Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
Home/Threats/Cybercriminals Exploit French Fintech Accounts to Launder Stolen Funds
Threats

Cybercriminals Exploit French Fintech Accounts to Launder Stolen Funds

Key Takeaways Organized fraud networks are exploiting legitimate French fintech platforms to launder stolen funds by creating fraudulent business accounts. The operation, attributed to...

Emy Elsamnoudy
Emy Elsamnoudy
April 22, 2026 4 Min Read
51 0

Key Takeaways

  • Organized fraud networks are exploiting legitimate French fintech platforms to launder stolen funds by creating fraudulent business accounts.
  • The operation, attributed to “Bastardaseller” within the ASGARD network, leverages phishing to obtain Personally Identifiable Information (PII) and social engineering to bypass Know Your Customer (KYC) protocols.
  • These fraudulent accounts, often sold on dark web marketplaces for $200-$1,000, facilitate rapid, often irreversible, movement of illicit funds.
  • One in five new sign-ups in France on these platforms may be a mule account, contributing to a 25% increase in credit transfer fraud losses across the EEA, totaling $2.5 billion in 2023.

Cybercriminals Exploit French Fintech Platforms for Sophisticated Money Laundering

Organized criminal groups have devised an advanced scheme to launder illicit proceeds within France, utilizing business accounts on popular freelancer fintech platforms. These accounts serve as sophisticated money mules, enabling the rapid movement of stolen funds before detection can occur. This is not merely the work of individual scammers but a meticulously structured fraud operation designed to evade security measures at multiple stages.

Table Of Content

  • Key Takeaways
  • Cybercriminals Exploit French Fintech Platforms for Sophisticated Money Laundering
  • The Dark Web Marketplace for Mule Accounts
  • Mule Account Creation: Inside the Three-Phase Scheme
  • Phase 1: PII Collection via Phishing
  • Phase 2: Account Registration and KYC Bypass
  • Phase 3: Operational Handover
  • What You Should Do

Fintech providers such as Revolut, Wise, and N26, known for their expedited remote account opening processes, streamlined Know Your Customer (KYC) procedures, and robust business payment infrastructure (including SEPA transfers, invoicing, and payment processing), inadvertently provide the ideal environment for these fraudulent activities. While these features are highly beneficial for legitimate users, they also offer the speed and operational anonymity sought by criminal networks.

A verified individual entrepreneur account on these platforms grants fraudsters the ability to initiate instant payments, conduct business-like transactions, and transfer money internationally, all under the guise of a regulated financial service. This makes such accounts considerably more valuable to illicit actors than conventional consumer bank accounts, according to a detailed analysis.

The Dark Web Marketplace for Mule Accounts

Analysts from Group-IB have confirmed the active trade of mule accounts on European freelancer fintech platforms across dark web marketplaces. These illicit accounts are being sold for prices ranging from $200 to $1,000 each. The European Economic Area (EEA) experienced credit transfer fraud losses amounting to $2.5 billion in 2023, marking a 25 percent increase from the previous year, as reported by the EBA-ECB Joint Report on Payment Fraud. Mule accounts are identified as the primary vector for these losses, with funds often transferred within minutes via instant payment systems, making recovery nearly impossible.

The individual behind this specific operation is known as “Bastardaseller,” a key component of the broader ASGARD fraud network. This network specializes in the creation and distribution of verified European business accounts. Bastardaseller primarily operates a Telegram channel and lists these accounts on various dark web platforms. Group-IB’s customer data, extrapolated nationwide, indicates that almost 20% of new user sign-ups in France were confirmed as mule accounts, suggesting the true scope of the problem is likely much larger. The sophisticated nature of the attack allows it to remain largely invisible at individual checkpoints, only becoming apparent when the entire account lifecycle is analyzed holistically.

Mule Account Creation: Inside the Three-Phase Scheme

The fraudulent operation unfolds in three distinct phases, each designed to overcome specific security hurdles.

Phase 1: PII Collection via Phishing

In the initial phase, fraudsters launch extensive phishing campaigns to harvest victims’ Personally Identifiable Information (PII). These phishing sites are crafted with various cover stories; one documented instance involved a fake mortgage consultation service where victims submitted personal details under the pretense of receiving financial advice. The fintech platform perceives a real individual undertaking a legitimate check, while the victim remains unaware that their information is being compromised for fraudulent purposes.

Screenshot of a French phishing page to collect victim PII, with English translation (Source - Group-IB)
Screenshot of a French phishing page to collect victim PII, with English translation (Source – Group-IB)

Phase 2: Account Registration and KYC Bypass

Phase 2 involves using the stolen PII to register the fraudulent account. Group-IB researchers observed that operators employ SIM modem farm infrastructure to generate French-looking IP addresses and phone numbers, with addresses dynamically rotating within the same carrier pool to evade detection. Analysis of device timezone signals during these sessions indicates that the operators are not physically located in France. The KYC process, which often requires a real person presenting a valid identity document, sometimes with a live selfie or video verification, is circumvented through social engineering. Victims are contacted via phone or messaging, led to believe they are completing a routine verification step, and then guided to perform the necessary KYC actions.

Corroborating fraud signals during sign-up phase (Source - Group-IB)
Corroborating fraud signals during sign-up phase (Source – Group-IB)

Phase 3: Operational Handover

Once KYC is successfully passed, control of the account is transferred to the fraud operation. This typically occurs via the platform’s mobile application using a low-cost Android device. Analysis of subnet continuity reveals a link between this new login and the initial sign-up infrastructure, confirming that the handover is a deliberate operational maneuver by the fraudsters, rather than a legitimate access event.

What You Should Do

  • Fintech Platforms: Implement enhanced monitoring for MVNO IP addresses during desktop sign-up sessions. Track sign-up velocity across different networks, cities, and ISPs. Treat fingerprint spoofing artifacts as high-confidence fraud indicators. Flag device downgrades between KYC completion and subsequent operational account access. Critically, detection requires linking sessions across the entire account lifecycle and identifying network-level patterns, rather than evaluating individual accounts in isolation.
  • Individuals: Be highly suspicious of unsolicited requests for personal information, especially those related to financial services. Verify the legitimacy of any links or requests for KYC verification through official channels. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitphishingThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Lotus Wiper Destroys Data in Energy Sector Attacks

Next Post

Malicious Google Ads Push Crypto Wallet Drainers and Seed Phrase Theft

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us