Chasing OnlyFake: how a template farm turned into a fake doc generator

Many articles have been written about OnlyFake, answering some of the most frequent questions revolving around the platform's operations, including our own brief published in May.

But despite the many media outputs, none provided a deep dive into the platform's origins, communication strategy, or how it essentially became one of the most serious and publicly known document fraud threats.

We decided to change that.

Drawing on our Threat Intel Unit, we have been investigating everything related to OnlyFake for the past few weeks, and now believe to have the most complete mapping of its origins that has been yet published.

So sit down, grab some popcorn, and get ready for a longform read.

Let's dive into Chasing OnlyFake.

OnlyFake Origins: the Blue Cat, “passport clouds” and John Wick

To know where you're going, you gotta know where you started.

So before we get to the juicy parts, let's first take a minute to establish when and how what came to be widely known as OnlyFake first emerged, and how it seemingly caused a major disruption in the fake document market.

Because even though there are now a lot of media mentions of OnlyFake, few actually deal with specific facts or datapoints regarding the platform's history.

Where did it all start then?

Finding the OnlyFake creators

Like Neo, following the white rabbit in The Matrix, we immersed ourselves into the history of OnlyFake by following the blue cat, a character we first identified in Telegram group chats we continuously monitor.

The blue cat is an avatar of the profile named as “Prostootrisovka”, which could be roughly translated as “Just Drawing” or “Just Rendering”.

According to the global intelligence company Recorded Future, “otrisovka” is also the Russian-language slang term for the production of counterfeit documents.

The name could not be more fitting, as Prostootrisovka claims to be the OnlyFake creator or administrator on numerous internet forums operating in Russian.

We traced Prostootrisovka to more than 35 different forums, and boy is this a fascinating read and source of material, as Prostootrisovka has been doing this for years (at least since 2021), often recording more than a 1,000 different posts/messages for a single forum.

Figure 1: Three of the most commonly used avatars of Prostootrisovka aka the Blue Cat across the many internet forums we identified

Regarding “the Blue Cat” moniker, Prostootrisovka took inspiration from a children's novel “Uncle Fedya, His Dog, and His Cat”, written by the Russian author Eduard Uspensky and published in 1974, and one of its main characters, the cat Matroskin.

To make things even more obvious, Prostootrisovka often uses cartoon illustrations from the novel in various posts to highlight the platform's updates, provide special discounts, or simply summarize his/her/their experience as OnlyFake's admin over the last 3+ years.

Figure 2: One of numerous images/cartoons Prostootrisovka is using for communication, posing as the Cat Matroskin character from a children's novel “Uncle Fedya, His Dog, and His Cat”

In this article we will refer to Prostootrisovka either by his/her/their designated name, or simply as “the (Blue) Cat”.

But let's get back to the forums' content itself.

Unraveling the initial threads

The oldest forum accounts were created in the second half of 2020, but new ones were continuously being created up until the summer of this year.

Usually, the identified accounts are described as providing “premium services for professional-grade doc rendering”, “including holograms rendered and printed on carefully selected plastic or paper”, “across as many as 97 countries” and with “thousands of satisfied clients”.

Publication of OnlyFake-related threads starts in the first half of 2021, with numerous different threads continuously created on different platforms corresponding with the creation of specific accounts. And while some of these platforms have been used sporadically, Prostootrisovka is still active on many of these, providing weekly or daily updates on OnlyFake's operations.

Inspecting these threads then provided us with a detailed oral history of OnlyFake's development, including domains used over time, customer communication, or relevant updates about the quality or availability of fraudulent templates — especially in the period before its mass media coverage in 2024.

One thing stands out to an almost comical degree: Prostootrisovka often declares to be at work almost every single day for months on end on some forums, as if to make other template farmers or fraud enablers aware of his thirst for a share of the fraudulent document market pie.

After all, the Cat started out as a template farmer as well.

Just a good ol' template farm

In the fall of 2020, Prostootrisovka created 7 different accounts on identified relevant forums.

In one of the initial forum posts from February 2021, the alleged OnlyFake admin listed 5 different domains, all using the terms “passport” and “cloud”, with each domain having a different TLD.

