Behind the Scenes of Global Fraud: How a Chinese Network Sells Fake IDs in North America


An investigation by the CloudSEK STRIKE team has unmasked a massive counterfeit identity operation, named ForgeCraft, which sells fake driver's licenses and Social Security Number (SSN) cards in the United States and Canada. The operation, run by a China-based threat actor, uses a sophisticated online infrastructure to sell documents that "look authentic" and are "scannable."


Credit CloudSEK

Threat Actor's Tactics and Infrastructure

The CloudSEK investigation identified and traced the entire operation, revealing a well-organized and scalable business model.

  • Web Infrastructure: The operation relies on over 83 interconnected domains, many of which use the recurring keyword "idcaca." These sites act as online storefronts, offering a uniform user interface with pages dedicated to product information, order forms, and customer reviews. Most sites also feature a 24/7 live chat that redirects communication to WeChat.

  • Marketing and Promotion: To attract new customers, the threat actor leverages paid campaigns on Meta Ads (Facebook and Instagram) and promotes content on platforms like TikTok, Telegram, and X (Twitter). The ads explicitly market the illegal use of fake licenses for purposes such as buying age-restricted items, entering adult-only venues, and evading police checks.

  • Ordering and Payment System: Customers fill out an online order form with personal details such as their name, address, photo, and signature, and select shipping and production options. The threat actor accepts a variety of payment methods, including PayPal, LianLian Pay, credit/debit cards, and cryptocurrencies. To disguise transactions, card and PayPal payments are redirected to fake e-commerce shell sites that pose as clothing or accessory stores.

  • Delivery Process: The fake documents are shipped via legitimate courier services like FedEx, USPS, and DHL. To bypass customs inspections, the threat actor uses concealment techniques, hiding the licenses inside regular cardboard boxes with a false bottom or inside harmless items like purses. Customers are provided with a video tutorial to show them how to retrieve the hidden documents.


Financial Impact and Security Risks

The operation has generated significant revenue and poses tangible security risks.

  • Scale of the Operation: The investigation identified over 4,500 unique buyers and confirmed the sale of more than 6,500 fake licenses. The total estimated revenue amounts to over $785,000 USD. The fake licenses cost between $65 and $90 each, depending on the quantity purchased.

  • Customer Geography: Customer data shows a high concentration of buyers in the United States, particularly along the East Coast, and in Canada. The majority of buyers (59.4%) are over the age of 25, suggesting the licenses are not just for "minor" misuse, but for more serious criminal activities.

  • Security Threats: The fake documents enable a variety of illicit activities, including financial fraud, trafficking, and evasion of security checks at airports and borders. For example, one buyer used 42 fake commercial driver's licenses, linked to two trucking companies with prior regulatory violations, for potential trafficking or illicit logistics operations. The use of fake licenses also facilitates SIM swap attacks and access to online platforms requiring identity verification, such as Airbnb or Uber.


Attribution and Future Outlook

CloudSEK successfully attributed the operation to a single individual located in Xiamen, Fujian, China, with a high degree of confidence. This attribution was made possible through a combination of HUMINT and OSINT techniques that yielded the exact geolocation and a facial image of the threat actor. However, it is likely that other individuals are involved in the production, packaging, and customer support aspects of the operation.

This investigation serves as an example of the increasing professionalization of counterfeit identity networks. To effectively combat these threats, ongoing collaboration is needed among law enforcement, online platforms, and financial intermediaries to dismantle the infrastructure, trace financial flows, and prevent counterfeit identity from becoming a normalized gateway to both digital and real-world crime.

©2020 by extrema ratio. Created with Wix.com