Fraud Intel

The Mule Network: Inside the Industrialization of Digital Fraud

Group-IB Season 1 Episode 3


Digital fraud has evolved into a sophisticated, industrial-scale operation. Behind every fraudulent transaction lies a complex web of mule accounts, coordinated networks, and advanced evasion tactics designed to bypass traditional defenses.


In Episode 3 of our Fraud Series, we take a deep dive into the mechanisms powering modern financial crime and uncover how fraudsters are scaling their operations globally.


In this episode, we explore:

  • The new age of account scams and how fraud operations are becoming increasingly organized
  • Evolving fraud evasion tactics used to bypass financial safeguards
  • Financial network tracking, including how mule accounts are leveraged to move illicit funds
  • The multilayered tactics used by modern fraudsters to orchestrate large-scale digital fraud


Understanding how mule networks operate is critical for organizations looking to strengthen their fraud detection and disruption capabilities.


Watch the full episode to uncover how today’s digital fraud ecosystem works and what it takes to stay ahead.


👉 Stay tuned for more episodes.

Maxim Baldakov

Welcome back to another episode of the Fraud Intel Series. I'm your host, Maxim Baldakov, head of fraud and financial crime solutions covering the META region. And today with us we have Andri Loshev, a team leader for the Fraud Analytics Group at Group-IB. So Andrew, could you please tell us a little bit about yourself and what your team does?

SPEAKER_00

Hello everyone. Yeah, thank you, Max, for inviting me today. I'm working as a team lead of the fraud analytics team related to development and research, focused on local research in the Middle East region specifically. Our team is currently working on a really interesting mule scoring assessment algorithm, and we're also probably launching soon machine learning biometrics algorithms, trained on the supervised and unsupervised data we have currently. And I hope we can just continue our work and fight cybercrime in Group-IB.

Maxim Baldakov

That's pretty cool. Thank you for sharing. Andrew, I want to hear your story on how you ended up in the fraud prevention industry.

SPEAKER_00

Yeah, it was pretty interesting, not what I can say is a standard way, because my first degree was related to neuropsychology, because I really enjoyed science like biology, chemistry, and things like that. And you know, when you have your final project in university, you're supposed to do some statistical research. So I remember I collected some interesting data on a sportsman group before a tournament, including some psychological test screening and maybe some height, weight of the sportsmen, heart rate, blood pressure, and after that just collected the results and then found I could apply just a simple regression model, and I was really excited to get accuracy of more than 80% from my research, so that I could predict the results of another unseen testing group. So, you know, I felt the power of the data, that I can predict the future: can I predict stocks and be rich and stuff like that? So I decided to apply for my next degree, already related to information technology and computer science, and got an invitation from one university in New Zealand. So it was a really interesting experience to work and study in a multicultural, really diverse society. During my study I did everything, like app development, game development, VR development, and of course I worked on data science and machine intelligence projects. And after completing my graduation in New Zealand, I strongly decided to be a data scientist or analyst, basically to work in the data space. But I faced the typical problem all fresh graduates have: not a lot of experience, not enough to apply, especially in such a competitive space as data science and data analytics. So I made, I can say, one of my most emotional and random decisions in my life.
I was just really frustrated that I couldn't find any good position. So I just made a simple search, like "internship, United States, information technology", and applied on the first website. And after that, you know, I got an invitation. So probably you will agree with me, like that environment. And so I got an invitation from a company in New York, OneCube. They were working in the digital advertisement industry. But firstly, I just worked on some NLP projects, some kind of simple data analysis, not related to fraud prevention or anything like that. But then they had a shared office space, like you see in some American movies, with another company in the office space where I was an intern. And we had some discussions; they just approached me and asked if I would like to join them as an intern for one year. And this company was named Kubient. They were designing real-time ad-fraud prevention, in the advertisement fraud industry. So it was really cool just to try it out. And basically, after completing the internship, they offered me a junior data scientist position. And I can say that's where my career path started in the fraud prevention industry. I got really interesting experience there, so I built the specific mindset, skill set, and tool set needed for fraud prevention. And about two years ago I got an interesting and amazing opportunity to join Group-IB and to work in financial and banking fraud, which I was really interested to try.

Maxim Baldakov

In fraud prevention, not in fraud. Just a small correction here. Yeah, yeah. It's very interesting. So I agree. At that age, you make a lot of emotional decisions that can later on shape your whole career in the future. I get what you're saying. Talking about advertisement fraud and banking fraud, do you see any similarities between those two different domains, or are these completely different environments, completely different fields, when it comes to fraud prevention in advertisement or fraud prevention in the banking and financial sector?

