How Phantom Carbon Credits and Identity Wallet Exploitation are Reshaping Global Fraud

By Adrian Cheek, Senior Cybercrime Researcher

Two fraud categories are converging on the global stage right now, and neither has received the attention it deserves. The first involves carbon credits and ESG compliance, where a volatile mix of political pressure, weak verification, and enormous sums of money has created ‌fertile ground for manipulation on an industrial scale. 

The second concerns the rollout of government-backed digital identity wallets, a technology that promises to redefine how people prove who they are, but which simultaneously opens fresh attack surfaces that criminals are already probing.

Together, these two areas represent a significant shift in the fraud landscape. They cut across borders, affect both public and private sectors, and expose vulnerabilities in systems that were designed to build trust. For fraud professionals, compliance teams, and investigators worldwide, understanding what is unfolding in these markets is no longer optional.

The Carbon Credit Issue: Billions at Stake with (Almost) No Guardrails

Voluntary carbon markets were built on a simple idea that a company that cannot immediately reduce its own emissions can pay for verified reductions elsewhere, whether through reforestation, clean alternatives, or methane capture projects in another part of the world. Each verified reduction earns a tradeable credit representing one metric ton of carbon dioxide removed or avoided. The company retires the credit, claims the offset, and reports progress toward its climate goals.

The trouble is that the item being traded is invisible. A carbon credit is not a barrel of oil sitting in a warehouse. It is a claim, backed by data, that something happened in a forest or a village thousands of kilometers from the buyer. That gap between the physical reality and the financial instrument has proved irresistible to fraudsters.

Independent studies have suggested that the problem is staggering. Research from Carbon Market Watch found that only around one in thirteen certified forestry carbon credits represents an actual reduction in emissions. A separate analysis from 2023 estimated that as few as 12% of all existing offsets deliver a genuine environmental benefit. The rest, according to these assessments, are essentially worthless on paper but very much real in financial terms.

$250 Million Carbon Credit Fraud Revealed 

In October 2024, the first coordinated enforcement action in the voluntary carbon market showed just how deep the problem runs. The US Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC), and the Department of Justice brought parallel cases against CQC Impact Investors, a Washington-based project developer. The company had sponsored cookstove and lighting projects across sub-Saharan Africa, Asia, and Central America. Regulators alleged that former executives systematically manipulated survey data, inflated emission reduction figures, and submitted fabricated reports to registries and third-party verifiers. The scheme generated millions of credits that the company was never entitled to receive. The SEC described the resulting investor offering as a $250 million fraud.

What makes this case particularly instructive is the mechanics. The fraud did not rely on sophisticated technology. However, it exploited the weakness of a verification system that depends heavily on self-reported data from project developers, reviewed by third-party bodies with limited resources and potential conflicts of interest. Verra, the dominant carbon credit registry controlling roughly 70% of the market, has itself faced persistent criticism for the discretion it grants to project developers and the adequacy of its oversight methodologies. 

The political environment adds further complexity. In Europe, the Corporate Sustainability Reporting Directive is extending mandatory climate disclosure to tens of thousands of companies. In the United States, SEC climate disclosure rules require auditable emissions documentation. These mandates are creating enormous demand for offsets at a time when genuinely high-quality credits remain scarce. This imbalance is exactly the condition that attracts organized fraud gangs.

Beyond Greenwashing: Carbon Fraud as White-Collar Crime

For years, the conversation around dubious carbon credits focused on greenwashing: the idea that companies were buying low-quality offsets to inflate their reputations without achieving any meaningful environmental impact. This framing treated the problem as a marketing issue. What regulators are now making clear is that it is also a criminal one.

