Investigating Stolen and Forged Treasury Checks

David Maimon

Published

February 26, 2025

The marketplaces I tend to visit are not the quaint kind located in town squares. They're buried in illicit Telegram channels, where the goods and services being peddled are the tools of the fraud trade: identities, forged documents, fraudulent checks, and stolen bank accounts.

At SentiLink, part of my job as Head of Fraud Insights is to observe these underground networks and expose the hidden ecosystem of fraudsters. Since May 2024, we've been monitoring a network of Telegram channels that act as virtual bazaars for fraud-related transactions. Screenshots of stolen bank accounts, complete with balances and login credentials, are openly advertised for sale like items on a shopping site.

In October 2024, we uncovered something even more alarming: hundreds of millions of dollars in stolen U.S. Department of Treasury checks being bought, sold and circulated in these dark web spaces. This began to shed light on the staggering scale of organized check fraud.

In this blog, I will share our findings on the volume and types of stolen and forged Department of Treasury checks that we documented between May 2024 and January 2025. But first, a brief background on Treasury check theft and how it fuels this part of the fraud economy.

Why fraudsters target Treasury checks

Check fraud has become a pressing issue over the past four years, and I first reported on this trend in January 2022. Specifically, since early 2021, check thieves have increasingly targeted USPS collection boxes and residential mailboxes, searching for envelopes containing personal, business, and government checks. Once obtained, criminals either "wash" the checks (removing and altering details), "cook" them (creating replicas), sell them over online fraud markets, or use the stolen information to drain funds from the legitimate account holders while also compromising the identities of the payee and payor.

Stolen checks offered for sale via Telegram channels.

Within the ecosystem of check fraud, Department of Treasury checks are particularly attractive to criminals for several reasons. First, they have a high perceived legitimacy, as they are widely recognized and trusted by banks, businesses, and financial institutions, making them easier to cash or deposit without raising immediate suspicion. Additionally, these checks often involve large payouts, such as tax refunds, Social Security payments, stimulus checks, and other government benefits, making them highly lucrative targets for fraud. Treasury checks also follow predictable formats, with standardized designs and issuance patterns, which criminals can more easily replicate using sophisticated forgery techniques. 

Another key factor is their shorter clearing time compared to personal or business checks. Due to their government-backed guarantee and lower fraud risk, Treasury checks must have the first $5,525 available by the next business day, with any remaining amount held for up to nine business days. In contrast, personal checks typically take two to five business days to clear, with longer holds for large deposits, new accounts, or overdraft risks, while business checks usually clear within one to five business days, though larger amounts may be held for up to seven business days. These factors combined make Treasury checks an ideal target for thieves, forgers, identity thieves, and organized fraud rings seeking to exploit financial institutions and government disbursement systems.

More stolen U.S. Treasury checks for sale in Telegram channels we monitor.

Official reports from financial organizations to the FTC indicate that the volume of forged and stolen Treasury checks is substantial (see the chart below). However, FinCEN reports only account for officially reported incidents; the true scale of Treasury check fraud could be significantly higher. To gain a more comprehensive understanding of this issue, it is essential to examine online fraud markets, where these checks are frequently bought and sold by criminals.

Treasury checks for sale on the dark web: what we found

To capture the magnitude of stolen and forged Treasury checks in the online fraud ecosystem, we monitored 53 Telegram channels from May 2024 through early February 2025. To date, we have cataloged 5,443 Treasury checks shared across these channels, totaling more than $140 million in value. The earliest of these checks is dated 05/06/24; the latest ones date from early February 2025. (To be clear, this is just a sample of what exists in the online fraud ecosystem. The true size and scale of the online ecosystem of Treasury checks is much larger.)

A majority of the checks – more than 70% – were paid to an individual. The total balance on these checks is over $80 million, with an average balance of $18,021 per check and a median balance of $5,761. The remainder of the checks were paid to businesses. The total balance of these checks is around $60 million with an average balance of $48,780 and a median of $12,394. 

In addition to these findings, we discovered ATM deposit slips and screenshots of stolen and forged Treasury checks. After sharing these images with our partners, we confirmed that many of these checks had been deposited into real individuals' bank accounts after the payee's name was altered. In other cases, fraudsters created drop accounts using the payees' names and deposited the fraudulent checks into those accounts to further conceal their activities.

Screenshot shared on Telegram by a stolen-check seller as evidence of a stolen and successfully deposited U.S. Treasury check.

What can financial institutions do?

To make it more difficult for criminals to forge Treasury checks, the Department of the Treasury developed the Treasury Check Verification Service (TCVS). This tool allows check recipients and financial institutions to verify check details. However, a major limitation of the TCVS portal is that it does not allow verification of payee name, making it easy for fraudsters to change the name on a check and avoid detection. Criminals are well aware of this tool and use it to ensure that the details on their counterfeit checks match legitimate Treasury-issued checks, increasing the credibility of their forgeries.

Evidence that fraudsters use TCVS — image shared by a stolen-check seller on Telegram.

In November of 2024, the Treasury Department updated its API to include payee name, but its online portal has not been updated to include this functionality.

To support our partners during the transition period, SentiLink obtained an API key from Treasury and created a free tool that financial institutions can use to verify this key detail when fighting fraud. Read more about that here.
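The payee-name gap described above can be shown with a small verification routine. This is an added example, not SentiLink's tool or the TCVS API: the record layout, field names, status strings and sample checks are constructed assumptions. It verifies the same altered check with and without a payee comparison.

```python
import re
import unicodedata
from decimal import Decimal

# Constructed issuance records standing in for the issuer's data. The key
# (routing, check number) and the field names are assumptions for this sketch.
ISSUED = {
    ("000000000", "400000000001"): {"amount": Decimal("5761.00"),
                                    "payee": "DOE, JANE Q"},
}
SUFFIXES = {"JR", "SR", "II", "III", "IV"}

def name_tokens(name):
    """Upper-case, strip accents and punctuation, drop initials and suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(t for t in re.findall(r"[A-Z]+", text.upper())
                     if len(t) > 1 and t not in SUFFIXES)

def payee_matches(presented, issued):
    """Order-insensitive match: 'Jane Q. Doe' equals 'DOE, JANE Q'."""
    smaller, larger = sorted((name_tokens(presented), name_tokens(issued)), key=len)
    # Require at least two shared name parts unless the issued name has only one.
    return (bool(smaller) and smaller <= larger
            and len(smaller) >= min(2, len(larger)))

def verify(check, require_payee):
    """Return a status string for a presented check (hypothetical statuses)."""
    record = ISSUED.get((check["routing"], check["number"]))
    if record is None:
        return "NO_RECORD"
    if Decimal(check["amount"]) != record["amount"]:
        return "AMOUNT_MISMATCH"
    if require_payee and not payee_matches(check["payee"], record["payee"]):
        return "PAYEE_MISMATCH"
    return "MATCH"

# Constructed sample deposits: the second keeps every issued detail but the payee.
GENUINE = {"routing": "000000000", "number": "400000000001",
           "amount": "5761.00", "payee": "Jane Q. Doe"}
ALTERED = dict(GENUINE, payee="John Smith")

if __name__ == "__main__":
    for label, check in (("genuine", GENUINE), ("altered payee", ALTERED)):
        print(label, "| without payee check:", verify(check, False),
              "| with payee check:", verify(check, True))
```

Without the payee comparison the altered check is indistinguishable from the genuine one, which is why the payee field matters at deposit time.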

A screenshot of SentiLink's Treasury Check Verification Service tool:
