Skip to content

Dark Web Fraud “Groups” Listing Over 6K Stolen Checks Per Month

  • Check fraud has increased significantly
  • An "online market" for stolen checks is growing
  • Financial institutions will need to prepare to defend themselves against an onslaught of fraudulent checks

BlueVoyant Cyber Threat Intelligence Analyst Nissan Kedar takes a look at the emergence of check fraud as the "go-to" scam for bad actors. She notes that, over the past decade, the digital economy has done much to transition people from in-person banking to online transactions, emphasizing mobile banking as opposed to visits to an actual bank branch.

She observes that bad actors, perhaps frustrated with attempts to break through sophisticated cyber security, have moved their efforts to physical checks.

Checking out

Over the past year, BlueVoyant has observed a significant spike in the trade of compromised and fraudulent checks on the deep and dark web, particularly in the United States. Both the number of new cyber threat instant messaging (IM) groups specifically pertaining to the exchange of checks and the total number of checks published in these groups have grown aggressively since the start of 2022. The number of check fraud reports filed by U.S. banks nearly doubled year-over-year between 2021 and 2022, as the Wall Street Journal recently reported.

Number of Checks on the Dark Web Continues to Grow

This is certainly borne out in statistics from BlueVoyant's new report entitled Checking Out: How Cyber Threat Actors Use Physical Checks to Commit Fraud. As we've noted previously, the "Dark Web" is not as remote as it used to be -- online groups dedicated to providing "fraud assets" are growing by leaps and bounds. Ms. Kedar points out Telegram in particular.

As startling as that jump in participation is the huge leap in check availability:

Additionally, Ms. Nadar notes that there are more than 6,000 checks per month in each group:

These checks are procured through theft of residential mailboxes and actual physical assaults on postal carriers in order to accumulate physical checks to copy.

Threat actors and criminals break into mailboxes and empty out the mailbox's contents, or get keys by robbing mailmen and making copies of their master keys that allow access to all mailboxes – and to a renewable pool of envelopes containing checks. Master keys can be easily purchased in underground communities, with entire Telegram groups dedicated to trading mailbox keys. The keys are priced at around $1,000 and are delivered straight to the buyer's doorstep.

Tackling the Dark Web Challenge

Given the growing prevalence of stolen checks on the dark web, FIs should be evolving their strategies. We recently noted that there are services that will help monitor the dark web for everything from email/personal/account information to images of checks. And, as we know from a previous post, once a fraudster has this information, they are able to perform acts such as full account takeovers as well as washing or creating counterfeit checks.

By deploying dark web monitor services, the bank and their customers  are alerted when their information or checks are compromised, enabling the banks to proactively take action before funds are lost.


Combining dark web monitoring services with other complementary technologies such as behavioral analytics to identify anomalous transactions, data analytics to identify trends, and image forensic AI to analyze the images of checks for counterfeits, forgeries, and alterations creates the strongest check fraud detection strategy possible.

Leave a Comment