What are Money Mules ?

‍

A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions.

In October 2023, CloudSEK identified a critical loophole within India's banking infrastructure. This loophole was actively exploited by Chinese cybercriminals to orchestrate a large-scale money laundering scheme targeting Indian citizens. The scheme leveraged a network exceeding hundreds of thousands of compromised "money mule" accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.

Link to the Report: Chinese Scammers Launder Money via Fraud Payment Gateways: A New Threat to India's Digital Payment Ecosystem

‍

‍

CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem. This report focuses on a malicious mobile application (APK) identified as a key tool for onboarding and managing these money mules. Through in-depth analysis, we reveal the functionalities of this APK and the vulnerabilities it exploits, shedding light on the inner workings of this criminal operation.

Businesses that Automates Money Laundering

Threat actors have intricately crafted a sophisticated application known as XHelper which functions as a crucial tool for efficiently managing a network of money mules. It serves as the technological backbone for fake payment gateways used in various scams, such as Pig Butchering , Task scams , Loan scams, E-Commerce scams, Illegal gambling apps, etc. The app is distributed through websites posing as legitimate businesses under the guise of "Money Transfer Business."

‍

‍

‍

‍

Funds transferred from mule accounts undergo a complex process, reaching threat actors who convert the funds into cryptocurrencies. After deducting their commission, threat actors pay scammers in USDT. Mules also have the option to receive their commissions in USDT. 

The XHelper app offers various features, including a ranking list for mules to track earnings and compete with others. Additionally, the app incorporates a dedicated support system operating through the binding of Telegram accounts to the APK.

‍

‍

While XHelper serves as a concerning example, it's crucial to recognize this is not an isolated incident. CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams.

‍

‍

‍

‍

‍

‍

Exclusive Working of XHelper APK

The XHelper app functions as a central hub for malicious money mules, streamlining the execution of illegal financial transactions. Designed for user-friendly operation, the platform simplifies both payout and collection processes, making it an attractive tool for individuals seeking illegitimate profit.

‍

‍

Collection Orders (Passive Role):

• Collection orders within XHelper involve the acquisition of funds or assets, often through fraudulent activities orchestrated by external actors.
• Importantly, money mules do not directly participate in collection activities. Instead, they passively receive incoming funds from scammers utilizing the XHelper platform.

‍

Payout Orders (Active Role):

• Payout orders within XHelper demand the active participation of money mules. These orders mandate the swift transfer of funds to pre-designated accounts within strict timeframes.
• Essentially, these outgoing transactions from mule accounts to the app operators mark the final stage of the illicit financial cycle facilitated by XHelper.

‍

Onboarding and Initial Setup

• Money mules begin by entering their net banking and UPI information within the app. This grants the app access to transfer funds directly into their UPI account.

‍

‍

‍

‍

Key Operational Instructions for Money Mules during Onboarding 

‍

Pattern of UPI address:

• The individuals acting as money mules are asked to register UPI in a specific format. The format includes the username of the mule on the app. This is because the app is using these UPI addresses in a programmatic way to assign orders.

‍

Net Banking Credentials

• The app in the backend uses net banking to confirm the success of the payout order. Hence it is advised to money mules to ensure that the credentials they are sharing for net banking are correct.

‍

• The individuals acting as money mules are asked to not change the password associated with the net banking.

‍

‍

Link to a video from Xhelper app's LMS, providing Key Operational Instructions for Money Mules during onboarding attached here.

‍

Order Processing Workflow for Money Mules on App

‍

Initiation:vcv

• Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks.
• The system automatically assigns orders, potentially based on pre-determined criteria or mule profiles.

‍

‍

Order Processing:

• Upon receiving a payment order notification, mules review the details (likely containing source, destination, and amount information).
• Following strict adherence guidelines to minimize detection, money mules execute the illicit fund transfer using their linked bank app.

