Cybercriminals launder stolen funds through ordinary people, thanks to a small ecosystem of user-friendly apps that can turn any mobile user into an unwitting money mule.
A new report from CloudSEK details one such app: “XHelper,” an Android platform that connects fraudsters with citizens of India, whose job is to quickly receive stolen funds and forward them to shadowy third parties. Its clean, user-friendly interface makes the whole process simple and serves to disguise the nature of each payment and who is on the other side of each transaction.
The application enables pig butchering, task, loan and e-commerce scams and illegal gambling operations on a large scale. It currently has around 37,000 active users with around 16,000 verified bank accounts and moves a whopping 160 million rupees per day (just under US$2 million).
And beyond XHelper, CloudSEK researcher Sparsh Kulshehtra notes, “Our research has identified similar schemes in other countries, highlighting the need for a united front against money laundering by exploiting unsuspecting individuals.”
How XHelper works
Last summer, Chinese cybercriminals were caught ensnaring 40,000 individuals on five continents in credit fraud. To hide so much ill-gotten gain, they called on a network of hundreds of thousands of online payment accounts.
That was when the researchers first noticed that, apart from the fraud itself, something beneath it was deeply wrong. This led them to XHelper, an application designed to hide not only the sources of money but also its own purpose from its users.
XHelper is distributed online by fake “money transfer” companies. New members are recruited by “agents”: individuals on Telegram who pose as representatives of successful companies that need help managing large volumes of daily transactions. Agents earn bonuses for each new recruit, so the laundering network keeps growing and becomes more powerful.
As with any other gig economy application, recruits register their payment details and then start taking jobs: in this case, they receive money from one party and within minutes pass it to another.
Users earn a small portion of the loot (between 0.2% and 0.3%), which increases as they complete more jobs, earn good ratings for them, and add more bank accounts. Beginner users can move as little as 10,000 or 20,000 rupees a day through one or two bank accounts and earn a few hundred rupees (less than five dollars) for their trouble. Top-level users move tens of millions in an average day and earn thousands. The app’s top three users (“shahbaz,” “Register26” and “Ranjan1982”) have earned more than 12 million rupees (~$145,000) and counting.
Can money mules be stopped?
The fact that ordinary people are making large volumes of almost instantaneous money transfers raises the question: why aren’t they caught?
For one thing, the app offers a series of helpful tutorials that cover not only how to use its various features — accompanied by upbeat music — but also how to deal with adverse situations, accompanied by eerie, darker tunes.
The most important of these is a guide that walks users through registering corporate bank accounts while posing as small businesses. These corporate accounts allow them to process large volumes of transactions without raising the kinds of red flags that the same activity would on a personal account.
Mules also have other tricks up their sleeve, such as using different payment systems for incoming and outgoing transfers. “Though funds can enter the mule’s account through UPI (a popular Indian payment system), the app directs them to transfer through IMPS (Instant Payment Service) [an Indian interbank transaction system]. This layering of transfer methods could be an attempt by criminals to hide transaction history and avoid detection using tagging mechanisms,” explains Kulshehtra.
Everyone has a role to play, says Kulshehtra: banks, governments and regulators need to recognize and combat this behavior, as do the organizations targeted by these frauds.
“Educating employees and customers through training and awareness campaigns empowers them to recognize and avoid these schemes. This combined focus on understanding the threat, strengthening internal defenses and raising customer awareness creates a strong shield against cyber fraud,” he concludes.
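One way a bank's fraud team could surface the pass-through pattern described above (money arriving over one rail and leaving within minutes over another), as an added example that is not from CloudSEK's report. The ledger rows, the 10-minute window, the 1% amount tolerance and the flagging thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (account, time, direction, rail, amount in INR)
SAMPLE = [
    ("acct-A", "2024-03-01T10:00:00", "in", "UPI", 20000),
    ("acct-A", "2024-03-01T10:04:00", "out", "IMPS", 19950),
    ("acct-A", "2024-03-01T11:30:00", "in", "UPI", 15000),
    ("acct-A", "2024-03-01T11:33:00", "out", "IMPS", 14960),
    ("acct-B", "2024-03-01T09:00:00", "in", "UPI", 20000),
    ("acct-B", "2024-03-01T18:00:00", "out", "IMPS", 5000),   # hours later, partial
    ("acct-C", "2024-03-01T10:00:00", "in", "UPI", 5000),
    ("acct-C", "2024-03-01T10:02:00", "out", "UPI", 5000),    # same rail, not layered
]

def pass_through_pairs(txns, window=timedelta(minutes=10), tolerance=0.01):
    """Match each inbound credit to a later debit on a different rail, inside
    `window`, whose amount is within `tolerance` of the credit (assumed values)."""
    by_acct = defaultdict(list)
    for acct, ts, direction, rail, amount in txns:
        by_acct[acct].append((datetime.fromisoformat(ts), direction, rail, amount))
    matched = defaultdict(list)
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        used = set()  # each outbound debit may satisfy only one credit
        for t_in, d_in, rail_in, amt_in in rows:
            for j, (t_out, d_out, rail_out, amt_out) in enumerate(rows):
                if (d_in == "in" and d_out == "out" and j not in used
                        and rail_out != rail_in
                        and timedelta(0) < t_out - t_in <= window
                        and abs(amt_in - amt_out) <= tolerance * amt_in):
                    used.add(j)
                    matched[acct].append(amt_in)
                    break
    return matched

def flag_accounts(txns, min_pairs=2, min_ratio=0.8):
    """Flag accounts where most inbound value leaves again as layered pass-through."""
    inbound = defaultdict(float)
    for acct, _, direction, _, amount in txns:
        if direction == "in":
            inbound[acct] += amount
    flagged = {}
    for acct, amounts in pass_through_pairs(txns).items():
        ratio = sum(amounts) / inbound[acct]
        if len(amounts) >= min_pairs and ratio >= min_ratio:
            flagged[acct] = round(ratio, 2)
    return flagged
```

On the constructed ledger only `acct-A` is flagged: `acct-B` spends part of a credit hours later, and `acct-C` forwards on the same rail it received on, so neither matches the layered pattern.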