Mule Operators in META Adopt Advanced Fraud Schemes

Aug. 20, 2025
Security researchers have revealed how mule operators across the Middle East, Turkey and Africa (META) region have evolved from basic internet-masking tricks to sophisticated multi-layer fraud networks that now blend digital deception with physical logistics.

According to a new report by Group-IB, mule actors two years ago relied on simple VPN and proxy tools to mask their locations. Regulatory controls and IP reputation checks quickly rendered these tactics ineffective.

By 2023, however, fraudsters had shifted to roaming SIM cards, Starlink terminals and GPS spoofing to bypass location checks in regional banking systems.

The researchers noted that one of the largest mule groups, operating out of Syria and Turkey, combined stolen identities, eSIMs and GPS manipulation to open hundreds of accounts. Funds linked to extremist financing networks were later traced through these channels.

“Fraud leaves patterns,” the report said.

“With the right telemetry, even complex schemes can be disrupted.”

By mid-2024, mule networks began removing SIM cards from devices to evade detection tied to telecom fingerprints.

At the same time, a more structured model emerged. So-called first-layer mules opened bank accounts legitimately, built trust by behaving like ordinary customers, and then passed credentials to overseas operators who conducted laundering operations.

Fraud groups increasingly disguised these schemes as business partnerships, using formal documents, expense reimbursements and corporate-style narratives to avoid scrutiny.

In early 2025, researchers observed a further escalation: physical device muling. Instead of passing login credentials, fraudsters shipped preconfigured smartphones across borders. Device fingerprints stayed consistent, making the fraud more difficult to detect.

Still, Group-IB said its behavioral biometrics flagged discrepancies in swipe speed, typing rhythm and transaction patterns, revealing when accounts had been handed over to new operators.

The report also highlights a deceptive trend in which fraudsters manipulate multiple victims in sequence. For instance, Victim A is tricked into sending funds to Victim B, who is then deceived into forwarding the money, unknowingly acting as a mule.

Key Recommendations for Banks

Group-IB advised financial institutions to strengthen defenses through:

  • Multi-layered fraud detection combining IP, GPS, SIM and behavioral signals

  • AI-driven anomaly detection and continuous intelligence sharing

  • Enhanced know-your-customer (KYC) and video verification safeguards against synthetic identities

  • Graph-based analysis to uncover hidden mule networks
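
As an illustration of the first recommendation, the following added example (not code from Group-IB or its report) combines IP, GPS, SIM and behavioral signals for a single session and raises the device-handover case described above, where the fingerprint is unchanged but the operator's behavior is not. The field names, the z-score threshold and the review policy are assumptions, and the sample data is constructed.

```python
from statistics import mean, pstdev

BEHAVIOUR_KEYS = ("typing_ms", "swipe_px_s")  # hypothetical telemetry fields

def zscore(value, history):
    """Distance of value from the account's own history, in standard deviations."""
    sd = pstdev(history)
    return 0.0 if sd == 0 else abs(value - mean(history)) / sd

def assess_session(session, baseline, z_limit=3.0):
    """Return the signals one session raises against the account baseline."""
    flags = []
    if session["ip_country"] != session["gps_country"]:
        flags.append("ip_gps_mismatch")
    sim = session.get("sim_country")
    if sim is None:
        # Only meaningful if this account normally reports a SIM.
        if baseline["sim_seen"]:
            flags.append("sim_removed")
    elif sim != session["gps_country"]:
        flags.append("sim_gps_mismatch")
    if session["device_id"] not in baseline["device_ids"]:
        flags.append("new_device")
    elif any(zscore(session[k], baseline[k]) > z_limit for k in BEHAVIOUR_KEYS):
        # Fingerprint unchanged, but the person using the device behaves differently.
        flags.append("behaviour_drift_on_known_device")
    return flags

def needs_review(flags):
    """Assumed policy: drift on a known device alone, or any two signals together."""
    return "behaviour_drift_on_known_device" in flags or len(flags) >= 2

# Constructed sample data; "AA" and "BB" are placeholder country codes.
BASELINE = {
    "device_ids": {"dev-001"},
    "sim_seen": True,
    "typing_ms": [180, 190, 175, 185, 182],   # mean interval between keystrokes
    "swipe_px_s": [900, 950, 920, 880, 910],  # mean swipe speed
}
USUAL = {"device_id": "dev-001", "ip_country": "AA", "gps_country": "AA",
         "sim_country": "AA", "typing_ms": 184, "swipe_px_s": 905}
HANDED_OVER = {"device_id": "dev-001", "ip_country": "AA", "gps_country": "AA",
               "sim_country": None, "typing_ms": 95, "swipe_px_s": 1500}

if __name__ == "__main__":
    for name, s in (("usual", USUAL), ("handed_over", HANDED_OVER)):
        raised = assess_session(s, BASELINE)
        print(name, raised, needs_review(raised))
```

A single disagreeing signal, such as an IP country that differs from GPS, is recorded but does not trigger review under this assumed policy; the layers are meant to corroborate one another.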

The report concludes that fraud is no longer purely digital, but is now intertwined with human recruitment, logistics and even artificial intelligence. The growing use of deepfakes and synthetic documents, it warns, could accelerate mule operations and complicate detection further.
