Telegram channels are turning verified bank and fintech accounts into money mule marketplaces

Cybercriminals are using Telegram channels, dark web forums, and encrypted groups to sell verified bank accounts, fintech wallets, and cryptocurrency exchange accounts for money laundering. These accounts help criminals move funds from phishing, ransomware, business email compromise, investment scams, and account takeover operations.

The market has grown into a structured Mule-as-a-Service economy. A KELA Cyber Intelligence Center report says threat actors advertise verified accounts, forged identity documents, synthetic profiles, and full-service laundering pipelines across underground platforms.

This shift matters because criminals no longer need to recruit every mule manually. They can buy accounts that already passed identity checks, rent laundering infrastructure, or pay operators to cash out stolen funds.

What Mule-as-a-Service means

A money mule is someone who moves illegal funds for another person or group. The FBI money mule warning says mules may transfer funds through bank accounts, virtual currency, prepaid cards, cashier’s checks, or money service businesses.

Mule-as-a-Service turns that role into a criminal marketplace. Sellers offer accounts, documents, onboarding support, withdrawal options, refund terms, and replacement accounts if a bank freezes access.

For fraud groups, this lowers the barrier to laundering stolen funds. For banks and fintech platforms, it makes account verification and transaction monitoring harder because the criminal infrastructure can look legitimate at first.

Key details at a glance

Topic	Details
Threat model	Mule-as-a-Service and Fraud-as-a-Service
Main marketplace	Telegram channels, dark web forums, and encrypted groups
Products sold	Verified bank accounts, fintech wallets, crypto exchange accounts, forged documents, and cash-out services
Main funding sources	Phishing, ransomware, BEC, investment fraud, banking malware, and account takeover
AI role	Deepfake KYC bypass, synthetic identities, document forgery, account warming, and transaction optimization
High-risk regions discussed	Brazil, Argentina, Colombia, the United States, Europe, and other digital finance markets

Why Telegram has become a storefront for mule accounts

Telegram gives fraud sellers reach, speed, and a familiar sales format. Channels can display account stock, prices, country targeting, customer vouchers, and rules for replacement if an account stops working.

Some sellers advertise accounts from U.S., European, and Latin American banks. Others focus on fintech wallets, crypto exchanges, or instant payment systems where funds can move quickly before a victim or financial institution reacts.

These channels often look less like informal chats and more like underground e-commerce stores. They use pricing tiers, proof screenshots, reseller language, and support-style communication to attract buyers.

Latin America is a major hotspot

KELA found heavy underground activity tied to Latin American mule accounts. In Brazil, criminals advertise Contas Laranja, or Orange Accounts, to move money through the PIX instant payment system.

The same KELA research says analysts found nearly 250,000 Telegram messages in which threat actors showed interest in acquiring, selling, or using Contas Laranja. Argentina also showed large Telegram activity around CBU and CVU-linked bank and wallet accounts.

Colombian fintech platforms such as Nequi and Daviplata also appear in underground discussions. Criminals often look for platforms where onboarding is fast, transfers are instant, and fraud teams have limited time to stop withdrawals.

How AI is changing mule account creation

AI is helping criminals scale identity fraud. Attackers can combine stolen personal data with synthetic profile details, fake documents, AI-generated photos, and deepfake videos to pass remote onboarding checks.

A World Economic Forum report explains how deepfake-based KYC attacks can use forged or stolen documents, face-swapped media, camera injection tools, and device manipulation to create financial accounts not controlled by the real applicant.

These methods attack the identity layer before money even moves. If a bank approves a synthetic or hijacked identity, criminals gain an account that can receive fraud proceeds and pass early trust checks.

Deepfake injection makes liveness checks weaker

Older spoofing attacks often tried to show a fake image or video to a real camera. Newer attacks can inject synthetic video directly into a device or app input stream, making the verification system believe it is receiving a live camera feed.

The WEF paper says deepfake-facilitated KYC attacks can support fake financial account creation, loan fraud, money laundering, payout collection, and other financial abuse.

