From News Desk

CloudSEK, a cybersecurity company, has exposed a sophisticated China-based operation selling high-quality counterfeit US and Canadian driver’s licences and Social Security Number (SSN) cards, posing a severe threat to national security, financial systems and public trust.
The investigation, conducted by CloudSEK’s STRIKE team, uncovered a sprawling network of 83+ interconnected domains supported by 24/7 WeChat customer support, custom order flows and multiple payment channels. Analysis of the exfiltrated database revealed over 6,500 counterfeit licences sold to 4,500+ buyers, generating more than $785,000 in revenue.
A Hidden Threat Undermining Trust
Counterfeit IDs aren’t just tools for underage drinking – they enable serious crimes, including illegal firearm purchases, SIM-swap fraud, large-scale logistics misuse, and even election interference. CloudSEK researchers confirmed that the IDs, priced as low as $65 in bulk, are fully scannable and replicate advanced security features such as holograms, UV markings, laser engraving, and relief printing, making them nearly indistinguishable from genuine documents.
“This isn’t just about fake IDs – this is about a systematic attack on the foundation of trust that underpins our financial, legal, and civic systems,” said Sourajeet Majumder, security researcher at CloudSEK STRIKE. “When a single counterfeit license can enable unauthorised drivers, bypass compliance checks, or facilitate smuggling, we’re looking at a genuine national security threat.”
Sophisticated Operations
The threat actor demonstrated remarkable sophistication –
- Shell E-commerce Sites: Transactions were routed through fake online stores (clothing, shoes, accessories) to mask payments via PayPal, LianLian Pay, and cryptocurrencies.
- Covert Packaging: IDs were shipped globally via FedEx, USPS, DHL and Canada Post, hidden inside toys, purses, or layered cardboard with camouflage stickers to evade detection. Tutorial videos guided buyers on retrieving concealed IDs.
- Systemic Misuse: One buyer linked to two trucking companies with revoked US operating authorities purchased 42 counterfeit commercial driver’s licenses – highlighting risks to transportation safety and regulatory integrity.
- High-Confidence Attribution: Through HUMINT and OSINT, CloudSEK pinpointed the actor’s exact geolocation in Xiamen, Fujian, China and obtained a facial image via webcam capture.
Key Findings
- Massive Scale: Over 6,500 fake IDs sold, with dense clusters of buyers in New York, Pennsylvania, Florida, Georgia, Ontario, and British Columbia.
- Financial Footprint: $785,000+ generated through PayPal, LianLian Pay, Bitcoin, Ethereum, and Western Union.
- Age Analysis: Nearly 60% of buyers were above 25 years old, signaling intentions beyond casual misuse.
- Marketing Tactics: The network promoted IDs via Meta Ads, TikTok, Telegram, and YouTube, openly advertising uses like passing police checks, renting cars, or accessing benefits.
Real-World Consequences
The implications are far-reaching –
- National Security: Fake IDs can bypass airport, border, and law enforcement checks.
- Financial Fraud: Scannable IDs enable SIM swaps and account takeovers.
- Election Integrity: IDs can be exploited for mail-in ballot and voter registration fraud.
- Logistics & Trafficking Risks: Fake commercial driver’s licenses allow unlicensed operators to bypass U.S. Department of Transportation checks.
A Call to Action
CloudSEK calls for urgent global action –
- Law Enforcement: Seize the 83+ domains and pursue legal action using attribution evidence.
- Courier Vigilance: Alert FedEx, USPS, and DHL to the covert packaging tactics.
- Payment Processors: Trace and freeze illicit accounts across PayPal, Western Union, and crypto platforms.
- Continuous Monitoring: Deploy threat intelligence platforms like CloudSEK’s XVigil for proactive detection.
“This case demonstrates the critical importance of comprehensive threat intelligence in combating sophisticated criminal operations,” said Ibrahim Saify, Security Analyst at CloudSEK. “Without visibility across social media, dark web, and infrastructure channels, investigations of this depth would be nearly impossible.”
Disclaimer – The details expressed in this post are from the companies responsible for sending this post for publication. This website doesn’t endorse the details published here. Readers are urged to use their own discretion while making a decision about purchasing or using a product/service related to this company, or using this information in any way. There has been no monetary benefit to the Publisher/Editor/Website Owner for publishing this post and the Website Owner takes no responsibility for the impacts of purchasing or using these products/services on the reader, or using this information in any way.





