Cybercriminal groups are increasingly using Telegram channels and encrypted platforms to sell verified bank and fintech mule accounts, signaling a major shift in how illicit funds are laundered at scale.
According to recent threat intelligence findings, money mule operations have evolved into structured Mule-as-a-Service (MaaS) ecosystems, allowing attackers to outsource financial laundering just as easily as they rent malware or phishing kits.
Money mules play a central role in cybercrime by acting as intermediaries who receive and transfer stolen funds. These funds typically originate from phishing campaigns, Business Email Compromise (BEC), ransomware attacks, banking trojans, and investment scams.
By routing money through multiple mule-controlled accounts, threat actors obscure transaction trails and reduce the risk of detection. This laundering process generally follows three stages: placement, where stolen funds enter mule accounts; layering, where funds are fragmented and transferred across systems; and integration, where the money re-enters the legitimate economy.
In one observed case, a Telegram seller offered pre-verified U.S. bank accounts complete with transaction history and linked identities, enabling buyers to immediately process fraudulent transfers without raising suspicion.
A key development is the transition from human-recruited mules to identity-driven laundering infrastructure. Instead of relying solely on complicit or deceived individuals, cybercriminals now use stolen personal data, synthetic identities, and compromised accounts.
Investigations by KELA reveal that Telegram has become a primary marketplace for mule-related services. Threat actors openly advertise verified bank accounts, fintech wallets, cryptocurrency exchange profiles, and even full-service laundering operations.
Recruitment of complicit mules frequently occurs through Telegram channels, underground forums, WhatsApp groups, and social media advertisements promoting “easy money” opportunities.

These accounts are often created using forged documents or AI-generated deepfakes to bypass Know Your Customer (KYC) verification systems. In more advanced operations, attackers inject synthetic video streams directly into onboarding processes, evading liveness detection mechanisms used by financial institutions.
Artificial intelligence is accelerating this transformation. Threat actors are using AI tools to generate realistic identity documents, create synthetic personas, and simulate transaction behavior.
For example, “pre-warmed” accounts are artificially aged through low-risk transactions such as bill payments, making them appear legitimate before being used for laundering. AI-driven systems can also automate transaction flows, dynamically adjusting transfer amounts to avoid triggering Anti-Money Laundering (AML) thresholds.
The MaaS model has introduced a high level of professionalization into the cybercrime ecosystem. Providers now offer tiered services, customer support, and even guarantees for replacement accounts if access is lost.
Forged documents may bypass Optical Character Recognition (OCR) validation and automated authenticity checks used by fintech platforms and digital banking applications.
Centralized mule management panels act as command-and-control systems, allowing operators to coordinate thousands of accounts and automate fund transfers in near real time.
Latin America has emerged as a significant hotspot for mule activity, particularly Brazil, Argentina, and Colombia. The rapid adoption of real-time payment systems such as Brazil’s PIX has made it easier for criminals to move funds quickly with minimal friction.
In Brazil, so-called “Contas Laranja” or “orange accounts” are widely traded or rented for laundering purposes. KELA identified hundreds of thousands of Telegram messages linked to these accounts, highlighting the scale of the underground market.
Similarly, Argentina’s CBU and CVU-linked accounts and Colombia’s Nequi and Daviplata platforms are frequently exploited due to simplified onboarding processes and high transaction volumes.

These regional ecosystems are increasingly integrated into global laundering networks, with accounts marketed to international cybercriminal buyers.
As mule operations become more automated and AI-driven, traditional fraud detection methods are proving insufficient. Financial institutions are now under pressure to adopt identity-centric security models, behavioral analytics, and real-time intelligence to detect suspicious activity earlier in the attack lifecycle.
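As an added example of the behavioral analytics mentioned above (not code from KELA or any institution named in this article), the Python below scores accounts for three behaviors the report describes: a warm-up history of small bill payments followed by a large transfer, transfers clustered just under a reporting threshold, and inbound funds forwarded out again within hours. The ledger, the field layout, the threshold value and the cut-offs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

THRESHOLD = 10_000            # assumed reporting threshold, for illustration only
NEAR_BAND = 0.10              # "just under" = within 10% below THRESHOLD
PASS_WINDOW = timedelta(hours=24)
# Constructed sample ledger: (account, ISO time, direction, kind, amount)
LEDGER = [
    ("acct-A", "2024-01-05T10:00", "out", "bill", 42.10),
    ("acct-A", "2024-01-19T10:00", "out", "bill", 38.75),
    ("acct-A", "2024-02-02T10:00", "out", "bill", 45.00),
    ("acct-A", "2024-03-01T09:00", "in", "transfer", 9600.00),
    ("acct-A", "2024-03-01T11:30", "out", "transfer", 9550.00),
    ("acct-A", "2024-03-02T09:10", "in", "transfer", 9800.00),
    ("acct-A", "2024-03-02T10:05", "out", "transfer", 9750.00),
    ("acct-A", "2024-03-03T08:45", "in", "transfer", 9400.00),
    ("acct-A", "2024-03-03T12:00", "out", "transfer", 9350.00),
    ("acct-B", "2024-01-03T10:00", "in", "transfer", 3200.00),
    ("acct-B", "2024-02-03T10:00", "in", "transfer", 3200.00),
    ("acct-B", "2024-02-20T10:00", "out", "transfer", 800.00),
]

def flag_account(rows):
    rows = sorted((datetime.fromisoformat(t), d, k, a) for _, t, d, k, a in rows)
    xfers = [r for r in rows if r[2] == "transfer"]
    flags = set()
    # 1. Transfers clustered just below the threshold
    near = [a for _, _, _, a in xfers if THRESHOLD * (1 - NEAR_BAND) <= a < THRESHOLD]
    if len(near) >= 3:
        flags.add("near_threshold_cluster")
    # 2. Share of inbound value sent out again within PASS_WINDOW of an inbound
    ins = [(t, a) for t, d, _, a in xfers if d == "in"]
    outs = [(t, a) for t, d, _, a in xfers if d == "out"]
    fwd = sum(a for t, a in outs if any(timedelta(0) <= t - ti <= PASS_WINDOW for ti, _ in ins))
    if ins and fwd / sum(a for _, a in ins) >= 0.9:
        flags.add("rapid_pass_through")
    # 3. Only small bill payments first, then a transfer far above that baseline
    first = xfers[0][0] if xfers else None
    warmup = [a for t, _, k, a in rows if k == "bill" and first and t < first]
    if len(warmup) >= 3 and xfers[0][3] > 50 * median(warmup):
        flags.add("warmup_then_spike")
    return flags

def scan(ledger):
    by_acct = defaultdict(list)
    for row in ledger:
        by_acct[row[0]].append(row)
    return {acct: flag_account(rows) for acct, rows in by_acct.items()}
```

No single flag is conclusive on its own; the combination of all three on one account is what separates the constructed `acct-A` from the ordinary `acct-B`.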
The growing convergence of AI, social engineering, and financial fraud infrastructure suggests that mule networks will remain a critical enabler of cybercrime operations worldwide.

