By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Governance & Risk
Source: SumSub

TL;DR: Synthetic identities are built from real and fabricated data, can pass onboarding for months or years, and then bust out at scale, according to SumSub’s conversation with fraud investigator Steve Lenderman. The threat now spans fintech, payroll, government programmes, and AI-assisted fraud, which means identity controls must move beyond static verification to behavioural detection and lifecycle scrutiny.


At a glance

What this is: An analysis of synthetic identity fraud. The key finding is that fabricated identities can survive onboarding controls long enough to create delayed, high-loss bust-out events.

Why it matters: IAM, fraud, and identity governance teams need shared controls for onboarding, monitoring, and offboarding across the human identity programmes that synthetic fraud now exploits.


👉 Read SumSub's conversation on synthetic identities, bust-out fraud, and AI-assisted abuse


Context

Synthetic identity fraud is the creation of a believable but fake identity by combining real data fragments with fabricated attributes. In practice, the identity looks valid at onboarding, then accumulates trust over time until it can be used for a bust-out event, which makes it a governance problem as much as a fraud problem.

For IAM and identity governance teams, the issue is not only whether the initial check passes. The harder problem is whether the programme can keep validating legitimacy after account creation, across behaviour, device signals, and downstream privilege changes, because static approval alone does not expose an identity that is built to age into legitimacy.

The article’s framing is typical of the current market reality: synthetic identity abuse is no longer confined to credit cards. It is now a cross-sector identity lifecycle issue that reaches fintech, payroll, government programmes, and other environments where trust is granted early and reviewed too late.


Key questions

Q: How should organisations detect synthetic identities after onboarding?

A: They should treat onboarding as the start of verification, not the end. The strongest signals come from later behaviour, including dormancy followed by sudden activity, device reuse, repeated attribute patterns, and mismatches between identity age and value extracted. Continuous monitoring matters because synthetic identities are designed to look legitimate long after initial approval.

Q: Why do synthetic identities cause such large losses?

A: They cause large losses because they are built to earn trust before they are used. A synthetic identity may remain active for months or years, which lets it move deeper into workflows, avoid scrutiny, and then extract value in a bust-out event. The longer the identity survives, the larger the eventual loss can be.

Q: What do security teams get wrong about synthetic identity fraud?

A: They often assume fraud can be solved at account creation. In reality, synthetic identity fraud is a lifecycle problem. If programmes do not re-check legitimacy after onboarding, they miss sleeper accounts, delayed monetisation, and the behavioural drift that reveals the identity was never real.

Q: Who should own synthetic identity risk in an organisation?

A: Ownership should be shared across IAM, fraud, risk, and operations because the problem crosses onboarding, access, and transaction stages. When only one team owns it, the organisation misses the identity signals that appear in other systems and loses the chance to stop abuse before the bust-out stage.


Technical breakdown

How synthetic identities establish initial trust

Synthetic identities work by assembling enough real-world data to satisfy onboarding checks, then layering fabricated attributes around that core. The goal is not immediate theft but believable persistence. Once an account clears identity proofing, downstream systems often treat it as low-risk unless something later breaks the behavioural pattern. That creates a gap between verification and ongoing trust. Device reputation, document signals, and identity proofing are useful, but they are strongest at entry, not at proving long-term legitimacy.

Practical implication: treat onboarding as the start of assurance, not the end of it, and pair proofing with continuous risk scoring.

Why sleeper accounts enable bust-out fraud

Sleeper accounts are identities that remain quiet long enough to avoid scrutiny, then suddenly move money, open credit, or trigger other value extraction. Their effectiveness comes from patience and staged trust accumulation. The fraud does not look suspicious when the identity is young, which is why narrow monitoring windows miss the pattern. The technical challenge is correlation over time, not a single anomalous event. Behavioural drift, funding patterns, and device reuse become more revealing than initial registration data.

Practical implication: correlate identity age, transaction timing, and behavioural drift instead of relying on point-in-time approval signals.

How AI-assisted fraud changes synthetic identity scale

AI-assisted fraud lowers the cost of generating plausible identity fragments, including names, documents, profile details, and synthetic businesses. That changes the economics of abuse more than the mechanics of verification. Defenders are no longer dealing only with handcrafted fake identities but with volumes that can be iterated, tested, and tuned quickly. The defensive answer is not only stronger front-door checks. It is a broader telemetry model that can connect identity, device, behaviour, and relationship signals across the full lifecycle.

Practical implication: expand detection to include cross-channel behavioural intelligence and shared fraud signals across business units.


Threat narrative

Attacker objective: The attacker seeks to convert a trusted-looking account into delayed financial gain, access, or benefit extraction at scale.

  1. Entry occurs when a fraudster creates a synthetic identity from real and fabricated data that passes initial onboarding checks.
  2. Credential and account abuse begins as the identity behaves normally long enough to earn trust and avoid review.
  3. Impact arrives when the account busts out, extracting value before the business detects the identity was never legitimate.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Synthetic identity fraud is an identity governance failure, not just a fraud-control failure. The core problem is that programmes often treat onboarding as a binary decision instead of the first checkpoint in a longer trust lifecycle. Once an identity is accepted, many controls assume the subject remains the same as the one originally verified. That assumption breaks when the identity is synthetic and intentionally designed to mature into legitimacy. The implication is that identity assurance must be maintained across the full account lifecycle, not only at creation.

Delayed bust-out behaviour exposes a trust accumulation gap. Synthetic identities succeed because they can remain dormant or low-noise until they have enough tenure to trigger higher-value actions. This is not a simple evasion of a single control. It is the exploitation of a programme that equates time-in-system with trustworthiness. Behavioural review, device continuity, and relationship analysis matter because they surface identities that are accumulating trust without accumulating legitimacy.

Bot-generated identities and AI-assisted fraud create a named concept: synthetic trust at scale. The industrialisation of fake identities means defenders are no longer facing isolated cases but repeatable identity generation pipelines. That changes the problem from case management to control design. The implication is that IAM, fraud, and governance teams need shared telemetry and shared thresholds before fraud volume overwhelms manual review.

Cross-sector synthetic identity abuse shows that the attack surface is now organisational, not departmental. The same identity logic can be used against fintech, payroll, government benefits, and other trust-dependent systems. That means the governing assumption that fraud is owned by one team no longer holds. Practitioners need a single view of identity risk across onboarding, transaction monitoring, and account lifecycle review.

Identity programmes that do not re-validate legitimacy over time create their own exposure window. The longer a synthetic identity remains undetected, the more embedded it becomes in operational systems and reporting. That makes the eventual loss larger and the forensic picture harder to unwind. The practitioner takeaway is clear: long-lived accounts without continuing legitimacy checks become liabilities in waiting.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • The 52 NHI Breaches Analysis shows that repeated identity exposure patterns, not isolated mistakes, are what turn credential issues into durable compromise.

What this signals

Synthetic trust: The programme risk is not just fake onboarding; it is trust that compounds after approval. Teams should expect attackers to exploit the gap between initial verification and later behavioural review, especially where transaction, payroll, or benefits workflows grant value before legitimacy is continuously rechecked.

Organisations that already struggle with offboarding discipline in non-human identity estates will recognise the pattern: once trust is granted, it tends to persist. The same governance weakness that leaves machine credentials alive too long also gives synthetic human identities room to age into credibility, which is why shared lifecycle discipline matters across identity domains.


For practitioners

  • Add lifecycle re-validation after onboarding: Require periodic legitimacy checks for accounts that have passed initial proofing, with higher scrutiny for dormant, low-activity, or newly activated identities that suddenly change behaviour.
  • Correlate device, behaviour, and relationship signals: Use behavioural intelligence to detect shared device patterns, repeated application attributes, and unusual account-age to value-action timing across customers or beneficiaries.
  • Create bust-out detection thresholds: Flag accounts that stay quiet and then rapidly increase transaction volume, funding, or benefit claims after a long period of apparent normality.
  • Unify fraud and IAM telemetry: Link onboarding, access, and fraud-review signals so synthetic identities can be detected before they accumulate enough trust to cause material loss.
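The correlation described under "Why sleeper accounts enable bust-out fraud" and the bust-out threshold and signal-correlation items above, as an added example written for this page (not SumSub's or NHIMG's detection logic): it scores a constructed ledger of three accounts on three independent signals, a volume spike against the account's own best prior week, dormancy immediately before the burst, and a burst device shared with another account, and escalates only when signals corroborate each other. Account and device ids, amounts, and the thresholds (7-day burst window, 60-day dormancy, 5x spike ratio) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger, not real data: (account_id, timestamp, amount, device_id).
EVENTS = (
    [("A", datetime(2025, m, 15), 40.0, "dev-1") for m in range(1, 11)]  # steady low activity
    + [("A", datetime(2025, 11, 3), 1500.0, "dev-9"), ("A", datetime(2025, 11, 4), 2200.0, "dev-9")]
    + [("B", datetime(2025, 1, 10), 25.0, "dev-2")]  # sleeper: one early event, then silence
    + [("B", datetime(2025, 11, 2), 900.0, "dev-7"), ("B", datetime(2025, 11, 5), 1800.0, "dev-7")]
    + [("C", datetime(2025, m, 5), 300.0, "dev-3") for m in range(1, 11)]  # regular monthly use
    + [("C", datetime(2025, 11, 6), 310.0, "dev-7")]  # one event on a device B also used
)
DEMO_NOW = datetime(2025, 11, 8)  # assumed evaluation time for the sample

def max_window_total(history, window):
    """Largest total in any window-long span anchored at a past event: the account's own baseline."""
    return max((sum(a for t, a, _ in history if ts <= t < ts + window) for ts, _, _ in history), default=0.0)

def bust_out_signals(events, now, burst_days=7, dormancy_days=60, spike_ratio=5.0):
    """Per-account signals; no single one is proof, their co-occurrence is the bust-out pattern."""
    by_acct, by_device = defaultdict(list), defaultdict(set)
    for acct, ts, amount, device in events:
        by_acct[acct].append((ts, amount, device))
        by_device[device].add(acct)
    window, report = timedelta(days=burst_days), {}
    for acct, rows in by_acct.items():
        rows.sort()
        history = [r for r in rows if r[0] < now - window]
        burst = [r for r in rows if r[0] >= now - window]
        burst_total = sum(a for _, a, _ in burst)
        baseline = max_window_total(history, window)
        gap = (burst[0][0] - history[-1][0]).days if burst and history else 0
        signals = []
        if burst and burst_total >= spike_ratio * max(baseline, 1.0):
            signals.append("volume_spike")        # recent week dwarfs any previous week
        if gap >= dormancy_days:
            signals.append("dormant_then_active")  # long quiet period right before the burst
        if any(len(by_device[d]) > 1 for _, _, d in burst):
            signals.append("shared_device")       # burst device also seen on another account
        report[acct] = {"signals": signals, "burst_total": burst_total,
                        "baseline_week_max": baseline, "dormancy_days": gap}
    return report

def flag_for_review(report, min_signals=2):
    """Escalate only where independent signals corroborate each other."""
    return sorted(a for a, r in report.items() if len(r["signals"]) >= min_signals)

if __name__ == "__main__":
    rep = bust_out_signals(EVENTS, DEMO_NOW)
    print(rep, "\nescalate:", flag_for_review(rep))  # escalate: ['B']
```

Account A's spike alone and account C's shared device alone each stay at one signal, so neither is escalated; the sleeper B, which spikes after 296 quiet days on a device seen elsewhere, is.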

Key takeaways

  • Synthetic identities exploit a governance model that trusts onboarding too much and lifecycle review too little.
  • The main risk is delayed loss, because these accounts can remain credible long enough to bypass normal scrutiny before busting out.
  • Continuous behavioural validation, not static verification alone, is the control that changes the outcome.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to catch synthetic identities after onboarding.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Trust should be re-evaluated as identity context changes over time.
NIST SP 800-63 | | Identity proofing and session assurance are relevant to synthetic onboarding risk.

Reinforce proofing with ongoing risk checks instead of treating registration as final assurance.


Key terms

  • Synthetic Identity: A synthetic identity is a fabricated person or account built from a mix of real and invented data. It can pass initial checks because each piece looks plausible on its own, but the identity has no legitimate real-world owner and is designed to survive long enough to extract value.
  • Bust-Out Fraud: Bust-out fraud is the moment a trusted-looking account is used to take maximum value and then abandoned. The account may appear healthy for a long period, which is why lifecycle monitoring matters more than point-in-time approval. The loss often arrives late and at scale.
  • Sleeper Account: A sleeper account is an identity that stays quiet to avoid review and then becomes active when the attacker is ready to monetise it. The account’s value comes from patience, not speed, which makes behavioural drift and timing signals more important than creation-time checks.
  • Behavioural Intelligence: Behavioural intelligence is the use of activity patterns, timing, device continuity, and relationship signals to judge whether an identity is acting like a legitimate user. It is especially useful when static verification has already passed, because fraud often reveals itself after the first approval stage.

Deepen your knowledge

Synthetic identity lifecycle governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for long-lived accounts that can turn into losses later, it is worth exploring.

This post draws on content published by SumSub: What happens when a fraudster does not steal an identity but builds one from scratch? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org