
Fraud as a service: how criminal networks are selling fraud at scale.

  • Fraud as a Service lets non-technical criminals launch sophisticated attacks for as little as $50 a month.
  • FaaS kits bundle phishing tools, stolen credentials, bots, and mule networks into subscription packages.
  • Account takeover losses tied to FaaS-enabled attacks are projected to reach $17 billion in 2025.
  • Europol’s IOCTA 2026 named fraud schemes the fastest-growing area of organised crime in the EU.
  • Defending against FaaS requires real-time identity signals at onboarding, not just perimeter controls.

In May 2026, Europol declared fraud schemes the fastest-growing area of organised crime in the EU, with losses reaching $64.1 billion in 2025 alone. That figure was not driven by a new class of criminal mastermind. It was driven by infrastructure: a thriving market on the dark web where criminal networks sell access to ready-made fraud tooling, automated attack frameworks, and stolen credentials, packaged and priced like enterprise software subscriptions.

Fraud as a Service, or FaaS, is how organised crime scaled beyond its own headcount. Understanding how the model works — and where it is structurally vulnerable — is the first step toward building defences that hold.

What is Fraud as a Service?

Fraud as a Service is a criminal business model in which organised networks sell or rent pre-built fraud tooling to third-party buyers, enabling non-technical actors to run sophisticated attacks without building the underlying infrastructure themselves.

The model is the criminal equivalent of Software as a Service: subscription access to attack capabilities, delivered through dark web marketplaces, with pricing tiers, customer support channels, and feature update logs that deliberately mirror the conventions of legitimate software vendors.

How FaaS differs from traditional cybercrime

Traditional cybercrime required technical expertise at every stage: writing malware, building phishing pages, managing bot traffic, recruiting money mules, and laundering proceeds. FaaS separates those functions. Specialist criminal vendors build and maintain the tools, while non-technical buyers purchase access and direct the attacks against chosen targets. This division of labour opened the market to a far larger pool of bad actors.

The FBI received over one million cybercrime complaints for the first time in 2025, with cyber-enabled fraud accounting for $17.7 billion in losses. That volume is only achievable because the technical barrier to entry has effectively collapsed.

The economics: why $50 per month changed the attack surface

FaaS subscriptions typically start at around $50 per month, giving buyers immediate access to phishing kits, credential databases, bot infrastructure, and automated testing frameworks. The entry price is lower than most business software licences.

The average size of detected FaaS attacks doubled between 2023 and 2024, and 56% of companies reported becoming victims of FaaS-style attacks in that period. The doubling of attack size in a single year reflects what happens when operational cost drops to near zero: attackers run larger campaigns, more frequently, against more targets simultaneously, with no marginal cost for scale.

What tools are inside a FaaS kit?

A mature FaaS kit is modular by design. Buyers subscribe to individual components or purchase a full-stack package depending on their target and budget. The table below maps the standard components of a FaaS offering to the attack vector each one enables.

| FaaS component | What it does | Attack vector enabled |
| --- | --- | --- |
| Phishing kits | Pre-built fake login pages and brand-impersonation templates | Credential harvest, session hijack |
| Combolists | Databases of email/password pairs from prior data breaches | Credential stuffing, account takeover |
| Credential-stuffing frameworks | Automated tools that test credentials across multiple platforms in parallel | Account takeover at scale |
| Mule networks | Pre-recruited money-transfer accounts for laundering proceeds | Financial crime, fraud monetisation |
| Deepfake-as-a-service | AI-generated face-swap video and synthetic voice | Biometric bypass, social engineering |
| SIM-swap services | Compromised or bribed telecoms insiders who port a victim’s number | MFA bypass, account-recovery abuse |
| Botnets on demand | Rented networks of compromised devices | IP rotation, rate-limit evasion |


No single component in this table is new. What FaaS changed is the assembly. Buyers receive a complete, tested attack chain rather than individual parts, delivered alongside customer support, update logs, and occasionally a satisfaction guarantee.

The polish is intentional: it reduces the learning curve for buyers and makes the vendor’s offering competitive against other FaaS providers in the same marketplace. Dark web FaaS vendors have adopted product-management thinking, shipping updates in response to new security controls the same way legitimate software teams respond to user feedback.


Which industries does FaaS target most?

FaaS attacks concentrate wherever account credentials carry direct financial value or where onboarding controls have exploitable gaps. Financial services absorb the largest volume of attacks, but crypto exchanges, gaming platforms, e-commerce, and healthcare each face distinct FaaS attack profiles shaped by the monetisation route available in each sector.

| Industry | Primary FaaS attack type | Why it attracts FaaS buyers |
| --- | --- | --- |
| Financial services | Credential stuffing, synthetic identity fraud | High-value accounts, direct cash-out paths |
| Crypto exchanges | Account takeover, deepfake-assisted onboarding bypass | Irreversible transactions, pseudonymous environment |
| Gaming and gambling | Account hijack, in-game asset fraud | High transaction velocity, easy asset liquidation |
| E-commerce | Card-not-present fraud, stored-credential abuse | Saved payment methods, no face-to-face friction |
| Healthcare | Data harvest, insurance fraud | High PII resale value, fragmented authentication |

How does FaaS connect to account takeover and credential stuffing?

FaaS is the supply chain behind most large-scale account takeover fraud. The attack chain runs in three steps.

First, a FaaS vendor assembles or purchases a combolist: a dataset of email/password pairs harvested from prior data breaches or purchased from infostealer malware campaigns. Credential stuffing attacks rose 65% in 2024 as combolists grew larger and more current, fed by a parallel market in infostealer logs that harvest credentials in real time from infected devices.

Second, the buyer loads the combolist into a credential-stuffing framework. These tools automate login attempts across dozens of target platforms simultaneously, rotating through residential proxy networks to defeat IP-based rate limiting and mimicking legitimate browser behaviour to evade bot-detection controls.

Third, confirmed logins are sorted by account value, priced, and either sold back into the FaaS marketplace or exploited directly for financial gain.

The failure mode most organisations miss is structural. Credential-stuffing frameworks are engineered specifically to look like legitimate user behaviour at the network perimeter. IP rotation, browser fingerprint spoofing, and paced login timing all defeat firewall-level and rate-limiting controls.

What they cannot defeat reliably is a liveness check that distinguishes a live person from a replay attack, or a behavioural signal layer that detects session anomalies inconsistent with a returning user’s established pattern. The FaaS attack chain is most vulnerable at the identity verification layer, not the perimeter.
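The gap described above, shown as detection logic over a login log. This is an added example, not part of the original article or any vendor's code; the event fields, thresholds, `KNOWN_IPS` history and sample data (documentation-range IPs) are constructed assumptions.

```python
from collections import Counter, defaultdict

def sample_events():
    """Constructed log: a 40-account rotated-IP burst plus three returning users."""
    events = [{"ts": 1200 + i, "ip": f"198.51.100.{i + 1}",
               "user": f"user{i}@example.com", "ok": i == 17}
              for i in range(40)]
    events += [{"ts": 1205 + 10 * i, "ip": f"203.0.113.{i + 1}",
                "user": f"{name}@example.com", "ok": True}
               for i, name in enumerate(["alice", "bob", "carol"])]
    return sorted(events, key=lambda e: e["ts"])

# Hypothetical per-account history of previously seen source IPs.
KNOWN_IPS = {f"{n}@example.com": {f"203.0.113.{i + 1}"}
             for i, n in enumerate(["alice", "bob", "carol"])}
KNOWN_IPS["user17@example.com"] = {"192.0.2.44"}

def per_ip_rate_limit_hits(events, limit=5):
    """Perimeter-style control: source IPs with more than `limit` attempts."""
    counts = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n > limit)

def flagged_windows(events, window_s=60, min_accounts=20, min_fail_ratio=0.8):
    """Aggregate control: windows in which many distinct accounts fail,
    regardless of how few attempts each source IP makes."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] // window_s].append(e)
    flagged = []
    for start, evs in sorted(buckets.items()):
        failed = {e["user"] for e in evs if not e["ok"]}
        ratio = sum(not e["ok"] for e in evs) / len(evs)
        if len(failed) >= min_accounts and ratio >= min_fail_ratio:
            flagged.append(start * window_s)
    return flagged

def step_up_candidates(events, known_ips, window_s=60):
    """Successful logins inside a flagged window from an IP the account has
    never used: route these to step-up identity verification."""
    hot = set(flagged_windows(events, window_s))
    return sorted(e["user"] for e in events
                  if e["ok"] and (e["ts"] // window_s) * window_s in hot
                  and e["ip"] not in known_ips.get(e["user"], set()))

if __name__ == "__main__":
    evs = sample_events()
    print(per_ip_rate_limit_hits(evs), flagged_windows(evs))
    print(step_up_candidates(evs, KNOWN_IPS))
```

The per-IP limiter reports nothing because every address makes a single attempt, while the aggregate view flags the window and isolates the one confirmed login for a liveness or other identity check without challenging the three returning users.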

How has the FaaS threat landscape shifted in 2026?

Three developments have made FaaS materially more dangerous since 2024.

The first is agentic AI integration. Fraud networks have begun embedding autonomous AI agents into the attack loop, enabling credential-stuffing campaigns, social-engineering sequences, and fraud-monetisation steps to execute with minimal human involvement.

Europol’s IOCTA 2026 identified autonomous cybercrime as the next inflection point in organised crime, noting that agentic systems allow attacks to scale at a velocity no human-supervised operation can match. For defenders, this means attack volume will continue to grow even as the human headcount behind the attacks stays flat or shrinks.

The second is deepfake commoditisation. Deepfake-as-a-service is now a standard line item inside FaaS kits, enabling buyers to generate convincing face-swap video and synthetic voice for biometric bypass without building or training the underlying model. The cost has dropped to the point where deepfake capability is economically viable against low-value account targets, not only high-value financial targets.

The third is coordinated regulatory response. In May 2026, Europol launched the EU Anti-Scam Platform, a dedicated operational hub drawing on both the European Cybercrime Centre and the European Financial and Economic Crime Centre to coordinate cross-border takedowns of industrialised fraud networks. Enforcement actions will disrupt individual FaaS marketplaces, but the structural economics that make FaaS viable will persist.

The platform is most significant as a signal: regulators now treat FaaS as infrastructure-level organised crime, not isolated bad actors, which means compliance obligations for regulated businesses are likely to tighten around onboarding controls in the near term.

How Shufti fits into your FaaS defense strategy

The FaaS attack chain is built to exploit the gap between perimeter security and identity verification. Phishing kits harvest credentials that pass password checks. Credential-stuffing frameworks mimic legitimate login patterns. Deepfake-as-a-service targets onboarding steps that rely on shallow liveness detection.

Shufti’s fraud prevention layer operates at exactly these points. Behavioural analytics flags the anomalous session patterns that FaaS automation reliably generates, including copy-paste sequences in document fields, device reputation mismatches, and IP geolocation inconsistencies across the onboarding flow.

Combined with document intelligence trained on 10,000+ document types and a liveness engine that holds iBeta Level 3 conformance under ISO/IEC 30107-3, the integrated stack catches the signals FaaS kits consistently produce, at the moment they appear. One platform. Fully owned technology. Global coverage with real local depth.

Book a demo to see how Shufti’s fraud prevention layer detects FaaS-driven onboarding attacks on real traffic.

Frequently Asked Questions

Q1: What is Fraud as a Service (FaaS)?

Fraud as a Service is a criminal business model in which organised networks sell subscription access to pre-built fraud tools, including phishing kits, stolen credential databases, automation frameworks, and mule networks, enabling non-technical buyers to launch sophisticated attacks without building any of the underlying infrastructure themselves.

Q2: How do fraud syndicates use automation to scale attacks?

FaaS buyers load stolen credential datasets into automated frameworks that test login combinations across hundreds of platforms simultaneously, using residential proxies to evade rate limiting. The automation converts a single combo list into thousands of account-takeover attempts per hour, with confirmed logins sorted and monetised in near real time.

Q3: What is the relationship between FaaS and account takeover?

FaaS is the supply chain behind most large-scale account takeover fraud. Vendors supply combo lists and credential-stuffing tooling; buyers run automated login attacks against target platforms. Confirmed accounts are either sold back into the FaaS market or exploited directly, making account takeover the primary monetisation path for credential-focused FaaS kits.
