For a more recent article on money mules, read “How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud.”

Money mules are an essential element in the process of cashing out compromised financial accounts. A money mule is a person who receives and transfers illegally acquired money on behalf of others and earns a commission in return. Cybercriminals, often located in Eastern European countries, need accomplices located in the victim's country to cash out compromised accounts.

Money mules may be witting (knowing) accomplices or unwitting (unknowing) ones. The use of mules is low-risk for the criminals, who remain anonymous, while the mules acting on their behalf run a high risk of being exposed, arrested, convicted and sent to prison.

Schemes for Targeting Knowing Money Mules

The old-fashioned method for fraudsters to recruit a mule was through real-world interactions. Low-level players in organized crime groups (OCGs) or individuals looking to make a quick buck would be tasked with moving money from point A to point B. These professional mules still exist, but anti-money-laundering laws and regulations have become the norm, and financial institutions have developed methodologies to better catch these cases. Thus, it is now harder for traditional professional mules to complete their tasks.

OCGs adapted to this new environment by creating a number of schemes focused on unknowing money mules. The role of the professional mule became the mule herder. A mule herder is someone who recruits people to carry out the fraudulent transactions. With technology and the Internet, mule herders no longer have to rely on being physically close to mules to ensure their schemes are completed.

“A single mule herder can run multiple mule operations, each focusing on a different country and language,” writes Idan Aharoni for SecurityWeek. “If in the past most mules were accomplices, today they’re mostly unwitting mules, regular Joes who get scammed into being mules and are not necessarily less innocent than the actual victims of the fraud.”

Professional Mules

Professional mules are adapting to today’s technologies and utilizing commercially available crimeware to complete their fraud. Crimeware is a type of malicious software designed to carry out or facilitate illegal online activity.

A well-known case involved a cyber-ring of 70 money mules that defrauded millions of dollars from U.S. and U.K. banks by utilizing the Zeus Trojan crimeware. The Zeus Trojan operates through Microsoft Windows operating systems and is used to carry out criminal tasks such as stealing banking information and installing CryptoLocker ransomware. It spreads through phishing schemes and malicious downloads.

The majority of the criminals were from Russia, Kazakhstan, Belarus and the Ukraine and comprised a mule organization of mule herders, individuals who obtained false passports and the mules themselves. While some of the individuals in this scheme were unaware of the fraud, the majority of the players were knowing parts of the operation. The controllers of the malicious Trojan spread it to victims’ PCs through email. Once a victim’s computer was infected, the malware let the attackers steal victims’ banking information, thus allowing for the transfer of money from victim accounts to mule accounts. The mules would then withdraw the funds and send them to their accomplices, keeping a small portion for themselves.

Another example of a professional mule scheme is auto auction fraud. Criminal groups, often in Romania, establish online auctions for nonexistent cars or merchandise. Victims who respond to the fraudulent listings are instructed to send payment to a mule account. The mule then transfers the proceeds overseas to his or her co-conspirators. One of the most well-known professional auto auction money mules is Romanian Adrian Ghighina, who pleaded guilty to wire fraud in 2011. According to the U.S. Department of Justice, Ghighina acted as a money mule for four years, moving around the United States and opening bank accounts under fake names. The accounts were used to receive the illicit proceeds from victims of fraudulent auto auctions.

J-1 Visa Money Mules

The State Department’s J-1 Visa Exchange Visitor Program is a cultural exchange initiative. There are many subprograms for purposes such as au pair work, visiting physicians, scholarly research and internships. The program also includes the Summer Work Travel and University Student programs, which have been exploited by OCGs to recruit and place money mules within the United States.

Young adults are recruited in their home countries through social networking sites, online advertisements and personal contacts to serve as money mules while working or studying in the United States. The mules open a bank account and provide the account number to their handler or to the OCG. The OCG hackers use various online techniques to compromise the online banking credentials of consumers. Once credentials are compromised, the OCG may initiate an Automated Clearing House (ACH) transfer to the account of the mule, who will then transmit the funds electronically to the OCG or withdraw them in cash and smuggle the cash back to his or her home country for delivery to the OCG.

Perhaps the largest and most famous takedown of a J-1 Visa operation was Operation ACHing Mules in 2010. Charges against 37 people acting as mules or mule herders were filed in the Southern District of New York. The international fraud ring, based in Eastern Europe, was responsible for stealing more than $3 million from small businesses and municipalities.

The ring recruited young adults who had J-1 Visas through Russian social network sites. The mules were then provided with fake passports. Once in the United States, they opened bank accounts under aliases. The accounts were destination points for ACH transfers from compromised victims’ accounts. The illicit funds were either sent back to Eastern Europe via ACH or the mules withdrew cash from an ATM and smuggled it overseas.

Be On the Lookout

The unequivocally knowing mules are those who enter the illicit arrangements fully aware of the illegal nature of what they are doing. Money mule transactions, particularly from mules acting in complicity with the crime group, represent a serious anti-money-laundering compliance threat for which financial institutions may be subject to punitive fines. Identifying money mule accounts is a challenge for anti-money-laundering programs. The Federal Deposit Insurance Corporation has highlighted additional red flags that can be used to help identify mule activity, which can be found in a previously reported Security Intelligence article, “Money Mule Targets: The Extremely Gullible and Financially Distressed.”
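The mule accounts described above share one transaction pattern: a recently opened account receives an ACH credit and most of the balance leaves again within a day or two by ACH, wire or ATM withdrawal. The following is an added example, not code from the article or from any bank's monitoring system, of a simple pass-through heuristic over constructed transaction records; the thresholds (48-hour window, 80% outflow ratio, 90-day account age) are assumptions chosen for illustration, not the FDIC red flags the article refers to.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    kind: str      # "ACH_IN", "ACH_OUT", "WIRE_OUT", "ATM_OUT", "POS"
    amount: float  # always positive; kind gives the direction


OUT_KINDS = {"ACH_OUT", "WIRE_OUT", "ATM_OUT"}


def pass_through_alerts(txns, opened, window=timedelta(hours=48),
                        min_out_ratio=0.8, max_age=timedelta(days=90)):
    """Return (account, credit_ts, credit_amt, out_amt) for every ACH credit
    into a recently opened account where at least min_out_ratio of the credit
    leaves the account (ACH, wire or ATM) within the window after the credit."""
    by_acct = defaultdict(list)
    for t in txns:
        by_acct[t.account].append(t)
    alerts = []
    for acct, items in by_acct.items():
        items.sort(key=lambda t: t.ts)
        for credit in items:
            # Only ACH credits into accounts younger than max_age are of interest
            if credit.kind != "ACH_IN" or credit.ts - opened[acct] > max_age:
                continue
            out = sum(t.amount for t in items
                      if t.kind in OUT_KINDS
                      and credit.ts <= t.ts <= credit.ts + window)
            if out >= min_out_ratio * credit.amount:
                alerts.append((acct, credit.ts, credit.amount, out))
    return alerts


# Constructed sample: M-1 behaves like the mule accounts described above
# (new account, ACH credit, cashed out within a day); P-1 is an ordinary
# long-standing payroll account with normal spending.
T0 = datetime(2010, 9, 1, 9, 0)
OPENED = {"M-1": T0 - timedelta(days=12), "P-1": T0 - timedelta(days=900)}
SAMPLE = [
    Txn("M-1", T0, "ACH_IN", 9_800.00),
    Txn("M-1", T0 + timedelta(hours=5), "ATM_OUT", 2_000.00),
    Txn("M-1", T0 + timedelta(hours=20), "WIRE_OUT", 7_200.00),
    Txn("P-1", T0, "ACH_IN", 3_100.00),
    Txn("P-1", T0 + timedelta(hours=30), "POS", 85.40),
    Txn("P-1", T0 + timedelta(days=3), "ACH_OUT", 1_200.00),
]

if __name__ == "__main__":
    for alert in pass_through_alerts(SAMPLE, OPENED):
        print(alert)
```

In a real AML program this heuristic would be one signal among several (identity checks at account opening, counterparty history, geography of the outbound transfer), since a single pass-through event also matches legitimate behaviour such as a deposit immediately used for a large purchase.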
