Money laundering scheme caught employing mules via Android app XHelper


The Android app XHelper, disguised as a legitimate money transfer business, has been found to be the axis of a global money laundering network. It employed money mules to launder illicit inflows from loan scams, ‘pig butchering’ schemes, illegal gambling, and other frauds, CloudSEK's Threat Intelligence (TI) team has uncovered.

The researchers identified a single app serving as the technological backbone for fake payment gateways. XHelper manages money mule schemes and deceptive payment systems, simplifying recruitment processes and helping to conceal the operation.

“Threat actors have intricately crafted a sophisticated application known as XHelper, which functions as a crucial tool for efficiently managing a network of money mules,” the CloudSEK report reads. “The app is distributed through websites posing as legitimate businesses under the guise of ‘Money Transfer Business.’”

The scheme exploited a critical loophole within India’s banking infrastructure, which enabled Chinese cybercriminals to orchestrate a large-scale money laundering scheme targeting Indian citizens.

This scheme has 37 thousand active users on the platform, who linked 16 thousand bank accounts. XHelper processed $1.9 million daily, with an average transfer size of $270 and more than 7000 daily transfers.

The money mule role is crucial for successful money laundering, as it adds a layer of complexity for threat actors who convert the funds into cryptocurrencies. Mules on the app were incentivized by commissions, and the app itself included many complex features to automate money laundering.

“While XHelper serves as a concerning example, it's crucial to recognize this is not an isolated incident. CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams,” the report said.

How does XHelper work?

The user-friendly XHelper app functions as a central hub for money mules, streamlining illegal transactions by simplifying payout and collection.

Mule accounts were used to collect funds received through fraudulent activities. The money mules themselves did not directly participate in collection activities; rather, they passively received incoming funds from scammers.

However, their active participation was required for payout orders, as these orders mandate the swift transfer of funds to pre-designated accounts within strict timeframes.


To ensure protection against potential fraud by the mules, the app creators implemented a time-sensitive approach.

“Money mules are incentivized to complete payout orders within a strictly enforced 10-minute window. Faster processing translates to higher commissions and rewards, promoting rapid and potentially reckless transaction behavior,” researchers noted.

Mules transferred funds to dedicated accounts provided by the threat actors or application providers. The money is subsequently converted into cryptocurrency.
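As an added example (not code from CloudSEK's report or the XHelper operators), a simple detection heuristic a bank or payment provider could run over transaction logs: it flags accounts whose inbound credits are forwarded out at near-identical amounts within the 10-minute payout window described above. The transaction records, account names and thresholds below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample UPI-style transaction records (not taken from the report).
# Fields: ISO timestamp, account, direction ('in' or 'out'), amount in USD, counterparty.
SAMPLE_TXNS = [
    ("2024-03-01T10:00:00", "mule-A", "in",  270.0, "victim-1"),
    ("2024-03-01T10:06:00", "mule-A", "out", 270.0, "collector-X"),
    ("2024-03-01T10:20:00", "mule-A", "in",  310.0, "victim-2"),
    ("2024-03-01T10:27:00", "mule-A", "out", 310.0, "collector-X"),
    ("2024-03-01T11:00:00", "shop-B", "in",  250.0, "customer-1"),
    ("2024-03-01T11:15:00", "shop-B", "in",   80.0, "customer-2"),
    ("2024-03-02T09:00:00", "shop-B", "out", 900.0, "supplier-1"),
]

PAYOUT_WINDOW = timedelta(minutes=10)  # the enforced payout window described in the report


def parse(records):
    """Turn the raw tuples into (datetime, account, direction, amount, counterparty)."""
    return [(datetime.fromisoformat(ts), acct, d, amt, cp) for ts, acct, d, amt, cp in records]


def pass_through_ratio(txns, account, window=PAYOUT_WINDOW, tolerance=0.05):
    """Fraction of inbound credits to `account` that are forwarded out again
    (amount equal within `tolerance`) inside `window`. Each debit matches at most one credit."""
    rows = sorted(t for t in txns if t[1] == account)
    credits = [t for t in rows if t[2] == "in"]
    debits = [t for t in rows if t[2] == "out"]
    if not credits:
        return 0.0
    matched, used = 0, set()
    for ts, _, _, amt, _ in credits:
        for i, (dts, _, _, damt, _) in enumerate(debits):
            if i in used:
                continue
            delay = (dts - ts).total_seconds()
            if 0 <= delay <= window.total_seconds() and abs(damt - amt) <= tolerance * amt:
                matched += 1
                used.add(i)
                break
    return matched / len(credits)


def flag_mule_candidates(records, threshold=0.8):
    """Return {account: ratio} for accounts whose pass-through ratio reaches `threshold`."""
    txns = parse(records)
    ratios = {a: pass_through_ratio(txns, a) for a in sorted({t[1] for t in txns})}
    return {a: r for a, r in ratios.items() if r >= threshold}
```

A real deployment would add the other signals the report describes, such as many distinct inbound senders and a small set of fixed payout destinations, rather than relying on timing alone.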

“The XHelper app offers various features, including a ranking list for mules to track earnings and compete with others. Additionally, the app incorporates a dedicated support system operating through the binding of Telegram accounts to the APK.”

Bank UPI apps in India seemingly provide scammers with a platform for conducting transactions discreetly, mitigating the risk of immediate detection or suspicion by leveraging the relative lack of visibility associated with bank-specific platforms, according to the report.

How are mules recruited and trained?

The report reveals that mules are often recruited through personal connections, with recruiters, also known as ‘agents,’ persuading individuals in their social circles. Agents pose as thriving businesses seeking efficient fund management due to high transaction volume.

Money mules operate within a network established through multiple Telegram channels.

The mules on the app are organized hierarchically, and the referral system follows a pyramid-like structure.

New mules are initially limited to adding up to two bank accounts. The app allows mules to increase their limits by leveling up based on their performance, unlocking additional commissions and benefits. They have the option to receive commissions in USDT, a crypto stablecoin tied to the dollar. This adds a layer of anonymity to the transactions.

The transaction rewards ranged from 0% for new users to up to 0.3% for top-performing mules.

For registration, money mules need to enter their net banking and UPI information within the app to grant access for transferring funds directly into their UPI account. UPI stands for Unified Payments Interface, which is a real-time payment system in India that allows free and seamless money transfers and merges multiple accounts into a single app.

After the initial steps, the app automatically assigns orders, potentially based on pre-determined criteria or mule profiles.


Following strict adherence to guidelines to minimize detection, money mules then need to execute the illicit fund transfer using their linked bank app. The success of execution is verified by uploading screenshots, and successful order completion translates to financial rewards within the app.

XHelper used another app for onboarding money mules. They were provided with content on how to streamline the money laundering process, maximize profits by adding more cards, use them strategically, and handle cryptocurrency transactions.

Motivational content included justifying this activity by showcasing success stories, addressing concerns, and overcoming obstacles, such as handling frozen accounts or exceeding limits. Mules had incentives to open corporate and merchant accounts, offering greater limits and flexibility.

All this was done to equip new users to efficiently launder stolen funds through the XHelper app.


The mules are also provided with very detailed instructions on what to do when law enforcement or banks freeze the accounts and how to deal with complaints. To resolve the issues, mules were instructed to always settle the payments with complainants or negotiate settlements and never argue with authorities or bankers.

“By optimizing the recruitment and oversight of money mules, XHelper effectively masks the origins of illegal funds, making it challenging to track and reclaim them,” CloudSEK researchers concluded.