The CFTC established an Environmental Fraud Task Force in 2023, specifically to examine fraud related to environmental claims in carbon and ESG markets. The coordinated action against CQC was the task force’s first major outcome, and officials have signalled it will not be the last. Whistleblower programs are being positioned as central to detection, with the CFTC explicitly calling on market insiders to report manipulation. The fraud typologies vary:

• Inflated baselines: Project developers may exaggerate baseline emissions to make reductions appear larger. 
• Fabricated distribution data: Reports overstate the number of cookstoves distributed or inflate the efficiency of those devices.
• False additionality claims: Projects claim the carbon reduction would not have happened without the credit funding, when in reality the protected forest was never under threat of logging in the first place.
• Phantom credits: In more extreme cases, credits are issued for projects that exist only on paper.
• Laundering through conservation projects: In Brazil, investigators uncovered cases where carbon credit schemes were allegedly used to conceal illegal logging on protected land. The credits served as a laundering mechanism, allowing illegally harvested timber to be disguised as part of a legitimate conservation project. Similar dynamics were reported in Southeast Asia and parts of Central Africa, where weaker governance structures make oversight even more difficult.

For fraud investigators, the takeaway is that carbon markets now present a genuine and growing area of financial crime, not merely a reputational risk. The intangible nature of the underlying asset, the complexity of cross-border verification, and the rapid scaling of both compliance and voluntary markets create conditions that are attracting increasingly sophisticated criminal actors.

The Front Door Is Wide Open: Why Carbon Fraud Doesn’t Need the Dark Web

There is a striking feature of carbon market fraud that distinguishes it from many other forms of financial crime. It does not require underground infrastructure. There are no dark web forums brokering phantom credits, no encrypted Telegram channels offering fraudulent offsets to buyers. The reason is simple: the legitimate market itself has such weak controls that criminals can operate in plain sight.

Russia based “HYDROMONO” offering guaranteed contracts and carbon credits (Flare link to post, sign up for the free trial to access if you aren’t already a customer)

CQC Impact Investors did not need to find buyers in hidden corners of the internet. It sold credits through established registries to some of the world’s largest corporations. The Brazilian timber laundering operations used real REDD+ projects registered with recognised international certifiers. The credits carried official serial numbers, passed through accredited verification processes, and were retired against genuine corporate climate commitments. Every step took place through front-door channels.

This pattern is not new. The EU Emissions Trading System experienced its own devastating fraud wave between 2008 and 2009, when criminal networks exploited VAT rules to run carousel schemes through official carbon exchanges. Europol estimated the damage at more than five billion euros across European tax revenues. In some member states, up to 90% of total market volume during that period was attributed to fraudulent activity. In Denmark, the government ultimately closed over a thousand of its roughly twelve hundred registry accounts during the investigation. The French carbon exchange BlueNext, where an estimated 90% of trades during the fraud period were illegitimate, eventually settled with the government and shut down entirely.

What made those early schemes possible was the same structural gap that enables today’s voluntary market fraud: carbon allowances and credits are high-value, easily transferable, and historically subject to minimal identity checks. National registries at the time conducted their own vetting of account holders, but the requirements fell far short of the Know Your Customer standards common in other financial markets. Criminals recognised that the front door was not only unlocked but effectively propped open.

This matters for how investigators and compliance teams should think about the threat. Traditional fraud detection often focuses on identifying activity that has migrated to underground channels, monitoring dark web marketplaces, tracking encrypted messaging groups, and flagging suspicious off-platform transactions. In carbon markets, the fraud is embedded within the legitimate transaction chain. The manipulated data sits inside official registry submissions. The fabricated credits carry the same serial numbers and certification stamps as genuine ones. Detection requires looking not at where the trading happens but at the integrity of the data underpinning each credit, and that is a completely different investigative challenge.

Digital Identity Wallets: A New Trust Infrastructure, A New Target

While carbon fraud exploits the gap between claimed and actual emissions, a parallel vulnerability is emerging in the infrastructure designed to prove who people are. 

Across Europe, governments are building digital identity wallets, which entered into force in May 2024. Every EU member state must offer a national digital identity wallet to its citizens by late 2026. By 2027, regulated industries including banking, insurance, telecommunications, and healthcare will be required to accept these wallets for identity verification. The wallets will store verified credentials including national ID documents, driving licences, diplomas, and health records. People will prove their identity and share specific attributes electronically across any EU member state. 

The Attack Surface

The potential benefits are real: faster onboarding, reduced document fraud, and greater user control over personal data. But for anyone who has spent time studying fraud, the architecture raises pointed questions.

