Leak Check Me
Sign inRun Leak Check
All privacy guides
identity theft statistics 2026May 28, 2026Leak Check Me

Identity Theft Cost Americans Over $20 Billion in 2025 — Here's Where the Money Actually Goes

Fresh 2025/2026 stats on identity theft losses by attack type, victim age, and cash-out path — plus the connective tissue all of them share: broker data.

The FBI's Internet Crime Complaint Center booked $16.6 billion in cybercrime losses in 2024, a 33% jump from 2023. Javelin Strategy's 2025 Identity Fraud Study pegged consumer identity-fraud losses alone at $27.2 billion for the same year — a 19% increase. And the FTC's Consumer Sentinel pipeline shows identity theft reports through Q3 2025 already exceeding all of 2024, on pace to clear 1.5 million reports for the year.

Add the gap between reported and unreported (the FTC estimates roughly 10% of victims file), and the real number Americans lost to identity theft in 2025 comfortably cleared $20 billion. Here is where it actually goes, who's losing it, and why almost every one of these attacks starts with the same primitive: a profile assembled from data brokers.

One-sentence answer: In 2025, Americans lost more than $20 billion to identity theft and fraud — most of it siphoned through account takeover, new-account fraud, government-benefits fraud, and tax-refund fraud, then cashed out through reshipping mules, crypto, and gift cards.

TL;DR

  • FBI IC3 2024 cybercrime losses: $16.6B (up 33% YoY), from 859,532 complaints.
  • Javelin 2025 study: $27.2B in consumer identity-fraud losses for 2024 (+19% YoY).
  • FTC Consumer Sentinel 2024: 1.1M+ identity theft reports, ~18% of all consumer reports.
  • 2025 partial-year FTC data already exceeds 2024 — full-year tracking toward ~1.5M reports.
  • Older Americans lose the most dollars per incident. Gen Z is the fastest-growing victim cohort.
  • The cash-out paths are concentrated: reshipping mules, crypto, gift cards, prepaid debit.
  • Nearly every modern attack begins with a profile assembled from breached credentials + broker-sold public data.

The headline numbers, sourced

Different agencies measure different things, which is why you see ranges. The cleanest version:

SourceWhat it measures2024 figureYoY
FBI IC3 2024 ReportAll internet crime complaints filed with IC3$16.6B losses, 859K complaints+33% losses
Javelin 2025 Identity Fraud StudyConsumer identity-fraud losses (broader scope)$27.2B, 19M US victims+19% losses
FTC Consumer Sentinel 2024All consumer fraud + ID theft reports$12.5B fraud losses, 1.1M ID theft reports+25% fraud $
AARP / FINRASpecifically older-adult fraud losses$61.5B (broader definition incl. elder financial exploitation)n/a

Each of these is real and measures a slightly different slice. The IC3 number is what people self-reported to one FBI portal; the Javelin number is a national survey extrapolation that catches under-reported cases; the FTC number is a different reporting pipeline used by state AGs and consumer-protection agencies.

For 2025 partial data, the most current view is the FTC's interactive Consumer Sentinel dashboard, updated quarterly. As of late 2025, identity theft reports filed January through September had already exceeded the 2024 full-year total, with projections pointing to ~1.5M annual reports.

Where the money goes, by attack type

Identity theft is not one crime. It is a family of crimes that share a primitive (your data) and end in different cash-out paths.

Account takeover fraud — the biggest single bucket

Javelin's 2025 study attributes $16 billion of the $27.2 billion total to account takeover (ATO). An attacker uses leaked credentials (or social-engineers a password reset) to log in to an account you already own — bank, brokerage, retailer with stored cards, loyalty program — and drains value through transfers, purchases, or stored-credit redemption.

ATO starts with credential stuffing. The attacker takes a dump of email/password pairs from one of the billions of breached records sitting in HIBP and tries them against high-value sites. Hit rates are low (~0.1–1%) but the volume makes it profitable.

New-account fraud

The attacker opens a new credit card, loan, or bank account in your name using your SSN, address, date of birth, and mother's maiden name — most of which are either in old breaches (SSN, DOB) or on people-search sites (address, family). They burn the credit line, then disappear, leaving you with the debt and a 12-month battle to get it off your record.

Tax-refund fraud

Files a fake return with your name and SSN early in tax season, claiming a refund routed to a prepaid debit card or controlled bank account. The IRS's Identity Theft Affidavit (Form 14039) workflow exists specifically because of this. The IRS Taxpayer Advocate Service has reported median resolution times of 6+ months in recent years.

Government-benefits fraud — pandemic-era boom that didn't end

Unemployment-insurance fraud exploded during COVID and never returned to baseline. State unemployment systems verified identity loosely under federal pressure to disburse fast; attackers harvested SSNs and identity packages from breach data plus broker-aggregated profiles and filed claims in victims' names. SSA, IRS, and state-level continue to see significant volumes through 2025.

Medical identity theft

The fastest-growing category by some measures. An attacker uses your insurance ID to receive treatment, fill prescriptions, or file claims. The fallout is harder to clean up than financial fraud because medical records mix into your file and can affect future coverage decisions.

