The Collapse of Trust in the Digital State

For decades, the systems that governments, banks, universities, and public institutions built to verify who someone is rested on a single foundational assumption that personal information, documents, and physical characteristics were difficult to convincingly fake. A Social Security number combined with a date of birth and a driver's license was, for most practical purposes, enough to establish identity.

That assumption has now been broken. The US recorded its highest number of data breaches in 2025 since tracking began, identity theft reports to the Federal Trade Commission rose nearly 20% year over year, and global fraud losses now exceed $534 billion annually. Generative AI, the same technology powering productivity tools and creative applications across the economy, has become a force multiplier for those seeking to deceive digital systems at scale. The speed, sophistication, and accessibility of these tools mean that the problem is no longer confined to the margins of financial crime. It has moved to the centre of a broader question about whether the digital infrastructure modern states depend on to function is as reliable as they have assumed.

To understand why this moment is different from previous waves of cybercrime, it helps to understand what synthetic identity fraud actually is and why it has become so difficult to detect and contain. Unlike conventional identity theft, where a criminal steals and uses a real person’s complete identity, synthetic identity fraud involves assembling fragments of real information from different individuals, a Social Security number from one person, a date of birth from another, an address from a third, and combining them into a fictitious but highly convincing person. The Federal Reserve Bank of Boston describes this as one of the fastest growing and most costly forms of financial fraud, with losses climbing from roughly $8 billion around 2020 to over $30 billion today.

The reason synthetic identities are so effective is that they are designed to behave like real people over time. Fraudsters open small credit lines, make regular payments, and gradually build up a credit history that banks find indistinguishable from a legitimate customer. As Mike Timoney, Vice President of Secure Payments at the Federal Reserve Bank of Boston, explains: “Once I get credit, I almost have achieved a proof of life.” The fraudster then slowly expands the credit line, sometimes over years, before ultimately maxing out every account and disappearing. The longer the identity sits, the more legitimate it appears, and the harder it becomes for any institution to flag it.

Moreover, generative AI has transformed this already sophisticated scheme in three distinct ways. First, it dramatically accelerates the creation of synthetic identities by parsing the enormous datasets made available through data breaches. In 2024 alone, over 3,200 data breaches were reported in the US, and between 1.6 and 1.7 billion individual breach notices were sent out to affected users. This reservoir of compromised personal information is the raw material that AI-powered fraud tools use to rapidly generate and test synthetic identities at a scale no human operation could match.

Second, generative AI enables these systems to learn from failure, identifying which approaches are getting flagged and adjusting accordingly. Third, and perhaps most unsettling, AI can now generate deepfake voices, faces, and forged identity documents, giving synthetic identities a believable human presence that extends beyond data fields into visual and auditory verification systems.

The pandemic years offered an early preview of how quickly fraud ecosystems adapt. When government relief programs flooded the economy with emergency funds between 2020 and 2021, fraudsters who had spent years building synthetic credit identities simply pivoted, applying for unemployment benefits, small business loans, and federal aid programs instead. The infrastructure was already in place and only the target changed. Today, the same flexibility is visible again as fraud operations shift toward opening fake bank accounts through online portals, eliminating the need for human intermediaries and reducing operational costs further.

The problem is not limited to financial institutions. Universities with high acceptance rates and straightforward applications are now among the most targeted institutions, with federal student aid systems exploited through automation at scale. Experian, one of the world’s largest consumer credit reporting agencies and a frontline processor of data breach cases, projects that agentic AI, which deploys multiple autonomous agents working simultaneously toward a shared goal with minimal human oversight, will become the leading cause of data breaches this year, capable of contacting multiple banks at once, impersonating different identities in parallel, and filling out complex government forms automatically. Experian itself handled 5,000 data breaches last year and found that 40% were already AI-powered.

The financial costs of AI-driven identity fraud are significant, but they point toward a deeper and less discussed problem. Modern states and institutions function on the assumption that identity is verifiable. Passports, Social Security numbers, driver’s licenses, biometric checks, and digital credentials are not merely administrative conveniences. They are the mechanisms through which democratic governments distribute rights, services, and resources to the right people. When those mechanisms can be systematically deceived at scale, the institutions built around them begin to lose their functional integrity.

The breach of multiple Mexican government agencies in early 2026 shows what this looks like in practice. A hacker used Anthropic’s Claude chatbot to infiltrate the country’s federal tax authority and national electoral institute, stealing 150 gigabytes of data including 195 million taxpayer records, voter data, and government employee credentials. The attacker framed requests to the AI as a legitimate security exercise and when the system initially resisted, provided it with a detailed operational playbook that bypassed its safeguards entirely. The result was the exposure of data tied to virtually every adult in Mexico. Beyond the immediate breach, the episode demonstrated something more troubling: a single individual, armed with a publicly available AI tool, was able to compromise the foundational databases of a sovereign state’s identity infrastructure.