SPEAKER_00

Yeah, it's a really great question. And the first thing I have in mind is a clear difference between who these two types of fraud target. For ad fraud, it's advertisers, companies, corporations, who are trying to buy some traffic, buy some user impressions or clicks, just to advertise some products because they want to attract new customers. But in banking and financial fraud, it's pretty clear that the main target is financial institutions, and most importantly for me, it's real customers, real individuals. So here the fraud is about stealing money, doing account takeover, or transferring money through mule networks or payment system abuse. So these, I think, are the main differences for me. And what about what's common? I can say there are still a lot of similar techniques and processes used in both sectors. They're using automation tools to design different bots, to create kind of synthetic identities, especially now using AI. And for us as the defenders, we can detect such anomalies, abnormalities in the data, to detect such patterns. So I can say, from my experience, the kinds of techniques that are used in ad fraud are really applied in banking fraud as well, and they really work. So I think, yeah, we can say there are some common things. And also, I think one interesting difference between these two types of fraud is that in ad fraud the legal framework is not so clearly defined. For example, in financial and banking fraud, it's clear that it's a real crime. So I know in Group-IB a lot of investigations led to real arrests and prosecutions of criminals. In ad fraud, such success stories also happen, but rarely. So usually in ad fraud, these kinds of attackers are sometimes more aggressive.

Maxim Baldakov

Thank you for sharing, Andrew. I think that's pretty interesting, what you're saying. Another distinguishing factor, in my personal opinion, that the banking fraud prevention industry has is a focus on mule accounts and mule account prevention. So I know your team is working really hard to detect mule accounts, prevent them at the onboarding stage. It's your day-to-day operations. But before we dive into the topic of mule accounts, could you please share a little bit with the audience what a mule account is in general and what role it plays when it comes to fraud operations?

SPEAKER_00

I would start basically from the word: mule just came from the animal world, and mules, kind of cute animals, were used for transferring heavy loads, goods and some other stuff, sometimes even financial stuff like silver, gold. But basically, they were transferring stuff which doesn't belong to them. So, exactly the same thing, I think, in fraud. Mules and mule accounts, they transfer money which of course they don't own, and they usually transfer something related to criminal income, like from phishing attacks, scams, or any other illegal source of money they have. Sometimes from the bank's perspective it looks like just a normal account. But based on transactions, based on how this account was created, we can detect whether it's normal behavior or mule behavior. And of course, for fraudsters, I think it's one of the crucial things to have such mule networks, because they can't just send money directly. They need to have some sophisticated money laundering network. That's why they hire: sometimes it can be individuals who know that they are part of the fraud and are getting some fees, bonuses. Sometimes it can be a kind of victim scenario: maybe people just became unwilling mules. And sometimes it's just a process where they're using stolen identities, some kind of national IDs, like passport data, and just create as many accounts as possible to create a really large-scale mule network.

Maxim Baldakov

Andrew, I think that's pretty cool. Thank you for sharing. Another distinguishing factor, in my opinion, that the banking fraud prevention industry has is a focus on mule accounts and mule account detection and prevention. I know your team is personally heavily involved in data operations when it comes to mule detections. And talking in general about what a mule account is, could you please share with our audience the definition of a mule account and what role it plays when it comes to fraud operations?

SPEAKER_00

Yeah, basically we can say a mule account is a type of account which is used to disguise stolen funds, or to transfer funds related to illegal income like phishing, scam attacks, or any other source of criminal income. So fraudsters are using this account as a middle layer, just to have a complicated mule network and money laundering schemes, to cover their trails, because they can't send or receive money directly. So I think that's the main purpose of a mule account.

Maxim Baldakov

I see. I think this is pretty clear. I think one of the reasons why there is so much focus on mule account detection and mule account prevention is because it's a crucial piece of fraud operations, because without those accounts, you are pretty much unable to cash out the stolen money, right? You can have multiple ways of how you can do account takeover, do social engineering attacks, phishing, and so on. But if you don't have mule accounts, if you are unable to cash out the money that you have stolen, it pretty much all becomes useless. So I think that's why there is so much focus when it comes to mule account detection in the banking fraud prevention industry. And talking again about the history of mule detections, back in the day when I was a fraud analyst myself, I remember that back then fraudsters used some basic defense evasion techniques like IP spoofing through VPNs, open proxies, other tools and so on, to create mule accounts through digital onboarding or to bypass various controls where you need to sign in from a foreign country and transfer funds to another account or cash them out. What happened after that? Because I heard that a lot of banks, a lot of financial institutions implemented multiple ways when it comes to IP analysis. So VPNs, open proxies are no longer a silver bullet to bypass different controls implemented by the banks.

SPEAKER_00

Yeah, totally. As we discussed before, when Group-IB just started operating, especially in the Middle East, we started a kind of arms race. So now fraudsters are using more sophisticated techniques. Now they are using roaming mode for SIM cards. Basically they purchase even physical SIM cards, or maybe an eSIM, I think in most cases, and try to mask the IP address using roaming. In the Middle East, usually the public IP address will be the same as the country that issued your SIM card. So if it's issued in one country, it will be the same IP we will see in Group-IB and in banking systems as well. So for most defensive systems, it looks like just a normal IP address from this trusted region or trusted country.

