Blog
2TB of personal data for $80: Exploring ...

2TB of personal data for $80: Exploring the "identity market"

Online template farms have gotten so consistent, they've switched to subscriptions.
Published 13 Jul 2026Updated 13 Jul 2026
Resistant AI Logo
Table of contents
Subscribe to our newsletter

In our last article, we teased that Fakedocshop, a popular document template farm running on subscriptions, has branched out beyond template selling into another crucial part of the financial crime enablement ecosystem:

We call it "the identity market."

Bundling and distributing ready-made identity packages instantly usable by fraudsters is quite different from simply downloading a trove of messy leaked data (and much more dangerous).

And Fakedocshop seems to have been at this for years, using closed "VIP" communication channels to cultivate a small community of the most dedicated (and likely sophisticated) criminals.

We accessed and analyzed the contents of one of these channels which has already amassed over 2TB of data, continuing to add more by the week.

How we got access to the VIP channel

The “VIP” channel run by the template farm is the first of its kind we have seen.

Invite-only, with a relatively small monthly fee to get in, it's advertised both on the Telegram “news” channel as well on Fakedocshop’s website itself.

Wayback Machine data show that the VIP channel was first advertised on the farm website in March 2025, which would correspond with its Telegram history.

TI_ARTICLE_VIP_channel_farm_website_first_mention_2025_03

Soon after, Fakedocshop also added a stand-alone “product” page. Phrases like “exclusive content”, “some of our best files are never shared publicly” or “unique, high-quality content” aim at attracting both existing and new template-buying customers (without specifying what the files may be).

Originally, Fakedocshop advertised the 1TB data trove for $100 (or $149 if you look at the button). Exact pricing seems to be relatively fluid when it comes to criminal negotiations.

The web page also highlights the difference between regular site membership for templates and the VIP subscription to this channel.

TI_ARTICLE_VIP_channel_farm_website_product_page_2025_05

We contacted Fakedocshop’s main support persona Janet and inquired about the channel access and its contents.

Just two minutes later, Janet shared pricing details along with a screen recording of the channel’s contents with the comment “real documents” and that “we can’t share real docs on site so we share here”. She also included a screen recording video of the channel’s contents which proved to be authentic.

TI_ARTICLE_VIP_channel_Janet_convo

The rest is history. We sent the requested $80 and were granted access via a unique channel link less than 2 hrs after our first inquiry.

Channel history and activity

The channel's activity consists almost entirely of document uploads. There’s very little interaction between its members (if any) and no real conversations. Fakedocshop’s admin account is the only account to ever post any messages.

This is understandable. If the purpose of the channel is only to function as a posting board that advertises and hosts the data, there’s no need for conversation or socializing.

Fakedocshop doesn't even want members of the channel to see each other. Only the number of subscribers is visibly (likely to guarantee confidentiality). In that sense, this is not community based on facilitating exchange between its members. They just want to keep tabs on actors willing to pay for a continuous supply of leaked identity data.

As of July 3, there have been 882 messages posted in the channel, with over 85% being pure file drops without any accompanying text message. 150 messages did contain a text description but they often held very little tangible value.

Most contained phrases like “high-quality documents,” “front, back, selfie,” or the industry-wide known term “fullz,” used to describe a complete package of stolen personal and financial data to impersonate an individual.

For the messages that contain text, the country functions as the primary identifier of each dataset, sometimes with the addition of how many identities the pack contains.

The first messages started popping up in February 2025. The early days flooded the channel with already collected data to create the allure of a large data trove. In its first month, there were 177 messages shared, with no other month recording higher activity.

This shows that Fakedocshop clearly aimed to dump all the files they already had at hand to attract subscribers, while simultaneously browsing its own sources to look for further data to share.

TI_ARTICLE_VIP_channel_message_activity

Because Fakedocshop does consistently post new files to the channel each month. While there’s fluctuation with respect to how much new data is provided, the tempo highlights:

  • Fakedocshop admins are repeatedly capable of obtaining new identity data to provide to its subscribers.

