Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts

Cybercriminals are openly selling verified bank accounts, fintech wallets, and cryptocurrency exchange accounts through Telegram channels, turning money laundering into a structured, on-demand criminal service.

This underground market has grown far beyond informal recruitment and now operates like a professional industry, complete with tiered pricing, customer support, and account replacement guarantees.

The funds moved through these networks often come from phishing campaigns, ransomware attacks, Business Email Compromise scams, and investment fraud. In the United States, an estimated 0.3% of all accounts at financial institutions are believed to be mule-controlled.

These operations rely on stolen identities, AI-generated personas, and compromised credentials to create accounts that pass identity checks at banks and fintech platforms.

Criminals use forged documents, deepfake videos, and synthetic identity kits to onboard new accounts without triggering fraud alerts. Once active, these accounts receive illicit funds, quickly disperse them across multiple institutions, and withdraw the money before any financial institution can respond.

Analysts at KELA Cyber Intelligence Center identified extensive underground activity tied to these mule networks across Telegram channels, dark web forums, and encrypted messaging groups. 

KELA said in a report shared with Cyber Security News (CSN) that threat actors are openly advertising verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and full-service laundering operations at industrial scale.

Cybercriminals Use Telegram Channels

Telegram has become the primary storefront for what researchers call Mule-as-a-Service, or MaaS, a specialized segment of the broader Fraud-as-a-Service ecosystem.

User in a Telegram channel offering bank accounts from various U.S. banks (Source - Kela)

Sellers openly list accounts from banks across the United States, Latin America, and Europe, with some posts advertising hundreds of accounts alongside customer vouchers to prove reliability.

These channels operate with a structure that mirrors legitimate e-commerce businesses, including refund policies if a purchased account gets frozen or restricted.

KELA identified nearly 250,000 Telegram messages related to Brazilian “Contas Laranja,” or “Orange Accounts,” which are bank accounts rented or fraudulently created to move funds through Brazil’s PIX instant payment system.

In Argentina, over 100,000 Telegram messages referenced the sale or rental of accounts linked to CBU and CVU identifiers used by local banks and digital wallets.

Colombian fintech platforms such as Nequi and Daviplata were also flagged in underground discussions for their perceived ease of onboarding.

Some sellers offer complete cash-out pipelines where a buyer transfers dirty funds and receives clean money in return. One actor on a Russian-origin Telegram channel called GrossInfo was observed selling edited identity documents to help bypass Know Your Customer checks.

These sellers also advertise PSD document templates designed to pass automated identity verification, with one such post collecting more than 400 replies from interested buyers. (Figure 1: A post offering PSD templates for KYC bypass on a dark web forum)

AI Is Making These Operations Harder to Detect

Artificial intelligence has fundamentally changed how mule accounts are created and managed. Threat actors use large language models, deepfake video tools, and platforms like RunwayML to fabricate realistic facial movement videos that trick remote verification systems at banks and fintech apps.

One manual shared on the CrackedTo forum instructed users to prompt ChatGPT with phrases like “generate natural facial movements for verification” to fool banking application liveness checks.

Beyond account creation, AI automates account warming, where bots carry out low-risk transactions like paying utility bills to make an account appear legitimate before illicit funds arrive.

User in carding Telegram channel offering money mule services (Source - Kela)

Predictive smurfing algorithms dynamically adjust transfer sizes and timing to stay below Anti-Money Laundering detection thresholds. Voice cloning tools built on Retrieval-based Voice Conversion systems can also replicate a victim’s voice to bypass callback verification at financial institutions.

To defend against these threats, KELA recommends that organizations actively monitor dark web forums and Telegram channels for emerging MaaS activity.

Financial institutions should upgrade identity verification systems to detect deepfake injection attacks, where synthetic video is fed directly into a banking application’s input pipeline rather than shown to a physical camera.

Security teams should also deploy behavioral analytics capable of recognizing AI-assisted account warming and adaptive smurfing behaviors that standard AML systems are not built to catch.
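As an added illustration of the behavioral analytics recommended above (example code written for this page, not taken from the KELA report), the sketch below scores an account history for the pattern the article describes: a run of small "warming" payments, then a large credit that is dispersed to several institutions within hours. The thresholds, field names, and sample transactions are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed tuning values for this illustration (not from the KELA report).
WARM_MAX_AMOUNT = 200.0             # warming payments are small
BURST_WINDOW = timedelta(hours=24)  # how fast funds must leave
MIN_FANOUT = 3                      # distinct receiving institutions
MIN_PASS_THROUGH = 0.8              # share of inbound funds forwarded

def mule_signals(txns):
    """Score one account's history for a warm-then-burst pass-through pattern."""
    txns = sorted(txns, key=lambda t: t["ts"])
    # The first credit larger than any warming payment starts the burst window.
    big_in = next((t for t in txns
                   if t["dir"] == "in" and t["amount"] > WARM_MAX_AMOUNT), None)
    if big_in is None:
        return {"warmed": False, "pass_through": 0.0, "fanout": 0, "flag": False}
    before = [t for t in txns if t["ts"] < big_in["ts"]]
    # Warming: several earlier transactions, all of them low value.
    warmed = len(before) >= 3 and all(t["amount"] <= WARM_MAX_AMOUNT for t in before)
    window = [t for t in txns
              if big_in["ts"] <= t["ts"] <= big_in["ts"] + BURST_WINDOW]
    inbound = sum(t["amount"] for t in window if t["dir"] == "in")
    outs = [t for t in window if t["dir"] == "out"]
    # Amount-independent signals, so resizing transfers does not hide them.
    ratio = min(sum(t["amount"] for t in outs) / inbound, 1.0)
    fanout = len({t["party"] for t in outs})
    flag = warmed and ratio >= MIN_PASS_THROUGH and fanout >= MIN_FANOUT
    return {"warmed": warmed, "pass_through": round(ratio, 2),
            "fanout": fanout, "flag": flag}

def tx(day, hour, direction, amount, party):
    return {"ts": datetime(2025, 1, day, hour), "dir": direction,
            "amount": amount, "party": party}

# Constructed sample histories, not real data.
MULE = [tx(1, 9, "out", 45.10, "Utility A"), tx(4, 9, "out", 30.00, "Utility A"),
        tx(9, 9, "out", 62.50, "Telecom B"), tx(20, 10, "in", 9400.00, "Bank X"),
        tx(20, 12, "out", 3100.00, "Bank C"), tx(20, 13, "out", 3000.00, "Fintech D"),
        tx(20, 15, "out", 2900.00, "Exchange E")]
PAYROLL = [tx(1, 9, "in", 3000.00, "Employer"), tx(2, 9, "out", 1200.00, "Bank L"),
           tx(3, 9, "out", 60.00, "Utility A")]

if __name__ == "__main__":
    for name, history in (("mule", MULE), ("payroll", PAYROLL)):
        print(name, mule_signals(history))
```

Because the flag depends on pass-through ratio and fan-out rather than on any fixed amount band, it keeps firing when transfer sizes are adjusted to sit below a reporting threshold.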

Indicators of Compromise (IoC)

Type: .onion URL
Indicator: exiliow4ctlzrvaglkgwqnpxdlvrxmdgvuy2hkbzqoziebfim6q5hwid.onion
Description: Brazilian dark web forum “Exillio404” used to exchange operational guidance on money mule operations, account rentals, and laundering techniques

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts appeared first on Cyber Security News.
