Money Mule Account Detection for Fraud & AML Teams

The Infrastructure Problem

Financial crime does not fail because criminals are careless. It fails because the systems it builds leave structural residue.

A money mule account is not a strange or exceptional artifact. It is a functional component of criminal infrastructure—predictable in its role, reproducible in its design, and detectable in its shape. Understanding it requires less focus on individual suspicious transactions and more focus on what the account does within its network.

This article examines money mule accounts across three levels of analysis: the human layer of recruitment and motivation, the operational mechanics of how mule networks function, and the structural and temporal signatures that make them detectable even when no individual transaction appears abnormal.

‍

What Is a Money Mule?

A money mule is an individual whose bank account—knowingly or not—receives, holds, and forwards criminal proceeds on behalf of a criminal operator. The term reflects the operational role: the account carries value across the financial system, placing distance between the crime and its beneficiary.

This distance serves two purposes:

Insulation: The criminal's identity is replaced, in the transaction record, by a third-party account holder. Traceability degrades at each mule layer.
Apparent legitimacy: Funds passing through a real account held by a real person look different from funds moving directly between criminal parties. The audit trail becomes harder to read.

FinCEN's 2019 Advisory on Money Mule Schemes describes mule activity as a foundational mechanism in the laundering of proceeds from elder fraud, business email compromise, romance scams, and tax refund fraud—a consistent presence across the fraud typology landscape.

‍

Recruitment: How Mule Networks Are Built

Mule accounts do not self-assemble. Criminal networks build them through deliberate, scalable recruitment operations. The common thread across all recruitment methods is plausible deniability: the recruited individual should believe—or be able to claim—that their activity is legitimate.

‍

Recruitment Vectors

Thinsaction AML guide — money mule recruitment methods and fraud vectors including job scams, romance scams and social media targeting for financial crime detection — *Table 1 — Common Recruitment Vectors for Money Mule Accounts*

‍

The Three Mule Profiles

Unwitting mules are victims. They believe the cover story and do not understand they are participating in a crime. Their account activity is indistinguishable from witting mules at a structural level—which is precisely what makes behavioral analysis necessary.
Witting mules understand the gray area but rationalize participation. They accept commission-based compensation for the use of their account, often minimizing their legal exposure in their own assessment.
Professional mules are the third, increasingly documented category. They operate deliberately, manage sub-networks of mules beneath them, and may control multiple accounts simultaneously. Europol's annual European Money Mule Action (EMMA) operations have consistently identified this professional tier as a growing structural element of mule networks.

The operational implication is significant: professional mules introduce coordination above the individual account level. Detection at the single-account level will systematically underperform when mule networks include a professional management layer.

‍

How Mule Accounts Operate

A mule account follows a predictable operational workflow, regardless of the fraud typology it serves:

Activation: The account begins receiving deposits from multiple sources—fraud victims, other criminal accounts, or payment aggregators. These sources are typically geographically distributed and mutually unconnected.
Transit: Funds are moved onward quickly—via wire transfer, peer-to-peer payment, cryptocurrency exchange, or cash withdrawal. The account does not accumulate. It passes.
Abandonment: After the operational window closes, the account returns to dormancy or is discarded entirely.

Three behavioral characteristics are consistent across all mule account typologies:

Brevity: Operational windows are short. The interval between receiving and forwarding is deliberately compressed.
Fragmentation on intake: Incoming transfers arrive from multiple, geographically dispersed, mutually disconnected sources.
Concentration on output: Despite receiving from many, outbound movement typically converges toward a small number of destinations.

This is not random behavior. It is operational logic: aggregate from many, concentrate toward one.

‍

The Structural Fingerprint

The central analytical insight is this: a mule account's function creates its structure. The criminal purpose of the account—gather widely, transit quickly, disperse narrowly—produces a geometric shape in the transaction graph that is identifiable independent of amounts, flags, or account metadata.

That shape is the gather-scatter pattern.

Thinsaction AML analysis — gather-scatter transaction pattern revealing money mule account structure with multiple inbound sources and concentrated outbound flows — *Figure 1 — Gather-scatter topology of a mule account*

‍

The Gather Phase

Multiple accounts send funds to the mule within a defined time window. Analytically, these incoming sources are:

Geographically dispersed, often across regions or countries
Mutually disconnected—they share no transaction relationships with each other
Varying in amounts and timing, without the regularity of legitimate recurring payments

This is the fingerprint of coordinated sourcing at scale. Legitimate accounts do receive from multiple senders—but legitimate sources tend to be recurring, geographically consistent, and temporally predictable. The mule pattern diverges on all three dimensions.

‍

The Scatter Phase

Following the gather, the hub redirects funds outward—rapidly and toward a concentrated set of destinations. The temporal interval between incoming and outgoing transactions is characteristically short. The account is not accumulating value; it is channeling it.

