How the application ‘XHelper’ is powering the Indian money-laundering gig economy
Cybercriminals are using a massive network of hired mules in India and an Android-based money transfer application to launder illicit proceeds, researchers have found.
According to an investigation by the Singapore-based cybersecurity company CloudSEK, the money mules — who are recruited to receive and then quickly transfer funds to obscure their origin — are managed through an application called XHelper.
The app, researchers said, is the “technological backbone for fake payment gateways used in various scams,” including pig butchering, e-commerce scams, and task scams.
Mules are typically recruited through Telegram channels, where jobs at a “Money Transfer Business” are advertised.
“The agents often pose as thriving businesses seeking efficient fund management due to a high transaction volume,” they wrote. “The recruitment often occurs through personal connections, with recruiters or agents persuading individuals in their social circles.”
After downloading the application, they are instructed to submit credentials for their Unified Payments Interface (UPI), a commonly used payments application in India for easily transferring money between bank accounts.
Once enrolled, they receive payments into their XHelper accounts, which they are incentivized through commissions to transfer to “corporate” accounts. The funds are then converted to cryptocurrency by the threat actors — usually the stablecoin Tether (USDT) — to further obscure their source. Payment for the mules is determined by their standing within the organization.
Once they have transferred more than approximately $600, the mules begin receiving a 0.2% commission, with rates going up to a maximum of 0.3% once mules have transferred more than 1 crore (about $123,000). They are also rewarded for raising the limits of allowable transfers, and tutorials within the application give instructions on submitting documents to create fake corporate bank accounts with higher caps on transfers.
CloudSEK researchers found that as of February there were more than 40,000 mule accounts on the platform and 16,000 linked bank accounts. Over a three-day period in February, more than $6.7 million was transferred, they found.
“While XHelper serves as a concerning example, it's crucial to recognize this isn't an isolated incident,” they said. “CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams.”
In a recent report on cybercrime and money laundering in Southeast Asia, the United Nations Office on Drugs and Crime cited the increasing use of money mules by Chinese organized crime groups to launder illicit funds.
The U.N. described the “growing use of sophisticated, high-speed money laundering ‘motorcade’ teams” which route money, usually in the form of USDT, through multiple accounts.
“This has also included the mass recruitment of mule bank accounts across virtually all jurisdictions in the Asia Pacific region which can be purchased for as little as … $30,” they said.
Europol recently announced that more than 1,000 money mules were arrested in the second half of 2023 as part of a global effort to crack down on money laundering. Investigators noticed that “a series of intricate online fraud schemes are funnelling money into accounts operated by money mules,” they said.
“These schemes include investment scams, compromised business emails, bogus holiday rental listings, middleman scams, phishing, messenger app fraud, help desk fraud, counterfeit bank cards and the use of crypto values transferred from virtual currencies exchanges to e-wallets.”
James Reddick
has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.