Cybercriminals are laundering stolen funds through ordinary people, thanks to a small ecosystem of user-friendly apps that can turn any mobile user into an unwitting money mule.
A new report from Cloud SEK details one such app: “XHelper,” an Android platform that connects scammers with citizens of India, whose job is to quickly receive and pass on stolen funds to shadowy third-parties. It sports a clean, user-friendly interface that makes the entire process rather simple, and serves to obscure both the nature of the payments, and who’s on the other end of each transaction.
The app is enabling pig butchering, task, loan, and ecommerce scams, and illegal gambling operations, at a massive scale. It currently sports around 37,000 active users with around 16,000 verified bank accounts, and moves a massive 160 million rupees per day (just under US $2 million).
And besides XHelper, CloudSEK researcher Sparsh Kulshehtra notes, “Our research has identified similar schemes in other countries, highlighting the need for a united front against money laundering using unsuspecting individuals.”
How XHelper Works
Last summer, Chinese cybercriminals caught around 40,000 individuals in five continents in a loan scam. To obscure so many ill-gotten earnings, they called upon a network of hundreds of thousands of online payment accounts.
This was how researchers first caught whiff that, besides the scam itself, something underneath it was deeply wrong, too. It led them to XHelper, an app designed not just to hide the sources of money, but also its own purpose from its users.
XHelper is distributed online by fake “money transfer” businesses. New members are recruited by “agents” — individuals on Telegram posing as representatives of successful businesses, which need help managing their high volumes of daily transactions. Agents earn bonuses for each new recruit so that the laundering network grows larger and larger and, therefore, more robust.
Like any other gig economy app, recruits register their (payment) information and then begin taking on jobs: in this case, receiving money from one party, and within minutes passing it on to another.
Users earn a cut of the spoils (between 0.2-0.3%), which scales as they complete more jobs, earn good ratings for them, and add more bank accounts. Beginner users might only move 10,000 or 20,000 rupees a day via one or two bank accounts, and earn a few hundred rupees (less than five dollars) for their troubles. The highest-level users move tens of millions in an average day, and earn back thousands. The app’s top three users — “shahbaz,” “Register26,” and “Ranjan1982” — have earned themselves more than 12 million rupees (~$145,000) and counting.
Can Money Mules Be Stopped?
That regular people are executing large volumes of near-instant money transfers begs the question: Why aren’t they getting caught?
Firstly, the app offers a series of helpful tutorials that cover not just how to use its various features — accompanied by cheery stock music — but also how to deal with adverse situations, scored by eerie, more somber tunes.
Most important of them all is a tutorial that guides users in registering corporate bank accounts, by posing as small businesses. These corporate accounts enable them to process high volumes of transactions without raising the kinds of red flags that the same activity would in a personal account.
Mules also have other tricks at their disposal, like using different payment systems for incoming and outgoing transfers. “While funds may enter the mule’s account through UPI (a popular Indian payment system), the app instructs them to transfer them out via IMPS (Immediate Payment Service) [an Indian interbank transaction system]. This layering of transfer methods could be an attempt by criminals to obfuscate the transaction history and evade detection by the flagging mechanisms,” Kulshehtra explains.
To identify and curb this behavior, Kulshehtra says, banks, governments, and regulators all have a role to play, as do the organizations targeted by these scams.
“Educating employees and customers through training and awareness campaigns empowers them to recognize and avoid these schemes. This combined focus on understanding the threat, strengthening internal defenses, and building user awareness creates a robust shield against cyber scams,” he concludes.