Fraudsters Evolve: How Money Mules Are Using Starlink and AI to Launder Funds
Over the past two years, the banking sector across the Middle East, Turkey, and Africa has witnessed a marked evolution in cash-out schemes driven by so-called “money mules.” According to Group-IB, drawing on data from more than 200 million mobile sessions and thousands of investigations, fraudsters have steadily advanced from simple IP-masking tactics to multi-layered operations involving Starlink satellite terminals, forged GPS coordinates, SIM identification evasion, and even the cross-border shipment of pre-configured smartphones.
At first, criminals relied on basic tools such as VPNs and proxy servers. Yet stringent regulatory controls in Gulf states quickly rendered these methods useless, as connections from hosting providers and anonymizers were automatically blocked. New workarounds soon emerged, including the use of SIM cards and eSIMs registered in target countries, as well as Starlink stations that spoofed originating IP addresses. While such connections appeared legitimate on the surface, discrepancies between GPS readings and mobile operator data exposed their fraudulent nature and became the basis for identifying campaigns.
The next wave brought large-scale geolocation spoofing on smartphones. Previously, mandatory GPS access in banking apps served as a reliable barrier, but by 2024 criminal groups had mastered coordinate manipulation on both Android and iOS. One Syrian-Turkish network stood out in particular, using GPS spoofing and counterfeit SIM cards to mass-open accounts for laundering operations, some linked to extremist financing. Banks countered these efforts with Group-IB’s SDK, capable of detecting GPS anomalies and mismatches with device data.
When the correlation of GPS and SIM identifiers grew harder to bypass, fraudsters turned to SIM-less smartphones, operating via Wi-Fi through routers or tethering from other devices. In parallel, a more elaborate model took shape: recruiting “first-layer” operatives within target countries. These individuals opened accounts in their own names, passed KYC, and maintained them legitimately for a period to build a “trust history.” Afterwards, credentials were transferred abroad to operators who conducted transactions, often disguised as business ventures, investment agreements, or trade deals.
The most sophisticated phase of mule operations involved shipping pre-prepared devices. In trusted jurisdictions, first-layer mules opened accounts, fulfilled all formalities, and used them for some time to establish credibility. The activated smartphones were then shipped overseas, where entirely different individuals took control. From the bank’s perspective, activity still appeared to originate from the same device, with no signs of a client switch.
Nevertheless, inconsistencies betrayed the deception: GPS suddenly placed the phone in a different country, ATM withdrawals were logged outside the originating jurisdiction, and network or SIM parameters shifted abruptly. Most revealing of all were behavioral metrics—swipe speed, touch patterns, periods of activity, and even the angle at which the device was held. Such biometric cues allowed investigators to distinguish the original user from the impostor despite unchanged technical identifiers.
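The signals listed above (hosting-provider IPs, GPS/SIM and GPS/IP country mismatches, SIM-less devices, abrupt country or SIM changes on a known device, and behavioral drift) can be combined into a simple per-session consistency check. The following is an added illustration, not Group-IB's SDK or any bank's code; the `Session` fields, the z-score threshold and the sample sessions are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    ts: int             # epoch seconds (constructed sample values below)
    gps_country: str    # country derived from device GPS
    sim_country: str    # country from SIM / mobile operator data; "" if no SIM
    ip_country: str     # country from IP geolocation
    ip_hosting: bool    # IP belongs to a hosting provider or anonymizer
    swipe_speed: float  # behavioral metric, px/s (hypothetical unit)

def session_flags(s: Session) -> list[str]:
    """Stateless checks that need only the current session."""
    flags = []
    if s.ip_hosting:
        flags.append("hosting/anonymizer IP")
    if s.sim_country and s.sim_country != s.gps_country:
        flags.append("GPS/SIM country mismatch")
    if s.ip_country != s.gps_country:
        flags.append("GPS/IP country mismatch")
    if not s.sim_country:
        flags.append("SIM-less device")
    return flags

def device_flags(history: list[Session], new: Session, z: float = 3.0) -> list[str]:
    """Compare a new session against the device's own trusted history.

    Catches the 'shipped device' pattern: identifiers unchanged, but the
    country, SIM parameters or behavioral baseline shift abruptly.
    """
    flags = session_flags(new)
    if history:
        last = history[-1]
        if new.gps_country != last.gps_country:
            flags.append("GPS country changed")
        if new.sim_country != last.sim_country:
            flags.append("SIM parameters changed")
        speeds = [h.swipe_speed for h in history]
        if len(speeds) >= 3:  # need a baseline before judging drift
            mu, sd = mean(speeds), pstdev(speeds)
            if sd > 0 and abs(new.swipe_speed - mu) / sd > z:
                flags.append("behavioral drift")
    return flags

if __name__ == "__main__":
    # Constructed history: same device, consistently in one country.
    hist = [Session(i * 86400, "AE", "AE", "AE", False, sp)
            for i, sp in enumerate([400.0, 410.0, 420.0, 405.0, 415.0])]
    # Constructed new session: same device ID, but now abroad with a new user.
    print(device_flags(hist, Session(6 * 86400, "TR", "AE", "TR", False, 800.0)))
```

Real deployments would weight these flags rather than treat each as binary, and would add the ATM-withdrawal location check from the article once transaction data is joined to the session.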
Equally troubling has been a trend in which victims themselves are unwittingly drawn into laundering schemes. Criminals would first transfer funds into a random customer’s account, then contact the individual while impersonating a bank representative or official authority. Under the pretense of an “erroneous transfer,” the victim was persuaded to forward the funds or grant account access. In this way, a well-intentioned client became an unwilling intermediary in the laundering chain.
For banks, such cases are exceptionally difficult to detect: the customer appears entirely legitimate, shows no overt signs of fraud, and transactions resemble standard transfers. Yet investigations reveal that detection is possible—through analysis of atypical transaction routes, deviations from habitual behavioral patterns, and inconsistencies between device and account data.
This progression underscores a broader truth: fraud in the META (Middle East, Turkey, and Africa) region is no longer confined to the digital realm. It has increasingly morphed into a hybrid model where online technologies intertwine with physical logistics, human recruitment, and social engineering. To counter this, Group-IB recommends unifying IP analytics, geolocation checks, device integrity monitoring, and behavioral modeling into a single system—while preparing for the next wave of threats, including the use of generative AI and deepfakes to forge documents and KYC videos.