Full Report
A Ukrainian man has pleaded guilty to operating OnlyFake, an AI-powered website that generated and sold more than 10,000 photos of fake identification documents to customers worldwide. [...]
Analysis Summary
# Incident Report: Operation OnlyFake - Sale of AI-Generated Fake IDs
## Executive Summary
This incident involves a Ukrainian national, Yurii Nazarenko, who operated an AI-powered website named "OnlyFake" to generate and sell over 10,000 counterfeit digital identification documents worldwide. The primary impact was the circumvention of Know Your Customer (KYC) protocols at financial institutions and crypto exchanges, facilitating potential money laundering. The operation was concluded following an investigation involving undercover FBI purchases, leading to the perpetrator's extradition and subsequent guilty plea.
## Incident Details
- Discovery Date: February 2024 (When 404 Media reported on the site)
- Incident Date: Site operational before May 2024 (publicly reported in February 2024); operation ended with the operator's extradition in September 2025.
- Affected Organization: N/A (Actor operating online service targeting global entities).
- Sector: Cybercrime, Digital Forgery, Financial Services Evasion.
- Geography: Actor based in Ukraine, customers worldwide, investigation coordinated by US authorities (SDNY).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-May 2024 (Site operational)
- **Vector:** Publicly accessible website, **OnlyFake**.
- **Details:** Customers accessed the subscription-based platform designed to generate counterfeit IDs (passports, driver's licenses for all 50 US states, SSN cards) using AI. Payments were exclusively in cryptocurrency routed through multiple wallets.
### Lateral Movement
- **Date/Time:** Not applicable (no single organizational network was breached).
- **Vector:** N/A
- **Details:** The threat actor maintained operational security by obfuscating cryptocurrency transactions and deleting emails after high-profile reporting in February 2024.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during operation.
- **Vector:** Direct sale/delivery of digital files.
- **Details:** Over 10,000 photos of fake identification documents (digital versions of IDs from 50 US states, US passports, SSN cards, and documents from roughly 56 other countries) were sold to customers globally.
### Detection & Response
- **Date/Time:** February 2024 (Initial public exposure); May–June 2024 (FBI undercover purchases). September 2025 (Extradition).
- **Vector:** Intelligence reporting (404 Media) and undercover law enforcement operations.
- **Details:** Undercover FBI agents purchased various fake IDs. The perpetrator was extradited from Romania in September 2025, pleaded guilty, and agreed to forfeit $1.2 million.
## Attack Methodology
- **Initial Access:** Offering a service via a specialized website (OnlyFake) targeting end-users seeking fraudulent documents.
- **Persistence:** Maintaining an online service accepting payment and delivering products over an extended period.
- **Privilege Escalation:** Not applicable (Did not compromise an existing system).
- **Defense Evasion:** Routing cryptocurrency payments through multiple wallets; deleting emails after media exposure.
- **Credential Access:** Not applicable.
- **Discovery:** N/A (The actor was the creator of the service).
- **Lateral Movement:** N/A.
- **Collection:** Gathering required personal details from paying customers for customization of forged documents.
- **Exfiltration:** Delivering the final AI-generated digital document files to customers.
- **Impact:** Enabling customers to bypass KYC verification processes, posing risks related to terrorism, fraud, and money laundering.
## Impact Assessment
- **Financial:** Actor earned hundreds of thousands of dollars; agreed to forfeit $1.2 million.
- **Data Breach:** Distribution of over 10,000 fake identification documents globally. The compromise is to the integrity of verification systems worldwide that rely on images of such documents as proof of identity.
- **Operational:** Facilitation of attempts to circumvent mandatory KYC/AML regulations at financial and crypto institutions.
- **Reputational:** Significant erosion of trust in the premise that an image of a government-issued ID can reliably confirm identity during remote verification.
## Indicators of Compromise
- **Network indicators (defanged):** Access to the website platform `hxxps://www.onlyfake[.]org/` (archived).
- **File indicators:** Digital images/scans of counterfeit US State Driver's Licenses, US Passports, and Social Security Cards generated via AI.
- **Behavioral indicators:** Transactions exclusively using cryptocurrency routed through obfuscated wallets; customized requests for specific ID templates.
## Response Actions
- **Containment measures:** Undercover purchases to map operational procedures; collaboration with international partners leading to extradition (Romania, Sep 2025).
- **Eradication steps:** Cessation of the OnlyFake service; successful plea deal and asset forfeiture agreement.
- **Recovery actions:** Sentencing is scheduled for June 26, 2026, and will be the final legal resolution of the incident.
## Lessons Learned
- AI technology is being leveraged efficiently by malicious actors to scale fraudulent activities (e.g., mass production of highly convincing fake documents).
- Financial crimes enforcement agencies must actively monitor online marketplaces and new service models (like AI-as-a-service for forgery) that facilitate the circumvention of critical regulations like KYC/AML.
- Cryptocurrency obfuscation (wallet hopping) remains a primary evasion technique for financially motivated cybercriminals.
## Recommendations
- Financial and crypto institutions must continually update AI/ML models used in identity verification to detect digitally synthesized or AI-generated document artifacts.
- Enhance transaction monitoring systems to flag patterns associated with high-volume, crypto-only payments destined for services suspected of ID forgery.
- Increase vigilance after public reporting on illicit online operations: exposure tends to prompt immediate evasion tactics (e.g., email deletion) rather than shutdown.