Exposing the Underground Mule-as-a-Service Economy: How AI and Telegram Are Reshaping Money Laundering
A defender's guide to the MaaS economy that industrializes money laundering
Published May 22, 2026

Executive Summary
Money mule networks have become a critical component of modern cybercrime and financial fraud ecosystems, enabling threat actors to launder and monetize proceeds generated through phishing, Business Email Compromise (BEC), banking malware, ransomware, investment scams, and account takeover operations. In recent years, traditional mule recruitment has increasingly evolved into professionalized Mule-as-a-Service (MaaS) ecosystems that provide scalable laundering infrastructure to cybercriminals.
This report highlights how mule operations increasingly rely on stolen identities, synthetic identities, compromised accounts, and AI-assisted onboarding techniques rather than solely recruiting human participants. Threat actors leverage forged documentation, deepfake-enabled KYC bypass methods, account takeover techniques, and automated account “warming” activity to create resilient laundering infrastructures across multiple financial platforms.
KELA identified extensive underground activity related to mule operations across Telegram channels, cybercriminal forums, and encrypted messaging platforms, including advertisements for verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and full-service laundering operations.
The report also highlights the growing relevance of Latin America, particularly Brazil, within the global money mule landscape. The rapid adoption of real-time payment systems such as PIX has created favorable conditions for laundering activity involving rented, stolen, or fraudulently created “Contas Laranja” (“Orange Accounts”).
As money mule ecosystems become increasingly automated and AI-enabled, financial institutions will likely need to shift from reactive transaction monitoring toward identity-focused intelligence collection, behavioral analytics, infrastructure monitoring, and advanced fraud detection capabilities.
What Are Money Mules and How Do They Operate?
Money mules primarily serve as intermediaries that facilitate the laundering and movement of illicit funds on behalf of cybercriminals and organized criminal groups. Their main purpose is to obscure the origin and ownership of stolen or fraudulent proceeds, complicating attribution and reducing operational risk for the primary threat actors. Mule accounts are used to receive fraudulent transfers and disperse funds across multiple financial institutions.
Ultimately, money mules create additional layers of separation between victims and threat actors, making it harder for law enforcement to trace money trails. According to public reporting, fraud represents a major and growing financial crime challenge, accounting for over 40% of all recorded crime in England and Wales. In the United States, an estimated 0.3% of accounts at financial institutions are believed to be mule-controlled, a trajectory that surpassed $3 billion annually in baseline historical filings, scaling exponentially with the rise of automated generative AI toolkits.
This activity represents a critical financial fraud vector in which threat actors leverage human proxies to obscure the audit trail of illicit funds. By using a distributed network of personal bank accounts, cybercriminals can bypass traditional Anti-Money Laundering triggers and automated fraud detection systems.
The 3 Stages of Money Laundering Explained: Placement, Layering, Integration
Money mule operations generally follow the traditional three-stage money laundering model, though modern cybercriminal ecosystems have adapted these mechanisms to operate at greater speed and scale through digital financial platforms.
The first stage, placement, involves introducing illicit funds into the financial system through mule-controlled accounts. These funds are commonly derived from cyber-enabled crimes. Threat actors transfer stolen funds into accounts controlled by complicit, deceived, or stolen-identity mules to distance themselves from the original fraudulent transaction and reduce direct attribution risk.
The second stage, layering, is the core operational phase of the laundering process. During this phase, money mules rapidly disperse funds across multiple financial platforms and intermediary accounts to complicate forensic tracing. One observed technique is smurfing, in which large sums are fragmented into smaller transactions intended to remain below Currency Transaction Report (CTR) thresholds or other AML monitoring triggers. This reduces the likelihood of automated compliance alerts while allowing threat actors to move substantial illicit funds over time.
The final stage, integration, involves reintroducing laundered funds into the legitimate economy or consolidating them into assets controlled by the threat actor. Funds may be withdrawn as cash through ATMs, used for high-value purchases, or converted into cryptocurrency, including privacy-focused coins. Once funds reach wallets or financial assets perceived as “clean,” threat actors can use or redistribute the proceeds with reduced exposure to detection or seizure.
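The smurfing pattern described under layering can be caught by aggregating credits per account instead of judging each transfer on its own. The following is an added example, not KELA's code or any institution's rule set: the 10,000.00 threshold, the 48-hour window, the minimum count, and all account data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: 10,000.00 expressed in integer cents (the US CTR figure).
# Set this per jurisdiction and per monitoring rule.
REPORT_THRESHOLD_CENTS = 1_000_000


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    cents: int  # credit into the account, in integer cents


@dataclass(frozen=True)
class StructuringAlert:
    account: str
    start: datetime
    end: datetime
    count: int
    total_cents: int


def detect_structuring(txns, threshold=REPORT_THRESHOLD_CENTS,
                       window=timedelta(hours=48), min_count=3):
    """Flag accounts whose sub-threshold credits add up past the threshold
    inside one sliding time window."""
    by_account = defaultdict(list)
    for t in txns:
        # A credit at or above the threshold is reported on its own, so only
        # sub-threshold credits are candidates for structuring.
        if 0 < t.cents < threshold:
            by_account[t.account].append(t)

    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda t: t.ts)
        left, total, best = 0, 0, None
        for right, t in enumerate(items):
            total += t.cents
            # Shrink the window from the left until it spans at most `window`.
            while t.ts - items[left].ts > window:
                total -= items[left].cents
                left += 1
            count = right - left + 1
            if count >= min_count and total >= threshold:
                if best is None or total > best.total_cents:
                    best = StructuringAlert(account, items[left].ts, t.ts,
                                            count, total)
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample data, not taken from any real account.
SAMPLE_TXNS = [
    # Four credits just under a third of the threshold within 30 hours.
    Txn("A-1001", datetime(2026, 1, 5, 9, 0), 290_000),
    Txn("A-1001", datetime(2026, 1, 5, 15, 0), 280_000),
    Txn("A-1001", datetime(2026, 1, 6, 10, 0), 295_000),
    Txn("A-1001", datetime(2026, 1, 6, 15, 0), 270_000),
    # Small credits that never approach the threshold.
    Txn("A-2002", datetime(2026, 1, 5, 9, 0), 50_000),
    Txn("A-2002", datetime(2026, 1, 5, 11, 0), 60_000),
    Txn("A-2002", datetime(2026, 1, 5, 13, 0), 70_000),
    # One large, separately reportable credit plus two small ones.
    Txn("A-3003", datetime(2026, 1, 5, 9, 0), 1_200_000),
    Txn("A-3003", datetime(2026, 1, 5, 10, 0), 50_000),
    Txn("A-3003", datetime(2026, 1, 5, 11, 0), 60_000),
    # Large-ish credits spaced three days apart, outside any 48-hour window.
    Txn("A-4004", datetime(2026, 1, 5, 9, 0), 400_000),
    Txn("A-4004", datetime(2026, 1, 8, 9, 0), 400_000),
    Txn("A-4004", datetime(2026, 1, 11, 9, 0), 400_000),
]

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TXNS):
        print(alert)
```

A fixed window and threshold are exactly what the adaptive splitting described later in this report is tuned against, so a rule like this works best as one signal alongside identity and device intelligence.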
Where Money Mules Fit in the Cybercrime Kill Chain
Although mule networks are not typically involved in the initial intrusion or fraud activity, they serve as a key post-compromise capability that allows threat actors to extract value from cyber-enabled operations. In many financially motivated campaigns, laundering infrastructure is as critical as intrusion capability, as failure to move or cash out stolen funds can significantly reduce operational profitability.
Within the cybercrime kill chain, money mule activity typically begins after a compromise or fraud event has generated illicit proceeds. In Business Email Compromise (BEC) schemes, fraudulent wire transfers are directed to mule-controlled accounts. Phishing campaigns, banking trojans, investment scams, and e-commerce fraud operations similarly rely on mule infrastructure to receive and redistribute stolen assets before victims or financial institutions can intervene.
Conceptual updates to Lockheed Martin’s original seven-stage framework have expanded the cyber kill chain to include an eighth stage focused on monetization. This stage covers activities threat actors use to profit from attacks, such as deploying ransomware for extortion or selling sensitive data on the dark web.
The Three Types of Money Mules Explained (and How Criminals Recruit Them)
Money mule networks rely on multiple categories of participants that differ in terms of awareness, motivation, and operational value to criminal organizations. These categories range from fully complicit individuals who knowingly participate in laundering activities to victims whose identities are abused without their knowledge, or those who are involuntarily involved after their personal accounts have been hijacked. The recruitment and acquisition methods used by threat actors vary significantly depending on the type of mule being targeted and the operational requirements of the laundering scheme.
Complicit Money Mules: The Knowing Participants
Individuals who knowingly participate in money laundering operations in exchange for financial compensation. These actors are fully aware that their bank accounts or financial services are being used for illicit activity, although they may not know the exact source of the funds. Recruitment of complicit mules frequently occurs through Telegram channels, underground forums, WhatsApp groups, and social media advertisements promoting “easy money” opportunities.
As observed across multiple discussions collected from the KELA platform, cybercriminal forums contain numerous examples of users exchanging operational advice, laundering techniques, and security precautions related to mule activity.
As seen on the Dread forum, a user involved in this scheme shares his concerns about being caught.
In one observed case, a forum user described receiving Canadian dollars from Kenya through an international remittance platform while acknowledging awareness of the illicit nature of the activity.
In some cases, recruitment also occurs through personal referrals within criminal communities. Threat actors often target financially vulnerable individuals, including students, unemployed people, gig economy workers, migrants, or people facing economic hardship. Complicit mules may provide access to existing accounts, create new accounts under their own identities, or directly participate in cash-out operations and fund transfers.
It is also important to note that these ecosystems are not exempt from internal scams and fraudulent behavior targeting other criminals. Underground forums frequently contain complaints involving operators who disappear after receiving illicit funds without completing the agreed laundering process.
In parallel, these communities often share detailed operational guides and instructional material explaining how to conduct laundering activity, evade AML controls, reduce the likelihood of account freezes, and interact with financial institutions during fraud investigations.
Deceived Money Mules: The Unwitting
Also referred to as unwitting mules, these individuals are manipulated into participating in laundering operations without fully understanding the criminal nature of the activity. These victims are commonly recruited through fake job offers, fraudulent remote employment opportunities, romance scams, or advertisements for “financial processing” roles. Threat actors frequently impersonate legitimate companies, recruiters, or e-commerce businesses to establish credibility and reduce suspicion. Victims are instructed to receive payments into their accounts and transfer the funds elsewhere while retaining a small commission as payment for their “services.” Social engineering plays a central role in these operations, with attackers leveraging urgency, financial incentives, and professional-looking documentation to maintain compliance.
In many cases, victims may still face legal or financial consequences despite being unaware of the criminal nature of the scheme. Individuals involved in these operations risk account freezes, banking restrictions, financial losses, and potential legal investigations related to money laundering activity.
According to the United Nations, recruitment efforts typically exploit vulnerabilities such as financial hardship, emotional fragility, or lack of awareness. Recruitment methods continue to evolve and increasingly rely on digital platforms and large-scale social engineering campaigns. Common approaches include deceptive job offers, social media lures, and romance scams. Young adults between the ages of 18 and 24 are considered particularly vulnerable to recruitment due to financial pressures, high social media exposure, and limited familiarity with financial crime schemes.
Stolen & Synthetic Identity Money Mules: The Invisible
Stolen identity mules, a subtype of unwitting mules, represent one of the most operationally valuable and increasingly common models within modern cybercrime ecosystems. In these operations, threat actors use stolen or synthetic identities to open financial accounts without the knowledge or participation of the victim. The personal information used is obtained through data breaches, phishing campaigns, infostealer malware, SIM-swapping attacks, insider leaks, or underground identity marketplaces. Criminal actors then leverage this data to bypass KYC procedures at banks, fintech platforms, and cryptocurrency exchanges.
Unlike traditional mule recruitment, stolen identity operations reduce criminals’ exposure to human error, cooperation with law enforcement, or operational leaks. The onboarding process may involve forged documents, manipulated selfies, synthetic identities, or AI-generated deepfakes to evade remote verification systems. Financial institutions with simplified onboarding workflows or weak identity validation controls are particularly vulnerable to this type of abuse.
Another common approach involves compromising legitimate existing accounts using exposed credentials or banking access data. Threat actors may also compromise legitimate aged bank accounts through account takeover (ATO) techniques, obtaining usernames, passwords, session cookies, banking tokens, or device fingerprints. Rather than creating new accounts, criminals hijack legitimate accounts and temporarily repurpose them for laundering activity, fund transfers, or cash-out operations. Because these accounts already possess verified identities and established transaction histories, they may generate less suspicion from fraud detection systems.
What is the Mule-as-a-Service (MaaS) Business Model?
The transition from traditional money mule operations toward Mule-as-a-Service (MaaS) ecosystems represents a significant evolution in modern financial crime and cyber-enabled fraud. MaaS, a specialized segment within the broader Fraud-as-a-Service (FaaS) ecosystem, has transformed laundering activity from an ad hoc support function into a structured, scalable, and highly specialized criminal service economy. Rather than recruiting and managing mule networks internally, threat actors can now outsource laundering infrastructure through dedicated providers that offer verified accounts, onboarding services, cash-out capabilities, and cross-border fund movement. This model increasingly functions as the monetization engine of the cybercrime kill chain, enabling financially motivated actors to rapidly extract, disperse, and launder illicit proceeds.
Across different markets, it is common to find actors advertising the sale of bank accounts from multiple financial institutions.
User in a Telegram channel offering bank accounts from various U.S. banks.
Recent investigations into MaaS infrastructure have exposed the existence of centralized mule management platforms designed to coordinate thousands of accounts simultaneously. These ecosystems increasingly mirror legitimate digital service industries, featuring tiered offerings, automation, reputation systems, and customer support models.
As observed in KELA sources, users in carding forums view building networks of money mules and offering money laundering services as a potentially profitable business.
In a thread on CarderUK, users debate the different stages of money laundering as a service.
MaaS providers advertise their services through Telegram channels, underground forums, encrypted messaging groups, and dark web marketplaces. Offerings may include verified bank accounts, fintech wallets, cryptocurrency exchange accounts, pre-registered SIM cards, identity kits, or fully operational cash-out services.
KELA identified multiple Telegram channels advertising money mule services as part of a broader service to cybercriminals.
User in carding Telegram channel offering money mule services
Mule Management Panels: The Command & Control of MaaS
Recent technical investigations into MaaS operations have revealed the existence of centralized Mule Management Panels, which function as web-based command-and-control interfaces used by mule operators and “mule herders” to coordinate laundering operations at scale.
Many MaaS operators integrate their platforms directly with banking applications, payment processors, or cryptocurrency services through APIs and automated scripts. This enables near real-time laundering operations in which funds are automatically transferred or dispersed immediately after reaching a mule account.
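Funds that are dispersed moments after reaching an account show up on the monitoring side as a very short dwell time. This added example (not KELA's or any vendor's code) matches debits to credits first-in-first-out and measures how much received value left again within a window; the 30-minute window, the cut-off values, and both sample ledgers are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PassThroughProfile:
    credited_cents: int   # total value received by the account
    fast_out_cents: int   # part of it that left again within max_dwell
    fast_payees: int      # distinct beneficiaries of those fast debits

    @property
    def fast_ratio(self) -> float:
        if not self.credited_cents:
            return 0.0
        return self.fast_out_cents / self.credited_cents


def profile_account(events, max_dwell=timedelta(minutes=30)):
    """Measure how long received funds stay in ONE account.

    events: iterable of (timestamp, signed_cents, counterparty); credits are
    positive, debits negative. Debits consume the oldest unspent credit first.
    Debits paid from a balance that predates the ledger are ignored.
    """
    unspent = deque()          # [credit_timestamp, cents_not_yet_forwarded]
    credited = fast_out = 0
    fast_payees = set()
    for ts, cents, party in sorted(events, key=lambda e: e[0]):
        if cents > 0:
            unspent.append([ts, cents])
            credited += cents
            continue
        to_match = -cents
        while to_match > 0 and unspent:
            credit_ts, remaining = unspent[0]
            used = min(remaining, to_match)
            if ts - credit_ts <= max_dwell:
                fast_out += used
                fast_payees.add(party)
            to_match -= used
            if used == remaining:
                unspent.popleft()
            else:
                unspent[0][1] = remaining - used
    return PassThroughProfile(credited, fast_out, len(fast_payees))


def is_pass_through(profile, min_ratio=0.9, min_payees=3,
                    min_credited_cents=100_000):
    """Assumed cut-offs: most of the value leaves fast, to several payees."""
    return (profile.credited_cents >= min_credited_cents
            and profile.fast_ratio >= min_ratio
            and profile.fast_payees >= min_payees)


# Constructed ledgers, not taken from any real account.
DAY = datetime(2026, 1, 5)
SUSPECT_EVENTS = [
    (DAY.replace(hour=9, minute=0), 500_000, "sender-x"),
    (DAY.replace(hour=9, minute=2), -150_000, "payee-1"),
    (DAY.replace(hour=9, minute=3), -150_000, "payee-2"),
    (DAY.replace(hour=9, minute=5), -180_000, "payee-3"),
]
ORDINARY_EVENTS = [
    (DAY.replace(hour=9, minute=0), 300_000, "employer"),
    (DAY.replace(hour=9, minute=20), -8_000, "grocer"),
    (DAY + timedelta(days=3, hours=9), -120_000, "landlord"),
]

if __name__ == "__main__":
    for name, ledger in (("suspect", SUSPECT_EVENTS),
                         ("ordinary", ORDINARY_EVENTS)):
        p = profile_account(ledger)
        print(name, p, round(p.fast_ratio, 3), is_pass_through(p))
```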
How MaaS Providers Operate: Account Provisioning, Laundering, and KYC Bypass
One of the most common service models involves Account Provisioning services, in which operators sell pre-verified, or “pre-warmed” accounts created using stolen identities, synthetic identities, or compromised credentials. These accounts may include established transaction histories, linked phone numbers, verified KYC documentation, and device fingerprints intended to reduce fraud detection risk.
In less sophisticated schemes, providers offer individual accounts and KYC bypassing for other threat actors to use. In many cases, these providers sell a wide range of platforms, including cryptocurrency exchanges and traditional bank accounts.
User offering banking, crypto exchange, and casino accounts for sale
User on a Russian forum offering KYC services and selling platform accesses
Another prominent model involves full-service Laundering-as-a-Service operations. Under this approach, the client simply transfers “dirty” funds into the laundering pipeline while the MaaS provider handles the entire layering and cash-out process. Funds are typically moved across multiple jurisdictions and financial platforms before being returned to the client as “clean” assets.
Given that KYC procedures represent one of the primary barriers to large-scale mule account creation, KELA has identified threat actors that specialize exclusively in providing forged or synthetic documentation designed to bypass identity verification processes. These services commonly include fake identity documents, manipulated selfies, proof-of-address documents, and AI-generated verification materials intended to facilitate the creation of verified bank, fintech, or cryptocurrency accounts.
An actor, in this case on the Russian-origin Telegram channel GrossInfo, is selling edited documents.
Based on this detection, it is evident that not only are money mule services being sold, but there are also offers covering the various steps required to complete the lifecycle of the account creation and the extraction of funds.
How is AI Reshaping Money Mule Operations: Deepfakes, Synthetic IDs, and KYC Bypass?
Artificial intelligence is transforming money mule operations by enabling threat actors to automate identity fraud, bypass KYC procedures, and optimize laundering workflows at a scale previously unattainable through manual activity alone. The convergence of Large Language Models (LLMs), diffusion models, deepfake technologies, and agentic AI systems allows cybercriminals to industrialize mule account creation and management while reducing operational exposure and detection risk.
One significant development is the creation of synthetic or “Frankenstein” identities using AI-generated content. In these operations, threat actors combine stolen Personally Identifiable Information (PII), such as national identification numbers, tax IDs, or dates of birth, with AI-generated supplemental data, including fake names, addresses, profile photos, employment histories, and supporting documentation.
Threat actors also use AI to generate algorithmic digital footprints designed to manipulate bank trust-scoring systems and fraud detection models. By establishing artificial behavioral histories before laundering activity, these operations reduce the likelihood of triggering onboarding or transaction monitoring alerts. Such “pre-warmed” digital identities are increasingly valuable within Mule-as-a-Service ecosystems due to their lower fraud risk profiles and longer operational lifespans.
AI-assisted document forgery has also become a major enabler of mule operations. Modern generative AI tools can produce high-resolution identity documents that replicate complex security features, including holograms, watermarks, micro-textures, and metadata consistency markers. These forged documents may bypass Optical Character Recognition (OCR) validation and automated authenticity checks used by fintech platforms and digital banking applications. According to public reporting in the last year, 2% of all detected fake documents were created using generative AI tools.
In various cases, threat actors may exploit editable files exfiltrated from dark web forums to automatically generate falsified documents with the potential to bypass KYC procedures.
A post offering PSD templates for KYC
It is important to note that the post has received more than 400 replies and continues to report interactions from users interested in downloading the information.
Threat actors share manuals and techniques to exploit AI in order to bypass KYC. As seen in the example below, one actor shares a manual on how to circumvent verification by using a variety of programs together with easily accessible LLMs such as ChatGPT and RunwayML. The actor also suggests prompts to generate videos that mimic realistic movements, such as: “Ask ChatGPT for prompts like ‘create a realistic person turning head left to right slowly’ or ‘generate natural facial movements for verification’.”
Actor on CrackedTo offering a KYC bypass with AI
Threat actors increasingly bypass controls through deepfake-enabled injection attacks rather than simple visual spoofing. Instead of presenting manipulated imagery to a physical camera, attackers may use malware, emulators, or custom software to inject synthetic video streams directly into the mobile operating system’s video pipeline. By feeding high-fidelity deepfake content into a banking application’s input stream, they can circumvent traditional liveness checks while avoiding many environmental inconsistencies associated with physical spoofing.
Voice cloning is also becoming operationally relevant in advanced mule operations. If financial institutions require callback verification or voice-based authentication, threat actors may use Retrieval-based Voice Conversion (RVC) systems or similar AI-driven voice synthesis tools to replicate a victim’s speech patterns in real time.
Another emerging trend is the integration of agentic AI systems into the account management lifecycle. Traditionally, mule handlers, or “mule herders,” manually coordinated onboarding, account warming, transaction execution, and fraud response workflows. Increasingly, autonomous AI agents can manage these activities without continuous human supervision. Once a mule account is established, AI systems may conduct low-risk “warming” transactions, such as paying utility bills, to simulate legitimate behavior. This enables threat actors to scale and maintain larger account networks with reduced human involvement.
Artificial intelligence is also being used to optimize layering and transaction obfuscation. Predictive smurfing algorithms can analyze transaction thresholds, AML monitoring behaviors, and bank-specific detection patterns in real time, dynamically adjusting transfer sizes, frequencies, and routing strategies to remain below fraud detection thresholds. This allows threat actors to maximize laundering efficiency while minimizing the likelihood of triggering automated compliance controls.
Why Has Latin America Become a Money Mule Hot Spot?
Although the money mule phenomenon is widespread globally, particularly across regions such as Asia and Eastern Europe, Latin America has experienced a significant increase in related fraud activity in recent years. According to public reporting, scam attempts increased by approximately 155% in 2025, reflecting the growing scale and sophistication of financial fraud operations targeting both individuals and financial institutions.
In many cases, fraudsters continue to rely on relatively simple techniques such as phishing campaigns, credential theft, and account compromise to bypass basic fraud prevention controls. At the same time, KELA has detected that more sophisticated actors are increasingly offering Mule-as-a-Service (MaaS) capabilities, allowing less experienced cybercriminals and fraudsters to outsource laundering infrastructure and operational support.
Currently, one of the primary drivers of fraud activity in the region involves Account Takeover operations and the growing use of AI-generated synthetic identities. According to specialized industry reporting, Mexico experienced a 324% increase in these types of attacks between 2024 and May 2026. Regional data further indicates that malware-related attacks increased by 225%, while fraud cases involving stolen devices surged by 344% during the same period. Although some countries in the region have demonstrated limited progress in strengthening fraud prevention and digital identity protections, the broader regional trend continues to indicate a sustained increase in money mule activity.
Messages on KELA sources also highlight Telegram posts claiming to sell bank accounts from different countries, suggesting that actors are seeking to create and market fraudulent accounts globally.
User on a Russian Telegram channel selling illegal services.
The rapid adoption of Real-Time Payments and digital wallets has transformed the “money mule” landscape. While traditional bank transfers are still used, the speed and frictionless nature of platforms like Pix (Brazil), immediate CBU/CVU transactions in Argentina, Nequi (Colombia), and Yape (Peru) have made them the primary hotspots for illicit fund movement.
Brazil: How PIX Enabled the 'Contas Laranja' Money Mule Crisis
Brazil remains one of the most active and mature money mule ecosystems globally, largely driven by the rapid adoption of the PIX instant payment system and the scale of the country’s digital banking infrastructure. Criminal organizations frequently rely on so-called “Contas Laranja” (“Orange Accounts”), which are bank accounts rented, sold, compromised, or fraudulently created for the purpose of laundering illicit funds.
In response to the growing abuse of these accounts, the Brazilian government introduced new legislation amending the Penal Code and increasing penalties for several financial and cyber-enabled crimes. Notably, the law criminalizes for the first time the “rental” of bank accounts used to move illicit funds, formally recognizing the role of money mule networks in the country’s fraud ecosystem.
Data collected through the KELA platform identified nearly 250,000 messages across Telegram channels in which threat actors expressed interest in acquiring, selling, or using these “Orange Accounts.” In many cases, this underground ecosystem follows a MaaS-like model, where more sophisticated actors obtain or manage large volumes of accounts and subsequently rent or sell access to other criminals. These services are often leveraged by less sophisticated fraudsters conducting phone scams, social engineering campaigns, or Account Takeover operations.
A ‘Laras’ bot was being offered within a Brazilian carding channel.
As can be observed in the message, the threat actor actively advertises their money mule services and even offers technical support to potential customers.
The Brazilian ecosystem is particularly notable due to the existence of dedicated Portuguese-language underground forums focused on financial fraud and money mule operations. In one such forum monitored by KELA, users openly exchange advice and operational guidance on how to carry out these operations in Brazil, including discussions* related to account rentals, transaction methods, and techniques to avoid detection by financial institutions.
*hXXp://exiliow4ctlzrvaglkgwqnpxdlvrxmdgvuy2hkbzqoziebfim6q5hwid.onion/30896/conseguir-empregos-deepweb-empregos-laranja-lavagen-dinheiro?show=30896#q30896
Post on “Exillio404,” a specialized Brazilian forum.
The “rental” market has become an increasingly common component of the fraud ecosystem. Rather than solely stealing accounts, criminals now frequently rent access to legitimate bank accounts through platforms such as Telegram and Facebook Groups. In these schemes, individuals, often referred to in Brazil as “laranjas” (“money mules” or “orange accounts”), allow their accounts to be used for laundering fraudulent proceeds in exchange for payment. Compensation typically ranges from 10% to 20% of the transferred amount, or a fixed weekly fee of approximately R$ 200 to R$ 500.
Argentina: CBU/CVU Accounts and the Rise of Mule Networks
Due to its high adoption of digital financial services, active cryptocurrency ecosystem, and growing exposure to cyber-enabled fraud, Argentina represents a relevant jurisdiction for money mule activity. The widespread use of fintech services, combined with prolonged economic instability and a large informal economy, has created favorable conditions for both mule recruitment and account monetization.
One of the most common underground products observed in Argentina involves the sale or rental of accounts linked to CBU (Clave Bancaria Uniforme) and CVU (Clave Virtual Uniforme) identifiers. These accounts are associated with both traditional banking institutions and virtual wallet providers and are widely used to receive, transfer, and disperse illicit funds. Because individuals can create multiple digital wallets and banking accounts with relative ease, these accounts may voluntarily or involuntarily fall into the hands of threat actors for use in laundering operations.
As observed across multiple underground communities monitored by KELA, more than 100,000 Telegram messages referenced the sale, rental, or exchange of bank and fintech accounts linked to the Argentine financial ecosystem. Within these channels, threat actors openly advertise accounts capable of receiving transfers, conducting peer-to-peer payments, facilitating cryptocurrency purchases, or supporting broader laundering operations.
Message on an Argentine Telegram channel selling bots, bank accounts and carding.
In many cases, threat actors offer a wide range of fraudulent services that include fake medical prescriptions alongside bank and fintech accounts. Notably, the actor openly claims to maintain a large inventory of fraudulent accounts available for laundering and other illicit activities.
User on an Argentinean Telegram channel offering bank accounts and medical prescriptions.
In a clear example of Mule-as-a-Service (MaaS) activity, a threat actor advertises a wide variety of accounts capable of receiving local currency and converting it into cryptocurrency. These services are commonly used to transfer funds obtained through fraud operations into anonymous or difficult-to-trace crypto wallets.
It is also noteworthy that, according to the actor’s claims, the “accounts are unrecoverable,” suggesting that the accounts are created in a manner intended to prevent legitimate recovery attempts or attribution. The actor further states that the accounts can be created using customer-provided information, such as Gmail addresses and phone numbers, and shares a dedicated Telegram channel containing vouchers and customer references intended to establish credibility within the underground ecosystem.
User on an Argentine Telegram group selling bank accounts.
Colombia: Mule Networks Exploiting Nequi and Daviplata
As in other countries across the region, the expansion of fintech solutions and peer-to-peer payment applications in Colombia has created new opportunities for threat actors seeking fast and low-friction methods to move illicit funds across the financial system. At the same time, economic inequality and widespread informal labor dynamics continue to facilitate mule recruitment and financial fraud operations.
Services such as Nequi and Daviplata, two of the most widely used digital wallet and mobile banking platforms in Colombia, are frequently referenced in underground discussions due to their popularity, ease of onboarding, high transaction volume, and integration within the country’s digital payments ecosystem. Criminal actors often exploit the speed and accessibility of these services to rapidly disperse stolen funds before financial institutions can intervene or freeze suspicious activity.
As observed across discussions monitored by KELA, threat actors sharing carding and fraud-related techniques frequently identify the Colombian banking ecosystem as relatively accessible for account creation, citing what they perceive as lower KYC requirements and simplified onboarding procedures compared to other jurisdictions. In some discussions, actors openly exchange operational advice related to obtaining Colombian accounts, bypassing verification processes, and leveraging local fintech platforms for laundering and cash-out operations.
Post on CarderUK Forum assessing Colombian platforms as part of a money laundering scheme.
KELA also identified Telegram channels advertising fraudulent or synthetic bank accounts across multiple countries, including Colombia. These services commonly offer access to accounts associated with local banks, fintech platforms, and cryptocurrency exchanges intended to support laundering, cash-out, or fraud operations globally.
User on a Telegram channel offering bank accounts across continents.
Notably, some actors explicitly advertise customer guarantees, claiming they will replace accounts if access is lost or if the account becomes restricted or frozen. This type of “customer support” model further reflects the growing professionalization and commercialization of Mule-as-a-Service ecosystems, which increasingly mirror legitimate online service businesses.
Recommendations: What You Need To Know to Detect and Prevent Money Mule Activity
Monitor Underground Forums and Telegram Channels
Proactive monitoring of dark web forums, Telegram channels, and encrypted messaging platforms remains essential for identifying emerging mule-related threats. Threat actors increasingly rely on these environments to advertise Mule-as-a-Service offerings, sell verified financial accounts, and exchange operational guidance. Continuous visibility into these ecosystems provides valuable intelligence on evolving laundering techniques, fraud trends, and the financial institutions currently targeted by account provisioning services.
Track AI-Enabled Fraud Tradecraft
Organizations should closely monitor underground discussions related to AI-driven KYC bypass techniques. Threat actors frequently share guides explaining how to leverage large language models, deepfake tools, and video generation platforms such as RunwayML to spoof identity verification systems. KELA recommends using this intelligence to proactively adapt verification processes, strengthen detection capabilities, and refine risk thresholds before these techniques become widespread.
Strengthen Liveness and Identity Verification
Traditional visual spoofing detection mechanisms are increasingly insufficient against modern mule operations. Financial institutions should enhance defenses against deepfake-enabled injection attacks, in which synthetic or manipulated video streams are fed directly into verification workflows. Organizations relying on voice authentication should also implement controls capable of detecting AI-driven voice cloning technologies, including Retrieval-based Voice Conversion (RVC) systems and other synthetic speech frameworks.
Detect AI-Assisted Account Warming
The growing integration of agentic AI into fraud operations requires a more advanced behavioral monitoring approach. Security teams should deploy analytics capable of identifying autonomous “account warming” activity, where AI agents conduct low-risk or seemingly legitimate transactions to gradually build trust and legitimacy. Transaction monitoring systems should also be adaptive enough to identify predictive smurfing techniques and other AI-assisted laundering behaviors specifically designed to evade static AML and fraud-detection thresholds.
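One way to express the adaptive monitoring recommended above, as an added example rather than KELA's tooling: each inbound credit is scored against the account's own history and flagged when it is rapidly dispersed to several payees, so transfers split below a fixed limit still surface. The ledger, field names, account labels and all thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2026, 1, 1)

def tx(acct, hours, direction, amt, peer):
    return {"acct": acct, "ts": T0 + timedelta(hours=hours),
            "dir": direction, "amt": amt, "peer": peer}

# Constructed ledger: a "warmed" pass-through account and a salary account.
LEDGER = (
    [tx("acct-M", 24 * d, "out", a, f"shop{d}")          # low-value warming
     for d, a in enumerate([12, 8, 15, 10, 9, 11])]
    + [tx("acct-M", 200, "in", 9000, "sender-x")]
    + [tx("acct-M", 201 + i, "out", 2200, f"payee{i}") for i in range(4)]
    + [tx("acct-S", 24 * d, "out", a, "grocer")
       for d, a in enumerate([60, 45, 80, 70, 55, 65])]
    + [tx("acct-S", 200, "in", 3000, "employer"),
       tx("acct-S", 205, "out", 1200, "landlord")]
)

def static_rule(txs, limit=10_000):
    """Baseline: flag any single transfer at or above a fixed (constructed) limit."""
    return {t["acct"] for t in txs if t["amt"] >= limit}

def flag_pass_through(txs, spike_ratio=20, window=timedelta(hours=24),
                      min_payees=3, drain_share=0.9, min_history=5):
    """Flag accounts where a credit far above the account's own median is
    dispersed to several payees within `window`, whatever the absolute sums."""
    by_acct = {}
    for t in sorted(txs, key=lambda t: t["ts"]):
        by_acct.setdefault(t["acct"], []).append(t)
    alerts = []
    for acct, hist in by_acct.items():
        for i, cur in enumerate(hist):
            prior = [p["amt"] for p in hist[:i]]
            if cur["dir"] != "in" or len(prior) < min_history:
                continue
            if cur["amt"] < spike_ratio * median(prior):
                continue                      # consistent with past activity
            outs = [o for o in hist[i + 1:]
                    if o["dir"] == "out" and o["ts"] - cur["ts"] <= window]
            payees = {o["peer"] for o in outs}
            drained = sum(o["amt"] for o in outs)
            if len(payees) >= min_payees and drained >= drain_share * cur["amt"]:
                alerts.append({"acct": acct, "credit": cur["amt"],
                               "payees": len(payees), "drained": drained})
                break
    return alerts
```

On this ledger `flag_pass_through(LEDGER)` alerts only on `acct-M`, while `static_rule(LEDGER)` flags nothing because every transfer stays under the fixed limit. The salary account also receives a credit well above its median spend but is not flagged, since the money is not fanned out.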
Money Mules FAQ
What is a money mule?
A money mule is a person who transfers illicitly obtained funds on behalf of cybercriminals, typically through their own bank account, in exchange for a commission or, in some cases, without their knowledge. Money mules serve as intermediaries that obscure the origin of stolen funds, complicating law enforcement attribution and protecting the primary threat actors behind fraud schemes such as phishing, Business Email Compromise (BEC), banking malware, and investment scams.
There are three main types of money mules:
- Complicit mules who knowingly participate in laundering for payment
- Deceived (unwitting) mules recruited through fake job offers, romance scams, or fraudulent remote work opportunities
- Stolen and synthetic identity mules whose identities are abused to open accounts without their knowledge
In the United States, an estimated 0.3% of accounts at financial institutions are believed to be mule-controlled, contributing to approximately $3 billion in fraudulent transfers in 2022.
Is being a money mule illegal?
Yes, acting as a money mule is illegal in nearly every jurisdiction, even when the individual is unaware that the funds being transferred are criminal proceeds. Charges typically include money laundering, wire fraud, and bank fraud, with penalties ranging from account freezes and banking restrictions to substantial prison sentences. Unwitting mules — those recruited through deceptive job offers or romance scams — may still face legal investigation, account closures, and lasting financial consequences even after demonstrating they were victims of social engineering.
What is Mule-as-a-Service (MaaS)?
Mule-as-a-Service (MaaS) is a specialized segment of the Fraud-as-a-Service ecosystem in which criminal providers sell or rent ready-made money-laundering infrastructure to other cybercriminals. Rather than recruiting and managing mule networks themselves, threat actors purchase verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and full cash-out services from MaaS operators.
MaaS providers typically operate through three core service models:
- Account Provisioning — selling pre-verified or "pre-warmed" accounts created using stolen or synthetic identities
- Laundering-as-a-Service — full-service operations where the provider handles layering and cash-out across multiple jurisdictions
- KYC Bypass Services — forged or AI-generated identity documents and deepfake verification materials sold to defeat onboarding controls
These services are advertised through Telegram channels, underground forums, and dark web marketplaces — and increasingly mirror legitimate digital service businesses, complete with tiered pricing, reputation systems, replacement guarantees, and customer support.
What are the 3 stages of money laundering?
The three stages of money laundering are placement, layering, and integration. This framework, recognized by financial regulators and law enforcement globally, describes how illicit funds move from criminal proceeds into the legitimate economy:
- Placement — introducing illicit funds into the financial system, typically through mule-controlled accounts.
- Layering — rapidly dispersing those funds across multiple accounts, institutions, and jurisdictions to obscure the audit trail. Common techniques include "smurfing," where large sums are fragmented into smaller transfers below regulatory reporting thresholds.
- Integration — reintroducing laundered funds into the legitimate economy through cash withdrawals, high-value purchases, or conversion into cryptocurrency.
Modern cybercriminal ecosystems have adapted these stages to operate at far greater speed and scale through real-time payment systems, digital wallets, and cryptocurrency exchanges.
How do criminals use AI to bypass KYC?
Criminals use AI to bypass KYC (Know Your Customer) procedures by generating synthetic identities, forging identity documents, and defeating biometric verification with deepfakes. Common techniques include using diffusion models to create high-resolution fake IDs with realistic security features, injecting deepfake video streams directly into banking apps to defeat liveness checks, and cloning victims' voices in real time to bypass callback verification.
According to 2025 industry reporting, approximately 2% of all detected fake documents were generated using AI tools — a figure expected to rise sharply as generative models become more accessible. Threat actors openly share guides on underground forums for combining LLMs like ChatGPT with video generation platforms such as RunwayML to spoof verification systems at banks, fintechs, and cryptocurrency exchanges.
What are "Contas Laranja" in Brazil?
"Contas Laranja" — literally "Orange Accounts" in Portuguese — are bank accounts rented, sold, compromised, or fraudulently created for the purpose of laundering illicit funds in Brazil. These accounts have become a defining feature of the Brazilian money mule ecosystem, driven by the rapid adoption of the PIX instant payment system.
KELA identified nearly 250,000 messages across Telegram channels in which threat actors expressed interest in acquiring, selling, or using Contas Laranja. Brazil recently amended its Penal Code to criminalize, for the first time, the rental of bank accounts used to move illicit funds, formally recognizing the role of money mule networks in the country's fraud ecosystem.
How can financial institutions detect money mule activity?
Financial institutions can detect money mule activity through a combination of underground intelligence collection, behavioral analytics, and identity-focused verification. Key practices include:
- Monitoring dark web forums and Telegram channels for advertisements of verified accounts, KYC bypass services, and Mule-as-a-Service offerings targeting specific institutions
- Strengthening liveness and identity verification against deepfake injection attacks and AI-cloned voice authentication
- Detecting AI-assisted account warming — autonomous low-value transactions designed to build artificial transaction histories before laundering begins
- Implementing adaptive transaction monitoring capable of identifying predictive smurfing patterns that dynamically adjust to evade static AML thresholds
As mule ecosystems become increasingly automated and AI-enabled, traditional reactive transaction monitoring is no longer sufficient. Institutions need proactive identity intelligence, infrastructure monitoring, and continuous visibility into underground recruitment and provisioning channels.