Threat actors across underground forums and chat groups are increasingly crafting structured fraud methods aimed at exploiting weaknesses in the work processes of financial institutions. Rather than isolated or opportunistic scams, these discussions reflect an organized, process-driven approach that combines stolen identity data, social engineering, and knowledge of financial workflows.
Within these conversations, smaller institutions, particularly small-sized to mid-sized credit unions, are often referenced as more attractive targets due to perceived gaps in verification systems and limited fraud prevention resources.
Flare researchers recently identified a detailed loan fraud method circulating within one such underground group, outlining how attackers can move through credit checks, identity verification, and loan approval processes using stolen identities while avoiding traditional security triggers.
The approach does not rely on exploiting software vulnerabilities, but instead focuses on navigating legitimate onboarding and lending workflows as if the applicant were genuine.
The structure of the post reflects a methodical approach, breaking down the process from identity use to loan approval in a way that can be consistently replicated, pointing to a more organized use of fraud techniques.
Screenshot from the method shared in the chat group, showing the threat actor’s opening
A Process Built on Identity, Not Intrusion
At its core, this approach relies on obtaining sufficient personal data to convincingly impersonate a legitimate borrower. This includes identifiers such as names, addresses, dates of birth, and in some cases, credit-related details.
A typical example of an identity fraud guide in the underground