Cybercriminals in India are running a large-scale money laundering scheme through a network of hired money mules coordinated by an Android application.
The malicious application, called XHelper, is a “key tool for onboarding and managing these money mules,” CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew and Santripti Bhujel said in a report.
Details of the scam first emerged in late October 2023, when Chinese cybercriminals were found to be taking advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering instant loans.
The illicit proceeds of the operation are transferred to other accounts belonging to hired mules, recruited via Telegram in exchange for commissions of 1 to 2% of the total transaction amount.
“At the heart of this operation are Chinese payment gateways precisely exploiting the UPI QR code functionality,” the cybersecurity firm noted at the time.
“The scheme exploited a network of more than hundreds of thousands of compromised ‘money mule’ accounts to funnel illicit funds through fraudulent payment channels, ultimately moving them to China.”
These mules are managed through XHelper, which also supplies the technology behind the fake payment gateways used in pig butchering and other scams. The app is distributed via websites masquerading as legitimate companies offering a “Money Transfer Business”.
The app also lets mules track their earnings and streamlines the entire payment and collection process. This begins with an initial setup in which mules are asked to register their UPI IDs in a particular format and enter their online banking credentials.
Payment orders require the rapid transfer of funds to pre-designated accounts within 10 minutes, whereas collection orders are more passive in nature: the registered accounts simply receive incoming funds from other scammers using the platform.
“Money mules activate order capture within the XHelper app, allowing them to receive and carry out money laundering activities,” the researchers said. “The system automatically assigns orders, possibly based on predetermined criteria or mule profiles.”
Once an illicit fund transfer is performed using the linked bank account, mules are also expected to upload proof of the transaction in the form of screenshots, which are then validated in exchange for financial rewards, thus incentivizing continued participation.
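The order flow described above (funds credited to a mule account, then forwarded minus a small cut within a tight window) leaves a recognisable pass-through signature in transaction data. As an added illustration, not code from CloudSEK or from XHelper itself, the following Python sketch pairs each credit with a near-equal debit that follows within 10 minutes and flags accounts where most inbound value is forwarded that way from several distinct sources. The transaction records, account names, field layout and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str       # monitored account (e.g. a mule's registered UPI ID)
    direction: str     # "in" (credit) or "out" (debit)
    counterparty: str  # other side of the transfer
    amount: float
    ts: datetime


def _t(hhmm: str) -> datetime:
    # Constructed timestamps, all on one day for readability.
    return datetime.fromisoformat(f"2023-11-01T{hhmm}:00")


# Constructed sample feed (not real data): "mule@upi" forwards nearly every
# credit minus a ~1% cut within minutes; "salaried@upi" behaves normally.
SAMPLE_TXNS = [
    Txn("mule@upi", "in", "victim1@upi", 5000.0, _t("10:00")),
    Txn("mule@upi", "out", "sink1@upi", 4950.0, _t("10:04")),
    Txn("mule@upi", "in", "victim2@upi", 12000.0, _t("10:20")),
    Txn("mule@upi", "out", "sink2@upi", 11880.0, _t("10:27")),
    Txn("mule@upi", "in", "victim3@upi", 8000.0, _t("11:00")),
    Txn("mule@upi", "out", "sink1@upi", 7920.0, _t("11:08")),
    Txn("mule@upi", "in", "victim4@upi", 3000.0, _t("11:30")),
    Txn("mule@upi", "out", "sink2@upi", 2970.0, _t("11:55")),  # 25 min: outside the window
    Txn("salaried@upi", "in", "employer@upi", 60000.0, _t("09:00")),
    Txn("salaried@upi", "out", "grocer@upi", 1200.0, _t("09:05")),
    Txn("salaried@upi", "out", "landlord@upi", 20000.0, _t("12:00")),
    Txn("salaried@upi", "in", "friend@upi", 500.0, _t("13:00")),
    Txn("salaried@upi", "out", "cafe@upi", 300.0, _t("13:03")),
]


def match_pass_through(txns, window=timedelta(minutes=10), tolerance=0.03):
    """Pair each credit with the first later, still-unused debit that lands
    within `window` and is within `tolerance` of the credit amount (the mule
    may keep a small commission). Returns a list of (credit, debit) pairs."""
    credits = sorted((t for t in txns if t.direction == "in"), key=lambda t: t.ts)
    debits = sorted((t for t in txns if t.direction == "out"), key=lambda t: t.ts)
    used = set()
    pairs = []
    for c in credits:
        for i, d in enumerate(debits):
            if i in used or d.ts < c.ts:
                continue
            if d.ts - c.ts > window:
                break  # debits are sorted; nothing later can qualify
            if abs(d.amount - c.amount) <= tolerance * c.amount:
                used.add(i)
                pairs.append((c, d))
                break
    return pairs


def flag_mule_accounts(txns, window=timedelta(minutes=10), tolerance=0.03,
                       min_pairs=3, min_sources=3, min_ratio=0.8):
    """Score every account in `txns` and mark those that look like
    pass-through mules: several distinct inbound sources, and most inbound
    value forwarded within `window`. Thresholds are illustrative, not tuned."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    report = {}
    for account, rows in by_account.items():
        pairs = match_pass_through(rows, window, tolerance)
        total_in = sum(t.amount for t in rows if t.direction == "in")
        forwarded = sum(c.amount for c, _ in pairs)
        sources = {c.counterparty for c, _ in pairs}
        ratio = forwarded / total_in if total_in else 0.0
        report[account] = {
            "pairs": len(pairs),
            "distinct_sources": len(sources),
            "forwarded_ratio": round(ratio, 3),
            "flagged": (len(pairs) >= min_pairs and len(sources) >= min_sources
                        and ratio >= min_ratio),
        }
    return report


if __name__ == "__main__":
    for acct, summary in flag_mule_accounts(SAMPLE_TXNS).items():
        print(acct, summary)
```

On the constructed feed the mule account matches three of its four credits (the fourth is forwarded too slowly), forwarding about 89% of inbound value from three distinct sources, and is flagged; the salaried account matches nothing. The amount tolerance exists because a mule keeping a 1 to 2% commission forwards slightly less than it received, and the window is what the payment orders described above impose; real deployments would tune both against observed behaviour rather than these illustrative values.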
XHelper’s features also extend to inviting others to join as agents tasked with recruiting mules. This takes the form of a referral system that pays agents bonuses for each new recruit, building an ever-expanding network of agents and mules.
“This referral system follows a pyramid structure, fueling mass recruitment of both agents and money mules, amplifying the scope of illicit activity,” the researchers said. “The agents, in turn, recruit more mules and invite more agents, perpetuating the growth of this interconnected network.”
Another notable XHelper feature is training mules to launder stolen funds efficiently through a learning management system (LMS) that offers tutorials on opening fake business bank accounts (which have higher transaction limits), on the different workflows, and on ways to earn more commissions.
Apart from leveraging the UPI functionality built into legitimate banking apps to make transfers, the platform serves as a hub for ways to bypass account freezes so that mules can continue their illegal activities. Mules are also trained to handle the customer care calls banks make to verify suspicious transactions.
“While XHelper is a troubling example, it is critical to recognize that this is not an isolated incident,” CloudSEK said, adding that it had discovered a “growing ecosystem of similar applications that facilitate money laundering through various scams.”
In December 2023, Europol announced that 1,013 people had been arrested in the second half of 2023 as part of a global effort to tackle money laundering. The international law enforcement operation also led to the identification of 10,759 money mules and 474 recruiters (i.e. herders).
The disclosure comes as Kaspersky revealed that malware, adware and riskware attacks on mobile devices increased steadily from February 2023 through the end of the year.
“Android malware and riskware activity increased in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year,” the Russian security vendor noted. “Adware accounted for the majority of threats detected in 2023.”