Figure 3: One of the earliest forum posts we identified, introducing the “passport cloud” group of websites which acted as predecessors to OnlyFake (and some are still operational)

Prostootrisovka boasts of premium quality of templates, worldwide coverage or future plans, all while promising “convenient” payment through crypto or Telegram.

The Cat also mentions the availability of free generators for machine-readable zones (MRZ) and PDF417 barcodes, data encoding mechanisms designed to store and convey information in a standardized, machine-readable format, used in many applications by both commercial and government organizations.

And how does the original website look like itself?

Earliest web archive screenshots come from August 2021, with the sites looking almost the same as what later came to be known as OnlyFake's “Generator 2.0”.

Figure 4: Earliest Internet Archive capture of the original "passport cloud" website from August 2021, with a visual style almost identical to the one later used by websites under the "OnlyFake" brand.

Right from the start, the website offered templates for:

• passports,

• IDs,

• driving licenses,

• utility bills,

• and payment cards.

Regardless of the document type, the Cat promised templates of “the highest quality of up to 1200 DPI”, considered very high quality and commonly used for professional printing.

Figure 5: The very first template sample shared by the Cat on one of the oldest Internet forums,
a high quality (1200 DPI) Russian passport of "John Wick"

Nevertheless, the website did not differ dramatically from a standard template farm catalog, and seemingly did not include anything that could be specifically called “innovative” or “employing AI”.

The only theoretical exception could be the barcode/MRZ generation, but we have seen that in other template farms' offerings as well.

The important thing to note here then is that:

• the name “OnlyFake” (or the platform/project in general) actually was not the initial moniker of the platform. That came later in a — let's admit it — smart branding move probably inspired by the OnlyFans content sharing platform,

• OnlyFake actually did start out as a “classic” template farm offering specific templates without any special features like batch generation or incorporation of AI-powered features.

Why are these findings important?

The fact that OnlyFake started out as a regular template farm shows that with enough resources and expertise, essentially any template farm could, following OnlyFake's success, try to replicate its business model, most dangerously incorporating the possibility of batch generation of fake documents.

OnlyFake then showed other template farms the blueprint for leveling up in terms of scaling their operations and fraud enabling capacity. This only further emphasizes the importance of OnlyFake for the document fraud landscape and how we might see it changing in the near future.

Our research already shows there are numerous farms with larger template databases or website traffic, and it's likely only a matter of time before they draw inspiration from OnlyFake's story.

Obviously, the rebranding of the template farm to OnlyFake and something labelled as an AI-powered generator likely played a major role in how the platform became the go-to fake document vendor.

But we can't also forget the persistent marketing and positioning of its creators as experts in the field of document forgery.

Trust us, we're wicked experts!

As early as within the initial forum posts, Prostootrisovka clearly wants to demonstrate OnlyFake's expertise, and states that “a detailed manual is attached to each template order to make the filling process as simple and understandable as possible”.

Figure 6: OnlyFake's Manual, marketed by the Cat as a bonus to each template purchase

But despite listing numerous document building or editing tools, document structure and its elements, or various document security features, we found the manual didn't provide easily replicable and detailed instructions on high-quality document forgery, i.e. this document alone definitely won't turn you into a digital forgery specialist.

Nevertheless, the document likely succeeded in demonstrating the expertise the Cat needed initially to convince customers to test out the service quality. A typical content marketing tactic, when you think about it. 

At one point, the Cat even tried to sell the manual itself for $150, further acting as if this is a really valuable document that could be considered as a fellow template farmer starting point and a significant bonus to any template purchase.

Both in the manual and within forum posts, Prostootrisovka also refers to yet another alias operating accounts related to OnlyFake: John Wick...Who said fraudsters don't have a taste for pop culture?

Let's pause for a moment here, because it seems the John Wick character is integral to OnlyFake's story, both historically and currently.

Across its messaging, the Cat positions itself and John Wick as two separate individuals: the Cat usually being the service operator, and John Wick the “technical mastermind” behind OnlyFake's templates and services, the one who wrote the above-mentioned document drawing manual.

John is also routinely depicted in OnlyFake's advertising up until today, and has become the mascot of sorts for OnlyFake, with the Cat only acting in the background but not present in published ads or other materials.

