N26, Revolut and Wise: Cybercriminals Exploit French Fintech Accounts to Move Stolen Money Before Detection

Fraud Networks Exploit Fintech Platforms in France to Launder Stolen Funds

Organized fraud networks in France are deploying a sophisticated scheme to launder stolen money through fake business accounts on freelancer fintech platforms like Revolut, Wise, and N26. These platforms, designed for fast account openings and seamless transactions, have become prime targets due to their business-grade payment infrastructure, including SEPA transfers and invoicing.

The operation, tracked as "Bastardaseller" and part of the larger ASGARD fraud network, specializes in creating and selling verified European business accounts on dark web marketplaces for $200 to $1,000 each. These accounts, known as mule accounts, enable fraudsters to move funds rapidly via instant payment rails, often before detection. In France, nearly 1 in 5 sign-up users was identified as a mule account, with the true scale likely higher.

The scheme operates in three phases:

  1. Phishing for PII – Fraudsters run phishing campaigns, such as fake mortgage consultation services, to collect victims' personal data.
  2. Account Registration – Stolen PII is used to open accounts, with operators masking their location using SIM modem farms to generate French IP addresses and phone numbers.
  3. Operational Handover – Once KYC is completed, control shifts to the fraud network via mobile apps, with subnet continuity linking the new login to the original sign-up infrastructure.

According to the EBA-ECB Joint Report on Payment Fraud, credit transfer fraud losses in the European Economic Area reached $2.5 billion in 2023, a 25% increase from the previous year, with mule accounts as the primary driver. Detection remains challenging, as the fraud only becomes visible when analyzing the full account lifecycle rather than isolated transactions.

Fintech platforms are urged to monitor MVNO IP addresses, sign-up velocity patterns, and device downgrades between KYC and operational phases to disrupt these networks. The attack underscores the growing threat of structured fraud operations exploiting digital financial services.
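
The lifecycle view described above can be sketched as a detector that joins each account's sign-up event to its first operational login and emits the signals the article lists. This is an added example, not code from the article or from any of the platforms named; the MVNO range list, thresholds, event field names and the definition of "device downgrade" (older OS major version on a different device) are assumptions, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: CIDR list, thresholds and event field names.
MVNO_RANGES = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3  # sign-ups from one /24 inside the window

def subnet24(ip):
    return ip_network(f"{ip}/24", strict=False)

def lifecycle_signals(signups, first_logins):
    """Map account -> sorted signals seen across sign-up and first operational login."""
    by_subnet = defaultdict(list)
    for s in signups:
        by_subnet[subnet24(s["ip"])].append(s["ts"])
    flags = defaultdict(set)
    for s in signups:
        acct = s["account"]
        if any(ip_address(s["ip"]) in net for net in MVNO_RANGES):
            flags[acct].add("mvno_ip")
        near = [t for t in by_subnet[subnet24(s["ip"])]
                if abs(t - s["ts"]) <= VELOCITY_WINDOW]
        if len(near) >= VELOCITY_LIMIT:
            flags[acct].add("signup_velocity")
        login = first_logins.get(acct)
        if login is None or login["device_id"] == s["device_id"]:
            continue  # no handover to a different device observed
        # Assumed definition: downgrade = older OS major version than the KYC device.
        if login["os_major"] < s["os_major"]:
            flags[acct].add("device_downgrade")
        if subnet24(login["ip"]) == subnet24(s["ip"]):
            flags[acct].add("subnet_continuity")
    return {a: sorted(f) for a, f in flags.items()}

T0 = datetime(2024, 1, 1, 9, 0)  # constructed sample events, not real data
SIGNUPS = [
    {"account": "a1", "ip": "203.0.113.10", "ts": T0, "device_id": "d1", "os_major": 17},
    {"account": "a2", "ip": "203.0.113.44", "ts": T0 + timedelta(minutes=7), "device_id": "d2", "os_major": 17},
    {"account": "a3", "ip": "203.0.113.90", "ts": T0 + timedelta(minutes=15), "device_id": "d3", "os_major": 17},
    {"account": "b1", "ip": "198.51.100.5", "ts": T0, "device_id": "d9", "os_major": 16},
]
FIRST_LOGINS = {
    "a1": {"ip": "203.0.113.200", "device_id": "x1", "os_major": 12},
    "b1": {"ip": "198.51.100.5", "device_id": "d9", "os_major": 16},
}

print(lifecycle_signals(SIGNUPS, FIRST_LOGINS))
```

No single signal is conclusive on its own; account `a1` stands out only because sign-up and handover signals are evaluated together.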

Source: https://cybersecuritynews.com/cybercriminals-exploit-french-fintech-accounts/

N26 cybersecurity rating report: https://www.rankiteo.com/company/n26

Revolut cybersecurity rating report: https://www.rankiteo.com/company/revolut

Wise cybersecurity rating report: https://www.rankiteo.com/company/wise

"id": "N26REVWIS1776889641",
"linkid": "n26, revolut, wise",
"type": "Cyber Attack",
"date": "1/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Financial Services',
                        'location': 'Europe',
                        'name': 'Revolut',
                        'type': 'Fintech Platform'},
                       {'industry': 'Financial Services',
                        'location': 'Europe',
                        'name': 'Wise',
                        'type': 'Fintech Platform'},
                       {'industry': 'Financial Services',
                        'location': 'Europe',
                        'name': 'N26',
                        'type': 'Fintech Platform'}],
 'attack_vector': 'Phishing, Stolen PII, Fake Business Accounts',
 'data_breach': {'personally_identifiable_information': 'Yes (stolen via '
                                                        'phishing)',
                 'sensitivity_of_data': 'High (used for account creation and '
                                        'fraud)',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII)'},
 'description': 'Organized fraud networks in France are deploying a '
                'sophisticated scheme to launder stolen money through fake '
                'business accounts on freelancer fintech platforms like '
                'Revolut, Wise, and N26. These platforms, designed for fast '
                'account openings and seamless transactions, have become prime '
                'targets due to their business-grade payment infrastructure, '
                'including SEPA transfers and invoicing. The operation, '
                "tracked as 'Bastardaseller' part of the larger ASGARD fraud "
                'network, specializes in creating and selling verified '
                'European business accounts on dark web marketplaces for $200 '
                'to $1,000 each. These accounts, known as mule accounts, '
                'enable fraudsters to move funds rapidly via instant payment '
                'rails, often before detection. In France, nearly 1 in 5 '
                'sign-up users was identified as a mule account, with the true '
                'scale likely higher.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'fintech platforms',
            'data_compromised': 'Personally Identifiable Information (PII)',
            'financial_loss': '$2.5 billion (credit transfer fraud losses in '
                              'EEA, 2023)',
            'identity_theft_risk': 'High (stolen PII used for account '
                                   'creation)',
            'operational_impact': 'Increased fraud detection challenges, '
                                  'exploitation of payment rails',
            'payment_information_risk': 'High (SEPA transfers, instant '
                                        'payments)',
            'systems_affected': 'Fintech platforms (Revolut, Wise, N26)'},
 'initial_access_broker': {'backdoors_established': 'Fake business accounts '
                                                    '(mule accounts)',
                           'data_sold_on_dark_web': 'Verified European '
                                                    'business accounts '
                                                    '($200-$1,000 each)',
                           'entry_point': 'Phishing campaigns (e.g., fake '
                                          'mortgage consultation services)',
                           'high_value_targets': 'Fintech platforms with SEPA '
                                                 'transfer capabilities'},
 'lessons_learned': 'Detection of mule accounts requires analysis of the full '
                    'account lifecycle rather than isolated transactions. '
                    'Fintech platforms must improve KYC processes and monitor '
                    'for suspicious sign-up patterns.',
 'motivation': 'Financial gain, Money laundering',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring of MVNO '
                                                  'IP addresses, sign-up '
                                                  'velocity patterns, and '
                                                  'device downgrades; improved '
                                                  'KYC processes',
                            'root_causes': 'Weak KYC processes, fast account '
                                           'opening, exploitation of SEPA '
                                           'transfer infrastructure, use of '
                                           'SIM modem farms to mask location'},
 'recommendations': 'Monitor MVNO IP addresses, sign-up velocity patterns, and '
                    'device downgrades between KYC and operational phases. '
                    'Strengthen KYC processes and implement enhanced '
                    'monitoring for account lifecycle anomalies.',
 'references': [{'source': 'EBA-ECB Joint Report on Payment Fraud'}],
 'regulatory_compliance': {'regulations_violated': 'Potential violations of '
                                                   'AML/KYC regulations'},
 'response': {'enhanced_monitoring': 'Recommended for full account lifecycle '
                                     'analysis',
              'remediation_measures': 'Monitoring MVNO IP addresses, sign-up '
                                      'velocity patterns, and device '
                                      'downgrades'},
 'threat_actor': 'ASGARD fraud network (Bastardaseller operation)',
 'title': 'Fraud Networks Exploit Fintech Platforms in France to Launder '
          'Stolen Funds',
 'type': 'Fraud, Money Laundering',
 'vulnerability_exploited': 'Weak KYC processes, Fast account opening, SEPA '
                            'transfer infrastructure'}