Cybercriminals Exploit French Fintech Accounts to Move Stolen Money Before Detection

Organized fraud networks are now using a new method to move stolen money in France. They create fake business accounts on freelancer fintech platforms and use those accounts as mule accounts to launder funds quickly, often before anyone can trace the money.

This is not a simple scam by one bad actor. It is a structured fraud operation built to avoid detection at every stage.

Fintech platforms such as Revolut, Wise, and N26 offer fast, remote account opening, streamlined KYC, and business-grade payment infrastructure including SEPA transfers, invoicing, and payment processing.

These features, very useful for legitimate users, are also what fraud networks need. A verified individual entrepreneur account can send instant payments, process business transactions, and move money across borders, all inside a regulated, legal-looking financial service.

This makes such accounts far more valuable to fraudsters than regular consumer bank accounts.

Group-IB analysts and researchers identified that confirmed mule accounts on European freelancer fintech platforms are actively sold on dark web marketplaces for between $200 and $1,000 per account.

According to the EBA-ECB Joint Report on Payment Fraud, credit transfer fraud losses across the European Economic Area reached $2.5 billion in 2023, a 25 percent increase from the previous year.

Mule accounts are the primary vehicle for these losses, with funds moved within minutes via instant payment rails, often beyond recovery.

The threat actor behind this operation is tracked as “Bastardaseller,” part of the larger ASGARD fraud network, a structured organization specializing in creating and selling verified European business accounts.

The actor operates a primary Telegram channel and distributes accounts through multiple dark web marketplaces. Nearly 1 in 5 sign-up users in France was confirmed as a mule account, a figure derived from Group-IB customer data and extrapolated nationwide.

Screenshot of verified mule accounts listing by @astarta_seller1 (Source – Group-IB)

The true scale is likely higher. The attack is designed to be invisible at every individual checkpoint and only becomes visible when the full account lifecycle is analyzed as a connected sequence.

Mule Account Creation: Inside the Three-Phase Scheme

The operation runs across three distinct phases. In Phase 1, fraudsters run phishing campaigns to collect victim Personally Identifiable Information (PII).

Phishing sites are built under various cover stories; one documented example is a fake mortgage consultation service where victims submit personal details in exchange for financial advice.

The platform sees a real person completing what looks like a legitimate check, while the victim is unaware that their information will be used for fraud.

Screenshot of a French phishing page to collect victim PII, with English translation (Source – Group-IB)

In Phase 2, fraudsters use the stolen PII to register the account. Group-IB researchers observed that operators use SIM modem farm infrastructure to generate French-looking IP addresses and phone numbers, with addresses rotating between attempts within the same carrier's dynamic pool.

Device timezone signals during sessions suggest operators are not located in France. KYC requires a real person presenting a real identity document, often with a live selfie or video check.

The victim, contacted via social engineering through phone or messaging, follows a KYC link and completes what they believe is a routine verification step.

Corroborating fraud signals during sign-up phase (Source – Group-IB)

In Phase 3, once KYC passes, control transfers to the fraud operation through the platform's mobile app using a low-cost Android device. Subnet continuity links this new login back to the sign-up infrastructure, confirming the handover is a deliberate operational move rather than a legitimate access event.

Fintech platforms and fraud teams should flag MVNO (mobile virtual network operator) IP addresses on desktop sign-up sessions and monitor sign-up velocity by network, city, and ISP.

Treating fingerprint spoofing artifacts as high-confidence fraud signals and flagging device downgrades between KYC and operational handover are also important steps.

Detection requires linking sessions across the full account lifecycle and identifying patterns at the network level, not evaluating accounts in isolation.
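The lifecycle-level checks recommended above, written out as an added example (not code from the article or from Group-IB): it links each account's sign-up, KYC and first post-KYC login sessions and raises the four signals the article names. The session fields, the "asn_type" and "device_tier" enrichments, and the velocity threshold are assumptions; the sample sessions are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sessions for four accounts. Field names and the
# "asn_type" / "device_tier" enrichments are assumptions for this example.
SESSIONS = [
    {"acct": "A1", "stage": "signup", "ip": "100.64.10.5",  "client": "desktop", "asn_type": "mvno",  "device_tier": None},
    {"acct": "A1", "stage": "kyc",    "ip": "192.0.2.44",   "client": "mobile",  "asn_type": "fixed", "device_tier": "high"},
    {"acct": "A1", "stage": "login",  "ip": "100.64.10.42", "client": "mobile",  "asn_type": "mvno",  "device_tier": "low"},
    {"acct": "A2", "stage": "signup", "ip": "100.64.10.9",  "client": "desktop", "asn_type": "mvno",  "device_tier": None},
    {"acct": "A2", "stage": "kyc",    "ip": "192.0.2.71",   "client": "mobile",  "asn_type": "fixed", "device_tier": "high"},
    {"acct": "A3", "stage": "signup", "ip": "100.64.10.77", "client": "desktop", "asn_type": "mvno",  "device_tier": None},
    {"acct": "B1", "stage": "signup", "ip": "203.0.113.8",  "client": "desktop", "asn_type": "fixed", "device_tier": None},
    {"acct": "B1", "stage": "kyc",    "ip": "203.0.113.8",  "client": "mobile",  "asn_type": "fixed", "device_tier": "high"},
    {"acct": "B1", "stage": "login",  "ip": "198.51.100.3", "client": "mobile",  "asn_type": "mobile", "device_tier": "high"},
]

def subnet24(ip):
    """Collapse an IPv4 address to its /24, the granularity used for continuity and velocity."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def score_accounts(sessions, velocity_threshold=3):
    """Return {account: [signal, ...]} after linking each account's lifecycle sessions."""
    by_acct = defaultdict(dict)          # acct -> stage -> session
    signups_per_subnet = defaultdict(set)  # /24 -> accounts that signed up from it
    for s in sessions:
        by_acct[s["acct"]][s["stage"]] = s
        if s["stage"] == "signup":
            signups_per_subnet[subnet24(s["ip"])].add(s["acct"])
    flags = {}
    for acct, stages in by_acct.items():
        su, kyc, login = stages.get("signup"), stages.get("kyc"), stages.get("login")
        hits = []
        # 1. Desktop sign-up arriving from a mobile-carrier (MVNO) address pool.
        if su and su["client"] == "desktop" and su["asn_type"] == "mvno":
            hits.append("mvno_desktop_signup")
        # 2. Sign-up velocity: many new accounts from one /24 within the batch.
        if su and len(signups_per_subnet[subnet24(su["ip"])]) >= velocity_threshold:
            hits.append("signup_velocity_subnet")
        # 3. Device downgrade between the KYC session and the operational login.
        if kyc and login and kyc["device_tier"] == "high" and login["device_tier"] == "low":
            hits.append("device_downgrade_after_kyc")
        # 4. Post-KYC login returns to the sign-up subnet while KYC came from elsewhere.
        if su and kyc and login and subnet24(su["ip"]) == subnet24(login["ip"]) != subnet24(kyc["ip"]):
            hits.append("handover_to_signup_infra")
        flags[acct] = hits
    return flags
```

Account A1 trips all four signals only when the three sessions are read together; evaluated in isolation, its KYC session looks like an ordinary verification.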

The post Cybercriminals Exploit French Fintech Accounts to Move Stolen Money Before Detection appeared first on Cyber Security News.

Source: cybersecuritynews.com
