Cybercriminals are laundering stolen funds through ordinary people, thanks to a small ecosystem of intuitive apps that can turn any mobile user into an unwitting money mule.
A new report from CloudSEK details one such app: “XHelper,” an Android platform that connects scammers with Indian citizens, whose job is to quickly receive and transfer stolen funds to shadowy third parties. It features a clean and intuitive interface that makes the entire process quite simple and serves to obscure both the nature of the payments and who is on the other end of each transaction.
The app has enabled pig-butchering, business, lending and e-commerce scams, as well as large-scale illegal gambling operations. It currently has around 37,000 active users with around 16,000 verified bank accounts and moves as much as 160 million rupees a day (just under $2 million).
Speaking about XHelper, CloudSEK researcher Sparsh Kulshehtra notes: “Our research has identified similar patterns in other countries, highlighting the need for a united front against money laundering using unsuspecting individuals.”
How XHelper works
Last summer, Chinese cybercriminals were discovered to have ensnared 40,000 individuals on five continents in a loan scam. To obscure so much in ill-gotten gains, they called on a network of hundreds of thousands of online payment accounts.
This was how researchers first realized that, beyond the scam itself, something deeper was amiss. It led them to XHelper, an app designed to hide not only the sources of the money but also its own purpose from its users.
XHelper is distributed online by fake “money transfer” companies. New members are recruited by “agents” – individuals on Telegram posing as representatives of successful companies, who need help managing their high volumes of daily transactions. Agents earn bonuses for each new recruit so that the money laundering network becomes bigger and, therefore, more robust.
Like any other gig economy app, recruits register their (payment) information and then start accepting jobs: in this case, they receive money from one party and within minutes pass it on to another.
Users earn a portion of the loot (between 0.2 and 0.3%), which increases as they complete more jobs, get good ratings, and add more bank accounts. Beginner users could move just 10,000 or 20,000 rupees a day through one or two bank accounts and earn a few hundred rupees (less than five dollars) for their trouble. The highest-level users move tens of millions on an average day and earn thousands. The app’s top three users – “shahbaz”, “Register26” and “Ranjan1982” – have earned more than 12 million rupees (~$145,000) and counting.
Is it possible to stop Money Mules?
The fact that normal people perform large volumes of near-instantaneous money transfers raises the question: why aren’t they getting caught?
First, the app offers a series of helpful tutorials that explain not only how to use its various features, accompanied by cheerful stock music, but also how to deal with adverse situations, accompanied by disturbing and dark songs.
Most important of all is a tutorial that guides users in registering business bank accounts, posing as small businesses. These business accounts allow them to process high volumes of transactions without raising the types of red flags that the same activity would in a personal account.
Mules also have other tricks at their disposal, such as using different payment systems for incoming and outgoing transfers. “While funds can enter the mule’s account via UPI (a popular Indian payment system), the app instructs them to transfer them via IMPS (Immediate Payment Service) [an Indian interbank transaction system]. This layering of transfer methods could be an attempt by criminals to obfuscate transaction history and evade detection by reporting mechanisms,” explains Kulshehtra.
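From the monitoring side, the UPI-in, IMPS-out relay described above can be expressed as a simple pairing rule over an account ledger. The following is an added example, not code from the CloudSEK report or from any bank's system; the record layout, the 10-minute window, the 1% amount tolerance, the two-hit threshold and the sample rows are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample ledger: (account, time, direction, rail, amount in rupees).
SAMPLE = [
    ("A1", "2024-03-01 10:00", "in",  "UPI",  10000),
    ("A1", "2024-03-01 10:04", "out", "IMPS",  9975),
    ("A1", "2024-03-01 11:30", "in",  "UPI",  20000),
    ("A1", "2024-03-01 11:33", "out", "IMPS", 19950),
    ("B2", "2024-03-01 09:00", "in",  "UPI",   5000),
    ("B2", "2024-03-03 18:00", "out", "IMPS",  4990),  # days later: not a relay
    ("C3", "2024-03-01 12:00", "in",  "UPI",   8000),
    ("C3", "2024-03-01 12:05", "out", "UPI",   8000),  # same rail: not this pattern
]

WINDOW = timedelta(minutes=10)   # assumed value for "within minutes"
TOLERANCE = 0.01                 # assumed: outbound within 1% of inbound amount
MIN_HITS = 2                     # assumed: repeated relays before flagging


def find_relays(ledger, window=WINDOW, tolerance=TOLERANCE):
    """Pair each UPI credit with the next unused, similar-sized IMPS debit in the window."""
    rows = sorted(
        (acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"), d, rail, amt)
        for acct, ts, d, rail, amt in ledger
    )
    used, relays = set(), []
    for i, (acct, t_in, d, rail, amt_in) in enumerate(rows):
        if (d, rail) != ("in", "UPI"):
            continue
        for j in range(i + 1, len(rows)):
            acct2, t_out, d2, rail2, amt_out = rows[j]
            if acct2 != acct or t_out - t_in > window:
                break  # rows are sorted, so nothing later can match
            if j in used or (d2, rail2) != ("out", "IMPS"):
                continue
            if abs(amt_in - amt_out) <= tolerance * amt_in:
                used.add(j)
                relays.append((acct, t_in, t_out, amt_in, amt_out))
                break
    return relays


def flag_accounts(ledger, min_hits=MIN_HITS):
    """Return accounts with at least min_hits cross-rail relays."""
    counts = Counter(r[0] for r in find_relays(ledger))
    return sorted(a for a, n in counts.items() if n >= min_hits)
```

A rule like this is a triage signal rather than proof: legitimate merchants also forward funds quickly, so hits would normally be combined with account age, declared business type and counterparty diversity.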
To identify and curb this behavior, Kulshehtra says, everyone has a role to play: banks, governments and regulators, as well as the organizations targeted by these scams.
“Educating employees and customers through training and awareness campaigns allows them to recognize and avoid these patterns. This combined focus on understanding the threat, strengthening internal defenses and raising user awareness creates a solid shield against cyber scams,” he concludes.