Identity Fraud in Southeast Asia: The Maldives Surge and What It Signals for APAC

The Maldives: A 2,100% Deepfake Surge

The Maldives' extraordinary deepfake surge demands context. The country has a small population (approximately 521,000) and a rapidly digitizing financial services sector. This combination — small user base, new digital infrastructure, limited fraud detection maturity — creates an environment where sophisticated attacks can overwhelm defenses quickly.

The surge was driven primarily by deepfake-assisted account creation on financial platforms. Fraudsters targeted newly launched digital banking and payment services that had implemented basic liveness detection but lacked forensic deepfake analysis. The attacks exploited a common pattern across emerging digital markets: platforms rush to launch, implement minimum viable verification, and discover too late that minimum viable is not viable at all.

The Maldives case is a leading indicator for other small APAC markets undergoing rapid digitization — Bhutan, Myanmar, Cambodia, and Laos all face similar vulnerability profiles as their financial services sectors go digital.

India: The Most Targeted Document Market

India presents the most complex identity verification landscape in APAC — and arguably in the world. The country's 1.4 billion people are connected to the world's largest biometric identity system (Aadhaar), but the sheer scale of the population and the diversity of identity documents create verification challenges that no other market matches.

The Aadhaar Ecosystem

Aadhaar is a 12-digit unique identity number issued to every Indian resident, linked to biometric data (fingerprints and iris scans) and demographic information. Over 1.4 billion people are enrolled. The system enables eKYC — electronic Know Your Customer — where identity can be verified against the Aadhaar database through biometric authentication or OTP-based verification.

Aadhaar eKYC has transformed financial inclusion in India, enabling hundreds of millions of people to open bank accounts and access financial services for the first time. But it has also created a high-value target for fraudsters. Aadhaar-linked fraud includes biometric spoofing (using silicone fingerprints or manipulated iris images), OTP interception through SIM-swapping, and exploitation of Aadhaar data obtained through breaches.

The Document Fraud Problem

India's Tax ID (PAN card) is the single most targeted identity document globally, accounting for 27% of all document fraud attempts detected in 2024. The PAN card's relatively simple design — compared to the security features on modern passports — makes it easier to fabricate. Combined with the widespread availability of PAN numbers through data breaches, fraudsters can produce convincing PAN card forgeries at scale.

The challenge for verification providers is that legitimate PAN cards also vary in quality. Older cards have different designs from newer versions. Print quality varies by issuing office. And the lamination that protects the card degrades over time, making legitimate cards look suspicious to rigid template-matching systems.

Effective verification in India requires a model trained specifically on Indian document types across their full range of legitimate variation — not a generic global model that treats Indian documents as edge cases.

Pakistan and Bangladesh: NIC Fraud

Pakistan's National Identity Card (NIC), issued by NADRA, accounts for 18% of global document fraud attempts. Bangladesh's NIC accounts for 15%. Together with India's PAN card, these three South Asian document types represent 60% of all document fraud globally.

The pattern is consistent: high population density, widespread digital adoption, large diaspora communities requiring remote verification, and identity documents with moderate security features. Fraudsters target these documents because the return on investment is high — a convincing forgery can be used across multiple platforms and jurisdictions where these diaspora communities are economically active.

For platforms serving South Asian diaspora markets — remittance services, international money transfers, overseas employment platforms — the document fraud risk is acute. Verification infrastructure must be specifically calibrated for these document types, with models trained on the full range of legitimate variations and forgery techniques observed in the region.

The Philippines: Age Verification and POGO Crackdown

The Philippines presents a dual challenge. On one side, the country is implementing new biometric age verification requirements as part of broader child protection legislation. On the other, the Philippine Amusement and Gaming Corporation (PAGCOR) is conducting an aggressive crackdown on Philippine Offshore Gaming Operators (POGOs) — many of which were used as fronts for fraud operations, money laundering, and human trafficking.

The POGO crackdown has exposed significant KYC failures across the offshore gaming sector. Operators that maintained minimal verification to facilitate high-volume account creation are now facing license revocations and criminal investigations. The regulatory message is clear: any platform operating in the Philippines must implement robust identity verification or face exclusion from the market.

PAGCOR's new licensing framework introduces stricter KYC requirements for both online and land-based gambling operations, including biometric verification at registration, ongoing monitoring, and AML screening. These requirements align the Philippines with regional standards set by Singapore's MAS and Japan's FSA.

Singapore: The Gold Standard

Singapore stands apart in APAC as the most mature digital identity market. The Monetary Authority of Singapore (MAS) maintains rigorous KYC requirements for all financial institutions. Singapore's national digital identity system (Singpass) provides high-assurance identity verification that can be integrated into private sector verification flows.

Singapore's approach is instructive for the rest of the region. The country has invested heavily in digital identity infrastructure, established clear regulatory expectations, and built enforcement capacity that makes non-compliance costly. The result is a market where fraud rates are significantly lower than regional averages — not because fraudsters are not trying, but because the verification infrastructure makes attacks economically unviable.

For platforms using Singapore as a regional hub, the challenge is extending Singapore-grade verification to other APAC markets where the identity infrastructure is less mature. The gap between Singapore and the Maldives is not just a matter of technology — it is a gap in infrastructure, regulation, and enforcement capacity that verification providers must bridge.

INTERPOL's Project SynthWave

INTERPOL's Project SynthWave represents the first coordinated international law enforcement response to deepfake-enabled fraud in APAC. The program trains law enforcement officers across Southeast Asia to recognize and respond to deepfake evidence — addressing a critical capability gap where investigators may not recognize that video or audio evidence has been synthetically manipulated.

Project SynthWave focuses on three areas: training investigators to identify deepfake indicators in digital evidence, building forensic analysis capabilities within national police forces, and establishing information-sharing protocols for cross-border deepfake fraud investigations.

The program acknowledges a fundamental reality: law enforcement capacity to investigate deepfake-enabled fraud is lagging far behind the criminals' capacity to deploy it. Closing this gap requires not just technology but institutional investment in skills, tools, and coordination.

What APAC Businesses Must Prepare For

Three trends will define identity fraud in APAC through 2026 and beyond.

First, document fraud will intensify in South Asian markets. The combination of high-population countries, moderate-security documents, and large diaspora communities creates an attack surface that fraudsters are actively exploiting. Platforms serving these markets need verification models trained specifically on South Asian document types.

Second, deepfake attacks will spread from early-adopter markets (Maldives, India) to digitizing markets (Myanmar, Cambodia, Laos, Bhutan) as those countries launch digital financial services. Platforms entering these markets should build deepfake detection into their verification flows from day one — not as a retrofit.

Third, regulatory enforcement will accelerate across the region. The Philippines' POGO crackdown, Japan's crypto reclassification, and Singapore's MAS enforcement all signal a regional trajectory toward stricter compliance with real penalties. Platforms that build verification infrastructure proactively will have a competitive advantage over those that wait for enforcement to force compliance.