How Malta’s iGaming Operators Can Put an End to Synthetic Identity Fraud


“We pass the audits, but the bonus spend keeps drifting.” That sentence came out of three separate calls with compliance leads at Malta Gaming Authority (MGA) licensees in Q1 2026, and it describes the exact fingerprint of synthetic identity fraud. The attack rarely triggers a dramatic alert. It shows up instead as a steady erosion of promotional budget and a creeping manual review queue, visible only when someone plots four months of welcome-bonus data on the same chart.

Malta’s iGaming market has become a concentrated target for this pattern. This article maps how the fraud plays out on a Malta registration window, what the MGA and the Financial Intelligence Analysis Unit (FIAU) expect when it does, and where a combined face-and-document verification flow closes the gap that three separate tools tend to leave open.

Synthetic identity fraud is the creation of a fictitious person by stitching together real breached data (a valid name, a stolen national ID number, a reused address) with AI-generated or hybrid document images and a deepfake-assisted selfie. The identity does not map to a real human, but it passes enough checks to register, deposit, and claim a welcome bonus. A coordinated ring runs dozens of these in parallel.

Why Malta’s iGaming market draws synthetic identity fraud rings

Malta carries a disproportionate share of Europe’s online gaming traffic relative to its population, and that density is the first condition fraud rings look for. More than 300 MGA-licensed operators are headquartered on the island, and the sector contributes over €1.1 billion a year to Malta’s gross domestic product, according to KPMG Malta’s iGaming practice. The second condition is a global player base. MGA licensees accept registrations from more than a hundred countries, which gives a fraudster access to document formats from dozens of jurisdictions at a single registration page.

Three structural factors pile on. First, welcome-bonus spend per player is high because operator competition is fierce and customer acquisition cost is a board-level metric. Second, MGA-licensed platforms must verify every player to the same regulatory standard regardless of where the player sits geographically, which creates a wide surface area for impersonation. Third, the FIAU received 9,430 suspicious transaction reports in 2024 (an increase of 3% year-on-year), and remote gaming remains the top-reporting sector in the country. Fraud rings know an attack here gets written up quickly, but they also know the volume keeps scrutiny diffuse.

Infographic 1 — Malta by the numbers

How synthetic identity fraud plays out on a Malta registration window

The registration window on a licensed Maltese platform is where the attack succeeds or fails. Understanding the four stages matters because the defence has to be placed at the right stage. A fraud ring does not run a single attack. It runs a pipeline.

Identity assembly

The ring starts with leaked personal data sold in bulk on closed channels. A European breach gives a name, a date of birth, and sometimes a national ID number. Address data comes from a separate breach or from a generative model trained to output plausible Maltese, Italian, or Spanish addresses. The finished identity is never a real person and never a fully fabricated one. It is a composite with just enough real data to pass a database cross-check.

Document creation

The ring produces or buys a template-quality image of a passport, residence permit, or national ID card, then populates the machine-readable zone (MRZ) with values consistent with the assembled identity. Template quality has improved sharply in the last eighteen months because the models used to generate them are the same models players legitimately use for photo editing. Anything that fails basic OCR is dropped before submission. Whatever passes OCR but carries forensic inconsistencies gets submitted anyway, because most operators do not run forensic checks by default.

Liveness bypass

A deepfake selfie is attached to the identity through one of three methods, typically a frame-by-frame face swap against a cooperating human, a video injection at the mobile camera API, or a 3D-rendered face driven in real time from a live studio. The European Gaming and Betting Association’s 2025 evidence submission to the European Commission explicitly calls out deepfake-enabled synthetic identity creation as a method currently used to exploit promotional bonuses and enable multi-accounting on licensed European platforms.

Multi-account bonus extraction

The first account deposits the minimum needed to claim the welcome bonus, then plays it to the withdrawal threshold through a sequence of low-variance bets. A single ring runs thirty to two hundred accounts in parallel, each on a different composite identity. Behaviour at the individual account level looks unremarkable, and the pattern only surfaces when someone correlates play across the full cohort.

Infographic 2 — Four stage attack flow

What MGA rules and the FIAU actually expect at onboarding

Malta’s regulatory architecture is specific, and it treats identity verification as a primary compliance control rather than a tick-box. Two authorities matter here. The MGA sets gaming licence conditions, while the FIAU handles anti-money laundering and suspicious-activity reporting. Both sets of obligations land in the same registration window.

The MGA Player Protection Directive requires licensees to establish strong controls and procedures covering every stage of the player relationship, starting with identity verification at registration. Under that directive, verification must be completed before any wager is placed where relevant conditions apply, which turns the verification window into a hard commercial and compliance pinch point. If the flow is slow, legitimate players abandon. When it is loose, synthetic identities get in.

On the AML side, Malta’s Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) require subject persons (which includes every MGA licensee) to carry out customer due diligence (CDD) at onboarding and to file Suspicious Transaction Reports (STRs) when player behaviour or source-of-funds indicators warrant it. Across 2024, the FIAU conducted 187 supervisory interventions and took over 70 compliance actions through remediation or administrative measures, with remote gaming among the most scrutinised sectors. Practically, onboarding controls get audited backwards from STR quality. When STRs rest on shaky identity data, they read as operational failure rather than diligence.

Where Shufti smoothens the player-onboarding flow

The gap most operators live with is architectural. A document-verification vendor, a separate liveness vendor, and a separate AML screening stack leave handoff seams that synthetic identity rings target specifically. Shufti’s approach is to bind the three checks together in a single decision event and return one defensible verdict.

In practical terms, that means a player presents a document, the document is authenticated against 10,000+ templates, the selfie is captured with active or passive liveness, and the face is matched back to the document photo in the same transaction. 

The face verification layer covers 56+ anti-spoofing attack vectors, including AI-generated deepfake injection, 3D mask attacks, and video replay, and was named a top performer in the United States Department of Homeland Security’s 2025 Remote Identity Validation Rally (DHS RIVR 2025) across diverse demographic groups. Combined document and biometric verification is completed in under fifteen seconds at a 99.5% pass rate for legitimate players, which keeps the MGA’s pre-wager timing obligation intact without degrading conversion.

One SDK, one audit trail, one decision. That is the architectural point. The FIAU’s expectations and the MGA’s requirements both land on the same event record, which shortens the paper trail every thematic review eventually asks for.

Synthetic identity fraud doesn’t announce itself on a Maltese iGaming platform. It arrives as a steady drain on promotional budget, a creeping manual review queue, and a pattern that only becomes visible when it lands in the FIAU’s next annual report or the MGA’s next thematic review. Shufti’s face verification binds live liveness to a document photo in under fifteen seconds, covering 56+ anti-spoofing attack vectors, including AI-generated deepfake injection, and sits inside the same API that also handles document, NFC, AML, and KYB for a single audit trail that regulators can read. 

Explore Malta-specific IDV to start complying with regional and international KYC obligations. 

Frequently Asked Questions

What is synthetic identity fraud in an iGaming context?

Synthetic identity fraud in iGaming is the creation of a fictitious player by combining stolen personal data with AI-generated or hybrid documents and a deepfake selfie. The identity never maps to a real person, but it passes enough onboarding checks to register an account, deposit, and extract a welcome bonus. Rings run dozens of these accounts in parallel on a single platform.

How do fraud rings actually abuse welcome bonuses on MGA-licensed platforms?

A ring registers anywhere between thirty and two hundred composite identities on a platform, deposits the minimum amount required to claim each welcome bonus, and plays the bonus through to the withdrawal threshold using low-variance wagers. Each account looks legitimate on its own. The abuse surfaces only when behaviour is correlated across accounts or when identity data is cross-checked for reuse patterns.
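The cross-account correlation described in this answer, and in the "Multi-account bonus extraction" stage earlier, can be sketched as follows. This is an added example, not Shufti's or any operator's code; the field names, thresholds, the device identifier and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

MIN_DEPOSIT = 10.0   # assumed minimum deposit that unlocks the welcome bonus
MIN_COHORT = 3       # assumed smallest linked group worth a manual review
MIN_SHARE = 0.8      # assumed share of members on the minimum-deposit pattern

Account = namedtuple("Account", "id id_number address device deposit bonus")
# Constructed sample registrations (all values invented); device is an assumed signal.
ACCOUNTS = [
    Account("A1", "0123456M", "12 Triq il-Kbira, Sliema", "d-01", 10.0, True),
    Account("A2", "0123456m", "4 Via Roma, Milano", "d-02", 10.0, True),
    Account("A3", "7654321L", "9 Calle Mayor, Madrid", "d-02", 10.0, True),
    Account("A4", "1111111A", "9 calle mayor madrid", "d-03", 10.0, True),
    Account("B1", "2222222B", "3 Triq San Pawl, Valletta", "d-10", 50.0, True),
    Account("B2", "3333333C", "3 Triq San Pawl, Valletta", "d-11", 25.0, False),
    Account("C1", "4444444D", "7 Rue Verte, Lyon", "d-20", 10.0, True),
]

def norm(value):
    """Drop case and punctuation so trivial edits do not hide a reused value."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def link_cohorts(accounts, fields=("id_number", "address", "device")):
    """Union-find: accounts sharing any normalised attribute join one cohort."""
    parent = {a.id: a.id for a in accounts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    first_seen = {}
    for a in accounts:
        for f in fields:
            key = (f, norm(getattr(a, f)))
            owner = first_seen.setdefault(key, a.id)
            parent[find(a.id)] = find(owner)
    cohorts = defaultdict(list)
    for a in accounts:
        cohorts[find(a.id)].append(a)
    return list(cohorts.values())

def flag_cohorts(accounts):
    """Cohorts where most members claimed the bonus on the minimum deposit."""
    flagged = []
    for members in link_cohorts(accounts):
        minimal = [m for m in members if m.bonus and m.deposit <= MIN_DEPOSIT]
        if len(members) >= MIN_COHORT and len(minimal) >= MIN_SHARE * len(members):
            flagged.append(sorted(m.id for m in members))
    return flagged
```

Calling flag_cohorts(ACCOUNTS) returns only the A1 to A4 group: no two of its members look alike in isolation, but the links chain through a reused ID number, a shared device and a re-punctuated address. The two-account household and the lone minimum depositor stay unflagged.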

What does the MGA require for player verification under the Player Protection Directive?

Under the Player Protection Directive, MGA licensees must establish identity-verification controls at registration and, where applicable, complete verification before a wager is placed. Those obligations are anchored in Malta's broader Remote Gaming Regulations and reinforced by the PMLFTR's CDD requirements, meaning operators are held to both a gaming-licence standard and an AML standard on the same registration event.

How does liveness detection catch a deepfake selfie during KYC?

Strong liveness detection combines active signals (small prompted movements), passive signals (3D depth analysis, texture, and lighting forensics), and injection-attack detection at the camera API layer. A face-swap deepfake typically fails on at least one of the three because it cannot replicate genuine 3D depth, real-world lighting response, and device-native capture signals at the same time. Single-signal liveness catches far fewer attacks than a layered stack.

Why has Malta's iGaming market become a target for coordinated bonus-abuse rings?

Malta concentrates more than 300 MGA-licensed operators in one jurisdiction, accepts a globally diverse player base, and runs a competitive welcome-bonus market. That combination offers fraud rings scale, document-format variety, and a high payout per successful composite identity. The FIAU's reporting data confirms remote gaming as the leading suspicious-transaction-reporting sector in the country, which makes the problem visible but also diffuse.