Maxim Baldakov

So it's pretty cool. So you can mask your IP just by shipping a SIM card, a physical SIM card, abroad, and then the traffic, as you correctly said, will be completely normal from the perspective of the financial institution, just from the IP address analysis alone. Now in cybersecurity there is this very well-known concept of tracking certain threat actor groups, right? In cyber fraud, in your case, do you do something similar when it comes to groups related to mule accounts, or related to fraudsters' accounts that use this particular technique, a SIM card in roaming mode?

SPEAKER_00

Yeah, of course, because for us it's important to detect and uncover the whole mule network. And here in the Middle East, I think the largest group which is using these kinds of methods is really located in Syria. Because in the first stage of their evolution, they used SIM cards and eSIMs in roaming mode, but they were accessing from their real geohashes. And we found this group particularly located in Syria. But now they've just got smarter. Now they're also using GPS spoofing to hide their real GPS location. So usually they spoof as the trusted country they target. And now they're also using Starlink connections. So basically now they can simulate any location, any IP address, to look like a legitimate user for the European Union or for any Middle Eastern country. And this group is really, really scaled, and it seems this mule network is really important for them. So they're trying really hard to bypass defensive solutions and to constantly evolve. So for us it's also important to be a step ahead, just to predict the next steps.

Maxim Baldakov

Andrew, extremist group financing?

SPEAKER_00

Yeah, definitely. We are tracking such threat groups, and the largest group in the Middle East related to mule accounts is located in Syria. They're using this kind of advanced method of IP masking using roaming mode and eSIMs. Also, they're using GPS spoofing to hide their real locations and geohashes. But based on our additional research and analysis, we found that the geohashes are located in really high-risk regions and the activity is possibly related to financing an extremist group in the region. So here it's no longer only fraud, but I think it also touches the national security of the Middle East region.

Maxim Baldakov

I see. So you are mentioning a multitude of different defense evasion techniques here, right? As you correctly said, the threat actor group is very advanced. They're using both GPS spoofing, SIM card roaming, IP masking techniques, some other tools. And you mentioned a very important point, that based on your latest research and analysis, you link this particular threat actor group to financing of an extremist group. How do you do that?

SPEAKER_00

How do you find that link? Yeah, even now, of course, in the later stages they use really advanced techniques. Now they're even using Starlink to connect and IP masking to have a European IP address. But in the early stages, they were not so accurate. So they used their real locations. So we could really track them every day, to understand how they move, how they operate. And we could say the most frequently occurring geohash, the heat zone of the activity, is located in Raqqa, Syria. It's important to remember that back in the years, Raqqa was the capital of ISIS. So, of course, now ISIS doesn't control this territory, but still maybe some financial networks still exist in the region. And the network is still active, because we see that they have a budget, they have a strategy, they're really centralized, they have long-term plans to keep doing these things and these mule networks, and we see a large amount of money being transferred through these accounts.

Maxim Baldakov

I think it's very important what you said, because it shows how important this overall effort to detect and prevent mule accounts is, not just from the perspective of the banking industry, but, as you said, from the perspective of national and regional security. I think what you said here is very important because it shows how critical it is for the banking industry to focus on mule accounts and mule account prevention. Because again, it highlights that this overall effort is not just about the safety of the banking industry, it's about the safety of the region. It's about national security, so to speak. And one of the first things that comes to my mind when we are thinking about industry response and how banks can protect themselves against such threat actor groups that use GPS spoofing, eSIM roaming, and so on, is by detecting and tracking the tools that these fraudsters, these mule account operators, are using. So, particularly, you should be able to detect GPS spoofing on the mobile application, you should be able to detect roaming mode, and so on. From your perspective, would that be enough to protect the bank, or would fraudsters eventually find a way to bypass even these controls?

SPEAKER_00

Of course, these kinds of methods can detect a large number of accounts, especially newly created ones, because we are focusing on detecting such patterns at an early stage, at onboarding or maybe first logins. But now they have other schemes as well. They're using a multi-layered approach. Sometimes they approach some people on social media just to rent some account or buy some account, or to hire residents and nationals of a particular country. So from the bank's perspective, it looks like an absolutely normal device, because in this case there's no GPS spoofing detected, no roaming, VPN or other stuff. So they are kind of building trust with the system. The user usually doesn't do anything suspicious, no transfers, but then they just share or sell their credentials, we can say, to a second layer of the mule network. And after that, the suspicious stuff starts: installation of cloning software, spoofing software, transferring a large amount of money. Usually, from our perspective, we can detect this because in this case we can detect a new device and a new location. But for the bank, it seems like maybe some trivial pattern, or maybe just a new device. But for us, it's clear when we have such different behavior that something is suspicious and we should stop and block this account. In a scheme we just recently saw and were able to detect, they even ship devices across borders. So it was a bunch of the cheapest Android devices purchased. And what they did, they basically opened as many accounts as possible in every bank in the country, and they just physically shipped the devices to another country.

