA exposed roughly 70,000 government-ID photos that Discord users had submitted for age-verification appeals, a figure NBC News confirmed; 5CA denied the data came from its infrastructure. Each company contests part of the framing, and that is fair to note. The pattern across all three is the lesson: the more raw identity data a vendor concentrates, the larger the target it becomes. We unpack the same dynamic in our analysis of why your KYC vendor is your biggest data-breach risk.

How did AI supercharge fullz and fake identities?

Generative AI changed the economics on the production side. A fraudster no longer needs to alter a stolen document; a model can generate a consistent utility bill, payslip, passport image or selfie in minutes. Because these artefacts are generated rather than tampered with, the forensic tells that document checks rely on, edited pixels, cloned fonts, mismatched compression, often are not present to find. The fake is internally clean from the first frame.

The selfie step is no safer. Deepfake video and injected camera feeds can defeat naive liveness checks that simply ask for a face on screen, which is why standards-grade verification matters more than a casual selfie prompt. A structural quirk compounds the problem: the Social Security Administration randomised how it issues Social Security numbers on 25 June 2011, removing the geographic and validation significance the first digits once carried. A side effect is that a number issued to a child cannot easily be validated against public patterns and stays untraceable until it is first used, which is exactly why synthetic-identity rings prize the Social Security numbers of minors. The fake-document problem connects directly to onboarding; our KYC for crypto exchanges guide covers the controls that AI-generated artefacts are designed to slip past.

Why is synthetic identity fraud so hard to detect?

The defining difficulty is the missing victim. With stolen-card fraud, a real person spots the charge and disputes it, which lights up the fraud signal. A synthetic identity has no one to raise a hand. The "person" pays on time for months, looks like a model customer, then vanishes, and the lender records the loss as a charge-off. Fraud that never gets labelled as fraud cannot be measured, modelled or stopped at the speed it spreads, which is a large part of why the Federal Reserve called synthetic identity fraud the fastest-growing financial crime in its 2019 to 2020 white-paper series.

The scale of identity crime overall is not in doubt. The Federal Trade Commission's Consumer Sentinel Network Data Book for 2024, released in March 2025, logged more than 1.1 million identity-theft reports and 12.5 billion dollars in reported fraud losses, a 25 percent rise on 2023. Against that volume, a document check and a selfie answer the wrong question. They test whether the artefacts look authentic, not whether the human behind them is real and unique. When the artefacts are AI-generated and the Social Security number is a genuine but idle one belonging to a child, both checks can pass while no real applicant exists.

How can you detect and prevent synthetic identity fraud?

There is a real defensive toolkit, and serious teams should run it. The honest framing is that each control catches data mismatches but none of them, on its own, proves a real, unique human is applying. The defence checklist below makes that gap explicit by stating what each control does and does not catch.

| Control | What it catches | What it does not catch |
| --- | --- | --- |
| SSN-to-name-to-DOB consistency checks | Crude mismatches and recycled fragments | A clean, internally consistent fullz |
| eCBSV Social Security number verification | A name, DOB and SSN that do not match SSA records | A real SSN paired with fabricated details and consent abuse |
| Device and velocity signals | Bulk applications from one device or burst patterns | A patient fraudster cultivating one identity slowly |
| Consortium and shared-data signals | Identities already flagged across members | A brand-new synthetic with no prior footprint |
| Behavioural analytics | Bot-like or anomalous session behaviour | A careful human operator behaving normally |
| Perpetual or ongoing KYC | Risk that emerges after onboarding | The core question of whether the applicant is one real person |
| Verify without centrally storing PII | Removes the honeypot that supplies future fullz | Not a fraud score; a structural change to the data you hold |
Defence checklist mapping each synthetic-identity control to what it catches and what it does not catch, ending with verify-without-storing as the structural fix.
Each control catches data mismatches; none, on its own, proves a real, unique human is applying.

Download: the synthetic identity fraud defence checklist (PDF) is a one-page, print-ready version of this control map that you can keep beside your onboarding rules and share with fraud and risk teams.

Two practical points. First, eCBSV, the Social Security Administration's electronic Consent Based Social Security Number Verification service, returns only a yes or no on whether a name, date of birth and Social Security number match its records, and it requires the number holder's consent, so it narrows synthetic attacks but does not end them. Second, the last row is the contrarian move: detection alone is an arms race against AI-generated documents, and the only way to stop adding fuel is to stop creating the centralised stores that get breached and resold. Our decentralised KYC explainer and the KYC software page show how verification can run without that store.
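Two rows of the checklist, the SSN-to-name-to-DOB consistency check and the device velocity signal, run over a handful of applications. This is an added example, not code from the article or from Zyphe; the records are constructed (the SSNs use the 900 to 999 area range, which the SSA does not issue), and the field names, the one-hour window and the limit of two are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample applications, not real data. SSNs sit in the 900-999
# area range, which is never issued, so they cannot match a real person.
FIELDS = ("id", "ssn", "name", "dob", "device", "ts")
ROWS = [
    ("A1", "900-11-0001", "Dana Reyes", "1990-04-02", "dev-01", "2026-03-01T09:00:00"),
    ("A2", "900-22-0002", "Lee Park", "1985-07-19", "dev-02", "2026-03-01T10:00:00"),
    ("A3", "900-22-0002", "Mara Voss", "2001-01-30", "dev-03", "2026-03-03T14:00:00"),
    ("A4", "900-33-0003", "Omar Haddad", "1978-11-05", "dev-04", "2026-03-02T08:00:00"),
    ("A5", "900-44-0004", "Ines Moreau", "1982-02-14", "dev-04", "2026-03-02T08:04:00"),
    ("A6", "900-55-0005", "Tom Bauer", "1995-09-23", "dev-04", "2026-03-02T08:09:00"),
]
APPLICATIONS = [dict(zip(FIELDS, row)) for row in ROWS]


def identity_conflicts(apps):
    """SSNs that appear with more than one distinct (name, DOB) pair."""
    seen = defaultdict(set)
    for app in apps:
        seen[app["ssn"]].add((app["name"].strip().lower(), app["dob"]))
    return {ssn for ssn, idents in seen.items() if len(idents) > 1}


def device_bursts(apps, window=timedelta(hours=1), limit=2):
    """Devices that submit more than `limit` applications inside `window`."""
    by_device = defaultdict(list)
    for app in apps:
        by_device[app["device"]].append(datetime.fromisoformat(app["ts"]))
    flagged = set()
    for device, times in by_device.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(device)
                break
    return flagged


def flag_applications(apps):
    """Map each application id to the list of signals it tripped."""
    conflicted = identity_conflicts(apps)
    bursty = device_bursts(apps)
    flags = {}
    for app in apps:
        reasons = []
        if app["ssn"] in conflicted:
            reasons.append("ssn_reused_with_different_identity")
        if app["device"] in bursty:
            reasons.append("device_burst")
        flags[app["id"]] = reasons
    return flags


if __name__ == "__main__":
    for app_id, reasons in flag_applications(APPLICATIONS).items():
        print(app_id, reasons or "no flags")
```

A1 comes back with no flags: a single, internally consistent application gives these two controls nothing to compare against, which is the "does not catch" column of the checklist.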

Do centralised PII honeypots fuel the fullz economy?

This is the part most explainers skip, and it deserves a steelman of the other side first. The case for centralised identity databases is real: consortium data sharing really does catch synthetics that no single firm would see alone, and a well-run, encrypted store passes audits every day. Pooling identity data does make some fraud easier to spot. That benefit is true.

The cost is that the same pooled databases are an upstream source of the stolen packages that fraud teams then spend their budget fighting. The IDMerit exposure that Cybernews reported, contested as it is, leaked the precise fields that constitute a fullz record, at a vendor whose business is verifying identity. Every copy of a raw identity record is a copy that can be stolen, and the verification industry holds many of the largest copies. Detection sits downstream of a supply problem the industry partly creates.

The structural fix is to verify identity without becoming the place it accumulates. Privacy-first architecture shards verified data across a decentralised network of more than 60,000 nodes under a 29-of-100 threshold scheme, so no single node holds a complete record and there is no central honeypot to breach. The customer holds the key; there is no master key. A reusable credential, a KYC passport, lets a person verify once and re-present elsewhere, so fewer copies of raw data exist to steal in the first place. The identity check still happens; the standing target does not. The eIDAS-2 wallet direction points the same way, as our eIDAS 2 and KYC guide sets out. To map this to your own onboarding, see how it works or the KYC software page, and weigh the data you hold against the breach you would have to disclose.
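What a 29-of-100 threshold means in practice, as an added example that is not Zyphe's code: the article does not name the scheme, so Shamir's secret sharing over a prime field is assumed here, and the secret is a constructed stand-in value. Any 29 shares rebuild the secret; 28 do not.

```python
import secrets

PRIME = 2**127 - 1            # Mersenne prime used as the field size (assumption)
THRESHOLD, SHARES = 29, 100   # the 29-of-100 figures quoted in the text


def split(secret, k=THRESHOLD, n=SHARES):
    """Return n points on a random degree k-1 polynomial with f(0) = secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):   # Horner's rule, highest degree first
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """Return (recovered with 29 shares, recovered with 28 shares)."""
    key = secrets.randbelow(PRIME)   # constructed stand-in secret
    shares = split(key)
    rng = secrets.SystemRandom()
    enough = rng.sample(shares, THRESHOLD)
    too_few = rng.sample(shares, THRESHOLD - 1)
    return combine(enough) == key, combine(too_few) == key


if __name__ == "__main__":
    print(demo())
```

With 28 shares the interpolated value differs from the secret unless the polynomial's random leading coefficient happens to be zero, a chance of 1 in PRIME.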

The bottom line

Stolen-identity packages are cheap, AI makes the documents convincing, and synthetic identities hide inside ordinary bad-debt numbers. Each fact on its own is manageable; together they describe a fraud economy that back-end detection cannot win alone. The piece most explainers miss is that the identity-verification industry is both defender and supplier: every centralised store of raw identity data is a breach in waiting that restocks the dark web. Run the detection toolkit, by all means, but the move that actually shrinks the supply is to verify real, unique humans without warehousing the data that becomes the next fullz. Architecture, not more matching, breaks the chain.

Michelangelo Frigo (Co-Founder at Zyphe): Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

Fullz is fraudster slang for a complete stolen-identity package containing a victim's full name, address, date of birth and Social Security number, and often bank or card credentials and identity-document scans. It is sold on dark-web marketplaces and used for identity theft, account takeover and synthetic identity fraud against real people.

Synthetic identity fraud combines real stolen data, often a genuine Social Security number drawn from fullz, with fabricated details to create an identity with no single real victim, nicknamed the Frankenstein identity. The Federal Reserve called it the fastest-growing financial crime in its 2019 to 2020 payments-fraud white-paper series.

Fraudsters use fullz for account takeover, opening new credit or bank accounts, loan and benefits fraud, and for building then busting out cultivated synthetic credit lines, all in the victim's name. Because the data is internally consistent, these applications match standard checks and the fallout damages the real person's credit.

Comparitech's index, on 2021 to 2023 data, reported a basic fullz package selling for roughly 20 to 100 dollars, with United States records averaging about 8 dollars and card details with a verification value about 17 dollars. Prices are low because corporate breaches keep the supply oversized; these are reported ranges, not a live 2026 quote.

Teams use SSN-to-name-to-DOB consistency checks, eCBSV Social Security number verification, device and velocity signals, consortium data sharing and behavioural analytics. Detection stays hard because there is no direct victim to dispute the fraud, so losses are often misbooked as ordinary bad debt rather than recognised and modelled as fraud.

Most fullz originate from corporate and institutional data breaches at banks, insurers, healthcare providers and identity-verification vendors that centralise personally identifiable information, alongside phishing and infostealer malware. The IDMerit exposure that Cybernews reported in November 2025, which IDMerit disputes, illustrates how a verification vendor's store can leak the exact fields a fullz contains.

Yes. Document-and-data-matching KYC confirms that the data is internally consistent, not that the person is real and unique, so a clean fullz or an AI-generated document set can pass. The durable answer is architectural: verify a real, unique human and stop centrally storing the raw data, rather than adding more matching rules.

Combine perpetual KYC, cross-source verification and device and behavioural fraud signals with the structural fix: do not centralise raw personally identifiable information, because that store becomes the next breach and the next fullz supply. Privacy-first verification and reusable credentials mean fewer copies of identity data exist to steal in the first place.
