Fraud group targets vulnerable Americans by stealing accounts linked to EBT, pharmacy, and reward points
Kasada, the pioneers transcending bot management by countering the human minds behind automated threats, today released its Q1 2025 Quarterly Threat Report, calling out a fraud syndicate known as ALTSRUS that has been actively stealing and selling accounts connected to Electronic Benefit Transfer (EBT), pharmacy prescriptions, and consumer rewards programs. The group’s operations have scaled significantly while profiting from those already facing financial hardship.
Kasada’s threat intelligence team refers to ALTSRUS as the “Reverse Robin Hood” because of its focus on taking from those who are financially disadvantaged to fuel its own criminal enterprise.
In the first quarter of 2025 alone, ALTSRUS sold more than 220,000 stolen accounts, marking a 2,852% year-over-year increase in activity. The group expanded its fraud campaigns to span 13 industries, illustrating the growing scale and adaptability of modern organized fraud.
“While the security world often focuses on protecting high-value assets, groups like ALTSRUS remind us that no target is off-limits,” said Sam Crowther, CEO and founder of Kasada. “They’re even willing to compromise access to food and critical medications to turn a profit.”
Key Insights from Kasada’s Q1 2025 Quarterly Threat Report
- Account takeover (ATO) remained the most prevalent and impactful type of automated threat throughout Q1.
- Criminal marketplaces hit a peak of nearly 2.5 million stolen accounts for sale, far outpacing other types of listings.
- Webmail services, retail, and social networks accounted for 67% of observed stolen account sales.
- The Quick Service Restaurant (QSR) industry saw a 96% spike in compromised account sales.
- CAPTCHA solver services are being weaponized to passively facilitate criminal activities.
“The tools used to conduct account takeover attacks are now more advanced and widely accessible,” said Nick Rieniets, Field CTO at Kasada. “Our investigations into underground credential stuffing groups reveal the inner workings of this cybercrime ecosystem, exposing gaps in traditional defenses. Organizations need proactive threat intelligence, along with modern anti-automation detection, to strengthen authentication practices beyond just MFA.”
About the Report
Kasada’s Q1 2025 Quarterly Threat Report is based on investigations and analysis conducted by the company’s in-house research team through KasadaIQ for Fraud. The report provides an inside look at the tactics used by ALTSRUS, the latest account takeover attack trends, and the evolving criminal marketplace ecosystem.
Read the full report here.
About Kasada
Kasada has developed a radical approach to defeating automated cyber threats based on its unmatched understanding of the human minds behind them. The Kasada platform overcomes the shortcomings of traditional bot management to provide immediate and enduring protection for web, mobile, and API channels. Its invisible, dynamic defenses provide a seamless user experience and eliminate the need for ineffective, annoying CAPTCHAs. Our team handles the bots so clients have freedom to focus on growing their businesses, not defending it. Kasada is based in New York and Sydney, with hubs in Melbourne, Boston, San Francisco, and London. For more information, please visit https://www.kasada.io and follow on X, LinkedIn, and Facebook.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250505468601/en/
“While the security world often focuses on protecting high-value assets, groups like ALTSRUS remind us that no target is off-limits,” said Sam Crowther, CEO and founder of Kasada.