What appears as a simple notification promising easy money or a harmless-looking app download is, in reality, a trapdoor into a sprawling underworld of financial crime. Investigators in Gujarat, as part of the recently launched 'Operation Mule Hunt', have peeled back the layers on sophisticated mule-account operations that are laundering hundreds of crores of illicit funds. This network uses a web of fake applications and illegal payment gateways to move stolen money across countries swiftly and silently.
The Anatomy of a Rs 719 Crore Scam
The Gujarat CID's Cyber Crime Centre of Excellence has exposed a vast network that laundered a staggering Rs 719 crore across 26 Indian states. The racket exploited multiple vulnerabilities in the system: weak bank KYC processes, insider lapses, and forged identity documents like Aadhaar, PAN, and GST papers. The rapid adoption of digital payment systems was also manipulated to move funds before detection. This crackdown builds on the landmark GujCTOC case in Surat, where a 46-member gang was found operating 1,029 mule accounts spread over 15 states.
According to investigators, these mule accounts form the critical backbone of an interconnected fraud economy. This ecosystem is powered by deceptive Android apps that front as Ponzi schemes, online betting platforms, loan scams, and sham investment portals. These apps are intricately linked to illegal payment gateways, mule bank accounts, and cryptocurrency wallets operating in over 40 countries, creating complex layers to obscure the money trail.
Recruitment: From Telegram to Corporate Shells
The recruitment for this crime web cuts across all social and economic strata, from students and daily-wage workers to corporate shell firms. Mayank Sahariya, a threat analyst at AI cybersecurity firm CloudSEK, identified fraudulent apps circulated on Telegram and WhatsApp as among the most effective recruitment tools. Apps like Xhelper, Big Winner, Jeevan Earnbox, Petross, Lakshmi, Xwallet, Honeygain, and Sharkpay—among 22 flagged—masquerade as earning platforms or digital wallets.
Once installed, these apps demand extensive permissions, particularly access to SMS. This allows them to intercept one-time passwords (OTPs), capture UPI IDs, scan merchant QR codes, and steal banking credentials. Users are lured with promises of a 2-3% commission on transaction volumes. "In reality, the app runs silently in the background, approves transactions without the user's knowledge and converts the bank account into a laundering node," Sahariya explained.
Recruitment also happens offline through local agents, often coordinated via Telegram channels. They target vulnerable groups, offering an upfront payment of Rs 10,000 to Rs 20,000 for the use of a savings account. The payout skyrockets for current or corporate accounts due to higher transaction limits. "The chain runs deep," Sahariya noted. "A savings account pays Rs 10,000. A corporate account? Rs 4 crore to Rs 5 crore. If an account has a Rs 100 crore limit, they will pay Rs 5 crore."
Gamified Crime and The Gateway Enablers
The operation even gamifies the criminal activity, ranking top earners and incentivizing speed. Some mule account holders earned commissions as high as Rs 1.2 crore for transferring stolen funds within a mere 10 minutes. Analysis of data from a single tracked app revealed 3.98 lakh individual fund movements, averaging 33,000 transactions monthly.
Once recruited, agents typically seize control of the account holder's debit cards, cheque books, and SIM cards. For corporate accounts, shell companies are created using forged documents to lend a veneer of legitimacy. Powering this entire system are illegal payment gateways—custom-built platforms operating outside RBI regulations, many suspected to be of Chinese origin.
CloudSEK has flagged gateways including Bsdpay, Dragonpay, Magicpay, Jdpay, and Luckypay. These gateways issue app IDs and secret keys, allowing scammers to automatically rotate mule accounts every 7-10 minutes to evade anti-money laundering checks. They mimic legitimate fintech dashboards, letting operators manage countless transactions from a single interface.
Shashank Shekhar, Managing Editor at CloudSEK and co-founder of the Future Crime Research Foundation, emphasized that banks cannot evade accountability. "If their accounts are being misused, banks must face action. Fake accounts and fake SIMs are the two pillars of this racket," he stated. Warning that the uncovered network is just the tip of the iceberg, Shekhar added, "Those 45,000 accounts are just a fraction. Early monitoring could save crores, but cybercrime cases are exploding and police resources are stretched thin."
