Cybercriminals are using Telegram channels to openly market verified bank accounts, fintech wallets, and cryptocurrency exchange accounts, turning money laundering into a highly organized criminal operation. This underground marketplace has evolved from informal recruitment to a professional network, offering tiered pricing, customer support, and guarantees for account replacements, making illicit financial activities more accessible.
Structure of the Underground Market
Funds circulating through these networks primarily originate from phishing, ransomware, Business Email Compromise scams, and investment fraud. In the United States, approximately 0.3% of all financial accounts are suspected to be controlled by mules. These operations exploit stolen identities, AI-generated personas, and hacked credentials to create accounts that pass stringent identity checks at banks and fintech platforms.
To bypass fraud detection, criminals utilize forged documents, deepfake videos, and synthetic identity kits. Once these accounts are operational, they receive illegal funds, which are swiftly transferred across multiple institutions and withdrawn before any detection is possible.
Telegram as a Hub for Mule Services
The KELA Cyber Intelligence Center has identified extensive illicit activities linked to mule networks within Telegram channels, dark web forums, and encrypted messaging groups. In a report shared with Cyber Security News, KELA disclosed that threat actors are openly promoting verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and comprehensive laundering services on a massive scale.
Telegram has emerged as the primary platform for what is known as Mule-as-a-Service (MaaS), a niche within the broader Fraud-as-a-Service ecosystem. Users can find sellers listing accounts from a variety of banks across the U.S., Latin America, and Europe, with some posts showcasing hundreds of accounts accompanied by customer reviews to vouch for their credibility.
The Role of AI in Evasive Techniques
Artificial intelligence significantly enhances the creation and management of mule accounts. Criminals use advanced language models, deepfake video tools, and platforms like RunwayML to produce realistic facial movements that deceive remote verification systems at financial institutions. Manuals on forums like CrackedTo instruct users on how to exploit AI tools, such as prompting ChatGPT, to simulate natural facial movements required for verification.
AI also facilitates account warming, where bots conduct low-risk transactions, making accounts appear legitimate before funneling illicit funds. Additionally, predictive smurfing algorithms and voice cloning technologies help circumvent Anti-Money Laundering (AML) systems and verification processes.
Countermeasures and Future Implications
To combat these sophisticated threats, KELA advises organizations to actively monitor dark web forums and Telegram channels for emerging MaaS activities. Financial institutions should enhance their identity verification systems to counter deepfake injection attacks, where synthetic video is directly fed into banking applications rather than being shown to a camera. Security teams are encouraged to implement behavioral analytics capable of identifying AI-driven account warming and adaptive smurfing behaviors, which traditional AML systems may overlook.
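As an added illustration of the behavioral analytics described above (not code from KELA or the original article), the following Python sketch flags accounts whose history of small "warming" transactions is followed by a large inbound credit that is mostly forwarded within a short window. The ledger format, account names, and all thresholds are assumptions chosen for the constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample ledger: (account, timestamp, direction, amount).
SAMPLE = [
    # A-100: weeks of small "warming" payments, then a large credit forwarded in hours.
    ("A-100", "2024-02-01T09:00", "out", 12), ("A-100", "2024-02-05T14:00", "in", 8),
    ("A-100", "2024-02-10T11:00", "out", 15), ("A-100", "2024-02-15T16:00", "in", 10),
    ("A-100", "2024-02-20T10:00", "out", 9), ("A-100", "2024-02-25T12:00", "in", 11),
    ("A-100", "2024-03-01T10:00", "in", 9500), ("A-100", "2024-03-01T11:00", "out", 4700),
    ("A-100", "2024-03-01T13:30", "out", 4600),
    # B-200: ordinary spending, then a salary credit that stays in the account.
    ("B-200", "2024-02-02T08:00", "out", 40), ("B-200", "2024-02-06T19:00", "out", 25),
    ("B-200", "2024-02-11T13:00", "out", 60), ("B-200", "2024-02-17T09:00", "in", 30),
    ("B-200", "2024-02-22T18:00", "out", 55), ("B-200", "2024-03-01T06:00", "in", 3000),
    ("B-200", "2024-03-01T12:00", "out", 35), ("B-200", "2024-03-06T09:00", "out", 1200),
]

def flag_warm_then_passthrough(txns, spike_factor=20, window=timedelta(hours=24),
                               out_ratio=0.8, min_history=5):
    """Return {account: evidence} for accounts that look warmed and then used as a pass-through.

    All thresholds are illustrative assumptions, not values from the article.
    """
    by_acct = {}
    for acct, ts, direction, amount in txns:
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), direction, amount))
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        for i, (ts, direction, amount) in enumerate(rows):
            if direction != "in" or i < min_history:
                continue  # need an inbound credit with enough prior history
            baseline = median(a for _, _, a in rows[:i])
            if amount < spike_factor * baseline:
                continue  # credit is in line with the account's usual activity
            # Sum what leaves the account inside the window after the spike.
            forwarded = sum(a for t, d, a in rows[i + 1:]
                            if d == "out" and t - ts <= window)
            if forwarded >= out_ratio * amount:
                flagged[acct] = {"credit": amount, "baseline": baseline,
                                 "forwarded": forwarded}
                break
    return flagged

if __name__ == "__main__":
    print(flag_warm_then_passthrough(SAMPLE))
```

A production system would learn per-customer baselines rather than use fixed multipliers, and would correlate flagged accounts across institutions where data sharing allows.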
As cybercriminals continue to refine their methods, it is imperative for financial institutions and security teams to stay vigilant and adopt advanced technologies to detect and prevent these evolving threats.
