Introduction
Fintech platforms such as Revolut, Wise and N26 offer fast, fully remote account opening, streamlined KYC, and business-grade payment infrastructure — SEPA transfers, invoicing, payment processing, and in some cases cryptocurrency integration. These platforms, built for freelancers and individual entrepreneurs, have become a significant target for organised fraud networks across Europe. For a legitimate freelancer or micro-business owner, this combination of services is exactly what they need. For a fraud operator, it is exactly what they are looking for.
An individual entrepreneur account sits at an unusual intersection: it is opened using personal identity verification, making it relatively accessible to create, but it carries the financial capabilities of a business account. Once verified and operational, such an account can send and receive SEPA instant transfers, process payments, and move funds across borders — all within a regulated, legitimate-looking financial wrapper. This makes freelancer fintech accounts significantly more valuable to fraud networks than standard consumer accounts, and significantly more dangerous as a money laundering vehicle.
Mule accounts are at the centre of this threat. A mule account is a bank account used to receive and forward stolen funds — a layer between the criminal and the money that obscures the trail. Verified individual entrepreneur accounts, with their business payment capabilities, command premium prices on dark web marketplaces. According to threat intelligence collected by our team, confirmed mule accounts at European freelancer fintech platforms are actively sold between $300 and $700 per account — pricing that reflects both the effort required to create them and their operational value to fraud networks.
The financial stakes are significant. According to the EBA/ECB Joint Report on Payment Fraud (December 2025), credit transfer fraud losses across the EEA reached €2.5 billion in 2024 — a 24% increase from the previous year. Mule accounts are the primary vehicle for these losses: funds land in a verified account and are moved on within minutes via instant payment rails, often beyond recovery. End users bear 85% of credit transfer fraud losses directly.

Figure 1. Total fraud losses across the EEA (2022-2024), with a highlight of credit transfer fraud.
This research documents how mule accounts are created at freelancer fintech platforms operating in France. The patterns described here are not unique to any single platform — they reflect fraud infrastructure and methods observed consistently across the category. The findings are drawn from confirmed mule account data mapped to onboarding sessions captured by Group-IB’s Fraud Platform, and corroborated by dark web intelligence from Group-IB Threat Intelligence team. Together, this data offers a direct view into how fraud networks approach and exploit the freelancer fintech segment at scale.
Key discoveries
- Nearly 1 in 7 business account sign-ups in France is fraudulent.
- Verified accounts are sold at premium prices. Confirmed mule accounts at European freelancer fintech platforms sell for $300–$700 per account on dark web marketplaces. Sellers operate across multiple forums with escrow services, replacement guarantees, and daily inventory updates. This is a structured, professional market with a consistent supply.
- Threat actors bypass KYC using real victims. Fraudsters collect personal data through phishing sites, then use it to register an account and socially engineer the victim into completing identity verification themselves. The platform sees a real person completing a legitimate check. At the session level, the fraud is invisible.
- Account creation in France runs as an industrial operation. Operators use SIM modem farms to generate French-looking IP addresses and phone numbers. Timezone signals observed during sessions suggest operators are not located in France — though the precise location cannot be confirmed from this data alone. The technical investment and operational structure point to a professional setup, not opportunistic activity.
- Anti-detect tooling is actively maintained. Threat actors monitor which signals trigger detection and respond. The tooling evolves in direct response to what works — suggesting ongoing feedback loops between operators and their detection environment.
- Single-session analysis is insufficient. Each phase of the operation — sign-up, KYC, operational handover — can appear clean in isolation. Detection requires linking sessions across the full account lifecycle and identifying patterns at the network level. Accounts that pass individual checks can still be flagged through their connections to other accounts.
Who may find this blog interesting:
- Risk Managers
- Compliance Officers
- Anti-Money Laundering Officers
- Customer Onboarding Specialists
Group-IB Threat Intelligence Portal: @astarta_seller1 / ASGARD Network
Group-IB customers can access our Threat Intelligence portal for more information about @astarta_seller1, the main fraud actor targeting France as described in this blog.
Who Are The Herders?
An overview of @astarta_seller1 / ASGARD Network
@astarta_seller1 operates as part of the larger ASGARD fraud network — a structured, multi-actor organization specializing in the creation and sale of verified European business and individual entrepreneur accounts.
The actor maintains a primary Telegram channel and backup contacts, with distribution through multiple dark web marketplaces. Forum presence spans xss[.]is, center[.]bz, wwh-club[.]net, and darkweb[.]su. Multi-language operation in Russian and English suggests an Eastern European operational base. Escrow services and verified seller status across platforms indicate an established, trusted position within the fraud ecosystem.

Figure 2. Screenshot of verified mule accounts listing by @astarta_seller1.
Geographic focus
The scale of this operation is significant. Intelligence records covering a five-month window document over 40 targeted financial institutions across six European countries. France is the primary target, with a specific emphasis on freelancer and entrepreneur accounts — particularly French EI (Entrepreneur Individuel) registrations. These accounts carry the highest price point in the actor’s portfolio, reflecting both strong buyer demand and the operational complexity involved in creating them. Germany, Spain, Italy, Poland, and the UK are secondary markets.
Account types and pricing
The actor’s portfolio spans personal accounts, freelancer and business accounts, and cryptocurrency exchange accounts. Premium-tier accounts — including French freelancer fintech accounts — are priced at $450–$700 per account. Budget-tier fintech accounts are available from $140. Accounts are sold with full credential access, mobile application access, associated payment cards, and SEPA transfer capabilities.
Link to session findings
The ASGARD network’s dominance in French individual entrepreneur account creation is consistent with the industrialised, infrastructure-heavy operation identified in French onboarding sessions — a coordinated, high-volume approach requiring significant technical investment. The premium pricing for French accounts reflects the sophistication of the creation process, including the two-actor KYC bypass documented in the Scheme Description.
Main Phases to Obtain a Verified Mule Account

Figure 3. Breaking down the sophisticated, multi-stage French mule account creation scheme.
Phase 1 – Preparation
Before any account is created, the operation requires a real person’s identity. French fraudsters obtain this data by running phishing campaigns designed to collect victims’ Personally Identifiable Information (PII). Phishing sites are built under various narratives — the documented example is a mortgage consultation service, where victims are invited to submit personal details in exchange for financial advice.

Figure 4. Screenshot of a French phishing page to collect victim PII, with English translation.
These narratives are merely a pretext; the goal is to harvest enough identity data to register a bank account on the victim’s behalf.
The victim at this stage has no awareness that their information will be used for fraud. They interact with what appears to be a legitimate service and voluntarily submit their details.
Phase 2 – Sign-up
With victim PII in hand, the fraudsters proceed with account registration. At this stage, Group-IB researchers observed two persistent signals pointing to SIM modem farm infrastructure as the dominant technique: Windows desktop sessions routing through mobile carrier IPs — a combination with no legitimate consumer explanation — and IP addresses rotating between attempts within the same carrier’s dynamic pool, consistent with a dongle reconnecting between account creation attempts to bypass velocity checks.
A third signal — device timezone — tells a story of operational evolution. Throughout 2025, sessions showed a device timezone inconsistent with France, indicating a remote operation from a different geographic location (Eastern Europe / Middle East). Fraudsters were running French SIMs, but had not configured their environment to match the identity they were presenting. This misconfiguration was a reliable detection signal.
At some point, the fraudsters corrected this oversight. More recent sessions report a legitimate French timezone, removing the mismatch as a standalone indicator. SIM farm infrastructure remains the primary network connectivity method — the adjustment was purely to the anti-detect configuration.

Figure 5. Corroborating fraud signals during sign-up phase.
This refinement did not go undetected. With the timezone signal suppressed, mid-session canvas fingerprint behaviour became the primary observable anomaly. Multiple distinct canvas fingerprints within a single session — both before and after account sign-in — are not consistent with legitimate user behaviour and indicate automated environment rotation during the onboarding flow.
The following image gives an overview of the techniques used by the fraudsters during the sign-up phase, derived from client data on verified mule accounts captured by Group-IB Fraud Protection.

Figure 6. Overview of techniques used in the sign-up phase.
Phase 3 – KYC Verification
Once an account is created, the fraudsters cannot complete identity verification themselves — KYC requires a real person presenting a real identity document, often accompanied by a live selfie or video check. The victim, whose PII was used during sign-up, is now contacted directly by the fraudsters. Through social engineering — typically via phone or messaging — they are instructed to follow a KYC link and complete what they are told is a routine verification step. The victim complies, believing the process is legitimate.
From the platform’s perspective, the KYC session is a new session tied to the same account identity, but originating from an entirely different device, IP address, and ISP, though geographically in the same country. The victim connects from their real home network, in their real timezone, on their own device. Taken in isolation, this session looks legitimate. Taken in context — linked to the preceding sign-up session — the discontinuity is the signal.

Figure 7. Key discontinuity signals during KYC as indicators of two-actor structure.
This two-actor structure is a deliberate design choice. By separating the technical infrastructure from the KYC step, fraudsters insulate the modem farm from detection during the most scrutinised part of the onboarding flow, while placing the identity verification burden on the unwitting victim, who will likely pass it cleanly.
Phase 4 – Accessing the Verified Account
Once KYC passes and the account is verified, control is transferred back to the fraud operation via the platform’s mobile app. This transition is visible in the session data as a distinct third profile on the same account identity — and the first mobile app session on that account.
The handover session originates from a budget Android device. Session data consistently shows low-cost Android hardware — entry-level phones in the $75–100 range — being used to access the mobile app for the first time on verified accounts. These are commodity devices, not sophisticated tools, and their use reflects the economics of the operation: cheap, replaceable hardware that keeps operational costs low. In one documented instance, the platform string identified the device as a Redmi A5 4G or POCO C71 — both released in March 2025 — suggesting active procurement of newly available budget hardware shortly after market launch.
The device timezone reverts to Eastern Europe or Middle East — the pretense of a legitimate French timezone used during sign-up is no longer maintained, revealing the fraudster’s real location. Despite the device change, the session connects through the same ISP and subnet as the sign-up session. The account has changed hands operationally, but the network footprint ties both sessions to the same physical SIM farm infrastructure.

Figure 8. Subnet continuity links back to sign-up infrastructure.
This subnet continuity is a key detection signal. It links what might otherwise appear to be an unrelated new login back to the sign-up infrastructure, confirming the handover is a deliberate operational transition rather than a legitimate account access event. The full device profile — cheap Android hardware, Eastern European timezone, SIM farm connectivity — paints a consistent picture of a cost-conscious remote operation.
Once in the hands of the fraud operation, the verified business account — with its SEPA transfer capabilities, payment processing infrastructure, and legitimate IBAN — becomes operational for fund movement and layering.
Conclusion
Mule account creation on freelancer and B2B fintech platforms in France is not opportunistic fraud. It is a structured, multi-phase operation with defined roles, professional tooling, and an active response to detection. The findings in this report point to a threat actor profile that is operationally mature: it runs in shifts, procures infrastructure systematically, monitors detection signals, and updates its tooling when those signals become effective.
The scale of this campaign is significant. Nearly 1 in 7 sign-up users in France was confirmed as a mule account. This figure is derived from Group-IB customer data in France, reflecting only confirmed account-compromise cases that have been added to the blocklist, and then extrapolated nationwide. The true exposure is likely higher. High dark web market activity and active listings contrast with a relatively contained number of confirmed cases, suggesting strong operational security on the threat actor side and an unknown volume of undetected accounts.
The attack is designed to be invisible at every individual checkpoint.
- The sign-up looks like a user with a French SIM.
- The KYC looks like a real person completing a legitimate check.
- The first login looks like a new device accessing a verified account.
None of these events, reviewed in isolation, triggers an obvious alert. The fraud only becomes visible when the full account lifecycle is analysed as a connected sequence — and when accounts are examined as a network rather than individually.
This has a direct implication for the detection strategy: point-in-time controls are insufficient against an operation of this design. The threat requires a different analytical frame.
Recommendations
- Treat account lifecycle as the unit of analysis. Sign-up, KYC, and handover are designed to appear clean in isolation — detection requires linking all three as a connected sequence, not evaluating them independently.
Read more about how Group-IB Fraud Protection solutions solve this problem for our customers.
- Flag MVNO IP addresses on desktop sign-up sessions. A desktop device connecting through a mobile carrier IP has no legitimate consumer explanation and is the primary indicator of SIM farm infrastructure.
- Monitor sign-up velocity by network, city, and ISP. SIM farm operations generate registration clusters invisible per account but detectable at the network level — elevated rates from a shared subnet or ISP within a time window indicate coordinated activity.
- Treat fingerprint spoofing artifacts as a high-confidence fraud signal. These artifacts are not produced by legitimate user behaviour and indicate deliberate environment manipulation during onboarding.
- Flag device downgrades between KYC and operational handover. A transition from the KYC device to a low-cost Android on first mobile login is a reliable indicator of account takeover at the handover phase.
- Focus on cross-account network analysis. Shared browser fingerprints and subnet overlap across accounts are invisible per user but clear at the population level — the primary mechanism for surfacing undetected mule accounts linked to confirmed ones.
- Do not treat a clean KYC as a fraud-free signal. The two-actor model produces a KYC session that passes all checks by design — post-KYC device and network signals carry material detection value and should be part of the onboarding risk assessment. Read more about Deepfake Fraud here.
- Invest in a comprehensive Threat Intelligence solution that can help your business monitor dark web pricing as an early warning signal. A sustained drop in verified account prices indicates that operators have streamlined account creation — treat price compression as an early indicator of onboarding control gaps, not a neutral market event.
- Share confirmed and suspicious account data within your antifraud consortium. Early sharing of tokenized account indicators across members exposes mule networks before they scale and prevents reuse across platforms. Read more about Group-IB Cyber Fraud Intelligence Platform here.
- Assume fraud operations will adapt. Detection rules built on static signals will degrade — sustained effectiveness requires continuous monitoring of signal performance and refinement of detection logic in response to observed operator behaviour.
Frequently Asked Questions (FAQ)
What is a mule account?
A mule account is a bank account used by criminals to move illicit funds in financial fraud schemes. Modern fraud operations increasingly leverage fintech platforms and neobanks to create digital mule accounts because of their online accessibility, remote onboarding and near-instant digital KYC processes. You can also check out this podcast, The Mule Network: Inside the Industrialization of Digital Fraud, for more insights into mule networks and accounts.
How does it affect victims?
Victims have their Personally Identifiable Information (PII) stolen during the phishing phase. This data can be resold and used in other criminal or fraud schemes. Victims also become the unwitting owners of mule accounts, which may carry real legal consequences depending on local laws, including arrest and prosecution for money laundering even if they are unaware of their involvement.
What are the techniques used by fraudsters in this scheme?
- Phishing campaign to obtain PII for account creation.
- SIM modem farm infrastructure to generate French-looking IP addresses and phone numbers during account sign-up.
- Active anti-detect tooling and monitoring.
- Social engineering to trick victims into completing the KYC verification.
- Verified accounts returned to the full control of the fraudsters; platform apps accessed from low-cost Android devices.
What do fraudsters do with the verified mule accounts after obtaining them?
Verified accounts are sold across various dark web marketplaces and fraudster-operated Telegram channels. The fraudsters described in this blog are established, sophisticated financial fraud operators with professional escrow services, replacement guarantees, and daily inventory updates.
Indicators of Compromise (IOCs)
Network Intelligence
- MVNO IP on desktop at sign-up: Desktop device type over mobile carrier IP — no legitimate consumer explanation.
- Sign-up velocity anomaly: Elevated registrations from the same ISP, subnet, or city within a rolling time window.
- Sign-up to KYC discontinuity: KYC session originates from a different device, IP, and ISP than the sign-up session on the same account.
Device Intelligence
- Fingerprint spoofing artifacts: Anti-detect tooling traces in browser or device fingerprint data during sign-up.
- Device downgrade at handover: First mobile login on a low-cost Android following KYC on a different device class.
- Cross-account infrastructure overlap: Identical browser fingerprints or subnet overlap across multiple accounts in the onboarding dataset.
Threat Intelligence
- Dark web price compression: Sustained drop in verified account prices — indicator of reduced friction in account creation.
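As an added illustration of the lifecycle-linking approach from the Recommendations and the indicators listed above (example code, not Group-IB’s own or the Fraud Protection platform’s logic), the following Python links one account’s sign-up, KYC and first mobile-app login and emits the cross-phase signals described in Phases 2 to 4. The session schema, field names, device-class labels, ISP names and IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

FRENCH_TZ = "Europe/Paris"

@dataclass
class Session:
    """One onboarding session as an anti-fraud platform might record it (constructed schema)."""
    account_id: str
    phase: str             # "signup", "kyc" or "handover" (first mobile-app login)
    device_type: str       # "desktop", "mobile_web" or "mobile_app"
    device_class: str      # constructed labels: "windows_pc", "iphone", "budget_android"
    ip: str
    isp: str
    isp_is_mobile_carrier: bool
    timezone: str
    country: str
    canvas_fingerprints: List[str] = field(default_factory=list)

def same_subnet(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both IPv4 addresses fall inside the same /prefix network."""
    return ipaddress.ip_address(ip_b) in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)

def lifecycle_signals(sessions: List[Session]) -> List[str]:
    """Link the sign-up, KYC and handover sessions of one account and return the cross-phase
    signals described in the post. None is decisive alone; the combination carries the risk."""
    p: Dict[str, Session] = {s.phase: s for s in sessions}
    signup, kyc, handover = p.get("signup"), p.get("kyc"), p.get("handover")
    found: List[str] = []
    if signup:
        # Desktop browser behind a mobile-carrier IP: SIM modem farm indicator.
        if signup.device_type == "desktop" and signup.isp_is_mobile_carrier:
            found.append("mvno_ip_on_desktop")
        if signup.timezone != FRENCH_TZ:
            found.append("timezone_mismatch_at_signup")
        # Several canvas fingerprints inside one session: anti-detect environment rotation.
        if len(set(signup.canvas_fingerprints)) > 1:
            found.append("multiple_canvas_fingerprints")
    if signup and kyc:
        # Victim completes KYC: new device, IP and ISP, but still the same country.
        if (kyc.device_class != signup.device_class and kyc.ip != signup.ip
                and kyc.isp != signup.isp and kyc.country == signup.country):
            found.append("signup_kyc_discontinuity")
    if signup and kyc and handover:
        # First app login returns to the sign-up subnet after a KYC done from elsewhere.
        if (handover.device_type == "mobile_app" and same_subnet(handover.ip, signup.ip)
                and not same_subnet(kyc.ip, signup.ip)):
            found.append("handover_subnet_continuity")
        if handover.device_class == "budget_android" and kyc.device_class != "budget_android":
            found.append("device_downgrade_at_handover")
        if kyc.timezone == FRENCH_TZ and handover.timezone != FRENCH_TZ:
            found.append("timezone_reverts_at_handover")
    return found

# Constructed sample: one account following the three-phase pattern (TEST-NET addresses, fictitious ISPs).
MULE = [
    Session("acc-001", "signup", "desktop", "windows_pc", "203.0.113.41", "ExampleMobile FR", True, "Europe/Bucharest", "FR", ["cfp-a1", "cfp-b2"]),
    Session("acc-001", "kyc", "mobile_web", "iphone", "192.0.2.77", "ExampleFibre FR", False, FRENCH_TZ, "FR", ["cfp-c3"]),
    Session("acc-001", "handover", "mobile_app", "budget_android", "203.0.113.118", "ExampleMobile FR", True, "Europe/Bucharest", "FR"),
]

if __name__ == "__main__":
    print(MULE[0].account_id, lifecycle_signals(MULE))
```

A legitimate customer who signs up, verifies and installs the app from the same home network produces an empty signal list, because the subnet-continuity check only fires when the KYC session came from a different network than the sign-up.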
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.