03 Dec 2025 in Identity fraud

5 Identity Verification Incidents That Shook 2025

Andrey Terekhin

Head of Product, Regula

Henry Patishman

Executive VP, Identity Verification solutions

Jan Stepnov

Identity Verification Expert, Regula

Regula’s recent study highlights a disturbing trend in identity verification: biometric fraud, identity spoofing, and deepfakes ranked among the top threats faced by companies worldwide. A third of respondents from aviation, banking, crypto, fintech, healthcare, and telecom confirmed experiencing them. 

While the numbers are concerning, real incidents speak louder than statistics.

In this article, we break down five identity verification attacks that stood out in 2025 — worth mentioning due to their impact, scale, or unusual nature. Alongside each case, we’ll look at the tools that could have prevented them, and that may help others stay ahead of similar threats.

#1 Discord age-verification data breach

Let’s start with the most recent example. In October 2025, sensitive data of around 70,000 Discord users worldwide was exposed. The leaked data included government-issued ID photos, names, emails, IP addresses, and user support messages. 

All of this information had been submitted to the chat and messaging platform as part of its age verification procedure. According to the company’s policy, users locked out of their accounts were required to upload a photo ID and their Discord username to regain access to the platform. 

The breach didn’t originate from Discord itself but from a third-party age verification provider used by the platform. The service was hacked, and the attacker attempted to extort a ransom from the compromised vendor.

Expert opinion: 

This breach highlights a less obvious risk. Many digital platforms now face new age-check regulations, such as the UK's Online Safety Act, but aren’t yet equipped to comply securely. As a result, the platforms that collect copies of ID documents for compliance quickly become attractive targets for hackers.

In practice, different age verification approaches are used to reduce such risks, going beyond simply checking an ID for date of birth. It may also involve facial biometric-based age estimation. Implementation methods vary as well. Some companies opt for on-premise software that keeps all customer data stored locally on their own servers.

Businesses in banking and fintech — industries with long-standing compliance experience — can offer valuable lessons to newer players navigating these requirements.

Andrey Terekhin, Head of Product at Regula

#2 Identity theft at Coinbase

Unfortunately, no internal security policy can fully eliminate insider threats. In May 2025, Coinbase, a major crypto exchange, faced exactly that. 

Cybercriminals bribed the company’s overseas support agents to steal users’ personal data, including names, emails, phone numbers, addresses, partial Social Security numbers, bank account info, and even images of ID documents. The breach affected less than 1% of Coinbase’s customers, but that still means tens of thousands of users.   

For the victims, the damage didn’t end there. Their data was used in phishing scams, with attackers impersonating Coinbase to trick users into transferring funds. Additionally, the cybercriminals demanded a $20 million ransom in exchange for not releasing the data. Instead, Coinbase reported the incident, reimbursed affected users, and offered a $20 million reward for information leading to the attackers’ arrest.

Expert opinion:

The Coinbase case shows how fragile identity becomes once insiders are compromised. Attackers didn’t need to bypass customer verification — they simply bribed support agents who already had broad access to personal and KYC data.

For remote and outsourced teams, this means two things: first, treat employee and contractor onboarding like client KYC checks, using strong document and biometric verification; second, tightly limit and monitor what each role can access and export.

Generative AI only adds urgency, turning stolen identity data into highly convincing phishing and impersonation attacks.

Jan Stepnov, Identity Verification Expert at Regula

#3 Aadhaar biometric forgery ring

This case highlights one of the biggest concerns about centralized, government-backed databases that store personal details, including biometrics. The risk isn’t just about potential data breaches due to poor security — it also includes sophisticated fraudulent attacks that target the system itself. 

In April 2025, Indian authorities uncovered a fraud ring that compromised the Aadhaar national ID system. By exploiting loopholes in the Unique ID Authority’s enrollment software and working with hundreds of paid “retailers,” the perpetrators illegally updated the personal and biometric data of over 1,500 Aadhaar ID card holders. 

For example, fraudsters changed names, birthdates, and linked phone numbers for clients willing to pay for unauthorized modifications on their documents. To do this, criminals used tools such as cloned credentials and iris scans of legitimate Aadhaar operators, silicone fingerprints, and tampered biometric scanners. As a result, fraudulent transactions were processed as if they were authorized.

Currently, four key suspects have been detained. Indian officials have also begun enhancing the system by introducing measures like facial recognition verification for high-value transactions.

Expert opinion:

The incident revealed critical weaknesses that should not exist in large-scale biometric ID databases. It calls for stronger oversight, not just for government systems, but also for smaller systems run by private businesses. 

