28.11.2022

Group-IB's Fraud Intelligence: How can you find mule accounts lurking in your digital payments?

Dmitry Pisarev

Anti-fraud Analyst (Europe)

Julien Laurent

Product Marketing Manager (Fraud Protection)

Introduction

Money mule operations are part of the expanding money-laundering chain used by criminals, including drug traffickers and organized crime. The cumulative losses due to money laundering are estimated at around $1.6 trillion, or 2.7 percent of global GDP. Scams that use mule accounts can link your organization to the financing of organized crime, a serious Anti-Money Laundering (AML) offense, by recruiting vulnerable people who knowingly or unknowingly transfer illicit proceeds.

Money mule victims are 'groomed' by scammers and become enablers of criminal activity before they realize it.

What is a money mule, by definition? Simply put, it is any person who is asked to transfer money from their bank account to another bank account. You can also become a money mule if you let someone else take control of your bank account.

The underlying intent is to make the origins of criminal proceeds harder to trace. While the whole process is staged to mimic legitimate business activity, there are red flags to watch out for.

Money mules: the tipping point

Money comes to cybercriminals as a result of various forms of fraud. The victims' reaction usually does not come immediately. Depending on the specific phishing scheme, this time lag can range from a few minutes to a few weeks.

The fraudsters plan what to do with the stolen money based on an anticipated timeframe for when a person realizes that they have become the victim of a fraudulent scheme.

But what tells scammers how much time they have to withdraw the money? Let's look at the most commonly used money mule approach.

Scheme overview and execution stages

  • Money mule: adding to the definition above, a money mule is a person (witting) who receives money from a third party into their bank account and transfers it to another account, or withdraws it in cash and hands it to someone else, for a commission.
  • Money mule operator: a person responsible for selecting money mule victims and organizing their work process.

1. Account creation. In the first step, the organizer convinces the money mule to create an account or to provide an existing one. New accounts are often created with financial service applications that require a minimum of documents. People for this step are often selected among the unemployed or those on low incomes who are not concerned about the possible risks of participating in fraudulent schemes.

2. Warm-up. Among criminals this stage is often called "warming up" the account. To do this, small amounts of money are transferred to the account, and payments are made from it, to increase the account's trust level.

3. Account takeover and money transfer. The fraudster takes control of the victim's account, or of the entire network, depending on the nature of the attack.

4. Money withdrawal. Funds are withdrawn from ATMs or converted to cryptocurrency through exchange services. The latter approach is becoming more popular because the operator can do it independently, having all the necessary data about the mule accounts.

Mitigation strategies

The countermeasures below can strengthen your anti-money laundering (AML) prevention procedures by detecting and mitigating such activity.

During account creation, if the money mule account and the victim's account are at the same bank, the preparation of the mule account can be detected by the following non-transactional indicators:

  • access from one device to multiple bank accounts
  • intersections between devices and user accounts that are not explained by work, family, or other relationships

The Group-IB Fraud Protection visual below shows an organized money mule network with over 70 user accounts and 30 devices.

Figure 1 - The graph enables you to see all the information (devices, customers, and IP addresses) attached to 70 accounts flagged as mule accounts.

During the account takeover and money transfer stage, the following non-transactional indicators can help to prevent the activity:

  • access to a legitimate user's account from a new device that the user has not previously used
  • access through general-purpose or high-risk VPN services
  • access from a known scam device
  • checking payment details against a list of compromised or money mule accounts

Below, Group-IB's Fraud Protection shows a graphical representation of a device connected to multiple bank accounts.

Figure 2 - Dive deeper into the investigation with a detailed overview of each device and its associated transaction record.
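The two indicator lists above (device-to-account links during account preparation, and new-device, VPN, scam-device and mule-payee checks during the transfer stage) can be expressed as simple rules over login and transfer data. The script below is an added illustration, not Group-IB's code or a description of how Fraud Protection works internally: the session records, IP ranges, device identifiers, account lists and the threshold of three accounts per device are all constructed sample values.

```python
"""Rule-based checks for the non-transactional mule indicators described above.

All sessions, IP ranges, device IDs, account lists and thresholds are constructed
sample data for illustration; a real deployment would read them from the bank's
own session logs and reference lists.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed historical login sessions: (account_id, device_id, source_ip)
SESSIONS = [
    ("acc-100", "dev-A", "203.0.113.5"),
    ("acc-101", "dev-A", "203.0.113.5"),
    ("acc-102", "dev-A", "198.51.100.7"),
    ("acc-103", "dev-B", "198.51.100.7"),
    ("acc-102", "dev-B", "198.51.100.7"),   # dev-B bridges acc-102 and acc-103
    ("acc-200", "dev-C", "192.0.2.10"),     # ordinary customer with a single device
    ("acc-300", "dev-D", "192.0.2.11"),
    ("acc-301", "dev-D", "192.0.2.11"),     # two accounts on one device (e.g. a family)
]

# Constructed reference lists a bank's fraud team would maintain
HIGH_RISK_VPN_RANGES = [ip_network("203.0.113.0/24")]   # hypothetical VPN egress range
KNOWN_SCAM_DEVICES = {"dev-Z"}
KNOWN_MULE_ACCOUNTS = {"acc-101", "acc-900"}
MULTI_ACCOUNT_THRESHOLD = 3   # a device touching this many accounts is suspicious


def build_graph(sessions):
    """Index the sessions into device -> accounts and account -> devices maps."""
    device_accounts = defaultdict(set)
    account_devices = defaultdict(set)
    for account, device, _ip in sessions:
        device_accounts[device].add(account)
        account_devices[account].add(device)
    return device_accounts, account_devices


def multi_account_devices(sessions, threshold=MULTI_ACCOUNT_THRESHOLD):
    """Indicator 1: devices that have accessed `threshold` or more accounts."""
    device_accounts, _ = build_graph(sessions)
    return {d: sorted(a) for d, a in device_accounts.items() if len(a) >= threshold}


def shared_device_clusters(sessions):
    """Indicator 2: groups of accounts connected through shared devices, i.e. the
    connected components of the account-device graph (largest cluster first)."""
    device_accounts, account_devices = build_graph(sessions)
    parent = {}

    def find(x):                      # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for accounts in device_accounts.values():
        first, *rest = sorted(accounts)
        for acc in rest:
            parent[find(acc)] = find(first)
    clusters = defaultdict(set)
    for account in account_devices:
        clusters[find(account)].add(account)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def score_transfer(transfer, sessions):
    """Transfer-stage indicators: return the names of every check that fires."""
    _, account_devices = build_graph(sessions)
    flags = []
    if transfer["device"] not in account_devices.get(transfer["account"], set()):
        flags.append("new_device")            # device never seen on this account
    if any(ip_address(transfer["ip"]) in net for net in HIGH_RISK_VPN_RANGES):
        flags.append("high_risk_vpn")
    if transfer["device"] in KNOWN_SCAM_DEVICES:
        flags.append("known_scam_device")
    if transfer["payee"] in KNOWN_MULE_ACCOUNTS:
        flags.append("payee_is_known_mule")   # payment details match the mule list
    return flags


if __name__ == "__main__":
    print(multi_account_devices(SESSIONS))
    print(shared_device_clusters(SESSIONS))
    suspicious = {"account": "acc-200", "device": "dev-Z",
                  "ip": "203.0.113.77", "payee": "acc-900"}
    print(score_transfer(suspicious, SESSIONS))
```

The cluster step is what turns the single "one device, many accounts" rule into the network view of Figure 1: acc-103 never shares a device with acc-100, but it is linked to it through acc-102 and dev-B. The two-account device dev-D is deliberately left below the threshold; in practice, known family or business relationships would be whitelisted before clustering so that the second indicator only surfaces links with no legitimate explanation.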

Is crypto the most prevalent means of exploitation?

According to Group-IB, the number of scammers who withdraw money usually correlates with the growth of fraudulent groups and their activity. This is because money withdrawal is the final goal of most fraudulent schemes. In the last 2 years, there has been a trend toward withdrawing stolen funds through cryptocurrencies using small and medium crypto exchange services.

Why? Because, in most countries, cryptocurrency is not a genuine payment instrument. As a result, apart from large and well-known crypto services, the KYC process is less mature at small and medium ones. Therefore, they often cannot provide reliable information about the clients who have made suspicious transactions.

A look into OPERA1ER’s money mule scam

Group-IB tracked the threat actor OPERA1ER, which repeatedly attacked banks to execute fraudulent transactions and seized millions. Group-IB's team of cybersecurity experts tracked its most frequent victims and their geographies, the vulnerabilities it exploited, and the actor's maneuvers over the years.

The final phase of the attack often took place on a weekend, when OPERA1ER would use the banking infrastructure to fraudulently transfer money from the bank's customers' accounts to the mule accounts. Mules hired by OPERA1ER would then conduct "cash out" exercises, withdrawing money from numerous ATMs.

Read how we uncovered the threat actor's malicious activities in the full report here.

Mitigate the risk of such highly replicable attacks with Fraud Protection

As cybercrime becomes more sophisticated, tactical improvements alone will not suffice to keep you secure. With banks at the top of the target list for phishing attacks, investing in a full-scale solution for complete fraud protection is a must.

To help brands build resilience, Group-IB offers Fraud Protection, a proprietary technology that blocks 10-20% more fraud attempts than the current suite of solutions on the market, through its crime detection capabilities and deep knowledge of criminal schemes.

Fraud Protection: tailored specifically for industries, learn how Fraud Protection offers unbeaten detection and protection against modern attacks.
