Finance & Banking,
Fraud Management & Cybercrime,
Fraud Risk Management
Telegram-Driven Marketplace Exploits US Gaps in Tracking Former Visa Holders
A Russian-operated darknet marketplace is taking advantage of significant vulnerabilities within U.S. financial institutions by trafficking in identities of former legal immigrants who have returned to their home countries after holding work visas in the U.S.
According to a report released by fraud prevention firm SentiLink, the Russian-speaking criminal group, Karma Fullz, has developed a lucrative business model that offers convincing synthetic identities of past U.S. visa holders. These identities come complete with Social Security numbers, pristine credit histories, and tax records, allowing fraudsters an avenue for exploiting U.S. systems.
Launched in September 2024, this Telegram-based marketplace provides identity packages in three distinct tiers, with those featuring aged expatriate identities fetching prices over $1,000 due to their credible credit histories. Scammers utilize these deceptive identities to open new bank accounts, apply for credit cards, request fraudulent tax refunds, and gain unauthorized access to public benefits—all while masquerading as legitimate individuals.
According to David Maimon, head of fraud insights at SentiLink, these identities can be reactivated after periods of inactivity, often without detection due to lax financial institution protocols. “While there are indicators that can should raise red flags when reactivating these identities after long dormancy, many institutions are unsure how to identify or manage them,” Maimon stated. “The fraud rings are aware of this gap and decisively exploit it.”
The Karma Fullz operation extends beyond mere data exploitation. The group cultivates synthetic credibility by offering account setups with Experian, creating aged email accounts that reflect U.S. financial activity, and even registering public records. These enhancements enable fraudsters to bypass typical security measures, increasing their chances of remaining undetected.
Instances of fraudulent credit applications involving identities of former immigrants from countries such as Ukraine, Lithuania, and China have emerged as recently as July 2025, highlighting the ongoing risks associated with legacy data. One case reported the use of a victim’s data to open accounts with multiple financial entities, leading to substantial financial losses.
In a recent interview, Maimon further elaborated on the implications of this exploitation, emphasizing that a one-size-fits-all approach to fraud detection could leave institutions vulnerable to these types of identity theft. He also discussed the unintended consequences of tax preparation services and how targeted detection tools could enhance the identification of patterns related to identity fraud.
As organizations strive to strengthen their cybersecurity frameworks, the techniques illustrated in this case resonate with several tactics outlined in the MITRE ATT&CK framework, particularly regarding initial access and persistence through compromised identities. Business owners must remain vigilant against such sophisticated threats.