The combination—many inbound, few outbound, compressed time window—is the structural definition of mule behavior in a transaction graph. Structure reveals what amounts cannot.

‍

The Network Level: Communities of Mules

Individual mule accounts are rarely deployed in isolation. Criminal networks coordinate multiple mules simultaneously to increase throughput, reduce per-account exposure, and introduce redundancy.

Thinsaction fraud detection — money mule network community graph showing coordinated accounts and shared destinations in AML transaction monitoring — *Figure 2 — Mule network community*

‍

When multiple mule accounts operate in the same network, two structural properties become visible at the graph level:

Community formation: Mule accounts share overlapping counterparties, similar transaction profiles, and coordinated timing. They form a coherent cluster within the broader transaction network—not through direct relationships with each other, but through their shared sources, shared destinations, and structural similarity. Graph community detection surfaces these clusters as groups that are internally more connected than their relationship to the rest of the network would suggest.
Shared downstreams: Multiple mules in the same network typically funnel funds toward the same final destinations, despite receiving from different sources. The convergence point at the downstream layer identifies the criminal beneficiary—the node the entire mule tier is serving.

These network-level properties are invisible when accounts are analyzed individually. They emerge only when the graph is examined as a whole.

‍

The Temporal Signal: Behavioral Change Points

A distinguishing characteristic of money mule accounts is their behavioral discontinuity. The transition from ordinary account behavior to mule operation is discrete, not gradual. It marks the moment of recruitment and activation.

Figure 3 — Temporal transaction profile of a mule account

‍

Before activation, the account exhibits typical behavior—or no behavior at all in the case of newly opened accounts. After activation, a structural shift occurs simultaneously across several dimensions:

Transaction frequency increases abruptly
New counterparties appear with no prior account relationship
The geographic scope of senders expands suddenly
The ratio of inbound to outbound transactions shifts toward the gather-scatter shape

After the operational window closes, the profile reverts to dormancy. The change is reversible. The record is not.

In coordinated mule networks, this behavioral change point often occurs across multiple accounts within a narrow time window—reflecting the synchronized deployment of a mule cohort. That synchronization amplifies the network-level signal.

Combined with the gather-scatter topology and the community coordination pattern, the temporal signal creates a multi-dimensional convergence. Accounts exhibiting all three simultaneously—structural shape, community membership, and behavioral change point—produce a significantly more robust detection signal than any single dimension in isolation.

‍

Conclusion

Money mule accounts are infrastructure. They are not accidents or anomalies. They are designed components of a system that requires physical and financial distance between criminal operations and criminal proceeds.

That design is their weakness.

The function of a mule account—receive from many, transit quickly, forward to few—produces a structural shape that persists across every variation of the pattern. The shape survives changes in amounts, changes in geography, changes in the underlying fraud typology. It is not contingent on a flagged account or a suspicious amount. It is the geometric consequence of what the account is built to do.

Seeing that shape, understanding it as a role within a coordinated network, and situating it within a behavioral timeline—that is the analytical shift that makes mule detection tractable at scale.

The infrastructure leaves a record. The question is whether you are looking at the right level to read it.

‍

References

1. Financial Crimes Enforcement Network (FinCEN). Advisory on Imposter Scams and Money Mule Schemes Related to the Coronavirus Disease 2019 (COVID-19) Pandemic. FIN-2019-A005, October 2019.

2. Financial Crimes Enforcement Network (FinCEN). Update on U.S. Currency Restrictions in Mexico: Funnel Accounts and TBML. FIN-2014-A005, May 2014.

3. Europol. European Money Mule Action (EMMA 7) — Results. Joint operation coordinated by Europol and Eurojust, 2022.

4. Financial Action Task Force (FATF). Professional Money Laundering. July 2018.

5. Federal Bureau of Investigation, Internet Crime Complaint Center (IC3). 2023 Internet Crime Report. 2024.

6. Starnini, M., Saracco, F., Yepes, A.J., Peralta, A.F., Tessone, C.J., & Toral, R. (2021). "Smurf-based anti-money laundering in time-evolving transaction networks." PLOS ONE, 16(6).

7. van Vlasselaer, V., Bravo, C., Caelen, O., Eliassi-Rad, T., Akoglu, L., Snoeck, M., & Baesens, B. (2015). "APATE: A novel approach for automated credit card transaction fraud detection using network-based extensions." Decision Support Systems, 75, 38–48.

8. Rakhmetulayeva, S., Duisebekova, K., Buribayev, Z., Bugubayeva, A., Tokmurzina, A., Zhumazhanov, B., & Moldagaliyev, A. (2025). "A Machine Learning Approach for Transaction-Based Money Laundering Detection." Procedia Computer Science, 254, 256–263.

‍