Cybersecurity researchers have uncovered a highly organised fraud ecosystem in which cybercriminal networks exploit French fintech platforms to move stolen funds before detection systems can respond. The operation relies on creating or hijacking verified business accounts on popular fintech services and converting them into mule accounts for rapid laundering of illicit funds.
According to threat intelligence findings, fraud groups are actively targeting platforms such as Revolut, Wise, and N26 that offer fast remote onboarding, simplified KYC verification, and instant cross-border payments via SEPA transfers. While these features are designed for legitimate financial efficiency, they are being systematically misused by cybercriminal networks.
Three-phase fraud model driving large-scale laundering
Investigators describe a structured three-phase attack chain behind the mule account ecosystem. In the first phase, criminals run phishing campaigns to collect personally identifiable information (PII). These campaigns often disguise themselves as legitimate financial services such as loan applications, mortgage consultations, or investment advisory platforms, tricking victims into submitting sensitive data.
In the second phase, the stolen identity data is used to register accounts on fintech platforms. Fraud operators employ infrastructure such as SIM farms, proxy networks, and rotating IP addresses to simulate legitimate French-based user activity. Victims are often manipulated through social engineering techniques, unknowingly completing KYC verification steps that ultimately validate fraudulent accounts.
Once verification is complete, the third phase begins: operational control is transferred to fraud handlers. The newly verified accounts are then accessed on mobile devices and used to quickly move funds across borders. This transition is designed to avoid detection by blending into normal user behavior patterns.
Mule accounts sold on underground markets
Security analysts have also reported that verified mule accounts are being sold on dark web marketplaces for prices ranging between $200 and $1,000 per account. These accounts are particularly valuable because they are already KYC-verified, enabling instant transactions and reducing the risk of immediate platform suspension.
Reports suggest that structured fraud groups, including networks tracked under names such as “Bastardaseller” and ASGARD-linked operations, coordinate the distribution of these accounts through encrypted channels and underground forums, including Telegram-based marketplaces.
Rising financial losses across Europe
The scale of the problem is significant. According to European financial crime reports, credit transfer fraud losses across the European Economic Area reached approximately $2.5 billion in 2023, marking a sharp increase compared to the previous year. Experts note that mule accounts are a primary mechanism enabling these losses, as funds are transferred within minutes using instant payment infrastructure, leaving minimal recovery time.
Detection challenges and systemic vulnerabilities
One of the key challenges researchers highlight is the difficulty of detecting fraud at the individual account level. Each step in the process—identity theft, KYC verification, and transaction execution—can appear legitimate in isolation. However, when analyzed across the full lifecycle, clear patterns of coordinated abuse emerge.
Fraud signals include rapid account-creation bursts, inconsistent device fingerprints, SIM-based IP anomalies, and sudden behavioural shifts after verification. Analysts emphasize that effective detection requires network-level monitoring rather than isolated account checks.
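The lifecycle correlation described above, sketched as an added example (not code from the researchers or from any platform named here): it flags signup bursts from a shared IP prefix and a previously unseen device appearing shortly after KYC approval, then joins both signals per account. The event schema, the thresholds, and every sample row are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, account, event, device, IP prefix). Not real data.
EVENTS = [
    ("2024-03-01T10:00", "acct-A", "signup", "dev-1", "198.51.100"),
    ("2024-03-01T10:04", "acct-B", "signup", "dev-2", "198.51.100"),
    ("2024-03-01T10:09", "acct-C", "signup", "dev-3", "198.51.100"),
    ("2024-03-01T11:00", "acct-A", "kyc_ok", "dev-1", "198.51.100"),
    ("2024-03-01T11:20", "acct-A", "transfer", "dev-9", "203.0.113"),
    ("2024-03-02T09:00", "acct-D", "signup", "dev-4", "192.0.2"),
    ("2024-03-02T09:30", "acct-D", "kyc_ok", "dev-4", "192.0.2"),
    ("2024-03-05T14:00", "acct-D", "transfer", "dev-4", "192.0.2"),
]
BURST_WINDOW, BURST_SIZE, HANDOVER_WINDOW = timedelta(minutes=15), 3, timedelta(hours=1)  # assumed

def parse(events):
    return sorted((datetime.fromisoformat(t), a, e, d, ip) for t, a, e, d, ip in events)

def signup_bursts(events):
    # Network-level signal: BURST_SIZE or more signups from one IP prefix inside BURST_WINDOW.
    by_prefix, flagged = defaultdict(list), set()
    for ts, acct, ev, _, ip in parse(events):
        if ev == "signup":
            by_prefix[ip].append((ts, acct))
    for rows in by_prefix.values():
        for start, _ in rows:
            window = {a for ts, a in rows if timedelta(0) <= ts - start <= BURST_WINDOW}
            if len(window) >= BURST_SIZE:
                flagged |= window
    return flagged

def post_kyc_handover(events):
    # Lifecycle signal: a device never seen up to KYC approval shows up soon after it.
    seen, kyc_time, flagged = defaultdict(set), {}, set()
    for ts, acct, ev, dev, _ in parse(events):
        if acct not in kyc_time:
            seen[acct].add(dev)  # devices known up to and including KYC approval
            if ev == "kyc_ok":
                kyc_time[acct] = ts
        elif dev not in seen[acct] and ts - kyc_time[acct] <= HANDOVER_WINDOW:
            flagged.add(acct)
    return flagged

def correlate(events):
    # Join both signals per account: each event alone can look legitimate.
    found = {"signup_burst": signup_bursts(events), "post_kyc_device_change": post_kyc_handover(events)}
    accounts = sorted(set().union(*found.values()))
    return {a: [name for name, hits in found.items() if a in hits] for a in accounts}
```

On the sample data only `acct-A` carries both signals, while `acct-D`, which keeps the same device after verification, is not flagged at all.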
Call for stronger fintech security frameworks
Cybersecurity experts are urging fintech companies to strengthen fraud detection systems by integrating behavioural analytics, device intelligence, and cross-platform risk-sharing. They also recommend stricter monitoring of virtual mobile network operators (MVNOs), abnormal login patterns, and rapid post-KYC device changes.
The growing abuse of fintech infrastructure highlights a critical vulnerability in modern digital banking ecosystems. While instant financial services have improved global accessibility, they have also created new opportunities for organized cybercrime networks to exploit trust-based verification systems at scale.
As investigations continue, authorities warn that without stronger coordination between fintech firms and regulators, mule account-based laundering operations will likely expand further, making stolen funds even harder to trace and recover.