appliedbits
FIELD NOTES
PUBLISHED 2026-05-27

GASA's FALKIN: 22,661 bank-fraud operator signals, with account takeover at 69%

GASA (Global Anti-Scam Alliance) · FALKIN

GASA’s FALKIN team has published a snapshot of 22,661 bank-tagged signals collected over six weeks from Telegram channels, dark-web forums, and live attack infrastructure. The breakdown is stark: “account takeover and credential harvesting is by far the largest category, at 69.2% of classified signals. OTP interception sits in second place at 17.3%.” Card and CVV trade accounts for another 7.3%, identity bundles 5.1%, and APP mule infrastructure 1.1%.

The framing FALKIN reaches for — “What used to require skill, infrastructure, and patience is now a checkout flow” — is the right metaphor for where adversary tooling has landed. Phishing kits sell like SaaS, identity bundles ship in volume, and OTP bots rent by the hour. The 17.3% line item for OTP interception is the one that should concentrate the mind of anyone betting authentication can be solved with SMS one-time passcodes: a meaningful slice of operator labor is now dedicated specifically to defeating the second factor that’s most commonly deployed.

OTP-bot infrastructure is also the connective tissue between voice/SMS fraud and account-takeover fraud — the same operators rent the platforms that convert a stolen credential bundle into a drained account by relaying live SMS codes in seconds. KYUP at the call-origination layer and possession-factor authentication at the bank layer are addressing two ends of the same supply chain; FALKIN’s data is a useful reminder that the middle of that chain is the part that’s industrialized.

Tags: gasa, fraud-as-a-service, account-takeover, otp-interception, data