  • Fakedocshop admins actively ensure there’s a reason (or, you know, a thousand reasons) for renewing your subscription each month.

This is much more than a side revenue stream for Fakedocshop on top of its template-selling operations. It puts them among data brokers specializing in re-selling of leaked or stolen data.

Subscriptions and crypto payments

While regularly advertised by Fakedocshop both on its website and Telegram communications, the VIP channel seems to be getting a fraction of the attention/traffic the template selling operation gets.

The number of the channel’s subscribers has fluctuated between 5–30 over the last year.

At those numbers, this is a very small group willing to pay a monthly fee to obtain regular access to privileged data unavailable on the main website. But that also means it’s likely somebody who needs such data constantly, likely to design and execute repeated financial crime operations.

We have paid the VIP channel subscription several different times ourselves.

Each time, the Telegram link to join the channel was different. This is how Fakedocshop’s admin retains control over the monthly subscribers to the channel: once your subscription ends, you’re kicked out by the admin and need to pay again to get the new channel invite link.

This is an expected level of anonymity and obfuscation. Fakedocshop’s crypto wallet address changed each time as well. Wallet addresses seem to be used actively for about 2 months before being replaced. This makes it highly likely there’s still addresses we couldn’t collect.

We have tracked four different bitcoin wallets that have processed 130 receiving transactions worth about $5,000 between November 2025 and June 2026. The transaction data confirms the relatively low number of the channel’s subscribers, with some paying a larger amount for several months in advance while others pay on a monthly basis.

Right now, there’s only 10 members of the channel in total. Quite the VIP club indeed.

What data is in the channel?

As of June 2026, the channel hosts over 750+ different archive (.zip, .rar, .7z) files, totaling about 2TB. On an individual level, the largest archive files can have over 100GB.

In short, this is a huge amount of data, likely containing at least thousands of identities (and likely more) from all over the globe.

In one instance, the target files were hosted on another platform via a provided link, directing us to the Transfer.it, a file-sharing web service similar to other alternatives like WeTransfer or TransferNow. Outside of that, they're always hosted on the main site. 

And it's not from one massive leak. It’s a collection Fakedocshop built over time, likely from many different sources, and there’s a large variety in terms of files themselves as well as their age, country or platform of origin.

So what kind of data and files does the channel contain?

In one word: identities. But it’s a little more complicated.

ID packages

ID packages definitely prevail. Images of IDs (front and back) are often labeled by the individual’s name or the relevant country. Folders can be single identities or so-called "country multipacks" where the archive contains identities from different countries.

Quality varies. They occasionally show signs of document tampering, whether it’s forgery executed with tools like Photoshop or attempts to leverage AI. But most files seem to be authentic.

Selfies and videos

Selfies and videos: Basic head movements or even liveness videos of people turning around holding their business certificates.

Some evidence of tampering, though again, often likely real leaked image data.

Non-ID docs

The most interesting component of some packages, whether it’s a bank statement, a utility bill, or a pay stub. Each of these assets would be valuable on its own. Combined together, they’re a full KYC fraud starter pack.

And that’s exactly what the VIP channel is aimed at. Each new dataset is usually neatly structured, with a dedicated subfolder for each individual identity and several of the named assets (and sometimes all of them) available.

Leaked databases and “fullz”

There’s several cases where the files shared do not actually contain any images or documents. 

It’s just raw, text-based personal details stolen from a wide variety of sources: a hotel customer database, a ministry database of personnel, business and investor databases and so on.

While personal information without documents is less usable immediately, fraudsters can still use these in different contexts for identity fraud, account takeover, new account fraud and, of course, creation of new fake documents themselves.

While sometimes incomplete, the main threat of so much data available for so little rests on the assumption that the personal details are authentic.

The leak, the logs, and the threat of real identities

One of the datasets we harvested from the VIP channel was different.

