Pay to win? The reality of the ATO game in 2026
Account takeover (ATO) attacks are surging, and their scalability is a byproduct of replicability. Moderately successful fraudsters take over accounts through days or months of intensive actions — the fraud rings who truly lead the way in ATO fraud can procedurally cement control over dozens of accounts and efficiently monetize attacks.
Today, there’s a full industry dedicated to making the latter easier to accomplish. Pre‑made credential stuffing scripts, step‑by‑step playbooks and automated attack tools are readily available for purchase on the dark web. Some fraud rings even package years of knowledge and innovation into easy‑to‑use kits. The outcome: What once required technical expertise, custom tooling and hours of trial‑and‑error can now be executed by almost anyone willing to spend a little money. Even experienced, tech-savvy attackers are often forced to buy their way into new tech to remain competitive in the ATO landscape.
Here, I’ll break down just how “off‑the‑shelf” ATO has become. Each phase of an ATO attack, from gathering data to verifying credentials to bypassing MFA, can now be easily purchased. The question is no longer about if attackers can gain access to tools needed for attacks — rather, it’s how great their return on investment is, and what businesses can do to minimize it.
Phase 1: Acquiring compromised account information or PII
Every ATO begins with one essential ingredient: data. Fraudsters need a starting point — whether that’s breached credentials, scraped personal information or full account packs purchased from dark web marketplaces. This first phase is all about assembling the raw materials for an attack.
Pay to win? Necessary — to an extent. Fraudsters can certainly use a more intensive method, like a cloned app phishing scheme, to steal credentials from consumers. But the most straightforward way to acquire data for an attack is to buy it from other fraudsters who’ve already done the heavy lifting.
Attackers can buy verified accounts, or get more resourceful by buying cheaper PII (names, emails, phone numbers, etc. — not actual account details) and testing to see if they hold accounts at businesses. Neither approach is cost-prohibitive: the supply of compromised data on the dark web is so great that costs for both compromised PII and verified accounts are extremely low.
The price: <$15 for a name and email; ~$20 for account details
Phase 2: Verifying credentials + initial account access
Once data is acquired, fraudsters put it to use. If credentials need to be verified further, that happens at this stage. But, even if the credentials were verified prior to purchase, the initial login serves a major purpose: it builds history between the fraudster’s device and the account, laying the foundation for the remainder of the attack.
Pay to win? Credentials can be manually verified, but doing so at scale requires additional tools. For fraudsters looking to verify loads of credentials quickly, a pre-configured credential stuffing script is attainable for a low, fixed cost — it can be reused, and the cost doesn’t change depending on the number of credentials the fraudster is testing. Alternatively, a more hands-on fraudster may opt for a monthly FraudGPT subscription, which puts AI-generated scripts at their fingertips and allows them to tailor scripts to multiple targets.
The price: $50 for a pre-configured credential stuffing script, or $90/month for FraudGPT.
Phase 3: Cementing control over accounts
Once attackers have successfully slipped inside an account, their next priority is making sure they can stay there and take the actions needed to monetize it. This phase is all about entrenchment: fraudsters work to solidify control by binding new authentication methods, manipulating step‑ups or altering profile information.
A deciding factor in this stage is fraudsters’ ability to bypass multi-factor authentication (MFA): if they can, there’s virtually nothing left to stop them from changing profile information or executing transactions; if they can’t, they’ll be stopped before causing severe damage.
Pay to win? It’s a must. Common MFA tools are trusted because they’re hard to crack manually. But, with the help of accessible bypass tools, fraudsters are able to get around them. At scale, costs rack up: Most MFA bypass tools are charged on a per-attempt basis. But, if the tool works, it removes one of the final barriers of security stopping attackers from monetizing attacks.
The price: $15 per MFA bypass attempt
Phase 4: Monetizing successful ATOs
Attackers have already validated credentials, bypassed defenses and secured control. Now comes the payday. Monetization can take many forms, though the most common one we see is the use of new, stolen payment methods on compromised accounts. Fraudsters essentially use stolen accounts as an avenue to steal funds, executing fraudulent transactions with the stolen cards to send money to themselves or their associates.
Pay to win? There are multiple ways fraudsters can go about securing stolen payment methods, but a batch purchase from the dark web is typically the most straightforward way to acquire enough for a large-scale attack. Verified payment cards are relatively inexpensive, making the last barrier to monetizing an attack one of the easiest to clear.
The price: $15 for verified credit card details with CVV
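For defenders, Phases 2 through 4 leave a recognizable order of events on one account: a recently seen device logs in, changes authentication or profile settings, then adds a payment method. The sketch below is an added example, not code from this article or any product; it flags that chain and measures device trust by age, so one earlier history-building login does not make a device "known". The event names, sample log and thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, account, device_id, event)
EVENTS = [
    ("2026-01-02T09:00", "alice", "dev-A", "login"),
    ("2026-03-01T10:00", "alice", "dev-A", "profile_change"),  # long-trusted device
    ("2026-03-01T10:05", "alice", "dev-A", "payment_method_added"),
    ("2026-01-05T08:00", "bob", "dev-B", "login"),
    ("2026-03-02T23:10", "bob", "dev-X", "login"),             # first sight of dev-X
    ("2026-03-04T23:15", "bob", "dev-X", "login"),             # device now has history
    ("2026-03-04T23:17", "bob", "dev-X", "mfa_method_added"),
    ("2026-03-04T23:20", "bob", "dev-X", "payment_method_added"),
    ("2026-03-04T23:21", "bob", "dev-X", "transaction"),
    ("2026-02-01T12:00", "carol", "dev-C", "login"),
    ("2026-03-03T12:00", "carol", "dev-Y", "login"),           # new phone, benign
    ("2026-03-03T12:02", "carol", "dev-Y", "profile_change"),
]

ENTRENCH = {"mfa_method_added", "profile_change"}  # Phase 3 actions
MONETIZE = {"payment_method_added"}                # Phase 4 precursor


def flag_takeover_chains(events, min_device_age=timedelta(days=14),
                         window=timedelta(hours=1)):
    """Return sorted accounts where a young device performs a Phase 3 action
    and then adds a payment method within `window`."""
    first_seen = {}   # (account, device) -> first timestamp observed
    entrenched = {}   # (account, device) -> time of latest Phase 3 action
    flagged = set()
    parsed = sorted((datetime.fromisoformat(t), a, d, e) for t, a, d, e in events)
    for ts, account, device, event in parsed:
        key = (account, device)
        first_seen.setdefault(key, ts)
        # Devices older than the threshold are treated as trusted and skipped.
        if ts - first_seen[key] >= min_device_age:
            continue
        if event in ENTRENCH:
            entrenched[key] = ts
        elif event in MONETIZE and key in entrenched \
                and ts - entrenched[key] <= window:
            flagged.add(account)
    return sorted(flagged)
```

With a one-day trust threshold the same log produces no alert, because the device's first login two days earlier already counts as history; the threshold has to outlast the gap attackers are willing to wait.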
The impact of a complete attack
In total, that’s about $100 to get an ATO attack off and running. Not cheap, but a worthwhile investment: ATO losses average $6,232 per incident and are only rising as attacks grow more powerful and sophisticated.
That ROI is the envy of mainstream businesses of all kinds. It’s enough for fraudsters to keep coming back for more, reinvesting in ATO tools as their efforts scale. That means coordinated, high-powered attacks aren’t going anywhere — stopping them requires an understanding of how fraudsters’ dark web tools work, the ways in which they’re deployed in a coordinated attack and the adoption of sophisticated defenses to stop advanced ATO attacks.
