Organized Fraud Networks Exploit French Fintech Platforms to Launder Stolen Funds

What happened

Group-IB researchers have identified a structured three-phase fraud operation targeting French fintech platforms including Revolut, Wise, and N26, in which organized networks create verified business accounts using stolen identity information and use them as mule accounts to move stolen money before it can be traced or recovered.

The operation is attributed to a threat actor tracked as “Bastardaseller,” part of the broader ASGARD fraud network, which specializes in creating and selling verified European business accounts through Telegram channels and dark web marketplaces. Confirmed mule accounts on European freelancer fintech platforms are being sold for between $200 and $1,000 per account.

The three-phase scheme begins with phishing campaigns that collect victim PII through fake service sites, including one documented example impersonating a mortgage consultation platform. In the second phase, operators use the stolen PII to register accounts on fintech platforms, employing SIM modem farm infrastructure to generate French-looking IP addresses and phone numbers. KYC is bypassed by socially engineering the actual victim into completing the identity verification step themselves, through a link the victim believes is routine. In the third phase, once KYC passes, control of the account transfers to the fraud operation via a mobile app on a low-cost Android device, with subnet continuity linking the new login back to the sign-up infrastructure confirming the handover is deliberate.

Group-IB data, extrapolated nationwide, suggests that nearly one in five sign-up users in France corresponded to a confirmed mule account. Credit transfer fraud losses across the European Economic Area reached $2.5 billion in 2023, a 25% increase from the prior year, with mule accounts as the primary vehicle. Funds are typically moved within minutes via instant payment rails, often beyond recovery before detection occurs.

Who is affected

French fintech platforms and their fraud teams are the primary targets, with the operation specifically designed to pass individual KYC checkpoints undetected. Victims whose PII was harvested through phishing face identity misuse without their knowledge. Financial institutions and businesses that receive or process payments from compromised mule accounts face secondary exposure.

Why CISOs should care

This operation is built to be invisible at every individual checkpoint. The KYC step, which most platforms treat as a trust anchor, is being completed by the actual victim under social engineering, making it genuinely difficult to distinguish from a legitimate account opening. The fraud only becomes visible when the full account lifecycle is analyzed as a connected sequence rather than a series of isolated events.

For security and fraud leaders at financial platforms, the implication is direct: point-in-time verification controls are not sufficient against fraud networks that engineer legitimate-looking behavior at each individual stage. Detection requires cross-session, cross-lifecycle analysis at the network level.

3 practical actions

  1. Flag MVNO IP addresses and SIM farm infrastructure during sign-up sessions: Group-IB specifically identifies MVNO IP addresses on desktop sign-up sessions and rotating carrier dynamic pool addresses as high-confidence fraud signals that should trigger additional scrutiny before account activation.
  2. Monitor for device and session discontinuities between KYC and post-activation logins: The operational handover in this scheme creates a detectable pattern in which the device, subnet, and behavioral profile of the account after KYC completion differ from those of the sign-up session. Cross-lifecycle session linking is the recommended detection method.
  3. Treat fintech business account abuse as a third-party risk category: Organizations that process payments from or integrate with European fintech platforms should assess their exposure to transactions originating from mule accounts and review whether current transaction monitoring rules account for the velocity and behavioral patterns associated with structured laundering operations.
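The cross-lifecycle analysis called for under "Why CISOs should care" and in actions 1 and 2 can be sketched as a small session-linking routine. The following is an added illustration written for this summary, not Group-IB's detection logic or any fintech platform's code: the session records, the `MVNO_RANGES` list (documentation address space standing in for carrier dynamic pools), the event field names and the signal names are all constructed assumptions. It groups sign-up, KYC and post-activation login events per account, flags an MVNO address on a desktop sign-up, and flags a first post-KYC login that arrives from a new device while its subnet matches the sign-up infrastructure rather than the device the victim used for KYC.

```python
"""Cross-lifecycle session linking for mule-account triage (constructed example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption: placeholder MVNO / carrier dynamic-pool ranges. These are RFC 5737
# documentation networks, not real carrier allocations; a real deployment would
# load a maintained MVNO/ASN feed here.
MVNO_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass(frozen=True)
class SessionEvent:
    account_id: str
    stage: str       # "signup", "kyc" or "login" (constructed vocabulary)
    ts: int          # epoch seconds
    ip: str
    device_id: str   # device fingerprint / install id (constructed)
    platform: str    # "desktop" or "mobile"


def is_mvno_ip(ip: str) -> bool:
    """True if the address falls inside one of the assumed MVNO pools."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MVNO_RANGES)


def subnet_of(ip: str, prefix: int = 24) -> str:
    """Coarse subnet key used to link sessions to the same infrastructure."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def link_lifecycles(events: list[SessionEvent]) -> dict[str, list[SessionEvent]]:
    """Group events per account and order them in time (the 'lifecycle')."""
    by_account: dict[str, list[SessionEvent]] = defaultdict(list)
    for ev in events:
        by_account[ev.account_id].append(ev)
    for evs in by_account.values():
        evs.sort(key=lambda e: e.ts)
    return dict(by_account)


def score_lifecycle(events: list[SessionEvent]) -> list[str]:
    """Return the fraud signals present in one account's ordered lifecycle."""
    signals: list[str] = []
    signup = next((e for e in events if e.stage == "signup"), None)
    kyc = next((e for e in events if e.stage == "kyc"), None)

    # Action 1: MVNO / dynamic-pool address on a *desktop* sign-up session.
    if signup and signup.platform == "desktop" and is_mvno_ip(signup.ip):
        signals.append("mvno_ip_on_desktop_signup")

    if signup is None or kyc is None:
        return signals

    # Action 2: look at the first login after KYC, i.e. the handover point.
    first_login = next((e for e in events if e.stage == "login" and e.ts > kyc.ts), None)
    if first_login is None:
        return signals
    if first_login.device_id != kyc.device_id:
        signals.append("post_kyc_device_change")
    # Subnet continuity: the new login sits on the sign-up infrastructure's
    # subnet even though the victim's KYC session did not.
    if (subnet_of(first_login.ip) == subnet_of(signup.ip)
            and subnet_of(kyc.ip) != subnet_of(signup.ip)):
        signals.append("post_kyc_subnet_returns_to_signup_infra")
    return signals


def triage(events: list[SessionEvent]) -> dict[str, str]:
    """Map each account to a review decision based on how many signals fire."""
    decisions = {}
    for account_id, lifecycle in link_lifecycles(events).items():
        n = len(score_lifecycle(lifecycle))
        decisions[account_id] = (
            "hold_for_review" if n >= 2 else "additional_scrutiny" if n == 1 else "clear"
        )
    return decisions


# Constructed sample telemetry: one handover pattern, one partial hit, one clean account.
SAMPLE_EVENTS = [
    SessionEvent("acc-mule", "signup", 1000, "203.0.113.45", "dsk-7f3a", "desktop"),
    SessionEvent("acc-mule", "kyc", 2000, "192.0.2.10", "ios-victim-01", "mobile"),
    SessionEvent("acc-mule", "login", 3000, "203.0.113.77", "android-cheap-22", "mobile"),
    SessionEvent("acc-partial", "signup", 1000, "198.51.100.9", "dsk-11aa", "desktop"),
    SessionEvent("acc-partial", "kyc", 1400, "198.51.100.9", "dsk-11aa", "desktop"),
    SessionEvent("acc-partial", "login", 4000, "198.51.100.12", "dsk-11aa", "desktop"),
    SessionEvent("acc-legit", "signup", 1000, "192.0.2.50", "ios-user-9", "mobile"),
    SessionEvent("acc-legit", "kyc", 1500, "192.0.2.50", "ios-user-9", "mobile"),
    SessionEvent("acc-legit", "login", 5000, "192.0.2.51", "ios-user-9", "mobile"),
]

if __name__ == "__main__":
    for account, decision in triage(SAMPLE_EVENTS).items():
        print(account, decision)
```

The point of the routine is that none of the three events for `acc-mule` looks wrong on its own; only the ordered sequence (desktop sign-up from a carrier pool, KYC from an unrelated consumer device, then a fresh device on the sign-up subnet) produces the hold. Thresholds and the subnet prefix are deliberately crude here; a production rule would weight signals and tune the prefix to the carrier pools actually observed.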