Figure 7: Various advertising materials published by the Cat
and featuring John Wick as the titular character

At one point, John Wick even offered to lead a training course to pass his document forgery skills to other ambitious template farmers, claiming that he is “the creator of the [passport cloud] service”, who “personally painted more than 200 templates” and “led a team of renders that conducted more than 10,000 template works”.

If true, such claims do lend some credibility to his document forgery expertise.

Figure 8: A forum post offering document "rendering" course,
led by John Wick and hosted on Discord

The original 404 Media report itself claimed direct communication with Wick, who stated that “they have started creating document templates three years ago” and “have been developing the document generator since mid-2022”.

But despite being a well-known pop-culture figure by now, the fame of John Wick alone did not likely put OnlyFake as one of the often referred to fake document providers.

The transformation into “OnlyFake” was likely even more crucial, and we'll now take a closer look at the rebranding itself and how the label “OnlyFake” came to see the light of day.

The big rebrand: “OnlyFake” officially in business

The original website, or rather websites, posing under the brand of OnlyFake have been around for at least several years.

One of the original root domains, onlyfake.org, was registered in February 2022 according to official domain registration data.

As could be expected, the domain registration data do not provide any tangible information on the domain registrants themselves.

Numerous other mentions of the website can then be identified via simple Google search between 2022 and 2024.

Figure 9: A so-called WHOIS (domain registration) record of the original onlyfake.org domain,
placing the domain's creation in February 2022

The first capture of the website within the Internet Archive database comes from January 2023.

Looking at the visual side of the website itself, there is not that much of a difference compared to the “passport cloud” template farm.

All of the listed template categories are the same, considering the visual style of the site (colors, elements, structure), everything seems almost identical.

Even the in-your-face “Generator 2.0” button, re-directing the visitor straight to account registration/login, was also previously used by the original “passport cloud” website.

Figure 10: While domain registration data point to the website being created in February 2022,
the Internet archive captures go only as far back as January 2023, indicating that
the site was getting set up for most of 2022 before being officially launched.

Considering this, the “transformation” of the template farm to OnlyFake really was not anything other than a name/domain change, at least in the beginning.

This would line up with what John Wick has told 404 media about developing the fake document generator—if the generator "was being developed since (roughly) mid-2022", the idea of creating this semi-automated tool was potentially what inspired the rebrand, and soon became the central focus of it.

Because as we now know, the Cat and John Wick had a much more ambitious vision for OnlyFake.

What could really then be considered as OnlyFake's true launch is the introduction of the so-called “Generator 3.0” in 2023.

Launching OnlyFake's “Generator 3.0”

In January 2023, the Cat posted a “coming soon” video teaser for a new version of OnlyFake.

Styled almost as a Hollywood-like trailer, complete with dramatic background music, the video announced “new templates” and a “mobile app” as the main new features of “Generator 3.0”.

Till today, the video accumulated almost 95k views—giving us a rough idea of how many people have seen posts linking to the teaser, either through forums or in Telegram channels.

Figure 11: A screenshot of the "Generator 3.0" teaser, which was posted in January 2023
and till today accumulated almost 95k views

The actual launch of the 3.0 version likely came a couple months later, with the Internet Archive captures indicating that the website operated under the new, “3.0” layout no later than in April 2023.

Figure 12: Internet Archive data place the shift of OnlyFake's website from the “2.0” version
to the “3.0” version somewhere between January and April 2023.

By the summer of 2023, Prostootrisovka boldly and repeatedly declared within respective forum threads that “the era of rendering documents using Photoshop is coming to an end”.

The main advertised features of the new OnlyFake version at the time were:

• Speed—batch generation of document using pre-prepared database (e.g. Excel sheet)

• Clever photo generation—generation of photos by age and gender with automatic cropping of the background

• Signature generation—generation of authentic signatures with background removal

• Algorithm for document numbering—an alleged advanced algorithm drawing on the experience of OnlyFake's creators with how special numbers on IDs such as passports are constructed (demonstrated, for example, by OnlyFake's “drawing manual” referenced above)

• Template quality—OnlyFake routinely boasts of having the highest quality templates available on the fake doc market

• AI Editor—a built-in AI editor for advanced photo and signature generation

• Innovation—OnlyFake claims to “have created more than 200 new templates” over the last year and a half, and redesigning the old ones.

