By NHI Mgmt Group Editorial TeamPublished 2026-06-18Domain: Identity Beyond IAMSource: Prove Identity

TL;DR: Account takeover fraud is rising sharply in digital marketplaces, with 21% growth from H1 2024 to H1 2025, 90% year-over-year attack growth on marketplaces, and more than 26 billion credential-stuffing attempts per month across the web, according to Prove Identity. Identity confidence, not just transaction rules, is becoming the control plane for fraud prevention.


At a glance

What this is: The article argues that account takeover fraud has become a structural revenue and trust problem for digital marketplaces, driven by credential stuffing, AI-enabled impersonation, and fraud-as-a-service.

Why it matters: Marketplace and gig platforms need identity-led controls because account compromise now drives chargebacks, refund abuse, churn, and operational cost, not just direct fraud losses.

By the numbers:

👉 Read Prove Identity's analysis of account takeover fraud in digital marketplaces


Context

Account takeover fraud is the abuse of legitimate user accounts after an attacker obtains or guesses working credentials. In marketplaces, that compromise is especially damaging because the account already carries trust, payment history, delivery access, or payout authority. The primary identity issue is that conventional login controls often detect the password problem too late, after the account has already become a fraud channel.

For IAM, fraud, and identity teams, the relevant question is not whether account compromise can be prevented perfectly, but whether the platform can continuously verify that the person or device using the account still matches the identity it was originally bound to. That is where marketplaces differ from ordinary consumer services: account integrity directly affects revenue, dispute rates, and trust in the transaction ecosystem.


Key questions

Q: What breaks when account takeover controls stop at login?

A: When controls stop at login, attackers can still exploit the account through recovery flows, payout changes, refund abuse, and trusted-device reuse. That means the platform measures authentication success while the real fraud happens later. Effective defence has to extend trust controls across the account lifecycle, not just the sign-in page.

Q: Why do marketplace accounts create a higher fraud risk than ordinary consumer logins?

A: Marketplace accounts often hold payment methods, loyalty balances, fulfilment permissions, or payout authority, so one compromise can affect both revenue and operational trust. The account is already pre-authorised by the platform, which makes post-compromise abuse easier to monetise. That is why identity continuity matters more in marketplaces than in low-value consumer services.

Q: How do security teams know whether identity-based fraud controls are working?

A: Look for reduced takeover success at login, fewer high-risk account changes, lower refund abuse, and fewer chargebacks linked to suspicious sessions. If the controls are working, suspicious recovery attempts should be challenged early and legitimate users should move through with minimal friction. Measurement should combine fraud loss data with account-change telemetry.

Q: Who is accountable when account takeover drives chargebacks and churn?

A: Account takeover accountability should sit across IAM, fraud operations, trust and safety, and finance because the impact is cross-functional. IAM owns the trust signals, fraud teams own decisioning, and finance tracks downstream loss. When those functions are separated, the organisation underestimates the true cost and responds too late.


Technical breakdown

Credential stuffing turns password reuse into mass account compromise

Credential stuffing is the automated testing of stolen username and password combinations against live services. It works because many users reuse passwords and because leaked credentials remain valid long enough to be exploited at scale. For marketplaces, the threat is amplified by saved payment methods, loyalty balances, and verified profiles that attackers can monetise quickly once they get in. The problem is not brute force in the classic sense. It is industrialised reuse of valid identity material across environments that were never designed to treat login as a high-volume attack surface.

Practical implication: teams need rate limiting, breached-password detection, and account risk scoring at login, not only after a transaction is attempted.

AI-powered social engineering lowers the skill barrier for account takeover

AI tools now help fraudsters craft more convincing phishing, impersonation, and support scams, while deepfake media can be used to defeat weak trust checks. That shifts account takeover from a narrow technical attack into a blended identity and trust abuse problem. In a marketplace, the attacker may not need to break authentication at all if they can persuade the platform or the user to hand over recovery channels, phone numbers, or device trust. This is why social engineering and account takeover increasingly overlap in the same incident pattern.

Practical implication: strengthen recovery and account-change workflows, because those paths are often easier to abuse than the primary login.

Continuous identity monitoring is the missing control layer for high-volume platforms

Marketplaces cannot rely on a single login event to establish trust for the rest of the session or lifecycle. Continuous identity monitoring combines device signals, network signals, behavioural consistency, and account-change telemetry so that a session can be re-evaluated when risk changes. That matters because many ATO campaigns begin with quiet access and only later pivot into payout diversion, refund abuse, or device substitution. Identity signals are therefore not just authentication inputs. They are fraud-detection signals that determine whether the account is still behaving like the known user.

Practical implication: feed identity telemetry into fraud decisioning at login, account recovery, payout change, and high-value transaction points.


Threat narrative

Attacker objective: The attacker aims to monetise trusted marketplace accounts at scale while avoiding immediate detection and maximising downstream financial abuse.

  1. Entry begins with credential stuffing, phishing, SIM swapping, or a fake recovery flow that produces working account access.
  2. Escalation follows when the attacker changes payout details, adds trusted devices, or harvests additional recovery control to preserve access.
  3. Impact occurs through refund abuse, chargebacks, stolen balances, customer churn, and operational cost that outlast the initial compromise.

NHI Mgmt Group analysis

Account takeover in marketplaces is an identity assurance problem before it is a fraud problem. Once an attacker controls a live account, transaction monitoring is already operating downstream of the real failure. The governance gap is weak identity continuity across login, recovery, payout changes, and session reuse. Practitioners should treat account integrity as a lifecycle control, not a one-time authentication event.