‍

‍

Verification and Reward:

• After completing the transfer, mules capture and upload screenshots as proof of execution, indicating success or error.
• The XHelper system or designated team automatically verifies the screenshots, streamlining the order validation process.
• Successful order completion translates to financial rewards within the app, incentivizing continued participation.

‍

‍

‍

Link to a video from Xhelper app's LMS on Order Processing Workflow for Money Mules on App attached here.

‍

Key Operational Instructions for Money Mules while Processing Orders

‍

Transfer of OTP ( One time password):

• The individuals acting as money mules are presented with two alternatives for submitting a One Time Password (OTP), known as "OTP work" and "No OTP work."
• In OTP work, the money mule can either manually send the SMS to the Mule to finalize the transaction, or the Mule agent offers an application that automatically forwards SMS for all outgoing transactions.
• On the other hand, in No OTP work, the money mules alter the mobile number linked to the Mule account to match the agent’s mobile number.

‍

Order Completion Timeframe:

• Time-Sensitive Rewards: Money mules are incentivized to complete payout orders within a strictly enforced 10-minute window. Faster processing translates to higher commissions and rewards, promoting rapid and potentially reckless transaction behavior.

‍

Bank Account Selection:

• Matched Bank Application: To avoid raising red flags and incurring potential penalties, mules are instructed to strictly use the bank app corresponding to the assigned order. This implies the app might track or verify linked accounts.

‍

‍

Payment Method Prioritization:

• IMPS/UPI Preference: Based on the order type, the XHelper app prioritizes specific payment methods, likely IMPS or UPI. This suggests potential order variations and targeted use of specific financial channels to obscure transactions.

‍

‍

Recruitment of Money Mules

Money mules, recruited by individuals called "Agents," operate within a network established through multiple Telegram channels. Agents pose as thriving businesses seeking efficient fund management due to a high transaction volume. The recruitment often occurs through personal connections, with recruiters or agents persuading individuals in their social circles. Crucially, these so-called mules show a distinct preference for corporate bank accounts, which typically have higher transaction limits. This strategic choice allows the illicit network to move large sums of money more efficiently, maximizing the potential gains from their criminal activities.

‍

The xhelper app incorporates an invitation feature:

‍

Referral System: Agents can invite others to join as agents.

Bonuses and Rewards: Referring agents earn bonuses for each successful recruitment.

‍

This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities. Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.

‍

Inviting process and managing money mule agents by the top level Mule agents 

‍

‍

‍

Link to a video from Xhelper app's LMS showing money mules referral system attached here.  

Training of Money Mules

Learning Management System (LMS) for the XHelper APK, an app used by cybercriminals to onboard money mules provides a concerning glimpse into their recruitment and training tactics.

‍

• Target Audience: Money mules recruited to launder stolen funds using their bank accounts.
• App Functionality: XHelper app facilitates uploading bank and UPI details, processing orders (likely money laundering transactions), and withdrawing "earnings."
• Content Focus:

• Streamlining money laundering process (uploading cards, processing orders).
• Maximizing profits (adding more cards, strategic card usage).
• Justifying activity (showcasing success stories, addressing concerns).
• Overcoming obstacles (handling frozen accounts, exceeding limits).
• Handling cryptocurrency transactions (using USDT on Binance P2P).

• Overall Goal: Induce new recruits and equip them to efficiently launder stolen funds through the XHelper app.

‍

‍

Movement of Money From the Mule Account

Financial Transactions and Fund Transfer Process:

‍

• Incoming Funds to Mule Accounts: Mules receive funds in their linked bank accounts through the payment gateway integrated into the XHelper app.

‍

• Transfer to Corporate Mule Accounts:  Mules are mandated to transfer the received funds to specific predetermined corporate mule accounts within a stipulated time frame, typically around 10 minutes.These corporate accounts, controlled by the XHelper application providers, have higher transaction limits.

