In a single day April 13, 2025, some 129 stolen checks with a value of more than US $5 million turned up for sale across 14 Telegram channels. The images of the checks revealed a variety of routine payment activity — a call center paying its US $7,140 power bill, a couple paying their taxes and a Christian book store paying one of its distributors. Some of the checks had very high amounts. A small town in Georgia wrote a check for a hefty US $105,432.50 for insurance. In another example, a Tennessee construction company wrote a check for US $259,110.32 to a metal supplier.
The checks have been stolen, most likely in transit through the U.S. mail, and these checks were for sale. Stolen checks are a thriving market category on underground forums and messaging platforms such as the Telegram platform. The checks turn up in these channels not long after they’ve been either printed or written. Threat actors selling the checks sometimes include part of the original envelope in the image. Checks often appear to be photographed inside cars, suggesting that the threat actors moved quickly after envelopes had been stolen to attempt to monetize the checks inside — steal a batch of checks and then quickly upload them in a Telegram posting.
Once purchased, the physical checks can be modified using chemicals to erase amounts and payees — a technique known as “washing” — and fill in new information, such as the name of a money mule, a higher amount and a new account number. Washing is just one of numerous techniques, including cloning, which can be used to try to get a bank to pay out a bogus check. This is a big headache for banks, which must comply with federal rules to process checks under tight timelines, putting them at risk of absorbing the losses if a bad check is paid out.
In this blog, we’ll analyze a slice of illicit check activity Intel 471 has observed in the first half of 2025 and put into context why this crime is successful.
Despite much of the world moving to purely digital financial instruments, more than 10 billion checks are still written every year in the U.S. Consumers are writing fewer of them, but business use remains robust.
In March 2025 the U.S. Federal Reserve released statistics related to check use for calendar year 2021, the latest year for which statistics are available. The number of paid checks fell from 13.6 billion in 2018 to 11.1 billion in 2021, but the value of the checks from those two years was about the same at US $27.11 trillion. For the first time, businesses in 2021 wrote more checks than consumers at 5.7 billion versus 5.2 billion. Those business checks also were on average double the value of consumer checks at US $3,601 versus US $1,246, representing 76% of the value of all commercial checks. The reasons why some consumers and businesses still write checks appear to be varied, ranging from longstanding habits, lower fees in some scenarios than other transaction methods and beliefs that checks are more resistant to fraud than electronic fund transfers.
The latter point, however, is inaccurate. Check fraud seems archaic and has been around for decades, yet in 2025 it is a booming illicit business, according to the Atlanta Federal Reserve. The problem has become so significant that the Treasury Department included it in its 2024 National Money Laundering Risk Assessment. It listed multiple causes for this, including “the limited capability of financial institutions to verify the legitimacy of checks in a timely manner, the lack of self-verification systems built into checks, the prevalence of remote capture technology and the ability to directly access all funds within a specified account through a single check.”
Check fraud rose during and after the COVID-19 pandemic and has continued at high levels. Financial institutions filed about 285,000 Suspicious Activity Reports (SARS), which are required when illegal activity is detected or suspected, to the Financial Crimes Enforcement Network (FinCEN) related to fraudulent checks in 2020. That figure rose to 350,000 in 2021 and then nearly doubled to 680,000 in 2022. To quantify the problem of check fraud in another way, a sampling of 35,000 checks by the Federal Reserve Bank of Atlanta and Federal Reserve Financial Services found 15% of checks in 2021 were returned due to possible fraud, up from 10.2% in 2018.
One reason for rising check fraud was three rounds of economic stimulus checks distributed by the U.S. government to tens of millions of people in 2020 and 2021. Stimulus checks were distributed to people using their direct deposit information on their tax return. But if direct deposit was not possible, the U.S. Treasury mailed checks, as it continues to do in certain circumstances with refunds from the Internal Revenue Service (IRS). This opens up a traditional attack vector — mail theft.
As seen below, checks from the U.S. Treasury are sent in easily identifiable envelopes, and a clear window in the envelope shows the blended greenish-yellow check itself and the name and address of the recipient. The U.S. government also issues checks for Medicare and Medicaid reimbursements, which are two national medical insurance schemes in the country. The COVID stimulus checks — and some from U.S. state programs as well — flooded the postal system with checks. Criminals found they potentially could make easy money from an old scheme and correspondingly expanded their operations to include personal, business and cashier checks. The stimulus checks became known as “stimmys” by participants in the check fraud underground.
The image depicts a check cut from the U.S. Treasury for a tax refund and its accompanying envelope.
Counterintuitively, the risks have not put businesses and organizations off of checks. In April 2025, the Association for Financial Professionals (AFP) released a survey of 521 financial practitioners conducted in 2024. Some 91% of respondents said their organizations were using checks, a figure up from 73% in 2023. AFP said the reason for the dramatic rise was “unclear,” particularly because 63% said their organizations had encountered attempted or actual check fraud. Further, 75% said that they had no plans to retire checks as a payment instrument in the next two years.
