Industry News & Leadership, May 26, 2026

Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts

Cybersecurity News. Archived May 26, 2026.



By Tushar Subhra Dutta, May 25, 2026

Cybercriminals are openly selling verified bank accounts, fintech wallets, and cryptocurrency exchange accounts through Telegram channels, turning money laundering into a structured, on-demand criminal service. This underground market has grown far beyond informal recruitment and now operates like a professional industry, complete with tiered pricing, customer support, and account replacement guarantees.

The funds moved through these networks often come from phishing campaigns, ransomware attacks, Business Email Compromise scams, and investment fraud. In the United States, an estimated 0.3% of all accounts at financial institutions are believed to be mule-controlled.

These operations rely on stolen identities, AI-generated personas, and compromised credentials to create accounts that pass identity checks at banks and fintech platforms. Criminals use forged documents, deepfake videos, and synthetic identity kits to onboard new accounts without triggering fraud alerts. Once active, these accounts receive illicit funds, quickly disperse them across multiple institutions, and withdraw the money before any financial institution can respond.

Analysts at KELA Cyber Intelligence Center identified extensive underground activity tied to these mule networks across Telegram channels, dark web forums, and encrypted messaging groups. KELA said in a report shared with Cyber Security News (CSN) that threat actors are openly advertising verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and full-service laundering operations at industrial scale.

Cybercriminals Use Telegram Channels

Telegram has become the primary storefront for what researchers call Mule-as-a-Service, or MaaS, a specialized segment of the broader Fraud-as-a-Service ecosystem.
(Figure: User in a Telegram channel offering bank accounts from various U.S. banks. Source – Kela)

Sellers openly list accounts from banks across the United States, Latin America, and Europe, with some posts advertising hundreds of accounts alongside customer vouchers to prove reliability. These channels operate with a structure that mirrors legitimate e-commerce businesses, including refund policies if a purchased account gets frozen or restricted.

KELA identified nearly 250,000 Telegram messages related to Brazilian “Contas Laranja,” or “Orange Accounts,” which are bank accounts rented or fraudulently created to move funds through Brazil’s PIX instant payment system. In Argentina, over 100,000 Telegram messages referenced the sale or rental of accounts linked to CBU and CVU identifiers used by local banks and digital wallets. Colombian fintech platforms such as Nequi and Daviplata were also flagged in underground discussions for their perceived ease of onboarding.

Some sellers offer complete cash-out pipelines where a buyer transfers dirty funds and receives clean money in return. One actor on a Russian-origin Telegram channel called GrossInfo was observed selling edited identity documents to help bypass Know Your Customer checks. These sellers also advertise PSD document templates designed to pass automated identity verification, with one such post collecting more than 400 replies from interested buyers.

(Figure 1: A post offering PSD templates for KYC bypass on a dark web forum)

AI Is Making These Operations Harder to Detect

Artificial intelligence has fundamentally changed how mule accounts are created and managed. Threat actors use large language models, deepfake video tools, and platforms like RunwayML to fabricate realistic facial movement videos that trick remote verification systems at banks and fintech apps.
One manual shared on the CrackedTo forum instructed users to prompt ChatGPT with phrases like “generate natural facial movements for verification” to fool banking application liveness checks. Beyond account creation, AI automates account warming, where bots carry out low-risk transactions like paying utility bills to make an account appear legitimate before illicit funds arrive.

(Figure: User in carding Telegram channel offering money mule services. Source – Kela)

Predictive smurfing algorithms dynamically adjust transfer sizes and timing to stay below Anti-Money Laundering detection thresholds. Voice cloning tools built on Retrieval-based Voice Conversion systems can also replicate a victim’s voice to bypass callback verification at financial institutions.

To defend against these threats, KELA recommends that organizations actively monitor dark web forums and Telegram channels for emerging MaaS activity. Financial institutions should upgrade identity verification systems to detect deepfake injection attacks, where synthetic video is fed directly into a banking application’s input pipeline rather than shown to a physical camera. Security teams should also deploy behavioral analytics capable of recognizing AI-assisted account warming and adaptive smurfing behaviors that standard AML systems are not built to catch.

Indicators of Compromise (IoC)

Type: .onion URL
Indicator: exiliow4ctlzrvaglkgwqnpxdlvrxmdgvuy2hkbzqoziebfim6q5hwid.onion
Description: Brazilian dark web forum “Exillio404” used to exchange operational guidance on money mule operations, account rentals, and laundering techniques

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
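The behavioral analytics recommended above can be illustrated with a small rule that looks at an account's aggregate behavior rather than at each transfer in isolation. This is an added example, not code from KELA or the article; the ledger is constructed sample data, and the threshold, window, and ratio values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000            # assumed per-transfer AML reporting threshold
WINDOW = timedelta(hours=24)  # assumed look-back window after each inbound credit

# Constructed sample ledger: (time, account, direction, counterparty bank, amount)
LEDGER = [
    ("2026-05-01 09:00", "acct-A", "in",  "bank-X", 27_000),
    ("2026-05-01 09:40", "acct-A", "out", "bank-P", 9_200),
    ("2026-05-01 11:15", "acct-A", "out", "bank-Q", 8_700),
    ("2026-05-01 13:05", "acct-A", "out", "bank-R", 8_900),
    ("2026-05-01 10:00", "acct-B", "in",  "bank-X", 3_000),
    ("2026-05-03 10:00", "acct-B", "out", "bank-P", 1_200),
    ("2026-05-09 10:00", "acct-B", "out", "bank-P", 400),
]

def parse(ledger):
    """Group rows by account and sort each account's rows by time."""
    by_acct = defaultdict(list)
    for ts, acct, direction, bank, amount in ledger:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_acct[acct].append((when, direction, bank, amount))
    for rows in by_acct.values():
        rows.sort()
    return by_acct

def flag_accounts(ledger, threshold=THRESHOLD, window=WINDOW,
                  min_banks=3, min_ratio=0.9):
    """Return {account: [reasons]} for rapid pass-through and split dispersal."""
    alerts = defaultdict(list)
    for acct, rows in parse(ledger).items():
        for t_in, direction, _, credit in rows:
            if direction != "in":
                continue
            # Outbound transfers that follow this credit within the window
            outs = [(bank, amt) for t, d, bank, amt in rows
                    if d == "out" and t_in <= t <= t_in + window]
            total = sum(amt for _, amt in outs)
            banks = {bank for bank, _ in outs}
            # Most of the credit leaves quickly to several institutions
            if total >= min_ratio * credit and len(banks) >= min_banks:
                alerts[acct].append("pass-through")
            # Every transfer is under the threshold, but the sum is not
            if total > threshold and outs and all(a < threshold for _, a in outs):
                alerts[acct].append("sub-threshold-split")
    return dict(alerts)

if __name__ == "__main__":
    print(flag_accounts(LEDGER))
```

A per-transfer threshold check would pass every row for acct-A; the rule fires only because it sums the dispersal that follows a single credit.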