GM, Welcome Back to The Dead Drop.

The apartment had everything. Hardwood floors, natural light, walkable neighborhood, rent $400 below market rate. The listing looked professional. The agent's license checked out. The lockbox code worked.

She signed the lease, transferred the deposit, packed her life into boxes, and showed up with her keys on move-in day to find the real owner standing in the doorway asking who the hell she was.

The FTC released data this morning showing rental scams have stolen $65 million from nearly 65,000 victims since 2020. Half of those scams originated on Facebook.

That same morning, Reuters published internal Meta documents revealing the company earns $16 billion annually from scam advertising. Ten percent of Meta's total revenue comes from fraud.

This isn't coincidence. This is business model.

The FTC data is devastating in its clarity. In the 12 months ending June 2025, 50% of rental scam victims who reported their losses said the fraud started with a fake listing on Facebook. Another 16% came from Craigslist. Two platforms account for two-thirds of all reported rental fraud.

Young adults aged 18-29 are three times more likely than other age groups to lose money. The median loss: $1,000. But that's just the deposit. Many victims pay security deposits, first and last month's rent, application fees, and credit check charges before discovering they've been defrauded. Total losses often exceed $3,000 per victim.

The criminals aren't random. They're systematic. They join local housing groups where college students search for apartments near campus. They participate in discussions, build perceived legitimacy, then post fake listings perfectly calibrated to what desperate renters need.

But here's what the FTC data doesn't capture: Facebook knows. Facebook profits. Facebook refuses to stop it.

Reuters obtained internal Meta documents spanning 2021 through 2025 showing the company's leadership made explicit calculations about fraud revenue versus enforcement costs. The numbers should trigger congressional hearings.

Meta serves users 15 billion scam advertisements every single day. Not per year. Per day. Those ads generate approximately $7 billion in annual revenue from what Meta internally classifies as "higher risk" scam content showing clear signs of fraud.

The company's total scam ad revenue: $16 billion annually, representing 10% of Meta's overall advertising income. Internal documents from late 2024 show executives projected this exact figure, then made strategic decisions to preserve it.

Here's how the system works: Meta's automated systems flag suspicious advertisers and calculate fraud probability. If the probability exceeds 95%, the account gets banned. Below 95%? The advertiser keeps running ads. Meta just charges them higher rates.

This isn't a bug. This is policy. Internal documents call it "penalty bidding." Suspected fraudsters pay premium prices to win ad auctions, reducing their profit margins while preserving Meta's revenue stream. The company positions this as fraud deterrence. It functions as a profit center for systematic criminal activity.

The revenue calculations are explicit. One November 2024 document notes that Meta earns $3.5 billion every six months from scam ads that "present higher legal risk," including those falsely impersonating consumer brands or public figures. That figure "almost certainly exceeds the cost of any regulatory settlement involving scam ads."

Translation: regulatory fines are cheaper than lost fraud revenue. Compliance is a line item, not a mandate.

Meta established what internal documents call "revenue guardrails" limiting how much income the company would sacrifice for enforcement. In the first half of 2025, the team responsible for vetting questionable advertisers couldn't take actions costing more than 0.15% of total revenue. That's approximately $135 million out of $90 billion in earnings. The manager overseeing enforcement wrote, "Let's be cautious. We have specific revenue guardrails."

When enforcement staff proposed shutting down fraudulent accounts, documents show they sought assurance that growth teams wouldn't object "given the revenue impact." When asked whether Meta should penalize high-spending Chinese partners running scams, the answer was "No," citing "high revenue impact."

This is legal fraud dressed as risk management.

Meta claims it fights fraud aggressively. The company's spokesman told Reuters they've removed 134 million pieces of scam ad content in 2025 alone. Sounds impressive until you calculate what that means.

Meta shows 15 billion scam ads daily. That's 5.5 trillion scam ad impressions annually. Removing 134 million is like arresting 134 shoplifters while operating a store where 5.5 trillion items get stolen every year.

The 95% certainty threshold isn't a technical limitation. It's a business decision. Fraud detection systems can flag suspicious activity at lower confidence levels. Meta chose 95% because anything more aggressive would impact revenue too severely.

For context: small advertisers must accumulate at least eight violations before Meta blocks them. "High Value Accounts," meaning big spenders, can accrue more than 500 strikes without consequences. Four fraudulent campaigns removed earlier this year generated $67 million in monthly advertising revenue.

Internal documents note that Meta ignored or incorrectly rejected 96% of valid user reports about fraud. The company's goal: reduce that dismissal rate to "only" 75%. Three-quarters of legitimate fraud reports still get ignored under the improvement plan.

