I spend my days inside fraud networks most Americans never see — dark web forums, Telegram channels and marketplaces where stolen identities are bought and sold like commodities. I study them because understanding how these systems work is the only way to stay ahead of them.
What I’m seeing right now should concern every American.
Iran, North Korea, Russia and China are not just conducting cyberattacks against the United States. They are running coordinated financial fraud operations inside our system — deliberately, systematically and in ways our defenses were never designed to detect.
This isn’t ordinary crime. It’s statecraft.
While policymakers rightly focus on Iranian cyber threats to power grids and water systems, a quieter operation is already underway, one that reaches directly into the U.S. financial system using the same tools as everyday fraudsters.
Iran has spent decades building what amounts to a parallel financial network that is designed to function when access to the formal system is restricted.
It relies on front companies registered across multiple jurisdictions, nominee directors who exist only on paper and bank accounts opened with stolen or fabricated identities. Each new round of sanctions forces adaptation and, each time, the system evolves. We see new shell companies appear and new identities being deployed. Funds are routed through intermediaries that cannot see who is actually behind the transactions.
For example, on June 6, 2025, the Office of Foreign Assets Control (OFAC) sanctioned over 40 individuals and entities linked to the three Zarringhalam brothers — Mansour, Nasser, and Fazlolah — for laundering billions through Iran’s “shadow banking” network. This network uses exchange houses and front companies in the UAE and Hong Kong to evade sanctions and move funds from oil and petrochemical sales.
The operation enables payments to flow through international banks in multiple currencies on behalf of sanctioned Iranian entities, including military-linked groups. Proceeds help finance Iran’s nuclear and missile programs as well as support terrorist proxies.
North Korea’s approach is even more direct.
The regime has placed IT workers inside U.S. companies using fabricated identities. These are not low-level scams. The identities are constructed from stolen personal information, purchased documents, and in some cases fully synthetic profiles built to pass employment verification.
Those workers draw legitimate salaries, which flow into accounts that feed into laundering pipelines. The money moves through layers of transactions designed to look like ordinary retail banking activity, until its origin is effectively invisible.
Russia plays a different role: supplier.
Infostealer malware operations harvest Social Security numbers, dates of birth and account credentials from millions of Americans. That data feeds dark web markets where identity components are packaged and sold to criminals and foreign state actors alike.
China, by contrast, plays a long game. In 2015, Chinese state actors breached the Office of Personnel Management, exposing sensitive data on 21.5 million people. That was one of the most impactful intelligence windfalls of recent times, and it created a durable identity dataset detailed enough to build, verify and sustain false identities at scale.
That data didn’t disappear after the breach. It has circulated for years in underground markets, where it can be combined with other stolen information to construct identities that pass financial and employment checks.
In other words, China didn’t just steal data. It helped seed the very identity ecosystem that others — including Iran and North Korea — can now exploit.
What makes this so hard to confront is that none of these states are running a separate, exotic operation. They are the heaviest users of the same global identity fraud ecosystem that ordinary criminals use. The same document forgery platforms. The same AI-composited selfie tools used to defeat identity verification checks. The same Telegram channels and dark web markets. The difference is not the tooling. It is who is holding it and what they intend to do with it.
Our financial defenses were built to catch criminals. They screen names against sanctions lists. They flag behavioral anomalies. They check documents. None of that is sufficient when the adversary has the patience to cultivate an identity over years before activating it, and the resources of a state intelligence agency behind every step.
I watch these networks every day. The infrastructure our enemies rely on is not hidden. It is operating openly, in the same places domestic criminals operate, using the same playbook. And in some cases, these states are not just the heaviest users of that shared infrastructure. They are its primary suppliers. Russia’s infostealer operations produce the raw identity components that end up in Iranian front company structures. China’s OPM breach seeded a dataset that has been circulating in dark web markets ever since. The question is whether American institutions are prepared to treat that as the national security threat it is. Right now, most of them are not.

