Cybercriminals are running a large-scale money laundering operation in India through a network of hired money mules, coordinated by an Android application called XHelper. The app is used to recruit, manage and pay these mules, according to a report by CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel.
The scheme first came to light in late October 2023, when Chinese cybercriminals exploited the fact that Indian Unified Payments Interface (UPI) service providers are not covered by the Prevention of Money Laundering Act (PMLA). That gap allowed them to run illegal transactions under the pretext of offering instant loans. The proceeds are routed through the accounts of hired mules, recruited via Telegram, who keep a commission of 1-2% of each transaction amount.
At the centre of the operation are Chinese-run payment gateways that abuse the UPI QR code feature. A vast network of hired 'money mule' accounts launders the illicit funds through these fraudulent payment channels, and the money is ultimately moved back to China. XHelper is the management layer for the mules: it lets them track their earnings and runs the payout and collection workflow.
The app is distributed through websites that pose as legitimate businesses, presented as a "Money Transfer Business." Besides managing mules, it also supplies the fake payment gateway technology used in various scams. To get started, mules must register their UPI IDs in a prescribed format and configure their online banking credentials in the app.
Tasks come in two kinds. A payout order requires the mule to forward funds to a pre-designated account within 10 minutes; a collection order means receiving incoming funds from other scammers using the platform. Mules accept and complete these laundering tasks in the XHelper app, which assigns orders automatically based on predetermined criteria or the mule's profile.
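As an added illustration (not from the CloudSEK report or this article), the two operational details above, a 10-minute forwarding deadline and a 1-2% commission, give a bank or UPI provider a usable detection heuristic: an account that repeatedly receives a credit and forwards all but a small cut to the same destination within minutes is behaving like a payout mule. The Python below pairs each credit in an account ledger with the first later debit that forwards it within the window and flags accounts with several such pairs. The `Txn` record, the thresholds and the sample ledger are constructed assumptions for the example.

```python
"""Pass-through ("mule") detection over a UPI account ledger.

Added example: the Txn record, thresholds and sample ledger below are constructed
assumptions, not data from CloudSEK's report. The heuristic encodes two details of
the scheme as described: funds are forwarded to a pre-designated account within
about 10 minutes, and the mule keeps a commission of roughly 1-2%.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str        # account whose ledger this entry belongs to (constructed)
    ts: datetime
    amount: float       # positive = credit received, negative = debit sent
    counterparty: str   # UPI ID on the other side (constructed)


def find_passthrough_pairs(ledger, window=timedelta(minutes=10),
                           min_cut=0.0, max_cut=0.03):
    """Pair each credit with the first later debit inside `window` that forwards
    all but a small cut (min_cut..max_cut of the credit). Each debit is used once."""
    credits = sorted((t for t in ledger if t.amount > 0), key=lambda t: t.ts)
    debits = sorted((t for t in ledger if t.amount < 0), key=lambda t: t.ts)
    used = set()
    pairs = []
    for c in credits:
        for i, d in enumerate(debits):
            if i in used or d.ts < c.ts or d.ts - c.ts > window:
                continue
            retained = (c.amount + d.amount) / c.amount  # share the account kept
            if min_cut <= retained <= max_cut:
                pairs.append((c, d))
                used.add(i)
                break
    return pairs


def score_accounts(txns, min_pairs=3):
    """Group a mixed ledger by account and report accounts with at least
    `min_pairs` pass-through pairs, plus where the forwarded money went."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    flagged = {}
    for acct, ledger in by_account.items():
        pairs = find_passthrough_pairs(ledger)
        if len(pairs) < min_pairs:
            continue
        cuts = [(c.amount + d.amount) / c.amount for c, d in pairs]
        flagged[acct] = {
            "pairs": len(pairs),
            "payout_destinations": sorted({d.counterparty for _, d in pairs}),
            "avg_cut_pct": round(100 * sum(cuts) / len(cuts), 2),
        }
    return flagged


T0 = datetime(2024, 1, 15, 10, 0, 0)

# Constructed sample ledger. mule1@upi receives three unrelated credits and forwards
# about 98.5% of each to one payout ID within minutes; shop@upi is an ordinary
# merchant whose debits do not line up with any single credit.
SAMPLE_TXNS = [
    Txn("mule1@upi", T0, 10000.0, "payer-a@upi"),
    Txn("mule1@upi", T0 + timedelta(minutes=4), -9850.0, "payout-x@upi"),
    Txn("mule1@upi", T0 + timedelta(hours=1), 25000.0, "payer-b@upi"),
    Txn("mule1@upi", T0 + timedelta(hours=1, minutes=7), -24600.0, "payout-x@upi"),
    Txn("mule1@upi", T0 + timedelta(hours=3), 4000.0, "payer-c@upi"),
    Txn("mule1@upi", T0 + timedelta(hours=3, minutes=2), -3940.0, "payout-x@upi"),
    Txn("shop@upi", T0, 120.0, "cust1@upi"),
    Txn("shop@upi", T0 + timedelta(minutes=3), 80.0, "cust2@upi"),
    Txn("shop@upi", T0 + timedelta(minutes=5), -200.0, "supplier@upi"),
    Txn("shop@upi", T0 + timedelta(hours=8), 450.0, "cust3@upi"),
    Txn("shop@upi", T0 + timedelta(hours=9), -5000.0, "rent@upi"),
]

if __name__ == "__main__":
    for acct, info in score_accounts(SAMPLE_TXNS).items():
        print(acct, info)
```

Running it flags only mule1@upi (three pairs, one payout destination, average cut about 1.5%), while the merchant account never matches because each of its debits is larger than any single preceding credit. In practice the window, cut range and pair threshold need tuning against the institution's own traffic, and a single hit is a signal for review rather than proof; the point of the example is that the scheme's own operating rules (a deadline and a fixed commission) are what make it detectable.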
XHelper also supports a tier of agents whose job is to enlist mules. The referral scheme is pyramid-shaped: agents are rewarded for recruiting more mules and for bringing in further agents, so the network keeps growing. The app even trains mules in laundering stolen funds efficiently, through a built-in Learning Management System with tutorials covering each step of the process.
The transfers themselves are made through the UPI feature of legitimate banking apps. Beyond that, the platform offers tactics for getting around account freezes so mules can keep operating, and it coaches mules on how to handle verification calls from bank customer-support staff checking suspicious transactions. For a bank this means a mule-side call-back that "confirms" a payment is weak evidence on its own that the transaction is legitimate.
XHelper is a serious concern, but it is not an isolated case: CloudSEK found a growing ecosystem of similar apps that facilitate money laundering across a range of scams. The disclosure follows Europol's announcement that 1,013 people were arrested in the second half of 2023 in a global crackdown on money laundering, and Kaspersky's report of a rise in malware, adware, and riskware attacks on mobile devices in 2023.
As mule-management tooling of this kind matures, law enforcement, banks and UPI providers will need to keep pace with schemes that are built around their own verification and freeze controls.