The identity assets were still there, neatly organized by every single identity.

But there was also a JSON file. Upon closer inspection, a technical log of the documents uploaded and being verified.

We already suspected that a majority of the files stored on the VIP channel could be real, authentic documents and identities. Then, with just this one dataset, we now had an audit trail of the verification process itself.

Checking the full logs and cybersecurity breach reports, the breached platform in question had already admitted to a security incident that impacted almost 100,000 users. According to the report, the original attacker accessed the platform’s "KYC vendor and gained access to the names, DOBs, ID documents and selfies/videos.” 

To be clear about scope: one traced dataset doesn't authenticate all of the 2TB data available on the channel. But it proves the mechanism and confirms that at least some of this inventory is sourced from a real breach of a verification pipeline.

The leak analysis tells us three things:

  • Obtaining a real identity is now trivially easy and cheap. At the scale this channel operates, the cost comes down to just a few cents per identity, or even less.

  • The data provided on the channel are not fully clean and authentic. Forged documents are present alongside authentic ones, and there’s likely document forgeries that passed the original KYC verification.

  • It does not matter what kind of financial crime you want to execute, sooner or later, you will need to use an identity. But the seeming easiness and cheapness of obtaining a real identity changes the context of when and if a fraudster needs to forge the ID documents in the first place.

All three factors shift the paradigm of detecting fraudulent activities away from the ID document analysis towards the non-ID document part of what’s required during KYC.

Leveraging authentic non-ID documents is far harder than leveraging authentic ID documents. Not because they're rarer, but because they can't be used as-is.

An ID document lifted from a breach can be presented without modification. A bank statement, utility bill, or paystub almost always needs to be altered: the reporting period is wrong, the address doesn't match the application, the balance doesn't fit the profile being constructed. Every one of those edits is an intervention point, a place where a criminal leaves a trace.

This is precisely why non-ID documents are the more interesting detection surface. They are contextual in a way ID documents are not.

While a passport is largely self-contained, a bank statement exists in relation to an account, a bank, a reporting cycle, a set of transactions, all of which can be cross-referenced. Altering one element to fit a fraud scenario typically creates inconsistencies elsewhere.

Forging non-ID documents convincingly requires a level of craft and domain knowledge that isn't widely distributed. Template farms exist precisely to fill that gap.

The ”identity market” implications

The existence of an “identity market” where leaked or stolen identities are sold in bulk is not at all a new concept and has been covered by media and law enforcement alike.

For example, Europol clearly highlights the threat of personal data brokerage in its recent report “Steal, deal and repeat: How cybercriminal trade and exploit your data” as part of its 2025 Internet Organised Crime Threat Assessment (IOCTA).

What the existence of channels like Fakedocshop VIP tell us is that template farmers are actively tapped into the “identity market,” whether for the creation of templates or for re-selling the data and assets themselves.

The financial crime prevention/detection industry has spent years building better ID document verification. That problem, it turns out, may have already been rendered largely irrelevant. The frontier has moved, and it's in the non-ID stack where the next generation of financial crime will be won or lost.

Detection-wise, monitoring and understanding the identity packages circulating in different markets or channels allows us to understand which document types or classes are more exposed and what signals to look out for.

The fact that Fakedocshop branched out into data brokerage also confirms that template farmers likely often venture beyond selling document templates.

They are actively participating in the criminal ecosystem on numerous levels, and the overall fraud community is therefore likely more intertwined that what we’ve been able to see so far.

Last but not least, we also need to consider a broader typology impact: 

Are stolen and leaked real identities easier to re-use for fraud rather than forging synthetic ones? How does the liveness component fit into the KYC and KYB verification workflows, and what kind of criminal “industry” advice and tutorials can be found in the ecosystem communications?

We’ll leave that for the next time.

Enjoyed this content? Sign up for our "Threat Radar" newsletter using the form on your left!

 

Blog post author
Jan Indra Threat Intelligence Investigator