Money laundering: how criminal networks exploit “ordinary” bank accounts

The scene takes place in front of a Paris university and is reported by Le Journal du Net. Individuals displaying the logo of an online bank approach students. They offer them the chance to test the new user interface of the mobile application by creating an account. In return, they will receive a bank transfer. The future graduates have just opened a bank account that will be used to launder money of fraudulent origin. Without knowing it, they have become “money mules.”

Still little known to the general public in France, the phenomenon has spread throughout Europe. “In exchange for a commission, these financial mules become key cogs in large-scale fraud systems, managing to bypass traditional anti-money laundering mechanisms because they rely on valid identities,” says Christophe Chaput, Product Director at IDnow, a German company specializing in digital identity verification.

In practice, the accounts created are legal and the sums transferred, a few hundred euros each time, pass under the radar of banks’ Anti-Money Laundering (AML) checks. Below a certain threshold, the bank is not required to ask about the origin of the funds or report a potentially suspicious transaction to Tracfin.

Nearly two million mule accounts

According to BioCatch, a specialist in digital fraud detection and financial crime prevention, nearly two million mule accounts were in operation in 2024. Last year, 4.4 trillion dollars in illicit funds circulated through the global financial system, according to the Nasdaq Global Financial Crime Report. That represents an increase of 1.3 trillion dollars in just two years.

Drug trafficking, human trafficking and racketeering generate staggering amounts of cash. Suitcases full of banknotes traveling by boat or plane are not enough. Criminal networks transfer illicit funds through intermediary accounts belonging to financial mules, which display all the signs of legality, in order to muddy the trail.

“The sums are sent to accounts in countries where the networks operate — in the Maghreb, Eastern Europe or South America — or converted into cryptocurrencies to make them harder to trace,” explains Matthew Platten, Solution Consultant for France & Middle East at BioCatch.

Financial mule accounts are also used by cybercriminals in online scams. In the case of fake bank adviser fraud, the victim is encouraged to make a “security” transfer, after which the funds are redirected to one or several mule accounts. Likewise, funds stolen through phishing, payment diversion fraud or romance scams are spread across different trusted accounts to evade banking controls.

The stakes are far from negligible. “If you remove mule accounts, you remove the possibilities for exfiltrating funds, and, by definition, you disarm a large part of organized crime,” says Matthew Platten. In his view, several types of mules exist. “A criminal can create an account himself, using a synthetic identity or a stolen identity.”

Students, the ideal target

Among receivers, several major profiles stand out. A student is approached on social networks such as Instagram or Snapchat, or on instant messaging services such as WhatsApp and Telegram, with the promise of “easy money.” They are asked to let money pass through their bank account in exchange for a commission. Their account, opened at the age of 16, shows no incidents and will not raise suspicions. Ideally, the target account to which the funds are transferred is in the same bank as that of the mule.

Another scenario: a foreign student opened a bank account during their stay in France and resells their credentials before returning to their country. Finally, there are “naive” mules who become complicit in these illegal actions. They agree to open a bank account to help a friend of a friend, or under the more or less threatening pressure of a stranger they met “by chance.”

People in vulnerable situations, whether physically, psychologically or financially, may also gradually fall into illegality. Europol has published a flyer aimed at these target populations, reminding them of the risks they face, from threats made by the criminal network if they refuse to continue the transfers, to possible criminal prosecution and banking bans.

Bank mule fraud relies above all on a sense of urgency. To avoid unwittingly serving as a relay for organized crime, people need to step back and avoid acting in the heat of the moment. Even if the recruiter appears ordinary, asking for bank details or the PIN code of a bank card is anything but trivial. “The proposal is presented as risk-free,” Europol explains. The recruiter may even promise an additional commission on condition that the person “co-opts” other mules.

According to a 2019 study by Febelfin, the Belgian federation of the financial sector, one young person in ten would lend their account and/or bank card in exchange for money. Boys also appear more receptive to recruiters’ arguments. Fourteen percent of boys would be tempted, compared with 8% of girls. To dissuade them, Europol launches its European Money Mule Action (EMMA) campaign every year, in partnership with banks and banking federations, under the hashtag DontbeaMule.

Under regulatory pressure

“For fraudsters, it is often simpler and faster to exploit real credentials than to create fake profiles based on identity theft or a synthetic identity,” says Christophe Chaput. “These accounts are used for various illicit activities, money laundering of course, but also the online disposal of stolen goods on marketplaces such as eBay.”

Until now, banks had no real incentive to isolate mule accounts. A mule remains a customer: they bring in money, generate commissions and therefore generate revenue for the bank. The ease with which an account can be opened at a neobank such as Revolut, N26 or Nickel also makes the fraudsters’ work easier. They can collect the bank card from the local tobacconist’s shop.

Matthew Platten also points to the risk of automation in money-laundering operations with the rise of autonomous AI agents. AI-powered web browsers, such as Perplexity’s Comet or OpenAI’s ChatGPT Atlas, can carry out financial transactions autonomously.

Regulatory pressure should change the situation. The future Payment Services Directive PSD3, scheduled to come into force in 2027, will strengthen control and anti-fraud obligations. In the event of shortcomings, banking institutions could face financial penalties.

The forthcoming European digital wallet — the EU Digital ID Wallet (EUDI) — introduced by another European regulation, eIDAS 2.0, will also facilitate verification of account holders’ identities. Before December 31, 2026, each Member State must make this European “wallet” available to its citizens.

Behavioral analysis, a paradigm shift

What remains is to provide banks with the means to fight this endemic scourge of money mules. While AML systems are showing their limits, players such as BioCatch and IDnow are highlighting their technology platforms, based on behavioral analysis.

In principle, this involves combining a large number of technical elements — type of device, IP address, etc. — with behavioral signals such as the way a person types on the keyboard, moves the mouse, or the speed at which the transaction is initiated and executed. BioCatch analyzes more than 3,000 factors and claims a mule account detection rate that can exceed 90%.

“A mule under influence will be stressed,” explains Matthew Platten. “If they make an exceptional transaction to a new bank, they will check the IBAN twice, whereas a criminal, used to the exercise, will jump from one field to another using multiple keyboard shortcuts.” According to him, behavioral analysis changes the angle of attack. “It does not focus on the amount, but on the nature of the transaction and the behavior of the person carrying it out.”

Applied to the millions of accounts held by a bank, this analysis of customer interactions can only be performed thanks to advances in artificial intelligence. A bank also correlates the results produced by this type of platform with other internal control systems in order to obtain an overall “scoring.” The whole challenge is to intervene as far upstream of the transaction as possible, from the opening of the account or at the very beginning of its use.