Organized fraud networks are exploiting French fintech accounts to rapidly move stolen money, often before detection can occur. These sophisticated operations create fake business accounts on freelancer fintech platforms and utilize them as money mules to launder illicit funds, bypassing traditional security measures. This trend highlights a growing challenge in combating financial crime within the rapidly evolving digital payments landscape.
This sophisticated approach is not the work of lone actors but a structured fraud network designed for maximum evasion. Fintech platforms, lauded for their convenience and speed, are increasingly becoming targets. Services offering streamlined Know Your Customer (KYC) processes and rapid, remote account opening, such as Revolut, Wise, and N26, provide the ideal infrastructure for these illicit activities. The features that benefit legitimate entrepreneurs—instant payments, cross-border transactions, and business-grade payment processing—are precisely what cybercriminals need to operate undetected.
Cybercriminals Exploit French Fintech Accounts for Money Laundering
According to analysts and researchers from Group-IB, confirmed mule accounts on European freelancer fintech platforms are being openly sold on dark web marketplaces for prices ranging from $200 to $1,000 per account. These verified business accounts are significantly more valuable to fraudsters than standard consumer bank accounts due to their enhanced transactional capabilities.
The European Banking Authority (EBA) and European Central Bank (ECB) Joint Report on Payment Fraud revealed that credit transfer fraud losses across the European Economic Area reached $2.5 billion in 2023. This represents a significant 25 percent increase from the previous year, with mule accounts being the primary conduit for these losses. Funds are frequently moved within minutes via instant payment rails, making recovery exceptionally difficult.
The threat actor identified behind this operation is known as “Bastardaseller,” reportedly part of the larger ASGARD fraud network. This organized network specializes in creating and selling verified European business accounts. Bastardaseller primarily operates through a Telegram channel and distributes these accounts across various dark web marketplaces. Data from Group-IB customer analysis suggests that approximately 1 in 5 registered users in France on these platforms may be a mule account; the figure is extrapolated nationwide and is likely an underestimate.
The true scale of this operation is likely even greater. The method is ingeniously designed to remain invisible at each individual checkpoint. It only becomes apparent when the entire lifecycle of an account is analyzed as a connected sequence of events, revealing a pattern that isolated checks would miss.
Mule Account Creation: Inside the Three-Phase Scheme
The observed fraud operation unfolds across three distinct phases, each meticulously planned to exploit vulnerabilities in account creation and verification processes.
Phase 1: Personal Information Gathering
In the initial phase, fraudsters execute phishing campaigns to acquire victim Personally Identifiable Information (PII). These phishing sites are often disguised with plausible cover stories. One documented instance involved a fake mortgage consultation service, where unsuspecting victims submitted personal details in exchange for financial advice. This allows fraudsters to obtain information that appears to originate from a legitimate check, while the victim remains unaware that their data will be used for fraudulent purposes.
Phase 2: Account Registration and Verification
Fraudsters then use the stolen PII to register the fraudulent account. Group-IB researchers have observed operators using SIM modem farms to obtain French-looking IP addresses and phone numbers. These systems rotate IP addresses within the same carrier’s dynamic pool during registration attempts. Moreover, device timezone signals during these sessions suggest that the operators are not physically located in France.
The crucial KYC stage typically requires a real person to present a genuine identity document, often accompanied by a live selfie or video verification. In this scheme, the victim is contacted via social engineering, usually through phone calls or messaging apps. They are then prompted to click on a KYC link and complete what they believe to be a routine verification step for an unrelated service, unknowingly participating in their own identity’s exploitation. This phase cleverly leverages the victim’s own biometrics and documents to pass stringent verification checks.
Phase 3: Handover and Money Movement
Once the KYC verification is successfully completed, control of the account is transferred to the fraud operation. This is achieved through the platform’s mobile application, often using low-cost Android devices. The new login comes from the same network subnet as the original sign-up, which links it back to the initial sign-up infrastructure. This confirms that the handover is a deliberate operational maneuver rather than a legitimate access event by the account holder.
Fintech platforms and their fraud detection teams should consider implementing enhanced monitoring strategies. Flagging IP addresses from Mobile Virtual Network Operators (MVNOs) during desktop sign-up sessions and closely monitoring sign-up velocity by network, city, and Internet Service Provider (ISP) are crucial steps. Treating fingerprint spoofing artifacts as high-confidence fraud signals and flagging device downgrades that occur between the KYC process and the subsequent operational handover are also vital measures. Effective detection requires linking sessions across the entire account lifecycle and identifying patterns at the network level, rather than evaluating accounts in isolation.
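The lifecycle linking recommended above can be sketched as follows. This is an added example, not code from Group-IB or any platform named in the article; the event fields, the /24 grouping, the device "tier" scale and the velocity threshold are assumptions, the sample events are constructed, and fingerprint-spoofing detection is left out.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample events for one monitoring window (not real data).
# "carrier" and "tier" (1 = low-cost, 3 = high-end) are assumed enrichment fields.
EVENTS = [
    {"acct": "A1", "stage": "signup", "ip": "198.51.100.23", "carrier": "mvno", "form": "desktop"},
    {"acct": "A1", "stage": "kyc", "ip": "203.0.113.77", "carrier": "fixed", "form": "mobile", "tier": 3},
    {"acct": "A1", "stage": "login", "ip": "198.51.100.191", "carrier": "mvno", "form": "mobile", "tier": 1},
    {"acct": "A2", "stage": "signup", "ip": "198.51.100.40", "carrier": "mvno", "form": "desktop"},
    {"acct": "A3", "stage": "signup", "ip": "198.51.100.88", "carrier": "mvno", "form": "mobile"},
    {"acct": "B1", "stage": "signup", "ip": "192.0.2.10", "carrier": "fixed", "form": "desktop"},
    {"acct": "B1", "stage": "kyc", "ip": "192.0.2.10", "carrier": "fixed", "form": "mobile", "tier": 3},
    {"acct": "B1", "stage": "login", "ip": "192.0.2.10", "carrier": "fixed", "form": "mobile", "tier": 3},
]

def subnet(ip, prefix=24):
    """Network containing ip, used as the linking key between sessions."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def score_accounts(events, velocity_threshold=3):
    """Return {account: [flags]} by linking sign-up, KYC and first login."""
    stages = defaultdict(dict)          # account -> stage -> first event seen
    signups_per_net = defaultdict(set)  # /24 -> accounts registered from it
    for e in events:
        stages[e["acct"]].setdefault(e["stage"], e)
        if e["stage"] == "signup":
            signups_per_net[subnet(e["ip"])].add(e["acct"])
    findings = {}
    for acct, st in stages.items():
        su, kyc, login = st.get("signup"), st.get("kyc"), st.get("login")
        flags = []
        if su and su["carrier"] == "mvno" and su["form"] == "desktop":
            flags.append("mvno_ip_on_desktop_signup")
        if su and len(signups_per_net[subnet(su["ip"])]) >= velocity_threshold:
            flags.append("signup_velocity_by_network")
        if kyc and login and login["tier"] < kyc["tier"]:
            flags.append("device_downgrade_after_kyc")
        # Handover: login returns to the sign-up subnet although KYC came from elsewhere.
        if su and kyc and login and subnet(login["ip"]) == subnet(su["ip"]) \
                and subnet(kyc["ip"]) != subnet(su["ip"]):
            flags.append("login_back_on_signup_subnet")
        findings[acct] = flags
    return findings

if __name__ == "__main__":
    for acct, flags in score_accounts(EVENTS).items():
        print(acct, flags or "no flags")
```

Account A1 trips all four checks only because its three sessions are evaluated together; each session on its own looks like an ordinary French mobile or fixed-line user.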

