The Market for Stolen Personal Data Is Feeding a New Fraud Wave in 2026 Around the World

_c39671a0-862c-42d6-a966-5b6899140a1f

Names, birth dates and ID numbers are being bundled and sold to buyers who want ready-made profiles.

WASHINGTON, DC, March 27, 2026.

The global fraud wave in 2026 is not being powered only by clever phishing messages or isolated hacks. It is being fed by inventory, stolen personal data that can be sorted, bundled, repackaged, and sold to buyers who want a usable identity profile rather than a random pile of information. That shift matters because the criminal value is no longer just in stealing data. It is in turning data into a product that can support scams, fake applications, account takeovers, and synthetic identities across borders. Recent FTC fraud-loss data shows just how large the broader fraud environment has already become.

For ordinary people, that means the danger does not begin only when money disappears from an account. It may begin much earlier, when a breach exposes a birth date, phone number, passport number, email address, or other identity detail that seems harmless on its own but becomes powerful once combined with other pieces. What fraud networks increasingly want is not perfect information. They want enough information to build a believable person. Recent reporting on the Odido customer data breach illustrates how exposing ordinary consumers’ details can fuel subsequent fraud.

That is why the stolen-data market matters so much in 2026. It sits upstream from many of the frauds people notice later. A victim may see a fake loan application, a suspicious login, a bank transfer, or a tax problem. But behind those events, there is often a quieter stage in which personal information is gathered, sorted, and sold long before the victim ever knows it has value to someone else.

The criminal product is no longer just the breach; it is the profile.

A decade ago, a major data breach was often understood as the main event. In 2026, the breach is usually only in the supply stage.

What matters next is curation. Fraud actors and brokers can separate high-value records from low-value ones, match one dataset against another, and create bundles that are more useful than any single leak on its own. A name paired with a birth date, address history, phone number, and account clue is far more valuable than a standalone email address. A package containing government ID data, banking signals, or breached credentials is even more valuable. Once organized this way, personal data stops looking like digital debris and starts looking like inventory. The latest annual breach tracking from the Identity Theft Resource Center shows why so much material is available for that kind of packaging.

That is one reason the problem feels bigger now. Fraud rings do not always need to steal the data themselves. They can buy it, refine it, and use it. The underground economy has become modular. One actor compromises the system. Other aggregate records. Another sells them. Another uses them to support phishing, account takeover, mule recruitment, or synthetic identity fraud. That division of labor helps explain why so many criminal schemes scale so quickly once a large pool of personal data starts circulating.

Ready-made bundles are making it easier to launch global fraud.

The most worrying development is not just that data is stolen, but that it is increasingly sold in forms that reduce the buyer’s work.

A fraudster trying to open accounts, impersonate a consumer, or seed a synthetic profile does not want to spend weeks assembling fragments from scratch. The market now rewards sellers who can deliver more complete sets, names, dates of birth, phone numbers, email addresses, government ID details, and sometimes account or device clues that make the target easier to exploit. That kind of packaging lowers the expertise needed to commit identity crime. A buyer does not need to be an elite hacker once the groundwork for identity is already in place.

Recent reporting has made that ecosystem harder to dismiss as a niche dark-web story. In its March sanctions action, the UK targeted a crypto platform that authorities said was used to distribute stolen personal data and support scam operations. Reuters’ coverage of that sanctions case showed how identity-related data now sits alongside fraud-enabling services inside a wider transnational market for deception and money movement. That is a sign of how mature the business has become. These are not just random files passing between criminals. These are components in an organized fraud supply chain.

The data does not have to look dramatic to be dangerous.

One reason the market keeps growing is that consumers often underestimate what counts as useful personal data.

A full financial record is obviously sensitive. But names, phone numbers, email addresses, dates of birth, and passport details can also be valuable, especially when mixed with other records. Reuters reported that hackers claimed to have stolen data on millions of customers from Dutch telecom company Odido, including names, telephone numbers, email addresses, bank account numbers, birth dates, and passport numbers. That kind of record set is exactly what turns a generic fraud attempt into a targeted one.

It also helps explain why fraud feels more personalized in 2026. Scam messages are more convincing when the sender already knows something true. Account recovery attacks are more effective when the attacker has accurate profile details. False applications are more likely to pass when they are built on real anchors rather than pure invention. The criminal advantage comes from blending truth and fiction until the resulting profile looks ordinary enough to survive early scrutiny.