Therefore, this is no longer a hypothetical. Anthropic itself disclosed in late 2024 that it had disrupted the first confirmed AI-orchestrated cyber-espionage campaign, in which suspected Chinese state-backed hackers used its Claude tool to attempt breaches of 30 global targets. The company’s own internal research, conducted on a more advanced model called Mythos, found that the system could autonomously exploit vulnerabilities across every major web browser, chain together multiple software flaws in a single attack, and find critical weaknesses in Linux, the open-source code underpinning most modern computing including smartphones, hospital systems, and government infrastructure. The findings were serious enough that the US Treasury Secretary and the Federal Reserve Chair convened an emergency meeting with Wall Street executives to warn them to use the tool defensively before attackers used it offensively. As one US national security official described it, equipping a hacker with such a model would be the equivalent of turning a conventional soldier into a special forces operator.

The institutional implications extend further still. The populations most vulnerable to synthetic identity fraud are not primarily wealthy individuals with complex financial lives. They are children, whose Social Security numbers are issued at birth and go unused for over a decade, the elderly, who have accumulated strong credit histories they rarely access, and incarcerated people, who cannot monitor or protect their own records. These are groups whose relationship to state institutions is already structurally mediated, and whose vulnerability reflects not just a cybersecurity gap but a governance one. When the state cannot reliably protect the identity credentials it issues, and when the notices informing breach victims have dropped by over 79% year over year despite breaches rising, the state’s implicit promise to maintain a trustworthy and functional identity infrastructure begins to hollow out.

The responses being developed are real and in some cases promising. TransUnion uses AI to conduct liveness checks on identity selfies and cross-references them against DMV records and persistent device behaviour patterns. JPMorgan Chase had already been deploying large language models to find zero-day vulnerabilities in its own software before the Mythos disclosure, reducing processes that previously took weeks to under an hour. The Linux Foundation is now experimenting with Mythos to find and close flaws in foundational open-source code.

Yet the defensive ecosystem remains fragmented, unevenly distributed, and structurally reactive, always catching up to the last method rather than anticipating the next one. Moreover, the gap between institutions that can afford sophisticated AI-driven defences and those that cannot is itself a vulnerability, since fraudsters naturally gravitate toward the weakest points in any system.

Few countries make the stakes of this picture more concrete than the UAE. The country has deliberately positioned itself at the forefront of digital transformation, with Abu Dhabi’s Digital Strategy 2025–2027 setting out an ambition to establish the world’s first fully AI-powered government by 2027, and the UAE AI Strategy 2031 projecting that AI could contribute nearly 14% of GDP by 2030. That ambition is reflected in the country’s financial sector, where in 2024, 9 in 10 UAE residents held digital-first bank accounts, a penetration rate that far exceeds the broader Middle East and Africa regional average. The UAE now hosts a quarter of all fintech companies across the MENA region, and its AI-in-finance market is projected to grow from $67 million in 2023 to $514 million by 2032.

However, the same digital density that drives this growth has dramatically expanded the country’s attack surface. According to the UAE Cyber Security Council, the country’s financial sector receives the equivalent of 14,000 cyberattacks per day, with accumulated losses exceeding $2.5 billion since 2020. Ransomware incidents in the financial sector rose to 34 reported cases between January and November 2024, up from 27 the year before. Deepfake fraud attempts during digital onboarding processes increased by more than 300% in 2025, and synthetic identities represented approximately one third of fraud cases in fintechs globally that year. There have already been recorded cases in the UAE of fraudulent bank transfers executed after impersonating a senior executive’s voice using audio cloning techniques.

The tension this creates is particularly acute in the context of financial inclusion. Digital and neobanks are leaner by design, operating without the branch infrastructure, legacy verification systems, and compliance overhead of traditional banks. That leanness is precisely what makes them powerful engines of financial inclusion, extending services to populations previously excluded from the formal banking sector. Yet, it also makes them structurally more exploitable. The growth of digital banking in the UAE has been extraordinary, but that acceleration has also amplified the attack surface. Smaller fintech entrants in particular struggle to meet the AML, cybersecurity, and governance compliance standards that larger institutions absorb as a cost of doing business. The result is a two-tier system in which the institutions most focused on broadening access are simultaneously the most vulnerable to the fraud mechanisms described throughout this analysis.

