How Are Cybercriminals Using India's UPI Technology to Facilitate Money Laundering Transactions?

Cybercriminals are utilizing an Android-based application to manage a vast money laundering scam through a network of hired money mules in India. According to a report by CloudSEK researchers, the malicious program, XHelper, is a “key tool for onboarding and managing these money mules.”

The first information about the scam surfaced in late October 2023, when it was discovered that Chinese cybercriminals were exploiting the fact that Indian Unified Payments Interface (UPI) service providers are exempt from the Prevention of Money Laundering Act (PMLA) to initiate illicit transactions under the guise of offering instant loans.

Hired mules are people recruited via Telegram in exchange for commissions ranging from 1% to 2% of the total transaction amounts. The illicit gains from the activity are then transferred onward to the mules' other accounts.

What Has CloudSEK Said?

Chinese payment gateways that specifically exploit UPI's QR code feature are at the heart of this operation. The cybersecurity firm reported at the time that the scheme “utilized a network exceeding hundreds of thousands of compromised 'money mule' accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.”

XHelper, which underpins the technology behind the fraudulent payment gateways used in pig butchering and other scams, is an effective way to manage these mules. The application is distributed through websites that pose as reputable companies under the label “Money Transfer Business.”

Features of XHelper App

The application also lets mules monitor their earnings and streamline the entire payout and collection procedure. They must first complete an initial setup process in which they create their online banking credentials and register their unique UPI IDs in a specific format.

Payout orders require the mule to send money to pre-designated accounts within 10 minutes, whereas collection orders are more passive: money is transferred into the registered accounts by other scammers using the network.

Money mules can receive and complete money laundering jobs by activating order intake within the XHelper app. According to the researchers, orders are assigned automatically by the system, possibly using predefined criteria or mule profiles.

To encourage continued participation, mules are required to upload screenshots of the unlawful fund transfer once it has been completed using the associated bank account. These images are verified and then submitted for payment.
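The workflow above (a collection credit landing in a mule's registered account, followed by a payout to a pre-designated account within 10 minutes, with the mule keeping a 1% to 2% commission) leaves a recognizable footprint in a bank's or payment provider's transaction ledger. The following is an added illustrative example, not code from CloudSEK's report or from XHelper itself: a simple monitoring heuristic that flags accounts repeatedly forwarding nearly the whole of an incoming credit within the 10-minute window. The transaction records, the `Txn` structure, the 5% retention tolerance and the sample account names are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical simplified ledger record; real core-banking schemas differ.
@dataclass
class Txn:
    account: str        # account being monitored (e.g. a UPI ID)
    direction: str      # "in" = credit received, "out" = debit sent
    amount: float
    timestamp: datetime
    counterparty: str

PASS_THROUGH_WINDOW = timedelta(minutes=10)  # payout deadline described in the article
AMOUNT_TOLERANCE = 0.05                       # assumption: mule retains at most 5% (commission is 1-2%)

def find_pass_through_pairs(txns: List[Txn]) -> List[Tuple[Txn, Txn]]:
    """Pair each credit with the first later debit that forwards nearly the full amount
    inside the window. Each debit is matched at most once."""
    by_account: Dict[str, List[Txn]] = {}
    for t in txns:
        by_account.setdefault(t.account, []).append(t)
    pairs: List[Tuple[Txn, Txn]] = []
    for items in by_account.values():
        items.sort(key=lambda t: t.timestamp)
        credits = [t for t in items if t.direction == "in"]
        debits = [t for t in items if t.direction == "out"]  # stays time-sorted
        used = set()
        for c in credits:
            for i, d in enumerate(debits):
                if i in used or d.timestamp < c.timestamp:
                    continue
                if d.timestamp - c.timestamp > PASS_THROUGH_WINDOW:
                    break  # debits are sorted, so later ones are outside the window too
                retained = (c.amount - d.amount) / c.amount if c.amount > 0 else 1.0
                if 0 <= retained <= AMOUNT_TOLERANCE:
                    pairs.append((c, d))
                    used.add(i)
                    break
    return pairs

def score_accounts(txns: List[Txn], min_pairs: int = 2) -> Dict[str, int]:
    """Accounts with at least min_pairs pass-through pairs; a single fast forward is
    not suspicious on its own, repetition is."""
    counts: Dict[str, int] = {}
    for c, _ in find_pass_through_pairs(txns):
        counts[c.account] = counts.get(c.account, 0) + 1
    return {a: n for a, n in counts.items() if n >= min_pairs}

# Constructed sample ledger (not real data).
_base = datetime(2024, 1, 15, 9, 0)
SAMPLE_TXNS = [
    # mule-like: three credits, each forwarded within minutes minus a small cut
    Txn("mule01@upi", "in", 5000.0, _base + timedelta(hours=1), "victim-a"),
    Txn("mule01@upi", "out", 4900.0, _base + timedelta(hours=1, minutes=6), "payout-x"),
    Txn("mule01@upi", "in", 12000.0, _base + timedelta(hours=2, minutes=30), "victim-b"),
    Txn("mule01@upi", "out", 11800.0, _base + timedelta(hours=2, minutes=34), "payout-y"),
    Txn("mule01@upi", "in", 8000.0, _base + timedelta(hours=5), "victim-c"),
    Txn("mule01@upi", "out", 7850.0, _base + timedelta(hours=5, minutes=9), "payout-z"),
    # merchant-like: collects during the day, settles hours later (outside window)
    Txn("shop01@upi", "in", 3000.0, _base + timedelta(hours=1), "customer-1"),
    Txn("shop01@upi", "in", 4500.0, _base + timedelta(hours=1, minutes=20), "customer-2"),
    Txn("shop01@upi", "out", 7000.0, _base + timedelta(hours=4), "supplier"),
    # salary-like: large credit, partial spend soon after (retains far more than 5%)
    Txn("sal01@upi", "in", 60000.0, _base, "employer"),
    Txn("sal01@upi", "out", 15000.0, _base + timedelta(minutes=5), "landlord"),
]

if __name__ == "__main__":
    for acct, n in score_accounts(SAMPLE_TXNS).items():
        print(f"{acct}: {n} pass-through pairs within {PASS_THROUGH_WINDOW}")
```

The heuristic deliberately requires both timing and amount to match: a merchant settling hours later and a salaried account spending part of a credit immediately both fall outside the rule, while a fresh account that forwards three near-full credits inside 10 minutes is surfaced for review. In practice the thresholds would be tuned against the institution's own false-positive rate and combined with signals such as account age and the 10-minute payout pattern recurring across many counterparties.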


More Features of XHelper

One of XHelper's features is the ability to invite other people to become agents, who are responsible for finding mules to join. Agents receive bonuses for each recruit through a referral system, which produces an ever-growing network of agents and mules.

This referral system has a pyramid-like structure that encourages the mass enlistment of money mules and agents, thereby expanding the scope of the illegal activity. According to the study, the growth of this interconnected network is sustained by agents, who in turn invite and recruit new mules.

Another noteworthy feature of XHelper is a Learning Management System (LMS) that teaches mules how to launder stolen money effectively, with tutorials on creating fictitious corporate bank accounts, the various workflows, and methods to increase commissions.

UPI & Beyond: Facilitating Illegal Transfers

Besides favoring the UPI function built into legitimate banking apps for carrying out the transfers, the platform serves as a central hub for learning how to evade account freezes so that mules can continue their illicit operations. Mules also receive instructions on how to respond to bank customer service inquiries about suspicious transactions.

CloudSEK stated that although XHelper is a worrying example, it is important to understand that this is not a one-off incident. The firm also found a “growing ecosystem of similar applications facilitating money laundering across various scams.”

Europol announced in December 2023 that 1,013 people had been arrested during the second half of 2023 as a result of an international campaign against money laundering. In addition, 10,759 money mules and 474 recruiters (also known as herders) were identified through the multinational law enforcement investigation.

The disclosure coincides with Kaspersky's finding that, from February 2023 to the end of the year, mobile device malware, adware, and riskware attacks rose sharply.

After two relatively quiet years, Android malware and riskware activity increased in 2023 and by the end of the year had reached levels last seen in early 2021. According to the Russian security vendor, the bulk of threats found in 2023 were classified as malware.