-
Organized cybercriminal groups abuse freelancer-focused fintech platforms in France to create verified mule accounts and transfer stolen money across Europe.
-
Confirmed “mule accounts” at European fintech services sell for between $300 and $700 on dark markets, often with escrow support and replacement guarantees.
-
Nearly 1 in 7 business account sign-ups in France was identified as fraudulent, suggesting many more mule accounts remain active and undetected.
Cybercriminal networks have found a new way to move stolen money across Europe. They’re targeting French fintech platforms designed for freelancers and small businesses. The scale of the operation is alarming, and the financial damage keeps growing.
Group-IB recently released research exposing this sophisticated fraud scheme. The activity affects the wider fintech category, including popular services such as Revolut, Wise, and N26. These platforms offer fast remote onboarding, digital payments, and cross-border transfers that criminals now exploit.
Freelancer Accounts Become Criminal Tools
These fintech platforms attract freelancers and micro-businesses because they are easy to set up. They offer business-grade tools such as invoicing, SEPA transfers, as well as payment processing. The same features also make them attractive to fraud networks.
Criminals prefer verified freelancer accounts over basic consumer bank accounts. Once verified, an individual entrepreneur account can pose like a major business account and still pass personal identity checks. That mix creates high value for criminals because the accounts look legitimate and can move money quickly.
Dark web markets now actively trade these compromised accounts. Verified mule accounts at European fintech platforms sell for between $300 and $700 each. Sellers often provide escrow support, replacement promises, and regular stock updates. This turns fraud into a structured business model.
Multi-Stage Fraud Operation Targets French Users
Group-IB explains that a mule account is a bank account set aside for receiving and forwarding stolen funds. It helps criminals hide the money trail. The French scheme runs in multiple stages and uses both phishing and social engineering.
Fraudsters steal victims’ personal information through fake websites in the first stage. One example used a mortgage advice theme to collect names, contact details, and identity data. The victims usually think they are onto a real service. They don’t know their details will later facilitate the opening of a fintech account.
The financial impact has already become serious. The ECB and EBA reported that losses from credit transfer fraud all over the EEA totalled €2.5 billion as of 2024, a 24% increase from the previous year.
85% of those minuses hit end users directly. Recovery is so difficult thanks to Mule accounts. Stolen funds transfer can run onward in minutes across instant payment channels. By the time victims realize what happened, the money has already moved through multiple accounts across different countries.
Organized Network Controls the Operation
Group-IB says the operation targeting France is not random fraud but a structured criminal business. According to one actor in the research, @astarta_seller1, has connections to the broader ASGARD Network. This network brandishes verified European accounts all over different cybercrime chatrooms.
The group appears to focus heavily on French entrepreneur accounts. These accounts command some of the highest prices in its portfolio. The preference for French accounts suggests they offer particular advantages for money laundering, possibly due to regulatory gaps or verification weaknesses.
One of the strongest findings in the report reveals the operation’s scale. Nearly 1 in 7 business account sign-ups in France flagged as fraudulent in the company’s confirmed customer data and national extrapolation. That figure implies that a lot of mule accounts could still be running behind the dark shadows.
The fraud network operates like a legitimate business. They maintain inventory, offer customer service to buyers, and even provide guarantees. This professionalization of cybercrime makes it harder for law enforcement to shut down operations. When one account leaks and closes, criminals simply activate another from their inventory.
The raw material for these accounts, stolen identities and personal data, often comes from breaches like the Réseau.site data leak, where user records were published on dark web forums, providing criminals with the verified personal information needed to pass identity checks and open fraudulent accounts.
The research highlights a critical vulnerability in the European fintech ecosystem. Platforms designed to make banking accessible and convenient for legitimate freelancers have become tools for organized crime. The speed and convenience that attract honest users are the same qualities that enable rapid money laundering.
Financial institutions and regulators now face a difficult challenge. They must balance innovation and accessibility with stronger fraud prevention. Tightening verification processes might slow down legitimate users, but leaving gaps open allows criminal networks to flourish. The current situation proves that criminals adapt faster than security measures evolve.
