September 18, 2014 By Steven D'Alfonso 4 min read

For a more recent article on money mules, read “How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud.”

Money mules are an important element in the process to cash out compromised financial accounts. A money mule is a person who receives and transfers illegally acquired money on behalf of others and receives a commission in return. Cybercriminals, often located in Eastern European countries, require the help of accomplices located in-country to cash out compromised accounts.

Money mules may be witting accomplices or unwitting participants who do not realize what they are part of. The arrangement is low-risk for the criminals, who remain anonymous, while the mules acting on their behalf run a high risk of being exposed, arrested, convicted and sent to prison.

Schemes for Targeting Knowing Money Mules

The old-fashioned method for fraudsters to recruit a mule was through real-world interactions. Low-level players in organized crime groups (OCGs) or individuals looking to make a quick buck would be tasked with this job. Their job would entail moving money from point A to point B. These professional mules still exist, though anti-money-laundering laws and regulations have become the norm, and financial institutions have created methodologies to better catch these instances. Thus, it is now harder for traditional professional mules to complete their tasks.

OCGs adapted to this new environment by creating a number of schemes focused on unknowing money mules. The professional mule's role shifted to that of the mule herder, someone who recruits people to carry out the fraudulent transactions. With technology and the Internet, mule herders no longer have to be physically close to their mules to see a scheme through.

“A single mule herder can run multiple mule operations, each focusing on a different country and language,” writes Idan Aharoni for SecurityWeek. “If in the past most mules were accomplices, today they’re mostly unwitting mules, regular Joes who get scammed into being mules and are not necessarily less innocent than the actual victims of the fraud.”

Professional Mules

Professional mules are adapting to today’s technologies and utilizing commercially available crimeware to complete their fraud. Crimeware is a type of malicious software designed to carry out or facilitate illegal online activity.

A well-known case involved a cyber-ring of 70 money mules that defrauded millions of dollars from U.S. and U.K. banks by utilizing the Zeus Trojan crimeware. The Zeus Trojan infects Microsoft Windows systems and is used to carry out criminal tasks such as stealing online banking credentials and, in later variants, installing CryptoLocker ransomware. It spreads through phishing emails and malicious downloads.

The majority of the criminals were from Russia, Kazakhstan, Belarus and Ukraine and comprised a mule organization of mule herders, individuals who obtained false passports and the mules themselves. While some of the individuals in this scheme were unaware of the fraud, the majority of the players were knowing participants in the operation. The controllers of the malicious Trojan spread it to victims' PCs through email. Once a victim's computer was infected, the malware let the attackers steal the victim's banking credentials and transfer money from the victim's account to a mule account. The mules would then withdraw the funds and send them to their accomplices, keeping a small portion for themselves.

Auto auction fraud schemes are another example that relies on professional mules. Criminal groups, often in Romania, post online auctions for nonexistent cars or merchandise. Victims who respond to the fraudulent listings are instructed to send payment to a mule account. The mule then transfers the proceeds overseas to his or her co-conspirators. One of the most well-known professional auto auction money mules is Romanian Adrian Ghighina, who pleaded guilty to wire fraud in 2011. According to the U.S. Department of Justice, Ghighina acted as a money mule for four years, moving around the United States and opening bank accounts under fake names. The accounts were used to receive the illicit proceeds from victims of the fraudulent auto auction listings.

J-1 Visa Money Mules

The State Department's J-1 Visa Exchange Visitor Program is a cultural exchange initiative. There are many subprograms for purposes such as au pair work, visiting physicians, scholarly research and internships. The program also includes the Summer Work Travel and University Student programs, which have been exploited by OCGs to recruit and place money mules within the United States.

Young adults are recruited in their home countries through social networking sites, online advertisements and personal contacts to serve as money mules while working or studying in the United States. The mules open a bank account and give the account number to their handler or to the OCG. The OCG's hackers use various online techniques to compromise consumers' online banking credentials. Once an account is compromised, the OCG may initiate an Automated Clearing House (ACH) transfer to the mule's account; the mule then either transmits the funds electronically to the OCG or withdraws them in cash and smuggles the money back to his or her home country for delivery to the OCG.

Perhaps the largest and most famous takedown of a J-1 Visa operation was Operation ACHing Mules in 2010. Charges against 37 people acting as mules or mule herders were filed in the Southern District of New York. The international fraud ring, based in Eastern Europe, was responsible for stealing more than $3 million from small businesses and municipalities.

The ring recruited young adults who had J-1 Visas through Russian social network sites. The mules were then provided with fake passports. Once in the United States, they opened bank accounts under aliases. The accounts were destination points for ACH transfers from compromised victims’ accounts. The illicit funds were either sent back to Eastern Europe via ACH or the mules withdrew cash from an ATM and smuggled it overseas.

Be On the Lookout

Unequivocally knowing mules are those who enter the illicit arrangement fully aware of the illegal nature of what they are doing. Money mule transactions, particularly those of mules acting in complicity with the crime group, represent a serious anti-money-laundering compliance risk, and financial institutions that fail to detect them may be subject to punitive fines. Identifying money mule accounts is a challenge for anti-money-laundering programs. The Federal Deposit Insurance Corporation has highlighted additional red flags that can be used to help identify mule activity, which can be found in a previously reported Security Intelligence article, "Money Mule Targets: The Extremely Gullible and Financially Distressed."
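As an added example that is not part of the original article or any institution's rules: a minimal pass-through detector in Python built from the cash-out behaviour described above, namely an account (often newly opened) that receives an ACH credit and, within days, sends most of the money back out by outbound transfer or ATM cash withdrawal, keeping only a small cut. The transaction records, field names and thresholds are constructed assumptions for illustration; they are not the FDIC red flags referred to above.

```python
"""Pass-through heuristic for spotting money mule accounts.

Added example, not code from the original article. It flags an account
when an inbound ACH credit is followed within a short window by outbound
transfers or ATM cash withdrawals that move most of the money on again,
which is the cash-out pattern described in the article. Thresholds, field
names and sample records are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    when: date
    kind: str      # e.g. ACH_CREDIT, ACH_DEBIT, WIRE_OUT, ATM_CASH, POS
    amount: float  # positive for credits, negative for debits


@dataclass(frozen=True)
class Alert:
    account: str
    credit_date: date
    credit_amount: float
    moved_out: float
    reasons: tuple[str, ...]


# Assumed thresholds; tune against real false-positive rates.
MAX_ACCOUNT_AGE_DAYS = 90     # "new account" if the credit lands within this many days of opening
PASS_THROUGH_WINDOW_DAYS = 3  # outbound activity counted from the credit date to this many days later
PASS_THROUGH_RATIO = 0.80     # share of the credit that must leave again to count as pass-through
OUTBOUND_KINDS = {"ACH_DEBIT", "WIRE_OUT", "ATM_CASH"}


def score_account(account: str, opened: date, txns: list[Txn]) -> list[Alert]:
    """Return one Alert per inbound ACH credit that is rapidly passed through."""
    own = sorted([t for t in txns if t.account == account], key=lambda t: t.when)
    alerts: list[Alert] = []
    for credit in own:
        if credit.kind != "ACH_CREDIT":
            continue
        window_end = credit.when + timedelta(days=PASS_THROUGH_WINDOW_DAYS)
        outbound = [
            t for t in own
            if t.kind in OUTBOUND_KINDS and credit.when <= t.when <= window_end
        ]
        moved_out = sum(-t.amount for t in outbound)
        if moved_out < PASS_THROUGH_RATIO * credit.amount:
            continue  # money stayed put: looks like payroll or a genuine sale, not a mule
        reasons = ["rapid pass-through"]
        if (credit.when - opened).days <= MAX_ACCOUNT_AGE_DAYS:
            reasons.append("new account")
        if any(t.kind == "ATM_CASH" for t in outbound):
            reasons.append("cash withdrawal")
        alerts.append(Alert(account, credit.when, credit.amount, moved_out, tuple(reasons)))
    return alerts


def detect(opened_on: dict[str, date], txns: list[Txn]) -> list[Alert]:
    """Run score_account over every account in the ledger."""
    alerts: list[Alert] = []
    for account, opened in opened_on.items():
        alerts.extend(score_account(account, opened, txns))
    return alerts


# Constructed sample ledger (not real data). MULE-0001 is a freshly opened
# account that receives a victim's ACH credit and cashes most of it out in
# two days; PAYROLL-0042 is an ordinary salary account; MULE-0002 is an
# older account used as a pass-through by a professional mule.
SAMPLE_OPENED = {
    "MULE-0001": date(2014, 8, 1),
    "PAYROLL-0042": date(2010, 3, 15),
    "MULE-0002": date(2012, 6, 30),
}
SAMPLE_TXNS = [
    Txn("MULE-0001", date(2014, 9, 2), "ACH_CREDIT", 9800.00),
    Txn("MULE-0001", date(2014, 9, 2), "ATM_CASH", -3000.00),
    Txn("MULE-0001", date(2014, 9, 3), "WIRE_OUT", -6300.00),
    Txn("PAYROLL-0042", date(2014, 9, 1), "ACH_CREDIT", 2500.00),
    Txn("PAYROLL-0042", date(2014, 9, 1), "POS", -120.00),
    Txn("PAYROLL-0042", date(2014, 9, 3), "ATM_CASH", -200.00),
    Txn("MULE-0002", date(2014, 9, 5), "ACH_CREDIT", 12000.00),
    Txn("MULE-0002", date(2014, 9, 6), "ACH_DEBIT", -11500.00),
    Txn("MULE-0002", date(2014, 9, 20), "POS", -45.00),
]


def run_sample() -> list[Alert]:
    return detect(SAMPLE_OPENED, SAMPLE_TXNS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.account}: {a.credit_amount:.2f} in on {a.credit_date}, "
              f"{a.moved_out:.2f} out within {PASS_THROUGH_WINDOW_DAYS} days "
              f"({', '.join(a.reasons)})")
```

On the sample ledger the two mule accounts are flagged and the payroll account is not; the "new account" and "cash withdrawal" reasons are reported only as corroboration, since the older account used by the professional mule would be missed if account age were required. In practice the ratio and window would be tuned per product line, and the alert would feed an analyst queue rather than block the transfer outright.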