The rental scams fit perfectly into this ecosystem. Criminals create fake listings, run them as Facebook ads or post them in groups, collect deposits from desperate renters, and disappear. Meta collects ad revenue or engagement metrics. Victims file reports that get dismissed. The cycle repeats.

Rental scammers run three sophisticated playbooks that exploit legitimate processes:

The Listing Clone: Criminals scrape real listings from legitimate rental sites, including professional photos, accurate property details, and actual addresses. They alter only the contact information. The property exists. The photos are real. The price sits slightly below market to create urgency without triggering suspicion. When victims search the address, they find the property listed for sale, not rent. That's the tell. Most victims don't check until money is already gone.

The Identity Harvest: The "application process" requires Social Security numbers, driver's license photos, bank statements, and paystubs. Everything needed for complete identity theft packaged as standard rental verification. Some scammers send victims to credit-check websites where they earn affiliate commissions while simultaneously harvesting financial data. The scam generates revenue three ways: the deposit, the affiliate commission, and the identity theft value.

The Lockbox Con: The most sophisticated operators identify vacant properties listed for sale, change the locks, install their own lockboxes, then facilitate actual property tours through remote access codes. Victims walk through real properties, see legitimate vacant homes, receive keys, and believe they've secured their next apartment. The fraud only surfaces at move-in when they encounter the actual owner or buyer.

These mechanics work because they mirror legitimate rental processes exactly. Real landlords do pull credit. Real applications do require sensitive information. Real properties do use lockbox systems for self-guided tours. The scam version looks identical to the legitimate version until you're already compromised.

Finding housing creates genuine time pressure. Good properties disappear within hours of listing. Miss today's opportunity, lose the apartment. Scammers weaponize this urgency ruthlessly. "Three other applications came in today. I need your deposit by tonight to hold it."

The dollar amounts hit specific psychological thresholds. A $1,500 security deposit feels significant but not catastrophic. Not enough to trigger serious skepticism. Not small enough to ignore if lost. The perfect amount to steal systematically from thousands of victims without individual losses generating major investigations.

Young professionals get targeted because they're moving for new jobs, graduating from college, relocating to unfamiliar cities. They're searching remotely, can't tour in person, need housing immediately, and lack experience spotting manipulation dressed as standard procedure.

The verification requirements feel invasive but normal. This cognitive dissonance prevents people from recognizing fraud until after they've transferred money. "It feels weird, but landlords do check credit. It feels uncomfortable, but applications do require personal information."

By the time the cognitive dissonance resolves into recognition, the money is irreversible and untraceable.

Meta spokesman Andy Stone responded to the Reuters investigation by calling the documents "a selective view that distorts Meta's approach to fraud and scams." He claimed the $16 billion revenue estimate was "rough and overly-inclusive" because it counted "many legitimate ads."

He didn't provide a corrected figure.

Stone emphasized that Meta reduced user reports of scam ads by 58% over 18 months. He didn't mention that the company still serves 15 billion scam ads daily or that the reduction came from dismissing more reports, not removing more scams.

The FTC rental scam data dropped the same day as the Reuters investigation. The timing isn't coincidental. Regulators are coordinating pressure. The SEC is investigating Meta for running financial scam ads. UK regulators found Meta's platforms involved in 54% of all payment-related scam losses in 2023, more than double all other social platforms combined.

Meta's response: establish a three-year plan to reduce scam ad revenue from 10.1% of total income in 2024 to 5.8% by 2027. Not eliminate it. Reduce it. By half. Over three years. While continuing to serve billions of scam ads daily.

This is the same playbook every platform runs when profiting from fraud infrastructure: acknowledge the problem, announce improvement initiatives, implement marginal changes that preserve revenue, repeat when regulatory pressure intensifies.

The fundamental business model remains intact. As long as scam ads generate more revenue than regulatory fines cost, Meta has zero financial incentive to implement enforcement that actually works.

Pre-Contact Intelligence Gathering: Search the exact address across multiple platforms. If you find the same property listed for sale, listed at different prices, or listed with different contact information, stop immediately. Cross-reference agent or landlord names with state licensing databases. Real estate agents must be licensed. Verify the license matches your contact, not just that a license exists.

Communication Pattern Analysis: Legitimate landlords use business email domains or property management company addresses. Personal Gmail or Yahoo accounts warrant extreme caution. Real landlords schedule in-person or video tours. Anyone who can't meet you, won't video call, or only offers self-guided tours is suspect. Pressure for immediate payment without property viewing is a disqualifier.

