Money Mule’s definition

Money mule operations are a part of the expanding chain of money laundering by criminals, including drug traffickers and organized crime. The cumulative losses due to money laundering are estimated to be around $1.6 trillion, or 2.7 percent of the global GDP. Fraud scams that use mule accounts potentially link your organization to organized crime financing, a serious Anti-Money Laundering (AML) offense by targeting the vulnerable who knowingly, or unknowingly transfer illicit profits.

The money mule victims are ‘groomed’ by scammers and become enablers of criminal activities before they know it.

What are money mules by definition? To put it simply, it is any person who is asked to transfer money from their bank account to another bank account. You can also become a money mule if you allow someone to take control of your bank account.

The underlying intent is to make criminal activity origins harder to pin down. While the entire process is carried out to mimic a legitimate business activity, there are red flags to watch out for.

Money mules: the tipping point

Money comes to cybercriminals as a result of various forms of fraud. The reaction of the money mule victims usually does not come immediately. Depending on specific phishing schemes, this time lag can range from a few minutes to a few weeks.

The fraudsters plan operations with stolen money based on an anticipated timeframe for when a person realizes that they have become the victim of a fraudulent scheme.

But what gives scammers an understanding of how much time they have for money withdrawal? Let’s look at the most commonly used money mule approach.

Scheme overview and execution stages

Money mule Money mule operator
Adding to the definition above, it is a person (witting) who receives money from a third party in their bank account and transfers it to another or takes it out in cash and gives it to someone else, obtaining a commission. A person responsible for selecting money mule victims and organizing their work process.
  1. Account creation
    The organizer convinces the money mule to create an account or provide his own at the first step. New accounts are often created on financial service applications that require a minimum of documents. People for this step can be selected – among the unemployed or those with low income who are not concerned about the possible risks of participating in fraudulent schemes.
  2. Warm-up
    This stage is often called “warming up” the account among criminals. To do this, small amounts of money are transferred to the account, and payments are made to increase the trust level of the account.
  3. Account takeover and money transfer
    The fraudster takes control of the victim’s account/or the entire network depending on the nature of the attack
  4. Money withdrawal
    Withdrawing funds from ATMs or transferring them to cryptocurrency through exchange services. The last approach becomes more popular because the operator can do it independently, having all the necessary data about mule accounts.

Mitigation strategies

The countermeasures below can enhance your Anti-money laundering (AML) prevention procedure by mitigating such activity.

During the account creation, if the money mule account and the victim are in the same bank, then the money mule account preparation can be detected by the following non-transactional indicators:

  • access from one device to multiple bank accounts
  • the intersection between devices and user accounts that aren’t related to work, family, and other relationships

The Group-IB’s Fraud Protection visual below shows an organized money mule network with over 70 user accounts and 30 devices.

money mule network

Figure 1 – The graph enables you to see all the information (devices, customers, and IP addresses) attached to 70 accounts flagged as mule accounts.

During the account takeover and money transfer, the following non-transactional indicators can help to prevent the activity:

  • access to the legitimate user account of a new device that the user did not previously use
  • access through the general or high-risk VPN services
  • access from a known scam device
  • checking payment details with a list of compromised or money mule accounts

Here is Group-IB’s Fraud Protection depicting a graphical representation of a device connected to multiple bank accounts.

money mule - associated transaction record

Figure 2 – Dive deeper into the investigation with a detailed overview of each device and its associated transaction record.

Is crypto the most prevalent means of exploitation?

According to Group-IB, the number of scammers who withdraw money usually correlates with the growth of fraudulent groups and their activity. This is because money withdrawal is the final goal of most fraudulent schemes. In the last 2 years, there has been a trend in withdrawing stolen funds through cryptocurrencies using small and medium crypto exchange services.

Why? Because, in most countries, cryptocurrency is not a genuine payment instrument. As a result, apart from large and well-known crypto services, the KYC process is less mature in small and medium ones. Therefore, they must provide reliable information about the clients who have made suspicious transactions.

A look into OPERA1ER’s money mule accounts scam

Group-IB nabbed the very pulse of threat actor OPERA1ER – who repeatedly attacked banks to execute fraudulent transactions and seized millions. Group-IB’s leading team of cybersecurity experts tracked its most frequent victims and their geographies, vulnerabilities utilized, and the actor’s maneuvers over the years.

key numbers from opera1or report

The final phase of the attack often took place on a weekend, where OPERA1ER would utilize the banking infrastructure to fraudulently transfer money from the bank’s customers’ accounts to the mule accounts. Mules, hired by OPERA1ER would conduct “cash out” exercises, withdrawing money from numerous ATMs.

Read how we uncovered the threat actor’s malicious activities in the full report here.

Mitigate the risk of such highly-replicable attacks with Fraud Protection

As cybercrimes become more sophisticated, tactical improvements alone won’t suffice to keep you secure. That said, with banks being on top of the radar for phishing attacks, the need to invest in a full-scale solution for complete fraud protection is an absolute must.

To help brands build resilience, Group-IB offers Fraud Protection, a proprietary technology that blocks 10-20% more fraud attempts than the current suite of solutions in the market; all through its cutting-edge prowess of crime detection and deep knowledge of criminal schemes.

Fraud Protection

Tailored specifically for industries, learn how Fraud Protection offers unbeaten detection and protection against modern attacks.

If you or your organization have been a victim of a money mule scam, you can contact the local authorities to seek immediate assistance.