Maxim Baldakov

So just to correct here, they shipped those devices to avoid detection of a new device, right?

SPEAKER_00

Yes, to avoid this kind of device fingerprinting detection. And of course, here, especially in the Middle East, users can travel pretty frequently. So for the bank and for some defensive systems, it looks like just a normal travel pattern. But how can we detect this? We have biometrics based on different AI or ML approaches, and we observed that the behavioral profile started to be totally different. Different swipe behavior, different activity hours of the user, we can say. And all these suspicious transfers started, ATM cash withdrawals. And when we reported this kind of suspicious pattern to the bank, they confirmed, yeah, really, money laundering is happening currently. And it's also important to do collaboration with our clients: they were able to contact the user, and they gave us feedback that actually the voice and the person is totally different. I see, but we see that it's controlled by the same user, yeah, same device. I see. It was this kind of interesting way of how they can create these mule networks right now.

Maxim Baldakov

That's pretty cool, Andrew. I never thought that behavioral biometrics could be used to track mule accounts. Again, with my previous experience, here we were mostly using it to detect account takeover, right? But what you're saying here is, again, really impressive. It shows how you can apply that same behavioral biometrics technology to detect changes in the customer behavior and detect mule account cases like this. I think it's pretty cool that you guys managed to catch these mule account operators by detecting various deviations in their behavior. I think that's very impressive. Back when I was working as a fraud analyst, mostly I was using that technology to detect account takeover. So it's pretty cool that you managed to utilize a similar approach for a different fraud case. In your description, you mentioned that the majority of these operations, or pretty much all of the operations, were conducted by the fraudsters or mule operators, right? So basically one group of fraudsters would create mule accounts, ship physical devices abroad, and then another group of fraudsters would start using such devices. In your experience, have you ever noticed or seen cases where the victims were involved in this money muling activity without their notice, without their consent, and basically facilitating fraudulent operations?

SPEAKER_00

Unfortunately, yes, it's also happening. It's important for our listeners to always stay aware of any suspicious offers, about transferring some money or participating in some kind of interesting investment opportunity. Because now in the Middle East, they approach people on social media sometimes to participate, to start investing in some kind of company. Or, in one of the recent cases, the victim just received money and then got a call. Of course, it was not a real bank representative, but the person thought, oh, it was an error, sent by mistake, can you just send a refund? Otherwise you will have consequences. And they just provided the details. And the victim was thinking that it's something normal, maybe a mistake in the bank, but actually he unwillingly became a mule and transferred some money. And I think our listeners should always be aware of such schemes, to be always careful with such suspicious activities. It's better to contact the bank rather than do any actions on their own, because there can be huge consequences for this person, because, unwittingly, he became part of an illegal activity. So unfortunately, such schemes are pretty common right now in the Middle East.

Maxim Baldakov

I think it's one of the latest stages of the development, right, when the fraudsters are unable to operate accounts on their own because bright people, smart people like you are able to track them through various characteristics, devices, behavioral profiles. So I think it will end up with cases that you have mentioned, where victims will be unwillingly, or without notice that this particular transaction is fraudulent, transferring money to another mule. Andrew, thank you for sharing. I think that's very important for our listeners to be aware of such schemes where you can accidentally become a part of this fraud transfer chain. So our listeners should be cautious about this. Thank you for sharing. And I think we are almost concluding our episode. I know that podcast recording is not something that you do on a daily basis. How do you feel about this experience in general? Did you enjoy it? Yeah, actually, yeah, thank you, Max, for the invitation to participate.

SPEAKER_00

Yeah, because it's the first experience in my life to do a podcast. But personally, I really like to listen to... doesn't look like it.

Maxim Baldakov

It looks like you already previously recorded a couple of episodes.

SPEAKER_00

Yeah, thank you. Because previously, personally I really liked to watch podcasts about different kinds of topics, like science, history, cinema, video games, conspiracy theories. Especially before going to sleep, sometimes it helps. So if some of our listeners have a really nice deep sleep while listening to today's episode, it's a positive outcome as well, because now it's pretty stressful times, you know. Sometimes it helps just to listen to some really nice stories. I agree. So thank you very much again for the invitation today, Max. It was really a great pleasure to talk with you.

Maxim Baldakov

Thank you, Andrew, for coming, and I hope we'll see you again on the Fraud Intel Series. And that was another episode. Thank you for listening, and till next episode. Thank you.

SPEAKER_00

Yeah, goodbye, everyone. Stay high, stay safe. Thank you.