Device Compromise and Credential Sharing

If a device is compromised through malware or social engineering, and security relies primarily on a PIN or fingerprint, an attacker could potentially share credentials from the wallet without the owner’s knowledge. The regulation defines three levels of assurance, from low to high, but many everyday transactions may operate at the substantial level, where biometric verification of the wallet holder is not always required at the point of sharing. 

Synthetic Identity Amplification

Then there is the question of what happens when these wallets become targets for synthetic identity fraud. Criminals already combine real and fabricated information to build false identities that pass conventional checks. A government-backed wallet that aggregates multiple verified credentials in one place could, if compromised, provide a far more convincing foundation for synthetic identities than anything currently available. The credentials would carry the authority of state-issued attestations, making them harder to challenge and easier to weaponize.

Deepfake and Biometric Attacks

As biometric verification becomes standard for wallet onboarding, the tools to defeat those checks are improving in parallel. Presentation attacks, screen recapture techniques, and AI-generated facial imagery all pose threats that wallet providers will need to counter continuously, not just at launch but as the technology evolves. Unlike carbon markets, digital identity wallet fraud is likely to develop a significant underground infrastructure. The criminal ecosystem is already in place and waiting. There are an estimated 50,000 plus cybercrime-focused groups and channels currently operating on Telegram alone, trading stolen credentials, phishing kits, identity bundles, and account access at enormous scale. Carding channels sell complete identity packages, or “fullz”, organized by country, bank, and card type. 

As wallets roll out across EU member states, it is reasonable to expect that compromised wallet credentials, cloned attestations, and social engineering kits specifically targeting wallet users will surface on these existing channels. The tooling, the buyer networks, and the distribution infrastructure already exist. What is missing, for now, is the target. That changes in late 2026.

This creates an interesting contrast with carbon fraud. Where carbon credits are stolen through the front door of legitimate registries, digital identity wallet exploitation will almost certainly involve a significant underground component, with compromised credentials and attack kits traded through the same encrypted channels that currently service the broader cybercrime economy. Investigators and researchers will need to monitor both ecosystems simultaneously, applying fundamentally different detection methodologies to each.

The global implications extend well beyond Europe. Countries across Asia, Africa, and Latin America are watching the EU rollout closely and developing their own digital identity frameworks. India’s Aadhaar system, while structurally different, has already demonstrated both the power and the vulnerability of centralized digital identity at scale. Whatever fraud patterns emerge around the EU wallets will almost certainly be replicated and adapted elsewhere.

Where Two Worlds Collide

Carbon fraud and digital identity exploitation may appear to be separate problems, but they share structural similarities. Both involve intangible assets or credentials where the gap between digital representation and physical reality creates space for manipulation. Both are scaling rapidly under regulatory pressure, with timelines that prioritize deployment over security maturity. And both operate across borders in ways that complicate enforcement.

Yet they also differ in ways that matter for detection. Carbon fraud thrives inside legitimate systems, exploiting weak verification to pass fabricated data through official channels. Digital identity wallet fraud, when it arrives at scale, will likely involve a hybrid model: social engineering and device compromise at the point of attack, followed by monetization through underground channels that already handle billions in stolen credentials annually. Anyone who focuses on only one pattern will miss the other.

There is also a direct connection on the horizon. As ESG reporting requirements tighten and digital identity infrastructure matures, it is plausible that carbon credit transactions will eventually require verified digital identities for buyers, sellers, and project developers. If the identity layer is compromised, it undermines the integrity of the carbon market layer built on top of it. A threat actor operating with a synthetic identity verified through a compromised wallet could register carbon projects, submit fabricated data, and extract credits, all while appearing to be a legitimate, government-verified actor.

What Compliance Teams Can Do Now

For compliance teams, these converging trends demand attention now, not after the first large-scale incidents make headlines. The carbon market enforcement actions of 2024 were a warning shot. The digital identity wallets launching across Europe in 2026 and 2027 represent a transformation in how trust is established online. Both systems are being built and scaled under political and regulatory pressure, with security maturity trailing behind deployment timelines. The organizations best positioned to respond will be those that monitor both the legitimate transaction chains where carbon fraud operates in plain sight and the underground channels where identity wallet exploitation will inevitably take root. These two fraud categories are not developing in isolation; they are on a collision course, but defenders can stay ahead with greater visibility into threat actor activities.