In December 2023, a threat actor posted this message on the crdpro[.]cc forum, which is a marketplace for stolen payment card details, identity information and various other underground services. It read:
“Hi, Looking for someone in USA to pick up checks. Checks would be mailed to your drop. You need to pick it up and make a picture of front & back, then just throw it away.”
The poster received many responses, often from people who appeared to be familiar with the lingo of check fraud and the underground economy behind it. It’s a complex chain of petty thieves, insider threats, document forgery specialists and money mules.
The most common way that checks are sourced is mail theft — from people’s own mailboxes, apartment complexes and even the iconic blue U.S. Mail collection boxes that dot many U.S. street corners. The box, along with other types of mailboxes in apartment buildings, are unlocked by arrow or Modified arrow lock keys. Those keys have been sought by the criminal underground for all kinds of schemes focused on past theft, including sourcing checks for fraud. The discussion thread on crd.prp[.]cc spun off side discussions for mail fraud and the threat actor Coup wrote March 4, 2024:
“Hit me I got mail key n get checks.”
The image depicts a screenshot of arrow keys that CBS Chicago 2 published on Feb. 2, 2023.
More disturbingly, the U.S. Postal Service (USPS) has reported their carriers have been robbed. The U.S. Postal Inspection Service (USPIS) reported 412 mail carriers were robbed on duty between October 2021 and October 2022 and 305 were robbed in the first half of fiscal year 2023. The agency warned such incidents were on the rise and that it had launched an initiative, Project Safe Delivery, to mitigate mail and package theft and risk to Postal Service employees.
Mail theft is such a problem that the Postal Service has issued guidance and created videos warning people not to leave outgoing mail in their mailbox for too long. It also advised people should hand mail directly to their carrier, drop it off at a post office or even drop items into the iconic blue mailboxes just before a carrier is due to empty one. As part of Project Safe Delivery, the Postal Service planned to install 12,000 high-security blue collection boxes and also replace what it termed were “antiquated” arrow and modified arrow lock keys with electronic locks.
Some check writers who do everything they can to prevent fraud still get stung by check fraud. Perhaps they dropped off the check at the post office, yet it ended up being paid out to the wrong person down the line. The possible reason? Insider threats.
The IRS outlined a pending criminal case in May 2025 against four individuals in the Detroit, Michigan, area who were charged with conspiracy to aid and abet bank and wire fraud. Two Detroit women, Vanessa Hargrove and Crystal Jenkins, were Postal Service employees who allegedly stole “a high volume of tax refund checks issued by the U.S. Treasury” in exchange for payments, according to the IRS. Two others, Jaiswan Williams and Dequan Foreman, are accused of being the administrators of two Telegram channels used to sell the checks to other threat actors.
The IRS said the price of each check was based on its face value. One channel called “Whole Food Slipsss” — which is now offline — advertised the high-value checks, while another called “Uber Eat Slips” — also now offline — advertised lower-valued checks, with “slips” being the lingo for stolen checks. The IRS said payment for the checks was done outside Telegram, and then the purchasers of the checks sought to monetize the checks using a variety of methods. If convicted of the charges, each could face as long as 30 years in federal prison.
Doing the cooking and the washing
So far we’ve outlined how threat actors across the underground source stolen checks by lifting them from post boxes, at points in transit during the mail journey, bribing insiders and even robbing U.S. postal carriers. These checks often are posted quickly in Telegram channels for sale. In some photos, threat actors have laid out a check or several checks on their leg in a vehicle, which could suggest that the checks were freshly sourced and put to market without delay. Some of the information on the checks is always redacted. That information is the bank account number of the person or business and the routing number, which identifies the financial institution that holds the funds. The payee – the person or entity the check is addressed to — and the payer, whom the funds are being distributed to — and the amount are often left visible.
So how do fraudsters monetize the checks?
There are a variety of ways, which range in sophistication. One of the most common ways is “washing,” which involves using chemicals such as acetone to erase the payee, allowing for another payee’s name to be inserted. This process also may work to modify the payment amount to a higher value, or the less sophisticated way is to try to insert more zeros. Buying the check allows visibility into the account and routing number, which theoretically are the keys to unlock funds from someone’s account. By buying a real check, a threat actor could clone it using computer manipulation tools and a check printer to create a look-alike for a higher amount and print it out on check stock, which can be ordered online. The creation of a fake check based on a real one is an underground service in itself, often referred to as “cooking.” The two services may be combined. The vendor may offer both the stolen check and the manipulation services as a package. Vendors often sell “cookups” and advertise them as “glass,” meaning they should be cashed without trouble by a financial institution.
The image depicts a screenshot of an advertisement for fraudulent and stolen checks on the “Remomafia” Telegram channel obtained June 15, 2025.
Why do financial institutions pay on checks that have not been verified yet? There are several reasons, but a significant one is the tight timelines mandated by the Federal Reserve under Regulation CC, a set of funds availability rules.