Figure 13: A list of main features of "Generator 3.0", routinely advertised by the Cat in the last year and a half, including this ad still circulating on some monitored forums

Comparing this with the current style of OnlyFake's advertising, this has not really changed over the last year and a half.

But let's not be fooled here—the Cat's activity on monitored forums signals OnlyFake's admins keep adding and/or improving templates.

The key question that has not yet been entirely conclusively resolved is OnlyFake's declared implementation of AI into it fake document generation, and this is something we looked at in our original OnlyFake report as well.

How real is the utilization of AI?

So far, available information point to the fact that while some application of AI is happening, OnlyFake is far away from something that could be considered as fully AI-powered.

Despite claims from either the Cat or John Wick, “there is actually very little evidence of AI being used in the creation of the documents themselves”—a fact readily admitted even by the original 404 Media investigation.

The only two areas that seem to leverage genAI is “the a-la-carte generation of fake portraits and signatures—the trickiest parts of the forgery process”.

And despite all the hype and promise around generative AI, the reality is that the technology is still not at a point where it can generate complete documents from whole cloth. By its very nature, it struggles with consistency across generative attempts.

And given the limitations of fully generating a fake document via AI, it's no surprise that OnlyFake didn't rely on the technology alone.

Simply, the AI-related messaging of OnlyFake likely used the term as a marketing hook more than anything else.

And it is the advertising of OnlyFake that was likely the main driver behind the platform's seeming growth and position within the document fraud landscape.

Let's now look at OnlyFake‘s advertising in a broader scope.

OnlyFake's advertising—product updates, free trials, discounts and breached verifications

There's one aspect of OnlyFake's functioning we haven't gotten into yet, and that's its marketing and advertising activities.

Generally speaking, OnlyFake's advertising activities do not feature anything that could be considered especially innovative or different from other template farmers.

Regardless, it is intriguing to see how the Cat has developed its advertising over time, likely corresponding with the influx of OnlyFake's clients.

Within the forums and monitored Telegram channels, the Cat's communication can be divided into 3 main categories of content that occurs most frequently. These are:

• Product & platform updates—information on adding templates, fixing bugs, new active domains, tweaking the barcode/MRZ generators or the Cat's experience with running OnlyFake,

• Free trials & promo codes—information on various “seasonal” discounts or offerings of “document for a review”,

• Breached verifications—information on what verification checks have been breached and for which platforms, usually accompanied by a visual proof (screenshot of verified account or verification confirmation).

OnlyFake's Product Updates

How does the communication of Prostootrisovka look over time with respect to the development of the platform?

Within the monitored forums and on Telegram channels, Prostootrisovka has regularly provided updates to its audience regarding the current state of the platform, mostly revolving around various discounts, expanding the template catalog or updates on active domains and communication channels.

Take some of the main updates in 2022 when the Cat first started posting on these forums regularly:

• May 2022—the Cat announced a new domain, which corresponds both with the available domain registration data (the domain was registered in May 2022) and the internet archive data (which first captured the site in August 2022).

• July 2022—the Cat announced the publishing of a video on Telegram showing how document templates are created, styling himself as an educational figure of sorts in the world of professional document forgery.

• August 2022—more than a year after the flurry of initial OnlyFake announcements, the post mentions fixing of bugs related to document generation and adding of new US templates and changing the barcode generation technology

• November 2022—an announcement of an update related to MRZ generation and with Prostootrisovka stating that 120 identity documents of different countries have been “fixed”.

Figure 14: Examples of "Product Updates" routinely published by the Cat over time

From an analytical standpoint, these product features serve as some of the most convincing content linking the Cat or John Wick as the owners/operators of OnlyFake, as the idea that somebody would go to the very extreme lengths to fabricate and disseminate such content sounds like a way too stretched conspiracy theory with no clear objective behind it.

But the constant product updates also show that the Cat (or John Wick, for that matter), are very actively listening and communicating with its customers.

In other words, while automation might be applied to some of the document generation, all other sides of OnlyFake's businesses are still managed by an organized group of individuals.