Nevertheless, biometrics remains one of the most reliable verification methods — when implemented correctly. This includes safeguards such as on-premises software deployment, robust identity and access management policies, and extra checks for high-risk transactions — from both the employee’s and the customer’s side.

Henry Patishman, Executive VP, Identity Verification solutions at Regula

#4 US Medicare account hijacking

Identity theft remains a major challenge in healthcare. What makes it worse is how hard it is to trace identity thieves, leaving providers to deal with the aftermath. 

In May 2025, the US Centers for Medicare & Medicaid Services (CMS) revealed that fraudsters had created over 100,000 online accounts for Medicare beneficiaries using stolen personal data.  

The scheme was detected after victims reported receiving unexpected mail confirming new Medicare.gov accounts they hadn’t set up. Bad actors had used details like names, birthdates, ZIP codes, and Medicare ID numbers (obtained from unknown external sources) to register unauthorized profiles, opening the door for impersonation. 

These fake accounts could also have granted access to patients’ sensitive medical data, such as service dates, diagnoses, provider names, and insurance claims. 

All fraudulent accounts were quickly deactivated. Affected individuals were notified, urged to stay alert, and given new Medicare ID numbers. 

While financial losses were avoided, the incident shows how static personal data alone can be enough to bypass identity verification on government websites.

Expert opinion:

In countries like the US, where healthcare combines public and private systems instead of following a universal model, fraud is still a common and effective tactic. Scammers often impersonate patients to get expensive treatments or medicines, leaving real patients to deal with the bills.

Unfortunately, these attacks frequently target vulnerable groups. Take Medicare, for example, a program serving mostly seniors, many of whom have limited awareness of digital threats.

There’s no simple fix for the problem. But robust identity verification based on users’ biometrics, stronger security, and public education can go a long way toward protecting people and systems from such incidents.

Henry Patishman, Executive VP, Identity Verification solutions at Regula

#5 Deepfake CEO scam on Zoom

The rise of advanced and affordable deepfake technology has completely changed the identity fraud landscape — both for scammers and businesses. Today, bad actors can use realistic fake images, videos, or audio clips to impersonate anyone — from politicians to company executives.

In March 2025, a finance director at a multinational firm in Singapore was nearly tricked after joining a Zoom call with what he believed was his CEO and other top leaders. In reality, criminals had used deepfake video avatars, mimicking their faces and voices. Bad actors aimed to get the director to transfer about $500,000 for a so-called confidential deal. 

The scam almost worked. The director initially sent the money to a scammer-controlled account without suspecting anything. But when the fraudsters asked for an additional $1.4 million, he grew suspicious and alerted the bank. Fortunately, the funds were frozen and recovered before they could be withdrawn. 

Singapore police urged businesses to verify unusual requests, even if they appear to come from familiar faces on video.

Expert opinion:

This case set off alarm bells globally, showing just how sophisticated deepfake-driven fraud has become. This technology is more advanced than traditional presentation attacks, and fraudsters have quickly adapted it for social engineering. 

The threat isn’t limited to impersonating real people. Fraudsters can now create entirely synthetic identities from ground zero, complete with fake, but realistic, ID documents.

Businesses must act fast. That starts with raising employee awareness about deepfake threats and investing in stronger protections. The anti-deepfake toolkit should include biometric verification with liveness detection and extra checks for high-risk customers and sensitive transactions.

Andrey Terekhin, Head of Product at Regula

Key takeaways

In 2026, companies need to take a proactive, not reactive, stance on identity fraud detection and prevention. Here’s what to focus on:

  • Stricter regulations are expanding into industries previously seen as “lightly regulated.” Newcomers should avoid relying on quick-fix solutions. Instead, they should invest in end-to-end identity verification systems that provide security, scalability, and compliance from day one. 

  • Data breaches remain a goldmine for fraudsters. Companies must regularly review and strengthen their identity and access management policies. Insider threats should be treated as a real and rising risk and addressed through tighter controls and ongoing monitoring.

  • Government services must step up their protection of digital identity systems. As more countries adopt non-physical IDs, it's vital to secure not only the digital documents themselves but also the back-end databases that hold sensitive personal data. 

  • Industries like healthcare and hospitality often treat identity checks as basic admin tasks. This mindset makes them easy targets for scammers. To reduce the risk of impersonation and costly fraud, these sectors need to integrate secure identity verification into their core risk policies.

  • Deepfakes aren’t going away — they’re getting better. Organizations must strengthen their verification tools with liveness detection and other anti-deepfake technology. At the same time, customers need education: knowing what to look out for can stop fraud before it starts.