This creates a direct problem for banks and fintech platforms that rely too heavily on one-time biometric checks. Fraud teams now need device signals, behavior analysis, document forensics, and ongoing monitoring after onboarding.

What criminals sell in mule marketplaces

• Verified bank accounts in specific countries or regions.
• Fintech wallets tied to instant payment systems.
• Cryptocurrency exchange accounts that passed KYC checks.
• Forged ID documents, proof-of-address files, and editable templates.
• Deepfake or synthetic verification material.
• Account warming services using low-risk transactions.
• Full cash-out pipelines that convert stolen funds into cleaner money.

Account warming makes fraud harder to spot

Fraudsters do not always use a mule account immediately. They may warm it first by running small, low-risk transactions that make the account look normal.

That activity can include small payments, balance checks, utility payments, transfers between related accounts, or basic wallet use. The goal is to build a transaction history before larger illegal funds arrive.

AI can automate this process by adjusting timing, values, and destinations. Some actors also use predictive smurfing to keep transfers below common anti-money laundering thresholds.

Why ordinary people still face legal risk

Not every mule understands the full scheme. Some people get recruited through fake jobs, romance scams, investment scams, or social media messages that promise easy commissions for receiving and forwarding money.

INTERPOL’s money mule guidance warns that people may face prosecution if they let others use their accounts to receive and move criminal funds, even when they did not fully understand the crime at first.

That risk has grown because mule recruitment no longer depends only on one-to-one grooming. Criminals can now buy accounts, rent identities, or use synthetic data, but they still recruit real people when fresh accounts or cash withdrawals are needed.

How financial institutions can respond

Banks and fintech companies need to treat mule detection as both an identity problem and a transaction problem. One-time KYC checks cannot stop fraud if criminals can bypass onboarding and then warm accounts gradually.

Fraud teams should combine dark web and Telegram intelligence with behavior analytics, device fingerprinting, document checks, and graph-based monitoring across related accounts. They should also monitor sudden changes in transaction purpose, device access, geolocation, and payment speed.

The FBI says money mules add layers of distance between victims and criminals, making money trails harder to trace. That is exactly why early detection matters before funds scatter across banks, wallets, crypto exchanges, and cash-out routes.

Recommended actions for banks and fintech platforms

• Monitor Telegram channels, dark web forums, and fraud marketplaces for accounts linked to your brand.
• Detect deepfake injection attacks during onboarding, not only visual spoofing.
• Use device intelligence and behavioral analytics after KYC approval.
• Flag accounts that show artificial warming before larger transfers.
• Track linked devices, IP ranges, phone numbers, identity documents, and repeated payout destinations.
• Review accounts that rapidly receive and disperse funds across multiple platforms.
• Share confirmed mule-account intelligence with law enforcement and sector partners.

Recommended actions for consumers

• Do not let anyone use your bank account, fintech wallet, or crypto account to receive money.
• Reject job offers that ask you to move funds for a commission.
• Do not upload your ID documents to unknown Telegram contacts or unofficial recruiters.
• Report suspicious account rental offers to your bank and local authorities.
• Stop communication immediately if someone asks you to receive and forward money.
• Watch for fake investment, romance, delivery, and government impersonation messages.

The bigger picture

Mule accounts sit at the point where online fraud becomes money. Without accounts to receive and move funds, many scams become harder to monetize.

INTERPOL says criminals recruit mules through job scams, romance scams, investment scams, and impersonation scams. Telegram-based Mule-as-a-Service adds a new layer by turning that supply into a searchable market.

The result is a faster and more industrial laundering ecosystem. Criminals can buy verified accounts, use AI to create new identities, warm accounts with automated activity, and move money through multiple platforms before victims realize what happened.

For defenders, the answer is not only better transaction alerts. Financial institutions need earlier intelligence on underground account sales, stronger onboarding controls, deepfake-resistant verification, and better monitoring of account behavior after approval.

FAQ