OnlyFake's “free trials” and discounts

In some of the oldest forum posts we identified, the Cat is fishing for customers using the old “free trial” tactic.

As the platform likely did not have that much brand visibility in its beginnings, the Cat is simply declaring to provide a document for free to those who will, in turn, submit a review of OnlyFake to promote it further.

Figure 15: One of many forum posts where the Cat offers a free template in exchange for feedback on the forum, and the happy client then posts a feedback of the service.

This tactic brought the Cat first positive reviews of its templates and “customer service”, expectedly bringing in yet more business.

And his type of activity also highlights one other important finding, and that is the importance of Telegram channels for OnlyFake's business.

In the “review for feedback” post, the Cat clearly directs the forums' audience to Telegram, implying that all direct communication takes place there and not within forums themselves.

As OnlyFake's service likely grew, the Cat visibly moved on from “freebies for review” to a different strategy of promo codes and discounts

Having enough positive feedback and a stream of customers, these offerings of savings, especially for larger customers, also signify that the platform started to transform from an ambitious template farmer to a likely more organized, well-resourced operation that could offer to slash some percentages to invite more deals and fuel yet more growth.

Various discounts then start popping up in the second half of 2022,
and there are still promo codes being advertised right now.

Whether it's 10%, 15% or even 30%, the Cat usually communicates the discount using on of his favorite novel illustrations and emphasizing a possibility of individual discounts negotiated via Telegram.

Figure 16: Examples of forum posts advertising discounts, starting from a discount on template packages and progressing towards percentage-based discounts

But let's pose a simple question—what really is the biggest factor for steering a client towards a purchase?

It's not the discount, the branding, or the persona of the vendor.

It's knowing that the thing you're about to buy works, and this very much applies to fake documents as well.

Breached verifications as social proof

As evidenced above, Prostootrisovka emphasizes proactive communication with OnlyFake's clients through offering a free document/template in exchange for positive feedback.

But the idea of establishing a sort of “quid pro quo” and back-and-forth communication has clearly one more very important benefit for the platform, and that is clients' referrals on which platforms and their verification processes have been breached using OnlyFake-generated documents.

The Cat starts flooding the forums with these proofs of its document quality in the second half of 2023, usually obtaining these via Telegram messages.

Figure 17: October 2023 example of the Cat starting to routinely leverage feedback from customers on breached verifications

We attempted to make a coherent list of all such reported cases, and identified more than 50 companies whose verifications have allegedly been breached.

Most breached companies provide cryptocurrency services, and breaching of crypto platforms are also what allegedly kickstarted the industry-wide panic around OnlyFake's existence, with the author of the original 404 media report himself successfully verifying his identity on the cryptocurrency exchange OKX.

But various other sectors are also represented. Whether it's financial services, online marketplaces, content platforms, or even companies providing web hosting or data center services, it is evident that OnlyFake's clients don't limit themselves to any specific sectors.

On the contrary, they utilize OnlyFake's products to commit document fraud across the global economy.

This is as much true if we looked at breached companies' territoriality, with most of breached companies being headquartered in Europe and North America, but with companies located all across the globe.

Figure 18: The sector comparison of breached platforms shows most companies operate
in the cryptocurrency and financial services, while regional comparison
indicates most of these platforms are based in Europe.

What's the main takeaway here?

The fact that the “fraudster” community present on these forums and channels is willingly sharing information on breached verifications checks is crucial, as this mode of communication can fuel more and more attacks on the listed platforms.

Whether this is done by fraud enablers such as OnlyFake itself, when such information is shared as a social proof of the quality its templates, or when its shared by OnlyFake's happy customers as a form of review or further embedding in the community, the community-wide referrals on successful document fraud attempts add yet another threat layer that we need to proactively monitor (and do so).

Just consider that a single breach is successful, and it does highlight a verification vulnerability that can be exploited repeatedly. In such a case, the capabilities of committing fraud at scale increase not only via one organized group committing a series of attacks, but across the entire wider fraudster community.

The current state of OnlyFake

We spent plenty of space explaining OnlyFake's origins and development. But it is more than crucial to understand how the service functions now.