‍

‍

‍

‍

• Preventing Accumulation in Mule Accounts: The time-sensitive nature of the fund transfer aims to prevent the accumulation of funds in individual mule accounts. This ensures that the application providers are not defrauded by the mules.

Mules getting paid and punished based on how fast the incoming money is transferred to Xhelper owned accumulator accounts 

‍

• Transfer Mechanism to Application Providers: Funds transferred from mule accounts are directed to dedicated accounts provided by the threat actors or application providers.  These accounts are added as beneficiaries by the mules for performing IMPS transaction, enabling swift and controlled fund transfers.

‍

.

‍

• Crypto Conversion and Commission Deduction: The funds transferred out from the mule accounts are sent to threat actors, who subsequently convert this money into cryptocurrencies. After deducting their commission, threat actors remunerate scammers in USDT, a stablecoin pegged to the US Dollar.

‍

• Mule Commissions in USDT: Mules, as active participants in the illicit financial operations, have the option to receive their commissions in USDT. This adds a layer of anonymity to the transactions, as cryptocurrencies provide a degree of privacy.

Mue agents offering to pay the commissions in USDT and INR

‍

Link to a video from Xhelper app's LMS showing movement of money from the mule account attached here.

‍

Earnings of Money Mules on App

The app employs a hierarchical structure for mules, with new mules initially limited to adding up to 2 banks. mules can increase their limits through leveling up, based on their performance, unlocking additional commissions and benefits

‍

‍

‍

‍

‍

‍

‍

.

‍

Link to a video from Xhelper app's LMS showing how mules can earn money within the app by adding an additional bank account attached here. 

‍

How Money Mules Open Fake Corporate and Merchant Accounts 

Agents and money mules demonstrate a distinct preference for corporate and merchant bank accounts. This preference is driven by the higher transaction limits associated with corporate accounts. Corporate accounts offer greater flexibility, enabling the processing of larger sums of money. The allure of these accounts lies in their capacity to accommodate substantial transactions, making them particularly attractive for the illicit activities conducted through the money mule network.

‍

The Xhelpers app provides LMS training for money mules on opening corporate/merchant accounts. The process involves:

1. Obtaining necessary documents:

• Business name with proprietorship
• Business location
• Form C (advising to consult a CA)
• Verifying the need for a GST certificate with the bank, suggesting consulting a CA if required (takes up to 4 days)

‍

‍

2. Registering KYC Aadhar card and PAN card with suggested small-scale businesses (e.g., XYZ enterprise, XYZ computer services, XYZ shop and stop).

‍

‍

3. Submitting all prepared documents to the bank, with recommended banks provided by Xhelpers.

‍

‍

4. Instructing money mules to inform bank executives about specific requirements for app access:

• CMS
• Bulk payment option
• VPA

‍

‍

5. Emphasizing the potential for high daily income by uploading their corporate account information to the app.

‍

Besides the guidance provided by Xhelper training, money mules and agents also purchase accounts with higher limits, equipped with net banking and MQR, through Telegram.

‍

Link to a video from Xhelper app's LMS showing how money mules are taught to open fake corporate and merchant accounts within the app is attached here.

‍

‍

Why Money Mule Apps Favor Bank-Specific UPI Applications

• Stealthy Transactions: Bank UPI apps provide scammers with a platform for conducting transactions discreetly, mitigating the risk of immediate detection or suspicion by leveraging the relative lack of visibility associated with bank-specific platforms.

‍

‍

• Bypassing Third-Party Monitoring: The choice of bank UPI apps allows scammers to circumvent potential monitoring mechanisms associated with popular third-party applications. This avoidance of third-party oversight enhances the scammers' ability to involve money mules in unauthorized transactions without triggering immediate alerts or security measures.

‍

• Perceived Lower Security Standards: Money mules may perceive bank-specific UPI apps as having lower security standards compared to well-established third-party platforms. Scammers exploit this perception to encourage money mules to adopt bank apps, fostering an environment where fraudulent activities can occur with a diminished risk of detection.

