I launched the U.S. Secret Service’s Global Investigative Operations Center in August 2017 to serve as the internal fusion center to disrupt and dismantle financially motivated transnational organized criminal groups. At the time, I had extremely limited resources. How limited? It was me and two analysts.

If you were told to disrupt organized crime and given limited resources, where would you start? For us, the choice was clear. We identified what we called the centers of gravity that enabled cybercrime to flourish. As part of an agency that was founded in the U.S. Treasury Department in 1865, we knew how to do one thing as well as anyone – follow the money. Following the money meant targeting money mule networks as they serve as a chokepoint (center of gravity) for business email compromises, romance scams, impersonation scams, and investment scams.

Classifying Money Mules by Intent

One of the challenges for law enforcement is that there are two types of money mules: witting and unwitting. We can break those down further into five mule personas but for the purposes of this blog, let’s stick with these two types. Unwitting money mules are most often recruited from an advertisement to “work from home” and make a lot of money, but they also include those who are somewhere in the lifecycle of a romance scam.

While I was assigned to the Secret Service office in Manchester, NH, we uncovered criminals taking advantage of people with disabilities to serve as unwitting money mules who were laundering millions of dollars of stolen funds. First recruited to work from home, their “relationship” with their “boss” evolved into a romance scam. They lost all their money and then laundered millions more.

There is not a prosecutor in the country that will take one of these cases of an unwitting money mule because one of the first elements of any Federal offense is normally “intent.” If we came across unwitting money mules, we would issue them “money mule” letters informing them that they are laundering money for criminals, and any additional wire transfers/ACH/deposited checks withdrawn for cash would be considered conspiracy to commit wire fraud. The mule letters established the ability to prosecute if the criminal activity continued.

Truth be told, it was hard to prosecute these folks even after issuing them the money mule letters because they were sympathetic figures, and the real goal was to get them to stop. Our advice was always as basic as:

Never respond to an offer to earn quick and easy money.

Never agree to receive and send money on behalf of others.

Never share your bank account or personally identifiable information (PII).

Never open a joint account with anyone other than close family.

Witting money mules, on the other hand, are knowingly involved in criminal activity and taking active measures to conceal the origin of the funds or the communications with other co-conspirators. Like many criminal investigations, intent is also proven via the suspect’s own written or spoken word so we would obtain and serve search warrants on their email providers and other ISPs.

Both witting and unwitting money mules can move millions of dollars in weeks. Working with other law enforcement and financial institutions, our objectives were to seize/freeze as much money and arrest as many leadership level fraudsters as we could. On paper, the numbers were impressive. We recovered close to $1 billion in losses that were returned to victims. What we didn’t advertise was that, due to the speed in which money mules are directed to transfer the funds, we probably only recovered $1 for every $10 that was laundered.

Fraudsters Do Homework on Money Mules

It should go without saying that fraudsters spend considerable time vetting their money mules. We worked a case in which one fraudster had hundreds of credit reports in his email inbox. After I arrested him, he told me that those credit reports, which he obtained via answering the knowledge-based authentication questions after buying their PII for pennies on the dark web (a blog for another day) at the free credit reporting websites. He downloaded the credit reports to make sure the money mules he was recruiting were “credit worthy” to handle high-value transfers. In other words, would they steal from him.

We partnered with the FBI, Europol, and other international law enforcement in Money Mule Action Weeks and other initiatives to disrupt their ability to move billions of dollars in stolen funds every year. The challenge was, as is often the case in law enforcement, we were reactionary and couldn’t be proactive because, until someone does something criminal, it’s hard to disrupt the future operation. We knew the key to success was being as close to “left of boom” as possible.

New Technologies are Changing the Game

In 2017, when we started our targeted plan to disrupt money mule networks, financial institutions hadn’t widely adopted the technologies, such as behavioral biometrics, that they have at their disposal today to identify and disrupt money mules prior to losses occurring.

For example, in the case of a fraudster using stolen or synthetic identities to open new accounts to serve as money mules, behavioral data can be used to detect criminal intent in the onboarding process. Following are three illustrative examples:

Application Proficiency: This evaluates the user's familiarity with the account application process. A fraudster, frequently utilizing compromised or synthetic identities, tends to exhibit a high level of proficiency in navigating the new account opening process, in contrast to a genuine user.

Data Familiarity: This assesses the user's familiarity with personal data. A fraudster typically lacks familiarity with personal data, often resorting to excessive deletion, cut-and-paste techniques, or automated tools to input information that would be instinctive for a legitimate user.

Advanced Proficiency: This scrutinizes whether the user demonstrates advanced computer skills compared to the general populace. Fraudsters often showcase advanced computer skills uncommon among genuine users, such as utilizing intricate shortcuts, special keys, or frequent application toggling.


Amid escalating social engineering assaults and the surge in authorized push payment (APP) scams, regulators around the world are paying new attention to the role mule accounts play in the global cybercrime epidemic, and receiving banks are under increased pressure to do more. In the UK, effective October 2024, receiving banks will be held liable for 50% reimbursement to victims of APP fraud. Other nations are following suit.

I was proud to see our team in the GIOC, working with FIs around the world who had proactively implemented controls, disrupt criminal networks and seize hundreds of millions of dollars that was ultimately returned to victims. As an industry, FIs and law enforcement must be as innovative and agile as the criminals we hunt. We can no longer just react after the fact.

Matt O’Neill is a retired U.S. Secret Service agent who served as the Managing Director of Cyber Operations where he led the Secret Service’s global cyber investigative operations, digital forensics, mobile wireless tracking, and critical systems protection portfolio. O’Neill led scores of international high-profile investigations involving hacking, sextortion, money laundering, and other crimes, and helped seize over $2B in illicit proceeds during his tenure. To learn more about his upcoming speaking appearances, visit the BioCatch Events page.

Recent Posts