At the time of publication of this article, at least 3 primary domains run by either the Cat or John Wick (or both) are still operational, and the Cat is still (almost daily) active on several of the forums we keep monitoring.

It is clear that the media attention brought to OnlyFake by the original reports in the first half of this year did not hamper its operations, although the 404 follow-up to the initial article claimed the main site stopped functioning. 

Per the Internet Archive, the site was actually down between February and March 2024, with the archived screenshot from April 13 already showing the website in its original state on the primary domain.

Figure 19: After the 404 media reports from February 5-6, the original OnlyFake domain seemed
non-fuctional for about 2 months before returning to its original state

But ever-since April, the main OnlyFake site has been in business again.

Regarding advertising and communications on forums and Telegram channels, the activity never really stopped there.

So let's look at some of the main findings related to the current state of OnlyFake.

Active domains

Currently, 4 active domains can be traced back to the original OnlyFake. These are:

• onlyfake.org—the original OnlyFake domain, still functional

• passport-cloud.ru—one of the originally referred OnlyFake-related domains, this website still refers to “Generator 2.0”

• wh.onlyfake.org—a mirror site of the original domain, whose web archive data can be traced back to January 2024, likely created as a backup site in case the primary OnlyFake website was taken down or otherwise compromised

• passport-cloud.space—one of the originally referred domains when the Cat started advertising, this site actually looks significantly different from the others, not mimicking the OnlyFake look at all. Nevertheless, the site still advertises “generating most accurate barcodes”, big data consulting or data analytics, essentially looking as somewhat of a lorem ipsum website with few relevant information.

It is highly possible that more backup sites exist, and that the Cat or John Wick would be ready to re-open their template vaults should the currently active websites be taken down.

As previously discussed in or Doc Juicer article, the fact that the template repositories and the surrounding processes and communication channels are not tied to specific websites makes these farms virtually unkillable, ready to copy/re-create their point-of-sale websites or communication channels almost instantaneously.

Knowing that, we can rest assured that OnlyFake will continue to operate.

But what's the current pricing strategy and the so-called “ideal” customer profile?

“The Netflix of fake document creators”—OnlyFake's current pricing strategy

While “Generator 2.0” relied on what could be considered as the classic pricing model of “payment per template”, a significant shift was made with the release of “Generator 3.0” in 2023.

Similarly to the streaming platforms in pop culture that disrupted and in the end essentially transformed the movie and music markets, OnlyFake's owners decided to pivot to a subscription-based model that currently stands at the pricing you can see below:

• 1 document for $15,

• 10 documents for $99,

• 50 documents for $249,

• 150 documents for $499,

• 1,000 documents for $1,500.

Figure 20: A current version of OnlyFake‘s ad, utilizing the John Wick character and placing emphasis on template quality and very favorable pricing for large-scale customers

As is evident from the different tiers, the price per document decreases drastically, with OnlyFake's largest customers paying one tenth of the price per doc than single-document clients, whose purchases are only considered as “tests”.

OnlyFake then clearly favors and targets the large customers, which is not necessarily surprising given the profits they are likely to make off of organized groups committing fraud at scale, and OnlyFake's ability to generate thousands of documents simultaneously without the extra strain on manpower.

But the pivot to this pricing model, more than anything, implies that there is a significant demand for batch generation of documents, and first-party fraudsters looking for a single document to commit a simple, singular act of fraud, might increasingly be irrelevant to fraud enablers when compared to so-called serial fraudsters.

In short, the document fraud landscape is quickly shifting towards organized crime activity that is much more of a significant threat to businesses rather than hosts of small-time, first-party fraudsters.

Key insights and lessons

In this article, we strived to provide a detailed, yet comprehensive description and analysis of how OnlyFake transformed from a relatively standard template farm into one of the most well-know document fraud enablers of today.

We looked at how:

• OnlyFake initially started communicating and promoting its business,
• How it leveraged “the big rebrand” to OF and the seeming use of advanced technology,
• What techniques it used for advertising and acquiring customers,
• What it is now and how its re-positioning its pricing to accommodate serial fraudsters.

