Modern financial crime operates as two tightly coupled systems: fraud, which extracts money from victims, and money laundering, which moves and disguises it. Financial institutions sit at the intersection of both. Whether they know it or not, they’re part of the infrastructure criminals use to return stolen money to the system. In this part of our fraud series, we follow the money – its digital trail and “intervention points” that are critical for fraud detection.
In previous articles, we’ve revealed the industrial scale of modern fraud operations and the trafficked workforce that powers them. Once the stolen money leaves the victim’s account, the second part of the fraud mechanism kicks in: money laundering. This is the process of making illegally obtained money – from drug trafficking or any other criminal activity – clean to appear legitimate. In this series, we focus on how it operates in the context of fraud.
The digital heist: How the money laundering unfolds
Phase 1: Placing and layering stolen funds through the system
Money laundering traditionally begins with placement – introducing illicit funds into the financial system – followed by layering, where funds are moved and obscured to make tracing harder. This can involve using money mules, channelling money through prepaid cards or splitting funds into smaller amounts, a practice known as “smurfing”, so that the transferred amount falls below the reporting threshold.
In modern fraud scenarios, the victim’s money is already within the financial system when stolen. The challenge is therefore not introducing funds into the system but rapidly moving and disguising them.
This is where criminals exploit money mules – individuals recruited, often under false pretenses, to receive and transfer illicit funds. Rather than being the perpetrators of the fraud, these individuals are typically vulnerable victims of social engineering themselves (lured by fake job offers, “romance” setups, or quick-cash schemes). Yet, their accounts serve as the vital first conduit in the laundering chain, allowing stolen funds to quickly exit the victim’s sphere. These victims act as the critical entry point for the layering phase. Because the stolen money is already electronic, the traditional ‘placement’ step is virtually instantaneous. The real battle is in the layering and that begins the moment a victim is coerced into sending money to a mule account.
Stolen funds, that mules help enter back to the system, however rarely move directly into accounts controlled by the perpetrators. Instead, they are routed through intermediary accounts, creating distance and making detection and recovery significantly more difficult.
Although many mules are unwitting participants, recruited through fake job ads or messaging apps promising $70–300 per day for “remote payment processing”, some may suspect the activity is questionable from the very start.
Regardless of the setup, their role is simple: receive funds – often from scam victims – into their bank account, transfer the money onward quickly (to other accounts or crypto wallets, for example).
And the greatest trick of all? Traditional KYC checks see a legitimate customer: real identity documents, plausible address. The account passes verification because the person is real. Transaction monitoring may eventually flag suspicious activity, but by then multiple victim transfers have been processed and funds have moved on.
Phase 2: Obfuscating money through transaction layers
Once funds clear initial mule accounts, they enter a maze designed to make tracing impossible. First stop: cryptocurrency exchanges. Within minutes, euros become Bitcoin or Ethereum, but once converted, banks’ ability to freeze or reverse transactions ends as crypto is irreversible. Syndicates then “chain-hop”, moving value across blockchains (e.g. from Bitcoin to Ethereum and then to other cryptocurrencies) and use so-called “mixers” that spread crypto across hundreds of wallets, making the trail non-linear and hard to follow.
Phase 3: Converting digital funds to real assets
The final challenge is converting laundered funds into usable assets, often bringing money back into the traditional financial system through real estate, luxury goods or investments in high-cash-volume businesses like restaurants, bars or casinos.
For larger sums requiring eventual reinvestment in real assets, criminals buy ready-made shell companies from underground providers – firms registered in places with weak enforcement (like Eastern Europe) that have bank accounts but no real business. These shells issue fake invoices satisfying bank reviews, supply nominee directors shielding real beneficiaries and create transaction chains that look legitimate on paper.
Fighting back: Where detection must improve
The three-phase laundering process exploits gaps in financial controls at precisely the moments they matter most – when accounts are opened, when stolen funds land in mule or shell company accounts and when money moves into crypto or hard assets. At each stage, there is an opportunity for detection. At each stage, traditional controls are under pressure.
To catch these patterns, financial institutions must distinguish between fraud prevention (protecting the victim from sending money) and mule account detection (preventing the laundering account from receiving or moving it).
At onboarding, (Mule/Launderer Prevention), that means looking beyond the document for:
- multiple accounts opened from the same device or IP in a short timeframe, coordinated mule farming/device sharing,
- inconsistent, coerced or scripted responses during live video verification (indicators of social engineering or scripting),
- recently issued documents coupled with a thin digital footprint
- or a profile that doesn’t match the financial background.
Post-onboarding, the behavioural fingerprint is equally distinct:
- incoming funds followed by rapid outbound transfers within minutes,
- no normal spending or balance retention,
- multiple inbound payments from unrelated third parties,
- and login activity limited solely to moving money.
Shell companies with minimal operating history processing large or frequent transactions, business relationships that make no economic sense, and generic or implausible invoice descriptions are all indicators. On the crypto side, rapid chain-hopping across blockchains or the use of mixers are strong signals. Blockchain analytics tools are increasingly essential for following this trail – and transaction monitoring systems that flag illogical business relationships can catch shell company activity before the company is dissolved and replaced.
Detection at this stage often falls outside traditional banking controls, but red flags include:
- crypto-to-property transactions routed through shell companies,
- high-value luxury purchases through business accounts with no plausible business rationale,
- and cash-intensive businesses posting revenue patterns inconsistent with their size, location or sector.
Cross-sector reporting and beneficial ownership transparency are critical here, which is precisely what the incoming regulatory frameworks are beginning to mandate.
IDnow’s video verification can be configured with mule-specific questions during the live session, surfacing behavioural inconsistencies that document checks alone would miss. Through the Trust Platform and its Risk Intelligence, Device & Network Intelligence and IDV repeat attempt tracking can flag coordinated account opening across shared devices or IPs and real-time risk scoring can catch the behavioural patterns that betray mule activity before funds move on.
On the regulatory side, the direction of travel is clear. The EU’s Anti-Money Laundering Regulation (AMLR), coming into force from 2027, will introduce stricter customer due diligence requirements, mandatory beneficial ownership checks, and new obligations for crypto asset service providers. For financial institutions, this isn’t just a compliance exercise, it’s an opportunity to build infrastructure that matches the sophistication of modern financial crime.
Cross-institution intelligence sharing will also be essential. Mule networks, shell company chains and crypto layering schemes don’t stop at one bank’s front door. The question is no longer whether financial institutions can stop this trillion-dollar crisis. It’s whether they’ll move fast enough to matter.
Get ahead of AMLR and financial crime with one platform built for both.
Want to read more on this topic? Explore:
The True Face of Fraud #1: The masterminds behind the $1 trillion crime industry. Uncover who is behind the fastest-growing fraud schemes, where the main scam compound hubs are located, and what financial organisations need to understand about the threat actors they are up against.
The True Face of Fraud #2: The Industrialisation of Crime – How crime syndicates run $1 trillion scam empires. Discover how criminal networks are structuring themselves as fully-fledged enterprises, leveraging AI and the Fraud-as-a-Service (FaaS) model to industrialise fraud at scale.
The True Face of Fraud #3: The workforce behind fraud empires and how banks can fight back. Uncover the dark human reality behind industrialised fraud: hundreds of thousands of trafficked workers enslaved in scam compounds — and what banks can do to disrupt these criminal networks.
The True Face of Fraud #4: 5 reasons why the industry is losing the war on fraud – Why fraud keeps winning despite billions spent fighting it.
Author

Nikita Rybová
Customer & Product Marketing Manager at IDnow
Connect with Nikita on LinkedIn