Identity trust gap: marketplaces often trust the account too long after the original proofing event. That assumption fails when stolen credentials, SIM swaps, and device substitution let an attacker inherit the account’s prior legitimacy. The field should move toward continuous verification of the account holder, the device, and the change request, because fraud commonly appears at the moment trust is updated, not at initial login. Practitioners should redesign trust to expire and re-evaluate.

Fraud-as-a-service has industrialised account takeover into a governance scaling problem. When toolkits, phishing kits, and AI-generated lures are cheap and accessible, the baseline threat is no longer a small number of skilled attackers. That means marketplace defence must be built for volume, not exception handling. Practitioners should align IAM, fraud, and trust-and-safety ownership around a shared control model.

The revenue impact of ATO is what forces identity teams to collaborate with finance and risk. Chargebacks, refunds, churn, and support cost show that account compromise is a balance-sheet issue as much as a security issue. That changes the governance conversation from detection performance alone to customer lifetime value protection, making identity assurance a measurable business control.

NHI-adjacent fraud infrastructure matters because attackers now automate identity abuse end to end. Recovery bots, scripted credential testing, and AI-assisted impersonation behave like non-human actors in the threat chain, even when the final victim is a human account. Identity teams should therefore watch for machine-driven abuse patterns that signal when fraud volume has crossed into automated campaign behaviour.

What this signals

Identity-led fraud prevention is becoming a programme design issue, not a point-in-time control choice. For marketplace teams, the practical signal is that authentication, recovery, payout change, and device trust must be evaluated as one continuous chain. The organisations that separate fraud from IAM will keep paying for the same compromise in different cost centres.

Verified identity signals are now part of operational resilience for transaction platforms. If trust can be re-established continuously, platforms can reduce chargeback exposure without increasing customer friction. That creates a clear governance outcome: the identity programme becomes measurable in loss avoidance, not just login success.

The broader market signal is that ATO defence is moving toward lifecycle trust orchestration. Teams should expect more convergence between IAM, fraud analytics, and customer experience controls, because account compromise is now a business continuity problem as much as a security one.


For practitioners

  • Implement continuous account risk scoring Score login, recovery, payout changes, and device substitution with the same identity telemetry so risk is evaluated at each trust boundary, not just at authentication. Link anomalous behaviour to step-up controls before funds or account settings change.
  • Protect account recovery as a privileged path Treat reset, recovery, and support workflows as higher-risk than ordinary sign-in. Require stronger verification for SIM changes, email changes, and payout edits, and log these events separately for fraud review.
  • Use breached-credential and device intelligence together Block known compromised credentials and correlate them with device reputation, IP intelligence, and behavioural consistency. A single signal is weak; the control is the combined view of credential quality and session trust.
  • Align IAM and fraud operations around account integrity Create a shared operating model for identity, trust and safety, and finance so chargebacks, refunds, and account compromise are investigated as one problem set. The goal is faster containment and better attribution of revenue loss.
  • Instrument lifecycle events for payout abuse Flag changes to payout destinations, shipping addresses, recovery channels, and trusted devices as high-value events that require review, especially when they occur shortly after first access from a new device or location.

Key takeaways

  • Account takeover in marketplaces is best understood as a lifecycle trust failure, because the attacker exploits the account after login rather than by defeating login alone.
  • The scale is now large enough to affect revenue planning, with marketplace attack rates, credential stuffing, and downstream chargeback costs all rising together.
  • Controls that combine identity telemetry, account-change protection, and continuous risk scoring are the most relevant response for teams that need to reduce fraud without adding friction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BPassword reuse and login assurance are central to credential-stuffing ATO.
NIST CSF 2.0PR.AC-1ATO prevention depends on strong identity and access control at the point of authentication.
GDPRArt.32Marketplace account compromise can expose personal data and trigger security obligations.
NIST SP 800-53 Rev 5IA-5Credential management and reuse resistance are directly relevant to credential stuffing.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle controls are central to preventing post-login abuse and account changes.

Strengthen authenticator assurance and breached-password handling for high-risk marketplace accounts.


Key terms

  • Account Takeover: Account takeover is the unauthorised use of a legitimate user account after an attacker obtains working access through stolen credentials, phishing, SIM swapping, or recovery abuse. The key risk is not just entry, but the attacker inheriting the trust, payment context, and permissions already attached to the account.
  • Credential Stuffing: Credential stuffing is the automated testing of leaked username and password combinations across live services. It succeeds because many users reuse passwords and because the attacker is not guessing from scratch. In practice, it turns identity data breaches elsewhere into direct account compromise here.
  • Identity Confidence: Identity confidence is the degree to which a platform can trust that a returning user, device, or session still matches the verified identity originally bound to the account. It is built from multiple signals, including device history, behavioural consistency, and network context, and it changes over time.
  • Continuous Authentication: Continuous authentication is the process of re-evaluating trust during a session rather than only at login. It uses risk signals such as device shifts, SIM changes, and unusual account activity to decide when step-up checks or containment are needed, especially for high-value actions.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • How Prove models identity confidence across login, recovery, and payout-change events for high-volume marketplaces
  • Examples of continuous authentication signals such as device binding, SIM changes, and number portability events
  • The specific way Prove ties verified identity signals to frictionless user journeys in marketplace and gig workflows
  • What the vendor says about identity continuity across the entire customer lifecycle and why it matters for fraud loss attribution

👉 Prove Identity's full blog covers the ATO attack chain, cost multipliers, and identity-led prevention model in more operational detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity for practitioners responsible for trust boundaries and access control. It is designed for security and identity teams that need a common operating model for non-human and human identity risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org