The UAE’s regulators have moved with notable urgency in response. Federal Decree-Law No. 6 of 2025, the primary banking law, mandates the implementation of robust fraud prevention and detection mechanisms and the reporting of incidents to the Central Bank of the UAE under direct management responsibility, with the possibility of criminal liability in cases of gross negligence regarding customer funds. Federal Decree-Law No. 30 of 2024 established a mandatory National Digital KYC Platform, centralizing and standardizing identity verification across the entire financial sector. In May 2025, the Central Bank issued Notice 2025/3057 ordering banks to phase out SMS and email one-time passwords, which are vulnerable to interception, in Favor of more robust authentication methods. The conceptual shift underlying all these measures is significant in that digital identity has become regulatory infrastructure rather than a user experience tool, and secure digital identity has ceased to be a competitive advantage and has become a licensing condition.

Even so, regulation moves on a timeline that fraud does not respect. Nearly 64% of respondents in the UAE said that a cyberattack was missed either due to a lack of resources or the lack of skills to deal with a complex incident in a timely manner. The challenge facing the UAE, and by extension other digitally ambitious states in the region, is not whether to regulate more aggressively. It is whether the pace of regulatory adaptation can keep up with AI capabilities that are improving on a timeline measured in months. The broader question of how to reconcile the imperative of financial inclusion with the structural vulnerabilities it creates has no clear answer, but it is one that states placing digital ambition at the centre of their economic identity cannot afford to defer.

To sum up, the dark period where offensive AI holds a structural advantage over defensive tools is not a future prospect. It is the present condition of digital identity systems across governments, financial institutions, and public services worldwide. The deeper question is not whether to invest in better fraud detection tools, though that is necessary, but whether the architecture of digital identity itself requires rethinking from the ground up. A system of verification built on the assumption that personal data, documents, and biometric signals are inherently difficult to replicate was always only as strong as that assumption held. Generative AI has broken it, and the institutions that depend on it are only beginning to grapple with what that means for their ability to function, govern, and maintain the trust of the people they serve.

Bank, Reserve. 2025. “Federal Reserve Bank of Boston.” Federal Reserve Bank of Boston. March 31, 2025. https://www.bostonfed.org/publications/six-hundred-atlantic/interviews/synthetic-identity-fraud-how-ai-is-changing-the-game.aspx.

Bodoni, Stephanie. 2022. “Meta Probe into 533 Million-User Data Leak Draws to a Close.” Bloomberg.com. Bloomberg. October 3, 2022. https://www.bloomberg.com/news/articles/2022-10-03/meta-probe-into-533-million-user-data-leak-draws-to-a-close.

Dempsey, Clint , and Amardeep Shoker. 2025. “UAE Enacts Landmark Central Bank Law.” Ashurst. November 24, 2025. https://www.ashurst.com/en/insights/uae-enacts-landmark-central-bank-law/.

Facephi . 2026. “Cybersecurity and Digital Identity in UAE Banking: The New Standard for 2026.” Facephi . Facephi. May 4, 2026. https://facephi.com/observatory/en/cybersecurity-digital-identity-banking-uae-2026/.

Haque, Jennah . 2026. “AI Is Making Digital Fraud Easier, Faster and Harder to Stop.” Bloomberg . May 8, 2026. https://www.bloomberg.com/graphics/2026-ai-identity-theft-scams/?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb3VyY2UiOiJTdWJzY3JpYmVyR2lmdGVkQXJ0aWNsZSIsImlhdCI6MTc3ODI0ODEzOCwiZXhwIjoxNzc4ODUyOTM4LCJhcnRpY2xlSWQiOiJURVBOT0dLSUpIQ1owMCIsImJjb25uZWN0SWQiOiIyMkJBREVGRDU5QjI0ODg5OEIwMzhBNUZGMjA1NzlFOCJ9.3mbrsg8DpR9QgdSzUUv-zPEoLhh7M507HyhsyinvxYo.

Martin, Andrew, and Carolina Millan. 2026. “Hacker Used Anthropic’s Claude to Steal Mexican Data Trove.” Bloomberg.com. Bloomberg. February 25, 2026. https://www.bloomberg.com/news/articles/2026-02-25/hacker-used-anthropic-s-claude-to-steal-sensitive-mexican-data.

Murphy, Margi, Jake Bleiberg, and Patrick Howell O’Neill. 2026. “How Anthropic Learned Mythos Was Too Dangerous for the Wild.” Bloomberg.com. Bloomberg. April 16, 2026. https://www.bloomberg.com/news/features/2026-04-16/how-anthropic-discovered-mythos-ai-was-too-dangerous-for-release.

Rego, Nick . 2023. “UAE Banks on AI to Boost Cybersecurity.” Www.darkreading.com. December 29, 2023. https://www.darkreading.com/cyberattacks-data-breaches/uae-banks-on-ai-to-boost-cybersecurity.