CloudSEK, a leading cybersecurity firm, has exposed a sophisticated China-based operation selling high-quality counterfeit U.S. and Canadian driver’s licenses and Social Security Number (SSN) cards, posing a severe threat to national security, financial systems, and public trust.
The investigation, conducted by CloudSEK’s STRIKE team, uncovered a sprawling network of 83+ interconnected domains supported by 24/7 WeChat customer support, custom order flows, and multiple payment channels. Analysis of the exfiltrated database revealed over 6,500 counterfeit licenses sold to 4,500+ buyers, generating more than $785,000 in revenue.
A Hidden Threat Undermining Trust
Counterfeit IDs aren’t just tools for underage drinking—they enable serious crimes, including illegal firearm purchases, SIM-swap fraud, large-scale logistics misuse, and even election interference. CloudSEK researchers confirmed that the IDs, priced as low as $65 in bulk, are fully scannable and replicate advanced security features such as holograms, UV markings, laser engraving, and relief printing, making them nearly indistinguishable from genuine documents.
“This isn’t just about fake IDs – this is about a systematic attack on the foundation of trust that underpins our financial, legal, and civic systems,” said Sourajeet Majumder, security researcher at CloudSEK STRIKE. “When a single counterfeit license can enable unauthorized drivers, bypass compliance checks, or facilitate smuggling, we’re looking at a genuine national security threat.”
Sophisticated Operations
The threat actor demonstrated remarkable sophistication:
- Shell E-commerce Sites: Transactions were routed through fake online stores (clothing, shoes, accessories) to mask payments via PayPal, LianLian Pay, and cryptocurrencies.
- Covert Packaging: IDs were shipped globally via FedEx, USPS, DHL, and Canada Post, hidden inside toys, purses, or layered cardboard with camouflage stickers to evade detection. Tutorial videos guided buyers on retrieving concealed IDs.
- Systemic Misuse: One buyer linked to two trucking companies with revoked U.S. operating authorities purchased 42 counterfeit commercial driver’s licenses—highlighting risks to transportation safety and regulatory integrity.
- High-Confidence Attribution: Through HUMINT and OSINT, CloudSEK pinpointed the actor’s exact geolocation in Xiamen, Fujian, China and obtained a facial image via webcam capture.
Key Findings
- Massive Scale: Over 6,500 fake IDs sold, with dense clusters of buyers in New York, Pennsylvania, Florida, Georgia, Ontario, and British Columbia.
- Financial Footprint: $785,000+ generated through PayPal, LianLian Pay, Bitcoin, Ethereum, and Western Union.
- Age Analysis: Nearly 60% of buyers were above 25 years old, signaling intentions beyond casual misuse.
- Marketing Tactics: The network promoted IDs via Meta Ads, TikTok, Telegram, and YouTube, openly advertising uses like passing police checks, renting cars, or accessing benefits.
Real-World Consequences
The implications are far-reaching:
- National Security: Fake IDs can bypass airport, border, and law enforcement checks.
- Financial Fraud: Scannable IDs enable SIM swaps and account takeovers.
- Election Integrity: IDs can be exploited for mail-in ballot and voter registration fraud.
- Logistics & Trafficking Risks: Fake commercial driver’s licenses allow unlicensed operators to bypass U.S. Department of Transportation checks.
A Call to Action
CloudSEK urges urgent global action:
- Law Enforcement: Seize the 83+ domains and pursue legal action using attribution evidence.
- Courier Vigilance: Alert FedEx, USPS, and DHL to the covert packaging tactics.
- Payment Processors: Trace and freeze illicit accounts across PayPal, Western Union, and crypto platforms.
- Continuous Monitoring: Deploy threat intelligence platforms like CloudSEK’s XVigil for proactive detection.
Goshen Medical Center Notifying 450k+ people of data breach
Posted in Commentary with tags Hacked on September 18, 2025 by itnerd
Comparitech reported today that Goshen Medical Center, Inc. has started notifying 456,385 people of a data breach following a cyber attack that started in February 2025. Ransomware gang BianLian claimed the attack in late March.
Commenting on this is Rebecca Moody, Head of Data Research at Comparitech:
“This week has seen three of the six largest data breaches (via ransomware) on US healthcare companies this year. This attack on Goshen Medical Center becomes the third largest, while Medical Associates of Brevard, LLC takes fourth place (notifying nearly 247,000 of a January 2025 breach via BianLian) and New York Blood Center Enterprises takes sixth place (nearly 194,000 affected in a January 2025 attack via unknown hackers).”
“All three of these attacks highlight two key things. First, they demonstrate how the healthcare sector remains a dominant target for ransomware gangs because of the amount of sensitive data up for grabs. Second, they serve as a reminder that it’s often months before we find out about the extent of these attacks.”
“So, while ransomware attacks on the US healthcare sector may seem lower than last year (we’ve noted 61 confirmed attacks and 6.1 million breached records so far this year, compared to 174 attacks and 28.6 million breached records in total last year), we shouldn’t focus too much on these as of yet. It’s highly likely we’ll see a number of other major breaches coming through in the coming months. For example, we still don’t know how many were impacted in the attack on Kettering Health and out of
Two things jump out at me. First, BianLian is quite busy with a growing list of victims. Second, health care is yet again a victim of a cyberattack. Clearly there's no end to the madness, which is bad news for all of us.