WASHINGTON, DC, December 10, 2025 – Global bad actors may be able to exploit the identity system meant to guard Americans' access to the IRS, Social Security Administration, and other agencies by selling stolen credentials and tools to bypass government contractor ID.me, according to an investigation by the Digital Citizens Alliance.
The report, "Identity Crisis: As Americans Become More Reliant on ID Verification Systems, Global Bad Actors Seek to Exploit ID.me for Profit," uncovered more than 7,000 fraud entries targeting ID.me, 241 unique offers of compromised email addresses, automated bots facilitating fraud, and suggested links to organized criminal enterprises. ID.me currently verifies identities for 20 federal agencies and 45 state agencies with access to Americans' highly sensitive personal data.
The sale of purportedly breached login credentials, methodologies for bypassing verification checks, and other means of compromise could threaten to undermine the security and trust of government systems that use ID.me for identity verification. On the Dark Web, purported methods for fooling ID.me’s solution are sold for as little as $4.15 while ostensibly verified accounts can be bought for between $50 to $1,020, reflecting access to a larger number of accounts.
“Identity is a master key in the digital age – failing to secure it opens the door to fraud,” said Tom Galvin, executive director of the Digital Citizens Alliance. “Our nation faces an identity crisis. Bad actors on the Dark Web are taking advantage of the current system to line their pockets. This crisis isn’t going away. Our leaders need to look into this issue and rethink identity in a more serious way, so that we can protect the data of the American people.”
For millions of Americans, ID.me is a required first step to accessing benefits, including unemployment, disability, healthcare, and more. The lack of a requirement for re-verification may be helpful for a valid ID.me user accessing multiple services but presents a potential vulnerability once a bad actor bypasses the system.
Fixing our nation’s identity crisis requires an evaluation of the current system to determine whether changes should be made to protect Americans and their data. This includes understanding how offers of compromised logins ended up on the Dark Web, whether permanent verification is a security flaw that should be addressed by requiring periodic re-verification, and if policies on the retention of users’ personal information and third-party data sharing are too permissive.
Digital Citizens Alliance partnered with cybersecurity company Unit221B and other investigators to conduct a months-long threat intelligence evaluation to uncover how bad actors are able to harvest, collect, and sell personal information on the Dark Web. This report is the culmination of that investigation.
About Digital Citizens Alliance
The Digital Citizens Alliance is a nonprofit, 501(c)(6) organization that is a consumer-oriented coalition focused on educating the public and policymakers on the threats that consumers face on the Internet. Digital Citizens wants to create a dialogue on the importance for Internet stakeholders— individuals, government, and industry—to make the Web a safer place.
Recent reports include:
Based in Washington, DC, the Digital Citizens Alliance counts among its supporters: private citizens, the health, pharmaceutical, and creative industries, as well as online safety experts and other communities focused on Internet safety.
Visit us at www.digitalcitizensalliance.org.
Press Contact:
Jennifer Spoerri
[email protected]
415-577-0171