‍

• Mitigation of Account Blocking Risk: Scammers are cognizant of the potential consequences of account blocking by popular third-party services. Advising the use of bank applications allows them to strategically lower the risk of account suspension, providing a more sustained opportunity for money mules to execute fraudulent transactions before intervention.

‍

‍

‍

• Reduced Suspicions: Money mules and authorities may be more accustomed to transactions through bank apps, potentially leading to reduced suspicions. Scammers may exploit this familiarity to involve money mules in their fraudulent activities with a lower likelihood of raising alarms.

‍

• Payout Order Verification via Net Banking: Scammers favor bank apps because they utilize net banking to receive automated confirmations upon the completion of payout orders.

‍

Strategies Employed by Money Mules to Bypass Account Freezes

Despite law enforcement efforts and frozen accounts, agents constantly devise methods to circumvent these blockages, enabling money mules to continue their illicit activities. 

‍

‍

When a mule's UPI is already blocked by PhonePe or Google Pay, they are advised to take specific steps to address the issue:

‍

• Contact Support Through App: Mules are instructed to contact support through the respective app and create a ticket to unblock the UPI.
• Provide Business Proof: Once the support executive responds, mules are required to provide business proof, including Udhyam, GST, trade license, and PAN card.
• Wait for 24 Hours: After submitting the necessary documents, the UPI apps are expected to unblock the UPI within 24 hours.

‍

However, if the UPI support apps do not respond or the UPI is not unblocked:

‍

• Visit the Bank: Mules are advised to go to the bank and request unblocking the UPI. Before doing so, scammers are encouraged to check their daily transaction limit to confirm whether the freeze was due to transaction limits.
• Use Current Accounts: Current accounts are recommended as they are less prone to freezing compared to saving accounts, which have fewer features and a shorter lifespan.

‍

Training for Bank Customer Support Calls:

‍

• Bank Customer Support Communication: Mules undergo training to communicate effectively with bank customer support in response to suspicious transactions. When called for security reasons, mules provide information such as their real name (answered with the mule account name), purpose of transactions (sending money to a friend), self-execution of the transaction (answered with yes), transaction method (net banking using IMPS mode), and familiarity with the beneficiary.
• Verification Process: During bank customer support interactions, mules may encounter questions regarding the amount being transferred, date of birth, and mother's name for verification purposes. It is crucial for mules to respond accurately to maintain the appearance of legitimacy in their transactions.

‍

‍

‍

Apply for Merchant VPA:

‍

• Apply for Merchant VPA: If using a current account or applying for one, mules are advised to visit the bank and apply for a Merchant VPA (Virtual Payment Address). This reduces the chance of UPI getting blocked, as transactions are less likely to be flagged as suspicious.

• Merchant VPA Application Process: Mules need to visit a branch, express the need for a merchant VPA for their business (e.g., CSC Center, Grocery Wholesale, Auto Parts, Cement Workshop), provide business proof, and fill out the application form for the merchant VPA. Upon submitting all necessary details, the bank will issue the merchant VPA.

‍

Link to a video from Xhelper app's LMS showing how money mules are guided to Bypass Account Freezes is attached here.

‍

Dealing with Cyber Complaints:

‍

• Visit Home Branch or Nearest Branch: Mules are instructed to go to their home branch or the nearest branch where they hold their bank account.
• Convince Banker: Attempt to persuade the bank personnel to resolve the issue and lift the freeze on the account.
• Help Find the Complaint Person: Work towards identifying the individual who lodged the complaint against the mule.
• Contact Complainant and Negotiate: Reach out to the complainant, discussing the issue and attempting to negotiate a resolution. Propose a settlement and express a willingness to rectify any concerns.
• Provide Complaint Report and Repay: Present a complaint report to the complainant and repay the claimed amount.

 Seek a No Objection Certificate (NOC) after making the repayment.