Certain types of checks, such as those that come from the U.S. government or states that are deposited in person, must be available for withdrawal the next business day. For checks that aren’t bound by this rule, the first US $275 — up from US $225 on July 30, 2025, —must be made available the next business day. The Webster First credit union outlined on its website the processing for a US $15,000 check — the first US $225 is available the next business day, then the second business day US $5,300 would be unlocked and then by the seventh day after the deposit US $9,475 is available. The rules mean that financial institutions could be paying out on checks that may not have been verified as legitimate.
In some obviously suspicious scenarios, a bank may refuse to pay, such as if a high value check is deposited into a brand-new account, which can be a strong fraud signal. Threat actors tend to try to find “aged” accounts less likely to raise suspicion and pay the holders of those accounts — the money mules — a share of the proceeds. Banks are allowed to withhold payment for checks for more than US $5,525 to ensure time to clear.
Further complicating the fraud picture is that a financial institution may never see the physical check. Physical checks have a variety of security features, running from foil holograms to special colored backgrounds to watermarked backgrounds to embedded ultraviolet fibers to heat sensitive icons. But many institutions offer remote deposit capture (RDC), where customers take a photo of the front and back of a check, although the value of the check that can be deposited via this method usually is limited. Scammers like this method since it means they don’t have to pull up to a bank ATM or branch and risk exposing their identity. Customers usually are advised to hold on to the paper check until it has cleared completely and a financial institution may request it.
The image depicts a screenshot of a check circulating in the underground on Sept. 5, 2025, that shows several security features, which include watermarked paper, a foil hologram and a heat sensitive icon.
In the first half of 2025, Intel 471 observed thousands of images of stolen checks circulating across 162 Telegram channels. Threat actors often post images of checks across several channels to reach a wider market. This was not a complete picture of check fraud in the U.S. but rather a small sampling of this prolific criminal activity as observed by Intel 471 on select Telegram channels. Threat actors may spin up new Telegram channels and groups that are dedicated to check fraud while Telegram may shut down fraud-centered channels and groups.
Analysis of the checks reveals check fraud hot spots across the nation. There are three locales involved in most checks — the location of the payer, the location of the payee and the location of the bank. Not all checks necessarily can be attributed to a state, however, due to redactions made by threat actors.
The data shows some of the top states affected by check fraud in descending order are New York, Pennsylvania and California. Another data point is the total value of the advertised stolen checks per state. This shouldn’t be considered a loss figure, however, since financial institutions likely stopped some fraud. Higher value checks may hold the potential for a greater payout, but also may be scrutinized closer.
Very high value checks in the pool push the average values higher, but the average median value in our samples is $6,034 — about 10% higher than the $5,525 threshold allowed under federal rules to hold checks longer or until cleared. Our figure suggests fraudster interest in checks less than US $8,000 — high enough to make the effort worth it but not quite so high as to attract undue attention which may be rejected by a financial institution.
Many factors make it difficult to combat check fraud. First, it’s nearly impossible to ensure 100% security around incoming or outgoing mail since there are many potential vulnerabilities, ranging from physical theft to insider threats. Sourcing stolen checks is low-hanging fruit for those willing to take the risk.
Determining whether a check has been forged merely on sight is complicated if scammers are using high quality printers and paper check stock. The security features in the checks — whether watermarks, holograms or other features — are irrelevant if the people cooking checks have access to that paper stock. Further, some institutions may not actually be collecting all of the paper checks they are cashing due to remote deposit capabilities in banking apps where users can take a photo of a check, although there are usually limits on the values of checks that can be deposited that way.
The Federal Reserve’s Regulation CC requires most checks to be processed under strict timelines which may in some cases work in favor of scammers, particularly given the sheer quantity of checks still written annually in the U.S. Financial institutions are allowed to hold checks above $5,525 longer to ensure they clear, a figure that’s within 10% of the average median value we calculated with our samples. This affirms that the $5,525 threshold for allowing longer processing times is appropriate. Still, it is in the interest of financial institutions to process checks relatively quickly to avoid annoying their customers by mistakenly holding legitimate checks for too long due to veracity questions but turn out to be false positives. This type of pressure may cause financial institutions to pay out on checks that are fraudulent.
We would not expect a state change in the situation unless the processing rules are relaxed or businesses and people start writing fewer checks in the U.S., which may take years. In the meantime, check fraud will remain a prevalent and costly hassle.
Intel 471 discovered a new Android trojan, FvncBot, that masquerades as a security application for mBank, a major Polish bank. Our Malware Intelligence team analyzed its code, which is new and not based on other leaked malware code.
Malware distribution campaigns that trick people into copying and pasting malicious commands, known as ClickFix, have been wildly successful. Here's an examination of ClickFix and how to defend against it.
Payment card "checkers" are used by criminal hackers to check the validity of stolen payment card details. Here's how this in-demand underground service works.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.