In 2024, the FBI's Internet Crime Complaint Center (IC3) received 859,532 complaints, an average of 2,355 per day. The reported losses totalled $16.6 billion, a 33% increase from 2023's $12.5 billion, and a new record. The FBI estimates that between 15 and 20% of victims actually file reports. The true loss figure, extrapolating from that range, sits somewhere between $80 billion and $110 billion. These are the contours of an industry, not a crime wave.
The crimes themselves are not new. Business email compromise, investment fraud, romance scams, and identity theft have existed in recognisable form for decades. What changed between 2022 and 2024 was the cost structure on the attacker's side. The most expensive inputs to fraud at scale have historically been human: skilled writers able to produce convincing English across multiple registers, operators capable of maintaining dozens of simultaneous relationships, researchers who could build plausible financial platforms from scratch. Generative AI reduced the marginal cost of all three to near zero.
Business email compromise accounted for $2.77 billion in losses across 21,442 incidents in 2024 — a category defined by fraudulent requests for wire transfers or credential capture sent in the credible voice of a known person or institution. Since 2015, cumulative BEC losses reported to the FBI's IC3 exceed $17.1 billion. The drafting of a convincing BEC email once required a competent writer, preferably a native speaker, with knowledge of the target organisation's internal vocabulary and relationship structures. A jailbroken large language model with no content restrictions produces a first draft in seconds and iterates on feedback.
The tool that formalised this capability for criminal markets was WormGPT — a model based on GPT-J, stripped of safety restrictions and marketed specifically on cybercriminal forums for business email compromise drafting. It launched in mid-2023. FraudGPT, tied to the same threat actor group, followed — marketed with the explicit claim that it could produce phishing emails at a high level of persuasiveness. Both were available as subscription services on dark web forums. By 2024, criminal usage of dark AI tools had surged by 219%, as jailbroken chatbots and purpose-built variants proliferated across the underground market.
The Investment Fraud Category
The costliest category in the 2024 FBI data was not BEC. It was investment fraud — specifically, the scheme known as pig butchering, or sha zhu pan in its original Chinese-language form. Pig butchering accounted for $6.57 billion in losses in 2024, nearly doubling from $3.3 billion in 2022. The average loss per victim was $238,000.
The mechanics are straightforward. An operator — or, increasingly, an AI-assisted operator managing hundreds of simultaneous contacts — establishes a romantic or personal relationship with a target over weeks or months. The target is gradually introduced to a cryptocurrency investment platform controlled by the operator. Small initial investments show spectacular returns. The target increases their exposure, often borrowing against assets. When they attempt to withdraw, the platform introduces fees, holds, or regulatory delays until the target has transferred the maximum extractable sum. The platform then disappears.
The bottleneck in pig butchering has always been the relationship maintenance phase — the sustained, emotionally convincing correspondence that builds the trust sufficient to override a target's financial judgement. A human operator can maintain perhaps a dozen simultaneous relationships at high quality. An AI-assisted operator can maintain hundreds, with the model generating personalised responses calibrated to each target's communication style and investment appetite. The FBI investigated over 12,000 fake cryptocurrency platform cases in 2024, with average losses of $127,000 per victim across that subset.
The demographic distribution of losses is significant. Americans over 60 filed 147,127 complaints in 2024 — a 46% increase from 2023 — and reported $4.885 billion in losses, with over 7,500 individuals losing more than $100,000 each. The concentration reflects targeting strategy: older adults with accumulated savings, lower familiarity with digital fraud vectors, and greater susceptibility to the sustained emotional engagement that pig butchering requires. AI-assisted operators do not have to spend more time on this demographic. They simply do not have to spend less.
The fraud did not become more sophisticated. It became more patient — patient at a scale no human operation could previously sustain.
Synthetic Identity and the KYC Problem
Cryptocurrency-related fraud accounted for $9.32 billion in IC3-reported losses in 2024 — a 66% increase from 2023. A significant portion of that figure is attributable not to investment scams alone, but to synthetic identity fraud enabled by AI-generated documents and deepfake video used to bypass know-your-customer verification at financial institutions and cryptocurrency platforms.
Javelin Strategy & Research found that new-account fraud losses in the US reached $6.2 billion in 2024, up from $5.3 billion in 2023, and that 73% of financial institutions reported a rise in synthetic identity attempts. A synthetic identity — constructed from a combination of real and fabricated personal data, or generated entirely from AI — that passes initial KYC enters the financial system as a clean account. Every transaction that follows is the attacker's operational activity inside a legitimised structure. The fraud is not discovered at the point of account opening; it is discovered, if at all, when the account is used at a scale that triggers behavioural monitoring, by which point the proceeds have often already moved.
ElevenLabs, the voice synthesis platform, has been identified in several high-profile incidents: the January 2024 Biden robocall deepfake, confirmed at 84% voice match by Pindrop; a Russian influence operation tracked by Recorded Future in December 2024; and the documented $893 million in AI voice scam losses that prompted a US Senate inquiry to voice-cloning companies in April 2026. ElevenLabs has its own terms of service and abuse controls; their adequacy is the subject of ongoing regulatory and legislative scrutiny. The broader point is that the voice synthesis capability itself is now widely distributed across multiple competing platforms, with or without any single provider's cooperation.
The FBI's Response Margin
The FBI's Recovery Asset Team intervened in 3,020 BEC complaints in 2024, attempting to freeze $848.4 million in fraudulent transfers. The success rate on freezing attempts was 66% — a meaningful operational outcome. Against $2.77 billion in total BEC losses, it represents recovery of approximately 20%. The intervention rate reflects both the speed required — financial institutions must act within hours of a fraudulent transfer for a freeze to succeed — and the organisational capacity constraints of a team working against 21,000-plus annual incidents.
The gap between what can be recovered and what is lost reflects a structural asymmetry. The attacker needs one successful transfer per operation. The defender needs to intercept every fraudulent transfer across an institution with thousands of daily legitimate transactions. AI assists the attacker by reducing the cost of crafting the transfer request. It does not yet assist the defender at the same rate; transaction monitoring systems trained on historical fraud patterns are slower to adapt to AI-generated BEC variants than the tools that produce them.
Field note — The practical response to AI-assisted fraud operates at the procedural layer, not the detection layer. For business email compromise: out-of-band verification for any wire transfer request above a defined threshold, regardless of how convincing the request appears. For investment platforms: internal policies requiring independent verification of any cryptocurrency investment opportunity introduced through a personal relationship, regardless of how long that relationship has been maintained. For financial institutions managing KYC: liveness detection that tests for AI-generated media specifically, not just document authenticity. For executives with significant public audio and video presence: awareness that voice and likeness are now attack surface, and that the most effective control is a pre-established verification protocol, not a detection tool deployed after the call has already occurred.
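The wire-transfer control from the field note, written as a payment release gate. This is an added example, not part of the original article or any cited source. The threshold value, field names, payee ID and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

THRESHOLD = 10_000  # assumed value; the article only says "a defined threshold"
# Constructed payee master data, recorded before any request arrived.
NUMBERS_ON_FILE = {"V-100": "+1-555-0100"}

@dataclass
class Callback:
    number_dialed: str
    confirmed: bool
    at: datetime

@dataclass
class WireRequest:
    payee_id: str
    amount: float
    received: datetime
    number_in_request: str            # contact details supplied by the sender
    callback: Optional[Callback] = None

def release_decision(req, on_file=NUMBERS_ON_FILE, threshold=THRESHOLD):
    """Return (release, reason). Nothing about the message's tone, sender
    reputation or urgency is an input, so none of it can bypass the gate."""
    if req.amount < threshold:
        return True, "below threshold"
    cb, known = req.callback, on_file.get(req.payee_id)
    if cb is None:
        return False, "hold: no callback recorded"
    if known is None or cb.number_dialed != known:
        # Covers the case where staff dialled the number printed in the request.
        return False, "hold: callback did not use the number on file"
    if cb.at < req.received:
        return False, "hold: callback predates this request"
    if not cb.confirmed:
        return False, "hold: payee did not confirm"
    return True, "release: confirmed out of band"

def demo():
    t0 = datetime(2024, 6, 3, 9, 0)
    t1 = datetime(2024, 6, 3, 9, 40)
    spoofed = Callback("+1-555-0199", True, t1)   # number taken from the email
    proper = Callback("+1-555-0100", True, t1)    # number from the master record
    reqs = [WireRequest("V-100", 2_500, t0, "+1-555-0199"),
            WireRequest("V-100", 48_000, t0, "+1-555-0199"),
            WireRequest("V-100", 48_000, t0, "+1-555-0199", spoofed),
            WireRequest("V-100", 48_000, t0, "+1-555-0199", proper)]
    return [release_decision(r) for r in reqs]
```

The third constructed request is the one that matters: a callback was made and "confirmed", but to the number the sender supplied, so the gate still holds the payment.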
The $16.6 billion figure is a reported number from a country with sophisticated law enforcement and a functioning reporting infrastructure. It captures perhaps a fifth of actual losses in the US alone, and it captures nothing from jurisdictions where reporting mechanisms do not exist or are not used. The through-line is not an escalating crime wave that AI has suddenly created — it is a gradual capacity expansion that AI has accelerated. The crimes were always there. The constraint was always the cost of the human labour required to run them at scale. That constraint has been substantially removed. The response that matches the threat is not primarily technical. It is institutional: the same procedural discipline that prevented wire fraud before email existed, applied with the same consistency to every new channel through which the request now arrives.
Sources & further reading
- FBI IC3 — 2024 Annual Report (primary): https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
- CyberScoop — 10 Key Numbers from IC3 2024: https://cyberscoop.com/fbi-ic3-cybercrime-report-2024-key-statistics-trends/
- Proofpoint — Email Attacks Drive 2024 Losses: https://www.proofpoint.com/us/blog/email-and-cloud-threats/email-attacks-drive-record-cybercrime-losses-2024
- TRM Labs — FBI IC3 2024 Key Findings: https://www.trmlabs.com/resources/blog/a-record-breaking-year-for-cybercrime-key-findings-from-the-fbis-2024-ic3-report
- Wired — WormGPT/FraudGPT Analysis: https://www.wired.com/story/chatgpt-scams-fraudgpt-wormgpt-crime/
- SC Media — FraudGPT/WormGPT Same Group: https://www.scworld.com/news/new-ai-phishing-tool-fraudgpt-tied-to-same-group-behind-wormgpt
- CCN.com — Criminal AI Tools Usage Surged 219%: https://www.ccn.com/news/technology/criminals-use-of-dark-ai-tools-wormgpt-use-soars/
- DuckDuckGoose AI — Video KYC Deepfake Attack: https://www.duckduckgoose.ai/blog/video-kyc-under-attack-how-deepfakes-enter-remote-verification-flows
- Forbes — Senator Hassan ElevenLabs Inquiry: https://www.forbes.com/sites/larsdaniel/2026/04/19/senator-hassan-demands-answers-from-elevenlabs-after-fbi-reports-893-million-in-ai-voice-scams/
- Forbes/Group-IB — AI Bypasses Biometric Security: https://www.forbes.com/sites/daveywinder/2024/12/04/ai-bypasses-biometric-security-in-1385-million-financial-fraud-risk/