‍

‍

• Always Pay Complainant: Emphasize the importance of settling the payment with the complainant to resolve the issue.
• Submit NOC to Bank: Take the NOC obtained from the complainant to the bank and submit it for verification.
• Bank Verification and Unfreezing: The bank conducts a verification process and, upon satisfactory results, unfreezes the account.
• Addressing Unresolved Issues: If the problem persists, explore the possibility of unresolved disputes or larger legal issues.
• Understanding Borrowing Situations: Mules are informed that complainants may borrow money from cooperative customers and later file complaints about collection amounts.

This narrative is presented to convince mules that their activities are not illegal.

• Negotiate Settlement: In situations involving disputes, mules are advised to reach a settlement with the complainant.
• Avoid Arguments with Authorities: Mules are strictly cautioned against arguing with bankers or law enforcement, especially regarding the complaint.

‍

‍

‍

• Hiring an Advocate: If needed, mules are advised to engage legal assistance by hiring an advocate to navigate the legal complexities.
• Never Argue with Authorities: Mules are firmly reminded never to argue with bankers or law enforcement, particularly when it comes to addressing complaints.

‍

Link to a video from Xhelper app's LMS showing how money mules are taught to deal with cyber complaints is attached here. 

‍

Impact on Banks

• Financial Losses: Money mule activities can result in financial losses for banks due to fraudulent transactions and compromised accounts.

‍

• Operational Strain: Banks face operational challenges in monitoring and preventing money mule activities, requiring additional resources for security measures.

‍

• Technological Risks: The exploitation of money mule app capabilities poses technological risks, potentially compromising the security of banking systems.

‍

• Customer Trust: Involvement in money mule activities may lead to a loss of customer trust, affecting the bank's reputation and customer relationships.

‍

• Legal and Compliance Issues: Banks may face legal consequences and regulatory scrutiny, resulting in potential fines and penalties.

‍

• Transaction Monitoring Costs: Enhanced transaction monitoring to detect and prevent money mule activities can increase operational costs for banks.

‍

• Resource Allocation: Dealing with the impact of money mule activities requires banks to allocate resources for investigations, security measures, and compliance efforts.

‍

• International Compliance Challenges: Money mule transactions involving the international flow of funds create challenges for banks in adhering to cross-border regulatory compliance.

‍

Proactive Measures for Strengthening Bank Controls Against Money Mule Activities

1. Enhance Merchant Account Opening Procedures:

1. Implement stricter verification protocols to detect forged documents and prevent fraudulent account creation.
2. Consider utilizing digital identity verification solutions for a more robust process.

‍

2. Bolster Netbanking Security Measures:

1. Implement multi-factor authentication (MFA) as mandatory for all netbanking activities, including payment confirmations.
2. Monitor and flag suspicious activity involving frequent beneficiary additions or changes.
3. Educate users on the importance of secure practices and phishing prevention.

‍

3. Address Victim Information Sharing:

1. Strengthen data privacy protocols to prevent unauthorized access to victim information.
2. Implement stricter procedures for responding to requests for victim data, prioritizing victim protection.

‍

4. Leverage External Data for Risk Assessment:

1. Explore partnerships with social media platforms or other data providers to gather insights for identifying high-risk users.
2. Develop risk scoring models that integrate external data sources to improve real-time detection of money mule activity.

‍

5. Integrate Payment Red Flags in Faster Payments:

1. Collaborate with payment service providers to implement red flag indicators within Faster Payment messages.
2. Identify suspicious transactions based on pre-defined red flags, such as unusual recipient names, locations, or high-risk payment patterns.

‍

6. Explore Payment Delays for High-Risk Users:

1. Investigate the feasibility of introducing short payment delays for identified high-risk users.
2. Utilize this "cooling-off" period for further verification and potential intervention before funds are transferred.
3. Carefully consider the potential impact on legitimate transactions and user experience before implementation.

‍

Appendix

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