Considering that and the main points raised, there are several key lessons to take from OnlyFake's story:

1. FIRST, THERE WAS A TEMPLATE FARM
   
   OnlyFake's evolution started humbly as a basic template farm—one of many scattered across hidden corners of the internet. At this stage, there were no “game-changing” innovations or flashy claims of artificial intelligence.

   Yet, it was the Cat's relentless push to improve and expand offerings, combined with a willingness to adapt based on user feedback, that ultimately set OnlyFake on the trajectory to becoming a major market player.

   In other words, today's dynamic, automated identity-fraud engines can trace their origins back to something simpler. By studying how an ordinary template library morphed into a notorious, go-to resource for fraudsters worldwide, we learn that the building blocks for more advanced fraud-enabling services are often common and easily replicable.
   
   

2. BRANDING COMES BEFORE TECHNOLOGY
   

   
   The rebranding into “OnlyFake” wasn't just a cosmetic change; it was a strategic move to gain visibility, trust, and market share within the document-fraud ecosystem.

   By adopting a name reminiscent of a mainstream content platform—and by heavily marketing terms like “Generator 3.0” and “AI”—OnlyFake framed itself as a cutting-edge, sophisticated service long before its technology fully caught up to that promise, and likely never did anyway.

   This reveals a crucial insight: in the fraud underground, branding and perceived innovation can be just as powerful as actual technical leaps. Even partial or exaggerated claims of advanced capabilities are potentially enough to attract new customers.
   
   

3. EVERYTHING HAPPENS ON TELEGRAM
   
   Throughout OnlyFake's rise, Telegram emerged as the essential communications hub, where customers interact with the Cat and where critical exchanges—requests, updates, and testimonials—happen in near real-time. Rather than conducting business openly on forums or static websites alone, the platform leverages Telegram's semi-private and instant nature to cultivate a loyal community, nurture leads, and provide continuous support.

   This highlights that the true engine of modern fraud operations isn't just technology or branding—it's the ecosystem of trusted, agile communication channels. The ability to pivot quickly, respond to customer feedback, and maintain a permanent presence where the audience feels comfortable directly contributes to the platform's resilience and growth.
   
   

4. BREACHED VERIFICATIONS ACT AS SOCIAL PROOF, AND COMMUNITY-INSPIRED FRAUD RAISES THE THREAT LEVEL INSTANTLY
   

   
   One of OnlyFake's most powerful marketing tools is its publicized track record of breaching verification systems. Screenshots of successful account verifications on major companies or crypto platforms serve as “social proof,” instantly validating the quality and reliability of its templates. This feedback loop—clients share wins, encouraging others to try—fuels the platform's credibility in the eyes of would-be fraudsters and leads to a surge in demand for OnlyFake's services.

   Such community-driven endorsement magnifies the threat: as soon as vulnerabilities are confirmed through word-of-mouth, they are systematically exploited across a wider audience. The result is a fast-moving, ever-evolving cycle of fraud attempts targeting new sectors and geographies, raising the stakes for businesses and verification services providers alike.
   
   

5. SERIAL FRAUDSTERS ARE THE IDEAL CUSTOMER
   
   OnlyFake's pivot to a subscription-based, volume-discounted pricing model proves that it isn't interested in a single sale; it's optimizing for clients looking to create dozens, hundreds, or even thousands of documents. These large-scale buyers—often organized fraudsters—bring consistent revenue, provide robust feedback, and scale the platform's reputation as a serious, industrial-grade operation.

   This underscores a crucial lesson for businesses combating document fraud: well-resourced, methodical serial fraudsters can weaponize template farms like OnlyFake at scale, turning the verification processes of unsuspecting organizations into a revolving door of compromised credentials and persistent attacks.

OnlyFake's journey, from a simple template farm to a high-profile, community-driven document forgery engine, reflects the constant innovation and adaptation within the document fraud ecosystem.

WIth that in mind, each insight into its origins, brand strategy, communication methods, and sales approach highlights the urgent need to stay one step ahead.

Understanding these dynamics is then critical to building more robust defenses against not just OnlyFake, but the next wave of fraud enablers waiting in the wings.

We’ll be ready.

Want to learn more about template farms and serial fraud?

Sign up for the Threat Radar, or simply contact us and book a demo.