A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions.
In October 2023, CloudSEK identified a critical loophole within India's banking infrastructure. This loophole was actively exploited by Chinese cybercriminals to orchestrate a large-scale money laundering scheme targeting Indian citizens. The scheme leveraged a network exceeding hundreds of thousands of compromised "money mule" accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.
Link to the Report: Chinese Scammers Launder Money via Fraud Payment Gateways: A New Threat to India's Digital Payment Ecosystem
CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem. This report focuses on a malicious mobile application (APK) identified as a key tool for onboarding and managing these money mules. Through in-depth analysis, we reveal the functionalities of this APK and the vulnerabilities it exploits, shedding light on the inner workings of this criminal operation.
Threat actors have crafted a sophisticated application known as XHelper, which functions as a crucial tool for efficiently managing a network of money mules. It serves as the technological backbone for fake payment gateways used in various scams, such as Pig Butchering, Task scams, Loan scams, E-Commerce scams, Illegal gambling apps, etc. The app is distributed through websites posing as legitimate businesses under the guise of "Money Transfer Business."
Funds transferred from mule accounts undergo a complex process, reaching threat actors who convert the funds into cryptocurrencies. After deducting their commission, threat actors pay scammers in USDT. Mules also have the option to receive their commissions in USDT.
The XHelper app offers various features, including a ranking list for mules to track earnings and compete with others. Additionally, the app incorporates a dedicated support system operating through the binding of Telegram accounts to the APK.
While XHelper serves as a concerning example, it's crucial to recognize this is not an isolated incident. CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams.
The XHelper app functions as a central hub for malicious money mules, streamlining the execution of illegal financial transactions. Designed for user-friendly operation, the platform simplifies both payout and collection processes, making it an attractive tool for individuals seeking illegitimate profit.
Link to a video from the XHelper app's LMS providing key operational instructions for money mules during onboarding is attached here.
Initiation:
Link to a video from the XHelper app's LMS on the order processing workflow for money mules in the app is attached here.
Money mules, recruited by individuals called "Agents," operate within a network established through multiple Telegram channels. Agents pose as thriving businesses seeking efficient fund management due to a high transaction volume. The recruitment often occurs through personal connections, with recruiters or agents persuading individuals in their social circles. Crucially, these so-called mules show a distinct preference for corporate bank accounts, which typically have higher transaction limits. This strategic choice allows the illicit network to move large sums of money more efficiently, maximizing the potential gains from their criminal activities.
The XHelper app incorporates an invitation feature:
Referral System: Agents can invite others to join as agents.
Bonuses and Rewards: Referring agents earn bonuses for each successful recruitment.
This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities. Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.
Inviting and managing money mule agents by the top-level mule agents
Link to a video from the XHelper app's LMS showing the money mule referral system is attached here.
The Learning Management System (LMS) for the XHelper APK, an app used by cybercriminals to onboard money mules, provides a concerning glimpse into their recruitment and training tactics.
Financial Transactions and Fund Transfer Process:
Mules get paid or punished depending on how fast the incoming money is transferred to XHelper-owned accumulator accounts
Mule agents offering to pay the commissions in USDT and INR
Link to a video from the XHelper app's LMS showing the movement of money from the mule account is attached here.
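The fund movement described above (many victim payments into a mule account, swept almost immediately to an accumulator account) has a recognisable shape in transaction data. The following is an added example from a bank-side detection viewpoint, not code from the report or from XHelper; the record fields, thresholds and sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    account: str       # monitored account (constructed field layout)
    direction: str     # "credit" (money in) or "debit" (money out)
    counterparty: str  # payer for credits, beneficiary for debits
    amount: float
    ts: datetime

def score_accounts(txns, window=timedelta(minutes=30), min_payers=5,
                   min_forward_ratio=0.9, min_hub_share=0.8):
    """Return {account: indicators} for accounts whose flow looks like mule
    pass-through: many distinct payers, nearly all funds forwarded, mostly to
    one beneficiary, shortly after each credit. Thresholds are illustrative."""
    by_acct = defaultdict(list)
    for t in txns:
        by_acct[t.account].append(t)
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort(key=lambda t: t.ts)
        credits = [t for t in rows if t.direction == "credit"]
        debits = [t for t in rows if t.direction == "debit"]
        if not credits or not debits:
            continue
        credit_total = sum(t.amount for t in credits)
        debit_total = sum(t.amount for t in debits)
        payers = {t.counterparty for t in credits}
        per_benef = defaultdict(float)  # outgoing volume per beneficiary
        for t in debits:
            per_benef[t.counterparty] += t.amount
        hub, hub_amt = max(per_benef.items(), key=lambda kv: kv[1])
        # lag between each debit and the latest credit received before it
        lags = [d.ts - max(c.ts for c in credits if c.ts <= d.ts)
                for d in debits if any(c.ts <= d.ts for c in credits)]
        fast = sum(1 for lag in lags if lag <= window) / len(lags) if lags else 0.0
        ind = {"distinct_payers": len(payers),
               "forward_ratio": round(debit_total / credit_total, 2),
               "hub_beneficiary": hub, "hub_share": round(hub_amt / debit_total, 2),
               "fast_forward_fraction": round(fast, 2)}
        if (len(payers) >= min_payers and ind["forward_ratio"] >= min_forward_ratio
                and ind["hub_share"] >= min_hub_share and fast >= 0.5):
            flagged[acct] = ind
    return flagged

T0 = datetime(2024, 1, 15, 10, 0)  # constructed timestamps
SAMPLE = [  # constructed: MULE-01 takes six victim payments and sweeps them to one hub
    *(Txn("MULE-01", "credit", f"PAYER-{i}", 9000.0, T0 + timedelta(minutes=3 * i)) for i in range(6)),
    Txn("MULE-01", "debit", "ACC-HUB", 27000.0, T0 + timedelta(minutes=12)),
    Txn("MULE-01", "debit", "ACC-HUB", 27000.0, T0 + timedelta(minutes=22)),
    # SHOP-02: ordinary shop paying suppliers days after taking customer payments
    *(Txn("SHOP-02", "credit", f"CUST-{i}", 500.0, T0 + timedelta(hours=i)) for i in range(8)),
    Txn("SHOP-02", "debit", "SUPPLIER-A", 1500.0, T0 + timedelta(days=3)),
    Txn("SHOP-02", "debit", "SUPPLIER-B", 1000.0, T0 + timedelta(days=4)),
]
```

Running `score_accounts(SAMPLE)` flags only MULE-01, naming ACC-HUB as the accumulator; the shop's slow, dispersed payouts keep it below every threshold.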
The app employs a hierarchical structure for mules, with new mules initially limited to adding up to 2 bank accounts. Mules can increase their limits by leveling up based on their performance, unlocking additional commissions and benefits.
Link to a video from the XHelper app's LMS showing how mules can earn money within the app by adding an additional bank account is attached here.
Agents and money mules demonstrate a distinct preference for corporate and merchant bank accounts. This preference is driven by the higher transaction limits associated with corporate accounts. Corporate accounts offer greater flexibility, enabling the processing of larger sums of money. The allure of these accounts lies in their capacity to accommodate substantial transactions, making them particularly attractive for the illicit activities conducted through the money mule network.
The XHelper app provides LMS training for money mules on opening corporate/merchant accounts. The process involves:
Besides the guidance provided by Xhelper training, money mules and agents also purchase accounts with higher limits, equipped with net banking and MQR, through Telegram.
Link to a video from Xhelper app's LMS showing how money mules are taught to open fake corporate and merchant accounts within the app is attached here.
Despite law enforcement efforts and frozen accounts, agents constantly devise methods to circumvent these blockages, enabling money mules to continue their illicit activities.
When a mule's UPI is already blocked by PhonePe or Google Pay, they are advised to take specific steps to address the issue:
However, if the UPI support apps do not respond or the UPI is not unblocked:
Apply for Merchant VPA:
Link to a video from Xhelper app's LMS showing how money mules are guided to Bypass Account Freezes is attached here.
Seek a No Objection Certificate (NOC) after making the repayment.
This narrative is presented to convince mules that their activities are not illegal.
Link to a video from Xhelper app's LMS showing how money mules are taught to deal with cyber complaints is attached here.