For a French freelancer, the website looked like a lifeline. It offered mortgage consultation and financial advice in exchange for basic personal details. They submitted their ID and proof of address, unaware they had just provided their identity to an international money-laundering operation.
Within hours, their identity was for sale on Telegram for $700.
Security researchers say this type of fintech fraud is no longer a one-off scam. It is a structured, repeatable operation designed to defeat identity controls and fly under the radar of defenders and regulators. In France, nearly 1 in 7 business account sign-ups on fintech platforms are fraudulent, according to research from Group-IB published Wednesday.
While standard consumer accounts are common targets, criminal networks such as the ASGARD Network have pivoted to B2B fintech platforms like Revolut, Wise and Qonto. These groups have targeted more than 40 financial institutions across six European countries since October 2025. France, according to Group-IB, is the primary market.
Verified accounts are sold for $300 to $700 on dark web marketplaces. Budget-tier fintech fraud accounts are available for as little as $140.
For criminals, the challenge isn’t stealing money. It’s keeping it. Without an intermediary, stolen funds are easy to trace, freeze or reverse. Verified fintech accounts solve that problem by giving stolen funds a place to land that looks legitimate, long enough to move them out of reach.
That’s why verified accounts command up to $700 each. It’s not the account itself that’s worth that but the frictionless, scrutiny-free passage it provides for money that would otherwise be stuck.
Money Laundering and More
Victims have no idea they have been scammed. The banks see nothing wrong.
For buyers of these “Entrepreneur Individuel” accounts, they are gold. They allow criminals to move stolen funds through a fully verified business identity, send and receive instant SEPA payments, and operate inside the financial system with the appearance of legitimacy.
Accounts, Group-IB explains, are valuable because of their perceived legitimacy. They appear to be opened using personal identity verification and carry the robust financial capabilities of a business account. Having business status, according to Group-IB, makes the accounts significantly more effective for money laundering than consumer accounts. Illicit funds land in a verified account and can be moved within minutes to a third party.
Fraud Formula
Group-IB outlines how the scheme runs in four phases.
First, phishing sites harvest victim identity data under cover stories — a fake mortgage service, a financial advice portal — that give people a plausible reason to submit personal details.
Second, the fraudster uses that data to register a fintech account, routing the session through a SIM modem farm to generate a French-looking IP address and phone number.
Third, the fraudster cannot complete identity verification alone. KYC requires a real face and a real document. So they call the victim.
Through social engineering, they instruct the victim to follow a link and complete what they describe as a routine verification step. The victim complies. The platform sees a real person, on a real device, on a real network, passing a legitimate check. The fintech fraud is invisible.
Fourth, once the account clears, control transfers back to the criminal operation through the mobile app — often on a cheap Android device reconnecting through the same SIM farm subnet used at sign-up.
Everything else in the operation is designed to look clean in isolation, researchers said. The sign-up session looks like a user with a French SIM. The KYC session looks like an authentic identity check. The first mobile login looks like a new device accessing a verified account. None of these events, reviewed alone, triggers an alert.
Defraud, Exploit and Launder: Rinse, Wash and Repeat
Mule accounts are the primary vehicle for a surging crisis: Credit transfer fraud across the EEA reached 2.5 billion euros ($3 billion US) in 2024, a 24% increase from the previous year, Group-IB said.
Credit transfer fraud is a type of financial crime in which funds land in a verified account and are moved on within minutes through instant payment rails, often beyond recovery. In this scheme, criminals exploit bank transfer systems to receive and forward stolen funds, using verified accounts as a money-laundering vehicle to obscure the trail between the criminal and the stolen money.
End users bear 85% of credit transfer fraud losses because the payments are typically authorized by the victims themselves, even though they were tricked into sending the money. Unlike credit card fraud — where a bank typically covers a charge made by a thief using a stolen number — credit transfer fraud involves the user voluntarily hitting “send.”
Our French Freelancer: The Real Victim
Our French freelancer is not the one stealing the money. But once the account is used, they become the one whose name sits on every transaction, every alert and every investigation.
Money mule activity is a criminal offense in France and across the European Union. The fact that someone was deceived is a defense, but it requires them to actively prove it. Not everyone can. Not everyone has legal representation. Fallout often includes financial and personal blacklisting, temporary account freezes, confiscation of personal assets and, in some cases, financial liability.
Sinking the Syndicates
Detecting this industrial-scale fintech fraud requires looking for “discontinuity” signals, according to Group-IB.
Flag mobile virtual network operator (MVNO) IPs on desktop sign-up sessions. A desktop device on a mobile carrier IP has no legitimate explanation.
Monitor “device downgrades,” where an account moves from a high-end iPhone used by the victim to a budget Android used by the fraudster immediately after verification.
Link the subnets. Shared browser fingerprints or subnet overlap across multiple accounts reveal the network clusters that individual session analysis misses.
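One way to correlate these signals across an account's sign-up, KYC and first login rather than reviewing each session alone, as an added example (not Group-IB's code). The event format, device labels, carrier range list and /24 grouping are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed carrier range list; a real one comes from an IP-intelligence feed.
MVNO_RANGES = [ip_network("198.51.100.0/24")]

# Constructed events: (account, stage, device, ip), in time order.
EVENTS = [
    ("acct-1", "signup", "desktop", "198.51.100.17"),
    ("acct-1", "kyc", "iphone-high-end", "203.0.113.40"),
    ("acct-1", "login", "android-budget", "198.51.100.23"),
    ("acct-2", "signup", "desktop", "198.51.100.88"),
    ("acct-2", "kyc", "iphone-high-end", "203.0.113.91"),
    ("acct-2", "login", "android-budget", "198.51.100.90"),
    ("acct-3", "signup", "desktop", "192.0.2.77"),
    ("acct-3", "kyc", "iphone-high-end", "192.0.2.77"),
    ("acct-3", "login", "iphone-high-end", "192.0.2.78"),
]

def subnet(ip):
    """Group an address into its /24 (assumed clustering granularity)."""
    return ip_network(f"{ip}/24", strict=False)

def on_mvno(ip):
    return any(ip_address(ip) in net for net in MVNO_RANGES)

def account_signals(events):
    """Per-account flags from comparing sign-up, KYC and first login."""
    stages = defaultdict(dict)
    for acct, stage, device, ip in events:
        stages[acct].setdefault(stage, (device, ip))  # keep first per stage
    result = {}
    for acct, s in stages.items():
        flags = set()
        signup, kyc, login = s.get("signup"), s.get("kyc"), s.get("login")
        if signup and signup[0] == "desktop" and on_mvno(signup[1]):
            flags.add("desktop_on_mobile_ip")
        if kyc and login and kyc[0] == "iphone-high-end" and login[0] == "android-budget":
            flags.add("device_downgrade")
        if (signup and kyc and login and subnet(kyc[1]) != subnet(signup[1])
                and subnet(login[1]) == subnet(signup[1])):
            flags.add("login_back_on_signup_subnet")
        result[acct] = flags
    return result

def linked_clusters(events):
    """Sign-up /24s shared by more than one account."""
    seen = defaultdict(set)
    for acct, stage, _, ip in events:
        if stage == "signup":
            seen[str(subnet(ip))].add(acct)
    return {net: accts for net, accts in seen.items() if len(accts) > 1}
```

In the constructed data, acct-1 and acct-2 raise all three per-account flags and share a sign-up subnet, while acct-3 stays on one network and one device class and raises none.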
In underground markets, price is the clearest indicator of success. When verified account prices drop, it signals that herders have found a path of least resistance. For security teams, the goal is to make that path too expensive to travel.