Financial Transaction Controls: Never wire money, use Venmo, Zelle, or CashApp for rental payments. Legitimate transactions use checks, credit cards, or ACH transfers that create records and offer dispute mechanisms. Never pay application fees before verifying the property and landlord are legitimate. Never provide sensitive personal information until you've physically toured the property and verified ownership.

Verification Redundancy: Contact the property owner directly using information found independently, not provided by your contact. Check county records to verify ownership. Call the property management company using the number from their official website, not the number given to you. If the property is listed for sale, contact the listing agent to confirm it's not also for rent.

The Fraudfather Bottom Line:

Facebook knows 50% of rental scam victims found their fake listings on its platform. Meta knows it earns $16 billion annually from scam advertising. The company's internal documents show leadership chose to preserve fraud revenue rather than implement enforcement that would actually protect users.

This isn't negligence. This is strategy. Rental scams work because Facebook built the infrastructure, monetized the traffic, and established enforcement standards designed to maximize profit while minimizing liability.

You can't fix the platform. You can only refuse to be the next $65 million in reported losses.

Read the FTC Rental Scam Report

Read the Reuters Meta Investigation

The Dead Drop delivers fraud intelligence to 5,250+ readers who know institutions won't protect them. Meta makes $16 billion annually from scam ads. Facebook hosts 50% of rental fraud. Your defense isn't trusting platforms. It's understanding exactly how you're being targeted.

Scammers are hitting Medicare beneficiaries with 50 to 60 fraudulent calls daily during the October 15 to December 7 open enrollment period, rendering victims' phones essentially unusable. Complaints to Better Business Bureaus jumped 40% year over year, with the FCC receiving 5,000 to 6,000 complaints annually.

The mechanics reveal sophisticated fraud infrastructure. Criminals purchase stolen personal data from dark web markets, including addresses, Social Security numbers, and Medicare identification numbers. They use this information to create false billing claims for medical equipment and services victims never ordered or received.

One 80-year-old Texas victim discovered her Medicare account charged $714.83 for unwanted orthopedic braces that appeared on her porch. Investigation revealed five additional fraudulent charges totaling $1,200 for COVID tests and diabetes supplies she never requested. The victim isn't diabetic.

The damage extends beyond financial theft. Fraudulent charges create false medical records showing incorrect diagnoses, fake allergies, and bogus lab results. When hospice services are fraudulently billed, Medicare systems may classify living patients as deceased or dying, blocking access to curative care.

Victims can't block unknown numbers because legitimate medical facilities call from unfamiliar lines. Changing phone numbers becomes impractical when every doctor's office, pharmacy, and home health agency requires notification.

The scammers spoof local area codes, making calls appear legitimate. They already possess enough verified information to sound credible when victims answer. By the time someone realizes they've been compromised, the fraudulent billing has already processed through Medicare and secondary insurers.

Read the Full Story Here

Stanford researchers tested an AI agent called ARTEMIS against 10 experienced penetration testers in identical network environments containing 8,000 devices. The AI outperformed nine of them.

Operating autonomously for 16 hours across Stanford's computer science networks, ARTEMIS identified nine valid security vulnerabilities within the first 10 hours, achieving an 82% valid submission rate. Human testers worked at least 10 hours each on the same systems.

The AI's advantage: scale and speed. When ARTEMIS detects anomalies, it instantly spawns multiple sub-agents to investigate different vulnerabilities simultaneously. Human testers examine potential flaws sequentially. In one case, ARTEMIS bypassed a server that human testers couldn't access because their web browsers refused to load it, using command-line requests to break in successfully.

Cost comparison is stark. ARTEMIS runs at $18 per hour. The advanced version costs $59 hourly. Average US penetration tester salary: $125,000 annually.

The system has limits. ARTEMIS struggled with graphical user interfaces, missing at least one critical vulnerability. It generated more false positives than humans, sometimes mistaking benign network signals for successful breaches. Performance peaks in text-based environments.

The Fraudfather's Take:

The dual-use problem is obvious. Tools that strengthen defense also empower attackers. North Korean hacking groups already use generative AI to create fake military IDs for phishing campaigns. State-linked actors deploy AI for corporate infiltration and cross-border cyberattacks. ARTEMIS proves AI can outperform human hackers at a fraction of the cost. That capability doesn't recognize moral boundaries. Criminal organizations acquire the same tools legitimate researchers use. The question isn't whether AI makes better hackers. It's who deploys them first.

Read the Full Story Here