Money Mule Detection: How to Identify and Stop Mule Accounts

Money mules, the people whose accounts are used to receive and pass on the proceeds of crime, are the critical transfer point in almost every modern fraud scheme. The money is made by the scam itself, be that authorised push payment (APP) fraud, account takeover or business email compromise. The mule carries it. Without the mule layer, criminals would be left with stolen money sitting in an account directly connected to the crime, where it can be frozen and recovered.

The lifecycle is short and stable. A victim is socially engineered into authorising a payment, or an account is taken over and drained. The money goes into a mule account. Within hours the funds are dispersed: split across layered accounts, passed to second and third hop mules, converted into cryptocurrency, cashed out or spent on resalable luxury goods. Then they leave the traceable financial system completely. The average mule cycle, from inbound receipt to untraceable exit, ranges from 15 minutes to several hours.

That one fact alters the whole problem. Mule detection is not a leisurely investigative task. It is a matter of speed. You have hours, not days, and the systems that catch mules have to run on that clock. This article is about what works.

  • The Role of the Mule in the Fraud Lifecycle
  • The Fraud AML Overlap: Why Mule Detection Requires Both Capabilities
  • The 50/50 Liability Shift: Why Mule Detection Is Now a Financial Obligation
  • Mule Account Detection Patterns
  • Mule Network Analysis: Why Per-Account Detection Is Not Enough
  • The Crypto Off Ramp: Where Mule Schemes End
  • Regulatory and Enforcement Context
  • How to Build a Mule Detection Program: Operational Checklist

The Role of the Mule in the Fraud Lifecycle

Knowing exactly where the mule sits in the chain helps in detecting them.

The predicate offense is stage one. Someone pretending to be from a retiree's bank tricks them into authorising a transfer of £40,000 to a “safe account”. A finance clerk wires six figures to a fake supplier. A customer’s credentials are phished and a series of rapid payments drain their account. In each case the criminal has the same problem: the money is sitting in an account that leads straight back to the fraud.

The mule is stage two. The stolen funds are transferred into one or more accounts controlled by the criminal network, either directly or through a recruited proxy. This is the inflection point. The receiving account belongs to a real person with real KYC, opened with real (or plausibly synthetic) documents, often with no prior fraud history. From the receiving bank's perspective, money has simply arrived.

The third stage is dispersion. The money does not stay in the mule account. It moves fast to other mules, into crypto, out as cash, into goods. With each step, the victim is further removed from the ultimate recipient. By the time a traditional investigation is ready, the money has moved several times and left the system.

The whole challenge is compressing this timeline. A detection model that surfaces a suspected mule four days after the inbound transfer is describing a crime, not preventing it. The institutions that will actually stop mule activity are the institutions that can flag the receiving account during or immediately after the inbound event, and then act on it in the same cycle.

The Fraud AML Overlap: Why Mule Detection Requires Both Capabilities

This is the structural reason why mule detection so often goes wrong. Every mule incident is, from the receiving bank’s point of view, two problems at once, and most organizations are built to see only one problem at a time.

It’s a fraud problem. The account is receiving proceeds from an APP scam, an account takeover, or a BEC attack. The fraud team’s signals, such as sudden inbound from an unfamiliar counterparty, rapid outbound dispersal, device and session anomalies, are exactly the signals a mule account throws off.

It’s an anti money laundering (AML) problem as well. The same account in the regulated banking system is being used to launder criminal proceeds. The AML team’s typologies, such as pass through activity, layering, structuring on the outbound side and high risk counterparty exposure, describe the very same behaviour from a different angle.

In a siloed organization, the fraud team logs it as downstream fraud, the AML team logs it as a money laundering pattern, and the two records never meet. The fraud analyst sees an unusual transfer, but not the pattern of structuring that is developing across the customer's history. The AML analyst detects a suspicious flow, but not the fraud onboarding flag set off three months ago. Each has half of the picture. The mule works in the space between them with ease.

In a converged organization the two sets of signals support each other. A fraud side onboarding flag (thin file, device shared with other recently opened accounts) plus an AML side transaction pattern (rapid in, rapid out, no economic rationale) is not two weak alerts. This is one high confidence mule alert. This combination is much more accurate than either signal alone, which means fewer false positives on legitimate customers and faster, more confident action on actual mules.

The industry is taking notice. More than half (53%) of US mid-market banks and credit unions surveyed said they are planning to increase consolidation of AML and fraud, with 40% currently in the process of converging systems and processes. Mule detection is one of the clearest cases for why: it is a typology that lives precisely on the fraud/AML seam and is best caught by a platform that treats fraud and AML signals as one risk surface rather than two queues. This is the essence of the converged, or “FRAML,” approach, and it is what unified platforms like Sanction Scanner Fusion are designed for: sharing signals across modules is not an integration project but the default.

The 50/50 Liability Shift: Why Mule Detection Is Now a Financial Obligation

The receiving bank’s incentive to spot mules had been soft for years. Reputation. Regulatory requirement. Good citizenship in general. A missed mule had a direct financial consequence for someone else, either the sending bank or the victim.

That changed on 7 October 2024 in the UK.

The Payment Systems Regulator’s mandatory regime for reimbursement has fundamentally altered the cost of APP fraud. From that date payment service providers are required to reimburse in-scope customers who fall victim to APP fraud in most cases, with the cost of reimbursement shared equally between sending and receiving payment firms. Following consultation, the cap on reimbursement was reduced from the proposed £415,000 to a limit of £85,000 per claim. The £85,000 cap is in line with the limit under the Financial Services Compensation Scheme and covers more than 99% of claims by volume. Reimbursement must be paid immediately and the sending PSP may charge an optional excess of up to £100 per claim (but this does not apply to vulnerable consumers).

The phrase that counts for compliance budgets is shared equally between the sending and receiving payment firms. The receiving institution (the one that held the mule’s account) now pays 50% of the cost of the reimbursement on every claim that falls within scope, up to the £85,000 limit.

Do the math at a mid-sized institution. Say it is the receiving PSP on 1,000 APP fraud claims in a year. Assume conservatively that 30% of them are due to mule accounts at the institution. Even well below the cap, with an average claim value well short of £85,000, the institution’s 50% share across those cases is a material, recurring profit and loss line, not a rounding error, and no longer a cost that sits with someone else.

Here’s the change in one sentence: A missed mule used to be a reputational and regulatory issue; now it is a direct, measurable loss on the receiving institution’s own books. The day that the receiving leg of reimbursement became mandatory, mule detection moved from the “nice to have” column into the “must have” column. Other jurisdictions are looking closely at the UK model and the direction of travel is clear.

Mule Account Detection Patterns

This is the part that practitioners really want to know: The specific signals that distinguish a mule account from a legitimate account, sorted by where in the customer lifecycle they occur.

Onboarding signals. Some mule risk is visible before any transaction takes place. A thin or new credit profile for an adult applicant. A client profile where the declared profession and income do not match the transaction activity that appears a few days later. Several accounts opened from the same device or IP address within a short period of time. No engagement with any other banking product, no card use, no savings behaviour, no direct debits: an account that only exists as a conduit for transfers.

Behavioral indicators. Most mule risk emerges after onboarding, in how the account behaves. High velocity inbound transfers from a variety of different, unrelated sources. Fast outbound transfers to one or a few destinations, sometimes within hours of receipt. Inbound and outbound amounts that are very similar, with a near zero resting balance in the account. Geographic improbability, such as logging in from London and authorizing transactions in Lagos on the same day. Time of day anomalies, such as constant 3 a.m. transaction activity on an account whose profile is a nine to five worker.

Network signals. The strongest indicators are often invisible at the single account level and only show up across accounts. Shared device fingerprints among multiple supposedly unrelated customers. Shared phone numbers, email domains or physical addresses across customers who are supposed to be independent. Fund flows that hop between accounts carrying these identifiers, the signature of a controlled cluster.

The table below shows the highest value indicators, how a modern platform detects them, and what the response should be.

| Signal Type | Specific Indicator | Detection Method | Response Action |
| --- | --- | --- | --- |
| Onboarding | Thin/new file with mismatched profile | Onboarding risk scoring; KYC/expected-activity consistency check | Elevated monitoring tier from day one; lower alert thresholds |
| Onboarding | Multiple accounts, same device/IP | Device intelligence; cross-account fingerprint correlation | Link accounts into one review; hold for manual onboarding check |
| Behavioral | Rapid in/out, near-zero resting balance | Transaction monitoring (pass-through scenario) | Real-time alert; consider hold on outbound pending review |
| Behavioral | Many-to-one inbound, fast outbound dispersal | Velocity and counterparty-fan-in analytics | High-priority mule alert; 24-hour escalation pathway |
| Behavioral | Geographic implausibility / odd-hour activity | Session geolocation vs. transaction location; behavioral baseline | Step-up authentication; freeze pending customer contact |
| Network | Shared device/IP/phone across "unrelated" accounts | Entity resolution and graph/network analysis | Cluster-level investigation; coordinated freeze where confirmed |
| Network | Hub-and-spoke fund flow across a cluster | Cross-customer flow graphing | Treat as single network case; SAR/STR on confirmed activity |

No single row in that table should be enough to freeze an account; legitimate customers occasionally trip individual indicators. Accumulation is the thing. It is not a coincidence when a thin file account opened on a shared device shows many to one inbound activity with same hour outbound dispersal. It is a mule, and the system should be scoring it as such before the cycle is complete.
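The scoring logic the table and the paragraph above describe, written out as an added example (not Sanction Scanner code or any product's rules). It assumes a simple ledger of credits and debits per account plus three onboarding attributes, and every threshold and weight is an illustrative assumption. The point it demonstrates is accumulation: no single indicator carries enough weight to reach the alert threshold, so the thin file student trips two indicators and stays below it, while the constructed mule account trips all seven.

```python
"""Per-account mule indicator scoring over a constructed ledger.

Added example, not code from Sanction Scanner or any product. Every
threshold and weight below is an illustrative assumption; a real
programme would calibrate them against its own customer base.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime        # booking time, UTC
    direction: str      # "in" (credit) or "out" (debit)
    counterparty: str   # sending or receiving account reference
    amount: float


@dataclass(frozen=True)
class Profile:
    credit_file_months: int   # depth of credit history at onboarding
    device_shared_with: int   # other recently opened accounts seen on the same device
    products_used: int        # cards, savings, direct debits etc. actually in use


# Illustrative thresholds (assumptions, not product defaults)
THIN_FILE_MONTHS = 6
SHARED_DEVICE_MIN = 2
RESTING_BALANCE_RATIO = 0.05   # (inbound - outbound) / inbound
FAN_IN_MIN = 5                 # distinct inbound counterparties
VELOCITY_MIN = 5               # inbound credits inside any 24h window
DISPERSAL_HOURS = 6            # first inbound -> first outbound
WEIGHTS = {
    "thin_file": 1, "shared_device": 2, "no_products": 1,
    "pass_through": 2, "fan_in": 2, "velocity": 1, "fast_dispersal": 3,
}
ALERT_THRESHOLD = 6  # larger than any single weight: one indicator never alerts alone


def onboarding_indicators(p: Profile) -> set[str]:
    hits = set()
    if p.credit_file_months < THIN_FILE_MONTHS:
        hits.add("thin_file")
    if p.device_shared_with >= SHARED_DEVICE_MIN:
        hits.add("shared_device")
    if p.products_used == 0:
        hits.add("no_products")
    return hits


def behavioral_indicators(txns: list[Txn]) -> set[str]:
    hits = set()
    inbound = sorted((t for t in txns if t.direction == "in"), key=lambda t: t.ts)
    outbound = sorted((t for t in txns if t.direction == "out"), key=lambda t: t.ts)
    if not inbound:
        return hits
    total_in = sum(t.amount for t in inbound)
    total_out = sum(t.amount for t in outbound)
    # Pass-through: almost everything that came in has already gone out.
    if (total_in - total_out) / total_in <= RESTING_BALANCE_RATIO:
        hits.add("pass_through")
    # Fan-in: many unrelated senders feeding one account.
    if len({t.counterparty for t in inbound}) >= FAN_IN_MIN:
        hits.add("fan_in")
    # Velocity: a burst of credits inside any rolling 24-hour window.
    for i, start in enumerate(inbound):
        if sum(1 for t in inbound[i:] if t.ts - start.ts <= timedelta(hours=24)) >= VELOCITY_MIN:
            hits.add("velocity")
            break
    # Fast dispersal: money leaves within hours of first arriving.
    first_in = inbound[0].ts
    later_out = [t for t in outbound if t.ts >= first_in]
    if later_out and later_out[0].ts - first_in <= timedelta(hours=DISPERSAL_HOURS):
        hits.add("fast_dispersal")
    return hits


def score_account(profile: Profile, txns: list[Txn]) -> tuple[int, set[str]]:
    """Accumulate weighted indicators into one score plus the indicators that fired."""
    hits = onboarding_indicators(profile) | behavioral_indicators(txns)
    return sum(WEIGHTS[h] for h in hits), hits


def is_mule_alert(score: int) -> bool:
    return score >= ALERT_THRESHOLD


# Constructed sample data (not real customers).
T0 = datetime(2025, 3, 3, 9, 0)
MULE_PROFILE = Profile(credit_file_months=2, device_shared_with=3, products_used=0)
MULE_TXNS = [Txn(T0 + timedelta(minutes=20 * i), "in", f"VICTIM-{i}", 1500.0) for i in range(6)]
MULE_TXNS.append(Txn(T0 + timedelta(hours=3, minutes=30), "out", "HOP2-ACCOUNT", 8800.0))

STUDENT_PROFILE = Profile(credit_file_months=3, device_shared_with=0, products_used=0)
STUDENT_TXNS = [Txn(T0, "in", "PARENT", 600.0), Txn(T0 + timedelta(days=2), "out", "LANDLORD", 450.0)]

SALARIED_PROFILE = Profile(credit_file_months=84, device_shared_with=0, products_used=3)
SALARIED_TXNS = [Txn(T0, "in", "EMPLOYER", 3200.0), Txn(T0 + timedelta(days=1), "out", "LANDLORD", 1100.0)]

if __name__ == "__main__":
    cases = [("mule", MULE_PROFILE, MULE_TXNS), ("student", STUDENT_PROFILE, STUDENT_TXNS),
             ("salaried", SALARIED_PROFILE, SALARIED_TXNS)]
    for name, prof, txns in cases:
        score, hits = score_account(prof, txns)
        print(f"{name:9s} score={score:2d} alert={is_mule_alert(score)} {sorted(hits)}")
```

Run as a script it prints one line per account; the mule scores 12 and alerts, the thin file student scores 2 on onboarding indicators alone and does not, which is the false positive the paragraph above warns about.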

Mule Network Analysis: Why Per-Account Detection Is Not Enough

There is a structural ceiling to per account detection, and it is low. If you look at each account in isolation you will miss the vast majority of coordinated mule activity, because modern mule operations are not built on a per account basis.

One mule herder will typically control a cluster of 20 to 200 accounts, often spread across multiple institutions, under multiple names and sometimes synthetic identities. Each account individually may look unremarkable: modest balances, credible activity, and no single indicator serious enough to trigger a per account rule. The cluster is unmistakable. The same device fingerprint seen behind 50 “different” customers, hub and spoke flows where dozens of accounts feed one consolidation point, synchronized timing across supposedly independent parties.

This is where graph and network analysis comes into its own. Instead of asking “is this account suspicious?”, network analysis asks “which accounts are connected, and what does the connected structure look like?” Shared identifiers become edges. Fund flows are cast as directed edges. The clusters that were invisible to any per-account model resolve into clear topologies, and mule networks have characteristic topologies.

The harder problem underneath is entity resolution: Realizing that Account A, Account B and Account C are all controlled by the same actor even though they have different names, different documents and different contact details. Criminal networks intentionally vary the surface attributes. Entity resolution goes beyond them and correlates behavioural signals, device signals and relational signals to collapse many apparent customers into one real controlling entity. Once the controlling entity is visible, the whole cluster can be actioned together, instead of one slow account at a time.
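The two steps described in this section, entity resolution over shared identifiers followed by hub-and-spoke detection over fund flows, as an added example that is not Sanction Scanner code. It uses only the standard library: a union-find over device, phone and address values stands in for the entity-resolution step, and a fan-in count over in-cluster flows stands in for the graph analytics. The six accounts, their identifiers and the flows are constructed; names and documents are deliberately not used as linking keys, since the text notes that criminals vary those on purpose.

```python
"""Entity resolution and hub-and-spoke detection over a constructed cluster.

Added example, not Sanction Scanner code. Account ids, identifiers and
flows are constructed, not real data.
"""
from __future__ import annotations

from collections import defaultdict


class UnionFind:
    """Disjoint sets: accounts that share any identifier end up in one set."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve_entities(accounts: dict[str, dict[str, str]]) -> list[set[str]]:
    """Group accounts that share a device, phone or address value.

    `accounts` maps account id -> {"device": ..., "phone": ..., "address": ...}.
    Any identifier seen on two accounts links them; links are transitive,
    so A-B on a device and B-C on a phone puts A, B and C in one cluster.
    """
    uf = UnionFind()
    first_seen: dict[tuple[str, str], str] = {}
    for acct, ids in accounts.items():
        uf.find(acct)  # register singletons too
        for kind, value in ids.items():
            key = (kind, value)
            if key in first_seen:
                uf.union(first_seen[key], acct)
            else:
                first_seen[key] = acct
    groups: dict[str, set[str]] = defaultdict(set)
    for acct in accounts:
        groups[uf.find(acct)].add(acct)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def find_hubs(flows: list[tuple[str, str, float]], cluster: set[str],
              min_fan_in: int = 3) -> dict[str, float]:
    """Return cluster members receiving funds from >= min_fan_in distinct cluster members.

    `flows` are (sender, receiver, amount). In a hub-and-spoke pattern many
    spokes inside the cluster consolidate into one node before the money leaves.
    """
    senders: dict[str, set[str]] = defaultdict(set)
    volume: dict[str, float] = defaultdict(float)
    for src, dst, amt in flows:
        if src in cluster and dst in cluster and src != dst:
            senders[dst].add(src)
            volume[dst] += amt
    return {dst: volume[dst] for dst, s in senders.items() if len(s) >= min_fan_in}


# Constructed data: six "different" customers, four of them linked by shared identifiers.
ACCOUNTS = {
    "A": {"device": "dev-7f3a", "phone": "+44-7000-000001", "address": "1 High St"},
    "B": {"device": "dev-7f3a", "phone": "+44-7000-000002", "address": "2 Mill Rd"},
    "C": {"device": "dev-7f3a", "phone": "+44-7000-000003", "address": "9 Park Ln"},
    "D": {"device": "dev-91c0", "phone": "+44-7000-000003", "address": "4 Oak Ave"},  # shares C's phone
    "E": {"device": "dev-2b8e", "phone": "+44-7000-000005", "address": "5 Elm Cl"},
    "F": {"device": "dev-d4e1", "phone": "+44-7000-000006", "address": "6 Ash Way"},
}
FLOWS = [
    ("A", "C", 2900.0), ("B", "C", 3100.0), ("D", "C", 2750.0),  # spokes -> hub
    ("C", "EXCHANGE-DEPOSIT", 8600.0),                            # hub -> off-ramp, outside the cluster
    ("E", "F", 120.0),                                            # ordinary transfer between singletons
]


def analyse(accounts=ACCOUNTS, flows=FLOWS) -> list[tuple[set[str], dict[str, float]]]:
    """Multi-account clusters with their consolidation hubs; singletons are skipped."""
    return [(g, find_hubs(flows, g)) for g in resolve_entities(accounts) if len(g) > 1]


if __name__ == "__main__":
    for group, hubs in analyse():
        print(f"cluster={sorted(group)} hubs={hubs}")
```

The output is one network case, {A, B, C, D} with C as the hub receiving 8,750 from three cluster members, rather than four individually unremarkable accounts. In a real deployment the identifier keys would include device fingerprints and behavioural signals rather than raw phone strings, but the collapse from many apparent customers to one controlling entity works the same way.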

The Crypto Off Ramp: Where Mule Schemes End

Increasingly, mule schemes do not end in cash or goods. They end in crypto, because that is where a trail that could otherwise be traced most reliably goes cold.

The pattern is consistent. The mule receives the fiat. In the same short cycle, the fiat is used to buy cryptocurrency, often a stablecoin for stability of value, through a peer to peer exchange, a virtual asset service provider (VASP) with lax KYC, or an entry point into a decentralised finance protocol. The crypto is then transferred to an external wallet outside the institution's view. The bank’s story ends at “customer bought crypto.” The investigator’s story ends at “the trail goes cold.”

Detection must happen at the point of conversion, because that is the last point at which the institution can see both sides. High value signals: rapid conversion from fiat to crypto after a large inbound transfer; outbound transfers to exchange deposit addresses within hours of receipt; repeated funding of VASPs on elevated risk lists; and a customer with no consistent history of crypto purchasing whose buying appears only in close temporal proximity to suspicious inbound activity. Screening counterparties and deposit destinations against VASP risk intelligence closes this gap, and we treat "large inbound followed quickly by crypto on ramp" as a composite scenario, not two unrelated events. This is directly tied to wider crypto AML and Travel Rule controls, which are discussed separately.
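The composite scenario described above, as an added example rather than Sanction Scanner code. It assumes a per-account ledger in which outbound entries to exchange deposit destinations are flagged, a VASP risk list keyed by counterparty (constructed here; a real deployment would take it from a risk-intelligence feed), and illustrative thresholds for "large", "quickly" and "no history". The three constructed accounts show the three outcomes the paragraph distinguishes: a composite alert, a rapid conversion that is explained by established behaviour at a low risk exchange, and a large credit whose crypto purchase falls outside the window and raises nothing.

```python
"""Composite 'large inbound -> fast crypto on-ramp' scenario over constructed data.

Added example, not Sanction Scanner code. The VASP risk list, thresholds
and ledger lines are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entry:
    account: str
    ts: datetime
    direction: str        # "in" or "out"
    counterparty: str
    amount: float
    crypto: bool = False  # outbound to an exchange / VASP deposit destination


# Assumed VASP risk list: counterparty -> rating. Unrated destinations are treated as elevated.
VASP_RISK = {"EXCH-OFFSHORE": "high", "EXCH-REGULATED": "low"}
LARGE_INBOUND = 5000.0
CONVERSION_WINDOW = timedelta(hours=12)
HISTORY_LOOKBACK = timedelta(days=90)
MIN_PRIOR_CRYPTO = 3  # prior buys in the lookback needed to count as established behaviour


def composite_offramp_alerts(ledger: list[Entry]) -> list[dict]:
    """For each large credit, look for a crypto on-ramp shortly afterwards.

    Reasons accumulate: 'rapid_conversion' alone is a lead worth a look;
    adding 'high_risk_vasp' and 'no_crypto_history' makes it a composite alert.
    """
    alerts = []
    by_account: dict[str, list[Entry]] = {}
    for e in ledger:
        by_account.setdefault(e.account, []).append(e)
    for account, entries in by_account.items():
        entries.sort(key=lambda e: e.ts)
        for idx, credit in enumerate(entries):
            if credit.direction != "in" or credit.amount < LARGE_INBOUND:
                continue
            for onramp in entries[idx + 1:]:
                if onramp.ts - credit.ts > CONVERSION_WINDOW:
                    break  # sorted by time, nothing later is inside the window
                if not (onramp.direction == "out" and onramp.crypto):
                    continue
                reasons = ["rapid_conversion"]
                if VASP_RISK.get(onramp.counterparty, "unknown") in ("high", "unknown"):
                    reasons.append("high_risk_vasp")
                prior = [p for p in entries if p.crypto and p.direction == "out"
                         and credit.ts - HISTORY_LOOKBACK <= p.ts < credit.ts]
                if len(prior) < MIN_PRIOR_CRYPTO:
                    reasons.append("no_crypto_history")
                alerts.append({
                    "account": account,
                    "inbound": credit.amount,
                    "to": onramp.counterparty,
                    "hours_to_convert": round((onramp.ts - credit.ts).total_seconds() / 3600, 1),
                    "reasons": reasons,
                    "composite": len(reasons) >= 3,
                })
    return alerts


# Constructed ledger (not real customers or counterparties).
T0 = datetime(2025, 6, 10, 10, 0)
LEDGER = [
    # M-01: APP-fraud proceeds arrive and are converted at a high-risk VASP within three hours
    Entry("M-01", T0, "in", "VICTIM-APP", 12000.0),
    Entry("M-01", T0 + timedelta(hours=3), "out", "EXCH-OFFSHORE", 11800.0, crypto=True),
    # H-02: established monthly buyer at a regulated exchange, then a bonus and a normal buy
    Entry("H-02", T0 - timedelta(days=80), "out", "EXCH-REGULATED", 250.0, crypto=True),
    Entry("H-02", T0 - timedelta(days=50), "out", "EXCH-REGULATED", 250.0, crypto=True),
    Entry("H-02", T0 - timedelta(days=20), "out", "EXCH-REGULATED", 250.0, crypto=True),
    Entry("H-02", T0, "in", "EMPLOYER-BONUS", 6000.0),
    Entry("H-02", T0 + timedelta(hours=4), "out", "EXCH-REGULATED", 1000.0, crypto=True),
    # S-03: large credit, crypto purchase two days later, outside the conversion window
    Entry("S-03", T0, "in", "PROPERTY-SALE", 20000.0),
    Entry("S-03", T0 + timedelta(hours=48), "out", "EXCH-OFFSHORE", 20000.0, crypto=True),
]

if __name__ == "__main__":
    for a in composite_offramp_alerts(LEDGER):
        print(a)
```

Only M-01 produces a composite alert; H-02 surfaces as a single-reason lead that an analyst can close quickly, and S-03 produces nothing because the conversion is not rapid. The window and the history requirement are what keep the scenario from flagging every customer who buys crypto after payday.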

Regulatory and Enforcement Context

Examiners no longer treat mule detection as an afterthought. It now sits explicitly at the intersection of fraud reporting and AML reporting, and supervisors are increasingly asking institutions, “what is your mule detection capability?”

The enforcement picture has been scaled up accordingly. Europol has coordinated the European Money Mule Action (EMMA) in partnership with Eurojust and the European Banking Federation since 2016 and this has become the largest operation of its kind. Its latest results included the identification of 10,759 money mules, 474 recruiters and herders, and 1,013 people facing jail time, with 2,822 banks and financial institutions partnering with law enforcement. Europol runs the public facing #DontBeaMule awareness campaign, available in 26 languages, to educate the public about how recruiters work and how to spot the signs. National initiatives run in parallel including UK awareness campaigns specifically targeting the recruitment of young people and students, a demographic that mule recruiters disproportionately target.

FinCEN has issued advisories on money mule activity in the United States, describing the schemes and red flags and reiterating that mule related activity is subject to suspicious activity reporting obligations. It is in the reporting dimension that the fraud AML overlap becomes a regulatory fact, not just an operational preference: confirmed mule activity generally calls for a SAR or STR filing, and that filing has to reflect both the fraud predicate and the laundering behavior. An institution that is good at finding mules but reports them in an under documented way that captures only half the picture has solved the hard problem and still fallen short of the obligation.

The throughline across all of these regimes is the same expectation: Timely, network-aware detection that is joined up across fraud and AML, not a quarterly batch report describing money that left months ago.

How to Build a Mule Detection Program: Operational Checklist

All of the above goes into an operating program that boils down to a defined set of capabilities. Use this as a working checklist. Each item maps to a function of our converged platform Sanction Scanner Fusion.

  • Add mule risk scoring to the onboarding process. Score thin file, shared device and profile mismatch risk at account opening, prior to any transaction.
  • Implement transaction monitoring for mule behavior patterns. Velocity, fast in/out, near zero resting balance, counterparty fan in.
  • Allow cross account network analysis. Shared devices, IPs, phones, and identifiers clustered through entity resolution.
  • Implement 24 hour escalation paths. Alerts on suspected mules have to get to a decision maker within the mule cycle, not next business week.
  • Establish account freeze authority and procedures. Pre-approved authority to hold outbound transfers on high confidence alerts, with documented thresholds.
  • Establish procedures for SAR/STR filing of confirmed mule activity. Filings identifying the predicate for the fraud and the pattern of laundering.
  • Combine fraud and AML alert queues. One high confidence case = fraud flag + AML pattern, joined through cross module signal sharing.
  • Monitor crypto off-ramp trends. Composite scenarios linking large inbound with fast fiat to crypto conversion and risky VASP exposure.
  • Train frontline staff on signs of mule recruitment. Specifically for branch and onboarding teams who work with younger and financially vulnerable customers.
  • Record all detection and response actions. A clear, examinable record of what was detected, when and what was done, because supervisors now ask.

The program that works isn’t the one with the most rules. It is the one where onboarding risk, behavioral monitoring, network analysis and fraud AML signal sharing work together as a single system fast enough to act within the hours-long window the mule is counting on. Here speed and convergence are not separate goals. They are two sides of one goal.