Synthetic identity fraud

The fastest-growing category by dollar measures. The attacker combines real fields (your SSN) with fabricated fields (a made-up name and DOB) to build a "synthetic" identity that doesn't quite match any one person — passes lender verification because the SSN is real, escapes credit-monitoring alerts because the name doesn't match. The Federal Reserve has called synthetic ID fraud one of the fastest-growing financial crimes in the US.

Where the money actually exits

Once the attacker has the goods — cash transfer, gift cards, electronics, fraudulent refund — they have to convert it to something they can keep without getting caught. The common cash-out paths:

  • Reshipping mules. The attacker buys electronics with your card and ships them to a "package handler" recruited via fake work-from-home ads. The mule re-ships internationally. Goods get fenced abroad. The mule usually doesn't know it's fraud and gets prosecuted anyway.
  • Crypto cashouts. Attacker buys crypto with stolen ACH or wires, then moves it through mixers. Stablecoin volumes have made this faster and cheaper since 2024.
  • Gift cards. The classic. Especially common in elder-scam variants ("buy $5,000 in Apple gift cards and read me the numbers"). The FTC reported gift card payments accounted for significant portions of 2024 scam losses.
  • Prepaid debit cards. Where tax-refund and unemployment-benefit fraud usually lands.
  • Bank-account-to-bank-account transfers through money mules recruited via romance scams or "job offers."

Who is losing the money

This is where the data is genuinely interesting.

By dollars lost per victim: Older Americans get hit hardest. The FBI IC3 2024 report showed Americans 60 and over filed 101,068 complaints with $4.885 billion in losses — roughly $48K per filed complaint, far above the cross-age average. Romance scams, tech-support scams, and elder fraud all skew older.

By victim count growth rate: Gen Z is the fastest-growing cohort. People in their 20s grew up with breached data as a baseline, often share more on social media, and are more likely to fall for AI-generated scams that ride on personal context. The FTC's 2024 data showed adults 20–29 reporting fraud at a higher rate than older brackets, though with smaller average losses.

By geography: California, Florida, Texas, and New York lead in raw complaint volume. Per-capita, the leaders shift toward states with higher elder populations and states that bore the brunt of pandemic-era unemployment fraud.

The connective tissue: your profile

Every single attack type above starts with the same primitive. The attacker needs a coherent identity to work with — an email, a password, a name, an address, a phone, a date of birth, sometimes a mother's maiden name and a previous address. The credential half (email, password) comes from breaches. The identity half (name, address, phone, family) comes from data brokers and people-search sites.

That is the join we keep coming back to in the pillar piece. It is the load-bearing fact of modern identity theft.

A leaked email by itself is recoverable. A leaked email plus a current address plus a phone number plus a mother's maiden name is an identity package an attacker can monetize. The brokers ship that package every day for under $5.

The two operational consequences:

  1. Lock down your phone number. SIM swap is the path from "attacker has your phone number" to "attacker has all your 2FA codes." Carrier port-out locks help. The SIM-swap prevention guide is the 30-minute version.
  2. Lock down your email. Email is the recovery vector for everything else. The post on email as the skeleton key explains why one address compromised cascades through your whole life.

What you can do today

  1. Pull your credit reports for free at annualcreditreport.com — you can do this weekly now, free, from all three bureaus.
  2. Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes 10 minutes per bureau, and stops new-account fraud cold. Unfreeze temporarily when you actually apply for credit.
  3. File an IRS Identity Protection PIN at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. Pre-empts tax-refund fraud.
  4. Add a carrier port-out lock at Verizon, AT&T, or T-Mobile.
  5. Scrub the broker side. Public-profile sites are the supply chain. Removing yourself does not undo prior breaches, but it disrupts the join attackers need.

The framing, plainly

$20 billion is a number. The lived version is one person realizing their unemployment benefits were redirected to a stranger, or watching $14K leave their brokerage account at 3 AM, or fielding calls from collections about a credit card they never opened. The mechanics of each story look different. The supply chain underneath is the same.

You cannot un-breach the past. You can starve the supply chain of the live half: your current name, address, phone, family, and employer being one click away on a $4 people-search profile. That is the half Leak Check Me works on — find the leak, scrub the link, patrol for relistings. The cost of identity theft compounds. The cost of cleanup doesn't have to.

Sources

Keep going

Related privacy guides

data leak protection

Leaks Happen. The Real Risk Is the Link Between Them. (Our Manifesto)

Leaked passwords are recoverable. Joined profiles are not. Why data leak protection has to break the link, not just chase the breach.

Read guide
how to prevent sim swap

SIM-Swap Attacks Are Surging — Lock Down Your Phone Number in 30 Minutes

SIM-swap losses hit $25.9M in 2024 and UK cases rose 1,055%. Here's how the attack works and how to lock your number at AT&T, Verizon, and T-Mobile.

Read guide
why is my email address dangerous

Your Email Address Is the Skeleton Key to Your Whole Identity

Your email is the join key for nearly every breach database and data broker profile. Here's why that's risky, and how aliasing breaks the link.

Read guide
Leak Link Check

See what is exposed before it gets joined.

Run a verified check for known breach exposure and public identity links, then authorize eligible scrub actions from the dashboard.

Run Leak Check