Synthetic identity fraud is one of the clearest downstream effects.

Not every buyer of stolen personal data wants to impersonate one complete real person. Some want to build a new one.

The U.S. Government Accountability Office has described synthetic identity fraud as a growing concern in which criminals combine real and fictitious information to create identities used to defraud financial institutions, government agencies, or individuals. That is where stolen personal data becomes especially dangerous. A real Social Security number or other authentic identifier can be paired with a false name, invented address history, or newly created digital footprint to produce an applicant who looks plausible enough to enter the financial system. The GAO’s review of synthetic identity fraud reflects how difficult this problem has become for institutions trying to separate thin-file applicants from manufactured ones.

For the public, that means personal information can fuel fraud even when the final fake profile does not look exactly like the victim. A child’s identifier, an older adult’s dormant file, or scattered breach data tied to an ordinary consumer can all become raw material. The victim may not immediately see the fraud. The first institution to feel the damage may be a lender, payment platform, or telecom provider that approved the manufactured identity.

The global loss picture keeps getting worse.

The financial backdrop helps explain why buyers keep showing up for these data bundles. According to the Federal Trade Commission, consumers reported losing more than $12.5 billion to fraud in 2024, a sharp jump from the prior year. Identity theft remained one of the FTC’s largest complaint categories, and the agency said it received more than 1.1 million identity theft reports through IdentityTheft.gov. Those numbers do not prove that every loss started with a stolen data bundle, but they show the size of the fraud environment that these data markets are feeding.

The supply side is also expanding. The Identity Theft Resource Center said in January that it tracked 3,322 data compromises in 2025, a record high and a 79 percent jump over five years. It also said many notices still lack enough detail for victims to understand what happened. That matters because a bigger flow of compromised data, combined with weak public clarity, gives criminal sellers more material and victims less ability to respond intelligently.

This is why the wave of fraud now crosses borders so easily.

Once personal data is digitized, packaged, and sold, geography becomes less important to the criminals than usability.

A record leaked in one country can support an account-opening fraud in another. A passport detail exposed in a telecom or retail breach can later make a phishing call more convincing somewhere else. A bundle bought through one marketplace can be used by a scam network, a mule recruiter, or a synthetic identity ring operating on a different continent. This is one reason governments often struggle to describe the full scale. They tend to measure breaches, scams, payment fraud, and identity theft in separate categories. Criminal networks treat all of them as connected uses for the same underlying resource.

The result is a world in which stolen personal data behaves like a tradable commodity. It can be moved, priced, bundled, refreshed, and resold. And because many fraud schemes now require less technical sophistication than the initial theft, the pool of downstream buyers is larger than many people assume. The market does not need every buyer to be highly skilled. It only needs enough buyers who know how to turn a ready-made profile into money.

The line between lawful identity change and criminal identity packaging still matters.

As identity crime grows, public confusion about identity itself also grows. That confusion helps criminal sellers, who often market illegal shortcuts in language that sounds official, discreet, or legitimate. There is an important difference between underground trafficking in stolen personal data and lawful identity-change processes handled through official channels. Readers trying to understand that distinction more clearly can compare the illegal bundling economy with the regulated identity-change framework described in this overview of lawful identity services.

The broader lesson is uncomfortable but increasingly clear. A lot of modern fraud no longer begins with a con artist improvising from scratch. It begins with a profile that is already assembled, already sold and already believable enough to travel. That is why the market for stolen personal data matters so much in 2026. It is not just feeding fraud. It is industrializing it.

The latest FTC fraud data and current Reuters reporting on the UK sanctions case tied to scam-market infrastructure point in the same direction. Stolen personal data is no longer just a byproduct of cybercrime. It has become one of the central fuels of a global fraud economy.

Anton Stravinsky

Anton Stravinsky

Anton Stravinsky is an associate correspondent for Tri-City News, BC. CanadaStravinsky focuses on international finance, banking, and asset management trends across Europe and Asia for Markets.Before his current role, Stravinsky completed Bloomberg's journalism fellowship, contributing stories to Bloomberg's digital and broadcast platforms. He originally joined Bloomberg as a summer intern covering financial markets and global economies in 2017.Stravinsky’s prior experience includes internships with Reuters' business desk in London, CNBC's Squawk Box Europe, and The Financial Times' editorial team.He earned a bachelor's degree in economics and journalism from New York University, where he served as senior editor for the university’s independent news outlet, Washington Square News.