Preface: A Problem Hiding in Plain Sight
There is a peculiar quality to the mule account threat that makes it so difficult to tackle: the account looks entirely normal. The account holder is real. The KYC documents seem genuine. The account was opened through a legitimate branch or a verified digital onboarding channel. The first few transactions are unremarkable. And then, without warning, the account becomes a conduit, receiving stolen funds, moving them through a chain of other ordinary-looking accounts, and dispersing them before any investigator can trace the trail.
This is not a theoretical vulnerability. It is the dominant mechanism behind India’s surging cyber fraud losses. And the most significant gap in the response is not technological, it is categorical. Mule accounts are being treated primarily as a fraud problem, managed by fraud teams with fraud-detection tools and fraud-response playbooks. But mule account networks are money laundering infrastructure. They are the “layering stage” of the AML typology, executed at scale, automated in recruitment, and increasingly integrated with crypto offramps that put proceeds beyond the reach of conventional tracing.
Until compliance officers, Principal Officers and AML teams claim ownership of this problem with the tools, monitoring frameworks and STR narratives it requires, the regulatory response will remain structurally incomplete, no matter how sophisticated the detection technology becomes.
This article makes that case, in full.
1. The Numbers India Has Not Fully Reckoned With
The headline figures are public. The compliance implications are not being discussed with proportionate urgency.
In 2024, India recorded 36 lakh cyber fraud cases, resulting in losses exceeding Rs. 22,845 crore, a 42% increase over the 23 lakh cases reported the previous year. More than 10,000 arrests were made. Projections from the Indian Cyber Crime Coordination Centre (I4C) suggested that if 2024 trends continued unchecked, losses could exceed 1.2 lakh crore by end of 2025.
The banking fraud picture is, if anything, more alarming. In FY 2024-25, the total value involved in banking frauds nearly tripled to Rs. 36,014 crore, up sharply from Rs. 12,230 crore the previous year, even as the number of reported cases fell from 36,060 to 23,953. Fewer cases, far larger losses. The implication is unambiguous: individual fraud events are becoming larger, more coordinated and more sophisticated.
The Suspect Registry, introduced by I4C in September 2024, flagged 24 lakh mule accounts and prevented an estimated Rs. 4,631 crore in further fraud losses. Between September 2024 and January 2026, I4C shared details of more than 2.73 million suspected mule accounts (Layer 1 accounts) with financial institutions, helping block transactions worth over Rs. 9,518 crore.
These are not edge-case numbers. They describe a systemic crisis. And the compliance function, with its obligations under the PMLA, the FIU-IND Red Flag Indicators framework, and the RBI’s increasingly explicit guidance on mule detection, is squarely in the middle of it.
2. Not One Problem – Three Distinct Mule Typologies
A critical error in institutional response is treating “mule accounts” as a single, uniform threat. They are not. There are three materially distinct typologies in the Indian context, and each requires a different detection strategy and a different STR narrative.
A. The Complicit Mule
The complicit mule knowingly allows their account to be used for illegal fund transfers, typically in exchange for a cash payment or a percentage of funds routed through the account. In India, complicit mule recruitment frequently occurs through direct outreach on WhatsApp, Telegram and Instagram offering quick income in exchange for allowing “business payments” to pass through a personal account.
The complicit mule is the hardest to detect through behavioural monitoring alone because they often “actively cooperate” in making transactions look routine. They may change PINs to allow remote access, share OTPs, or operate under explicit instruction from the criminal network about transaction timing and amounts. The detection signal here is not a single transaction anomaly, it is a pattern of account usage that is disconnected from the account holder’s known economic profile: a student account receiving and immediately disbursing lakhs; a rural PMJDY account suddenly transacting in amounts inconsistent with any documented income.
For AML compliance, the STR narrative for a complicit mule account must establish the disconnection between the account holder’s known economic profile and the account’s observed transaction behaviour, not merely flag an individual suspicious transaction.
B. The Deceived Mule
The deceived mule is a victim, not a criminal, though they may unknowingly become one. I4C has documented that 42% of WhatsApp users in India have received a fraudulent job offer, typically promising work-from-home income, part-time earnings, or remittance management for an overseas employer. The victim is asked to receive funds into their account and forward them, believing they are performing a legitimate financial intermediary function.
Deceived mules are disproportionately concentrated among first-time formal banking users, migrant workers, homemakers and students. The I4C’s Pratibimb module, which maps cybercriminal networks, has aided over 10,599 arrests, many involving groups that systematically target these demographics for mule recruitment.
The AML implication is significant: the account holder in a deceived mule scenario is a victim of fraud and an unwitting instrument of money laundering. This dual status creates complexity for STR filing. The STR narrative must capture both the ML dimension (the fund layering function the account is performing) and the context that may indicate the account holder’s victimhood — which affects the appropriate escalation path.
C. The Synthetic or Compromised-KYC Mule
The most sophisticated and most concerning typology is the account opened using fabricated, stolen or coerced KYC. This includes: accounts opened using stolen Aadhaar details purchased on the dark web; accounts opened by Business Correspondents (BCs) who have been compromised or incentivised to open accounts without genuine customer presence; and accounts opened using the identity of deceased persons or individuals unaware that their documents are being used.
The CBI identified nearly 8.5 lakh mule accounts opened across 700 bank branches nationwide in 2025, a significant portion of which involved BC-linked vulnerabilities, particularly in rural and financially underserved regions. The MHA has specifically flagged BC channel compromise as a structural risk requiring urgent attention.
For AML compliance, synthetic mule accounts represent a KYC failure that cannot be remediated post-onboarding through monitoring alone; they require a fundamental rethinking of BC oversight, onboarding verification controls and the ongoing monitoring of accounts opened through agent or assisted channels.
3. How Mule Recruitment Has Been Industrialised
The shift that makes the 2024 to 2026 mule account crisis qualitatively different from earlier iterations is the industrialisation of the recruitment pipeline. This is no longer a cottage industry of individual fraudsters persuading acquaintances to hand over account credentials. It is a transnational, technology-mediated operation.
I4C has formally identified bot-driven mule recruitment networks operating across Facebook, Instagram and Telegram. These bots mass-distribute fake job postings, screen respondents for banking details, and automate the initial account access and transaction instructions, all without human intervention in the early stages of the operation.
The transnational dimension adds a further layer of complexity. Cybercrime syndicates operating from Southeast Asia, particularly Myanmar, Cambodia and Laos, where scam compound operations have been extensively documented, run coordinated operations targeting India’s 290 lakh unemployed population. These syndicates use India’s UPI infrastructure as a collection mechanism and then rapidly convert proceeds through crypto offramps, including peer-to-peer platforms, to fragment and obscure the trail before Indian law enforcement can intervene.
The geographic concentration of mule account activity is telling. Haryana’s Nuh district recorded over 1,000 mule accounts identified in 2025, with Rs. 18 crore withdrawn through more than 1,400 ATM IDs and 75 cheque branches. Jharkhand’s Jamtara, long associated with phone fraud, recorded over 350 mule accounts with Rs. 7 crore in ATM withdrawals. Maharashtra, Uttar Pradesh, Rajasthan, Delhi, Karnataka, Madhya Pradesh, Bihar and Tamil Nadu have all been flagged by I4C as high-risk states.
The operational sophistication is reflected in the transaction structure. Mule networks deliberately spread funds across multiple accounts and geographic regions not because this is operationally convenient, but because it is architecturally designed to defeat rule-based monitoring systems that flag individual account anomalies. No single transaction in the chain may breach a monitoring threshold. The money laundering is in the network topology, not in any individual transaction.
4. Why Traditional AML Monitoring Cannot Catch This
This is the architectural problem at the heart of the compliance failure, and it deserves to be stated precisely.
Rules-based transaction monitoring systems are designed to identify anomalous behaviour in individual accounts. They flag transactions that breach thresholds (velocity, value, geography, counterparty, etc.), applied account by account.
Mule networks are engineered so that no individual account is anomalous. Each account in a mule chain may receive modest amounts, transact infrequently, and show no individually suspicious counterparty. The crime is in the aggregate pattern across accounts, not in any one account’s behaviour when viewed in isolation.
This is a category error in the detection tool. It is equivalent to trying to detect a distributed denial-of-service attack by monitoring individual packet sizes. The threat is not in the individual unit, it is in the coordinated use of many units simultaneously.
The consequences for compliance are significant:
Alert saturation without signal: Rules-based systems, when tuned aggressively enough to catch mule behaviour, generate enormous volumes of false positives, legitimate accounts that happen to share surface-level characteristics with mule accounts (sudden inflows, quick disbursements, high velocity). Institutions that have tried to solve the mule problem by tightening rules have frequently created alert backlogs that overwhelm investigation teams, while still missing sophisticated mule networks operating below individual thresholds.
STR quality degradation: When monitoring systems cannot distinguish a genuine mule account from a legitimate high-velocity account, the STRs that do get filed often lack the contextual richness (the network linkages, the fund flow narrative, the beneficiary identification) that FIU-IND or law enforcement needs in order to act. A high volume of low-quality STRs is worse than a lower volume of high-quality ones. It creates noise in the intelligence infrastructure at precisely the moment when signal clarity is most needed.
The false positive trap: As noted by the Reserve Bank’s own research and amplified by recent enforcement, the same transaction patterns that indicate mule behaviour (sudden large inflows, immediate dispersal, high-frequency transfers) can also resemble entirely legitimate business activity: a GST refund, a vendor payment cycle, a salary disbursement account. The cost of aggressive false-positive generation is real: innocent account holders and small businesses are increasingly caught in account freezes, facing legal and procedural battles to regain access to funds. This is not a cost-free error. It is a regulatory and reputational risk for institutions, and an access-to-finance risk for the broader economy.
The solution is not more rules. It is a different kind of analysis entirely.
5. MuleHunter.AI – What It Does and What Compliance Still Has to Do
RBI’s MuleHunter.AI, developed by the Reserve Bank Innovation Hub (RBIH), represents a genuinely significant intervention. The tool uses machine learning to analyse patterns of account and transaction behaviour, studying nineteen distinct patterns of mule account behaviour, and can detect approximately 20,000 mule accounts per month. As of December 2025, 23 banks have implemented the platform, with the Ministry of Home Affairs having directed all financial institutions to integrate with MuleHunter by December 2026.
The technical capabilities are real. MuleHunter.AI can identify unusual changes in account behaviour, detect connections between accounts that appear unrelated but share common transaction patterns, and critically, trigger alerts that allow banks to freeze suspicious transactions before funds are withdrawn. Unlike traditional systems that identify fraud after the fact, MuleHunter is designed to intervene within the transaction flow.
But here is what MuleHunter.AI does not do, and what compliance must understand clearly.
MuleHunter generates signals. It does not make decisions.
The STR filing decision, which is a legal obligation under the PMLA with consequences for non-compliance, remains solely with the Principal Officer. The case narrative that contextualises why a cluster of accounts constitutes a mule network remains with the AML team. The escalation judgment, whether to freeze an account, whether to exit a relationship, whether to refer a matter for investigation, remains with the compliance function and the Principal Officer.
When MuleHunter scales to full deployment across the Indian banking system by December 2026, the volume of alerts it will generate is expected to multiply significantly. Most institutions are not currently equipped, in terms of investigation team capacity, STR workflow infrastructure, or case narrative quality, to handle that volume. The bottleneck will shift from “detection” to “disposition”. And the disposition function is entirely a compliance responsibility.
The institutions that will be ahead of this curve are those that treat MuleHunter integration not as a fraud tool to be handed to the fraud team, but as an AML signal generator that feeds directly into the STR workflow, with trained investigators, documented decision frameworks, and the capacity to write STRs that capture the network topology of mule operations, not just the individual account anomalies.
6. Where the AML Compliance Function Is Likely Falling Short
The KYC failure in mule account cases is, paradoxically, not primarily at onboarding. The account holder is real. Their documents are (usually) genuine. The account opening checks out. The problem is in what happens after onboarding and in the compliance function’s capacity to detect it.
There are three specific failure modes worth naming:
Failure Mode 1: Monitoring Designed for Individual Accounts, Not Networks
As discussed above, mule operations are network phenomena. A single mule account viewed in isolation may show nothing unusual. The signal is in the aggregate: the same beneficiaries appearing across many accounts; accounts at different institutions receiving funds that converge on a common destination; velocity patterns that, when overlaid across an account cluster, reveal a structured dispersal network.
The compliance tool required to detect this is graph analytics, the analysis of relationships and fund flows across accounts, not just within individual accounts. Graph analytics identifies communities of accounts that are structurally connected, even if no individual connection in the graph is suspicious on its own. It maps the network topology of fund flows and surfaces the clusters that exhibit the structural characteristics of mule layering.
Graph analytics is not a marginal enhancement to existing monitoring. It is a categorically different analytical approach. Institutions that continue to rely exclusively on single-account monitoring rules will continue to miss sophisticated mule networks, regardless of how finely they tune those rules.
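The contrast drawn in Section 4 and in Failure Mode 1, shown as an added example (not part of the original article and not MuleHunter.AI's method): per-account rules see nothing in a constructed set of transfers, while a relay-and-convergence pass over the same data surfaces the cluster. Account names, amounts, thresholds and the relay heuristic are all illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample transfers: (source, destination, amount_inr, minute_of_day).
# Account names, amounts and all thresholds below are illustrative assumptions.
TXNS = [
    ("V1", "M1", 40000, 600), ("M1", "L1", 38000, 612),
    ("V2", "M2", 42000, 602), ("M2", "L1", 40000, 615),
    ("V3", "M3", 38000, 605), ("M3", "L1", 36000, 618),
    ("V4", "M4", 44000, 607), ("M4", "L2", 42000, 620),
    ("V5", "M5", 40000, 610), ("M5", "L2", 38000, 622),
    ("V6", "M6", 36000, 611), ("M6", "L2", 34000, 625),
    ("L1", "B", 45000, 630), ("L1", "B", 45000, 634), ("L1", "B", 18000, 638),
    ("L2", "B", 45000, 632), ("L2", "B", 45000, 636), ("L2", "B", 18000, 641),
    # Legitimate traffic: a payroll account paying staff hours after it is funded.
    ("CLIENT", "PAY", 48000, 100), ("CLIENT", "PAY", 47000, 160),
    ("PAY", "E1", 30000, 900), ("PAY", "E2", 30000, 901), ("PAY", "E3", 30000, 902),
    ("E1", "SHOP", 2000, 905),
]

SINGLE_TXN_LIMIT = 50000      # per-transaction value rule
DAILY_INFLOW_LIMIT = 250000   # per-account daily inflow rule
RELAY_WINDOW_MIN = 30         # outflow is "relayed" if it follows an inflow this closely
RELAY_RATIO = 0.8             # share of inflow that must be relayed onward
MIN_RELAYS = 3                # smallest cluster worth an investigator's time


def account_rule_alerts(txns):
    """Single-account rules: each account is judged in isolation."""
    inflow = defaultdict(int)
    alerts = set()
    for src, dst, amount, _ in txns:
        inflow[dst] += amount
        if amount >= SINGLE_TXN_LIMIT:
            alerts.update((src, dst))
    alerts.update(a for a, total in inflow.items() if total >= DAILY_INFLOW_LIMIT)
    return alerts


def relay_accounts(txns):
    """Accounts that forward most of what they receive shortly after receiving it."""
    in_times, total_in, relayed = defaultdict(list), defaultdict(int), defaultdict(int)
    for _, dst, amount, minute in txns:
        in_times[dst].append(minute)
        total_in[dst] += amount
    for src, _, amount, minute in txns:
        if any(0 <= minute - t <= RELAY_WINDOW_MIN for t in in_times[src]):
            relayed[src] += amount
    return {a for a in total_in if relayed[a] / total_in[a] >= RELAY_RATIO}


def relay_clusters(txns):
    """Group relay accounts and their beneficiaries into connected clusters."""
    relays = relay_accounts(txns)
    neighbours = defaultdict(set)
    for src, dst, _, _ in txns:
        if src in relays:            # keep only edges that carry relayed funds
            neighbours[src].add(dst)
            neighbours[dst].add(src)
    clusters, seen = [], set()
    for start in sorted(neighbours):
        if start in seen:
            continue
        members, stack = set(), [start]
        while stack:                 # depth-first walk of one connected component
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(neighbours[node] - members)
        seen |= members
        cluster_relays = members & relays
        if len(cluster_relays) < MIN_RELAYS:
            continue
        sinks = defaultdict(int)     # where the relayed money converges
        for src, dst, amount, _ in txns:
            if src in cluster_relays and dst not in relays:
                sinks[dst] += amount
        clusters.append({"relays": sorted(cluster_relays), "sinks": dict(sinks)})
    return clusters


if __name__ == "__main__":
    print("single-account alerts:", sorted(account_rule_alerts(TXNS)))
    for cluster in relay_clusters(TXNS):
        print("relay cluster:", cluster["relays"], "->", cluster["sinks"])
```

The cluster output is a signal for investigation, not a disposition: a legitimate account that forwards funds quickly would match the same heuristic, which is why the profile and fund-flow context still has to be established before an STR decision.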
Failure Mode 2: STR Quality for Mule Cases Is Systematically Poor
When a mule account is eventually identified, whether through MuleHunter, through transaction monitoring, through a law enforcement referral, or through adverse media, the STR filed is often inadequate to support downstream action.
A good STR for a mule case needs to: (i) establish the account holder’s economic profile and the deviation of observed transactions from that profile; (ii) map the inflow sources and the beneficiaries of outflows; (iii) identify other accounts in the mule chain, including at other institutions, to the extent visible; (iv) document the timeline and sequence of fund movements; (v) articulate why the observed behaviour constitutes layering within an ML typology, not merely suspicious fraud; and (vi) identify any links to known cybercrime typologies (such as pig-butchering, fake investment scams, digital arrest fraud, etc.) where discernible.
Most STRs filed in mule cases in India currently meet none of these criteria. They describe a transaction anomaly. They do not describe a money laundering network. FIU-IND cannot act on an STR that does not give it the network context it needs to trace fund flows and coordinate enforcement.
Failure Mode 3: The Fraud-AML Boundary Is in the Wrong Place
In most Indian financial institutions, mule account detection and response sits in the fraud team. This is a category error with structural consequences.
Fraud teams are optimised to prevent and recover losses — to freeze accounts quickly, to reverse transactions where possible, to minimise the institution’s direct financial exposure. These are legitimate objectives. But they are not the same objectives as the AML compliance function, which is legally obligated to detect money laundering, file STRs, support investigations, and contribute to the disruption of ML networks.
When a mule account is handled exclusively by the fraud team, the STR obligation may not be triggered at all because fraud teams are not trained in STR decision-making and may not perceive a mule account as an ML event. Or, where an STR is filed, it may lack the analytical depth needed because it has been drafted by an investigator whose primary frame is fraud recovery, not ML typology analysis.
The structural fix is to ensure that mule account cases, once identified, are routed through the AML workflow: assessed against the ML typology, reviewed by the Principal Officer, and documented in STRs that reflect an understanding of the layering function the mule account is performing.
7. The Sector Picture – Different Vulnerabilities, Different Obligations
The mule account threat manifests differently across sectors, and the compliance response must be calibrated accordingly.
Banks and Cooperative Banks
Banks remain the primary entry point for mule fund flows: they hold the accounts that receive fraud proceeds and through which layering occurs. The BC channel compromise risk is particularly acute for smaller cooperative and regional rural banks with limited monitoring infrastructure. For these institutions, the December 2026 MuleHunter integration deadline is both an opportunity and a challenge: the tool will surface mule accounts that current systems miss, but the investigation and STR workflow to handle the resulting volume may not exist.
Large private and public sector banks are further along in terms of monitoring sophistication, but face a different challenge: alert volume management. Banks with millions of accounts and complex transaction patterns face the most acute risk of both false positive saturation and false negative gaps in mule detection.
Fintechs and Payment System Operators
Fintechs and UPI-enabled payment service providers face a distinct version of the mule problem. Mule networks use UPI as a collection and dispersal mechanism because its real-time, 24/7 availability makes it ideal for rapid fund movement. Payment intermediaries are structural enablers of mule operations even when they do not hold the mule accounts themselves.
The compliance obligation for a payment intermediary is to monitor transaction flows for network-level mule characteristics, not just account-level anomalies, and to coordinate with nodal banks on STR intelligence. Fintechs that have invested heavily in fraud detection but have not mapped that investment to their AML obligations under the PMLA are particularly exposed.
NBFCs and Microfinance Institutions
NBFCs and MFIs face a specific version of the deceived mule risk. Borrowers, particularly in rural or semi-urban catchments, may have their accounts used as mule accounts without their knowledge, as part of social engineering operations that target underserved financial service users. For NBFCs with portfolio monitoring infrastructure, the challenge is integrating mule account detection signals into their existing credit and portfolio monitoring frameworks.
Virtual Digital Asset Service Providers (VDA SPs) and Crypto Exchanges
The crypto dimension of the mule account problem is the fastest-evolving and least adequately addressed. Mule networks increasingly use P2P crypto platforms as the offramp at the end of the fund flow chain, converting rupee proceeds into crypto assets to fragment the trail and place funds beyond the reach of conventional bank-level investigation.
Starting March 2023, VDA SPs in India are required to register with FIU-IND and comply with PMLA obligations, including AML/KYC requirements and STR filing. But the practical reality is that many VDA SPs have invested primarily in onboarding KYC without building the ongoing transaction monitoring capability needed to detect mule-related fund flows hitting their platforms. The FATF, in its June 2025 update, specifically highlighted persistent gaps in the implementation of travel rule and transaction monitoring requirements for virtual asset service providers globally, and India is not an exception.
For crypto exchanges and VDA SPs, the compliance question is not whether mule funds are reaching their platforms (they are) but whether their monitoring infrastructure is capable of detecting the transaction patterns (rapid P2P conversion, fragmented amounts, unusual counterparty clusters) that characterise mule-to-crypto offramp activity.
8. The Framework – What Needs to Change
The mule account crisis requires a response at three levels simultaneously: within institutions, at the regulatory level, and across the industry as a whole.
For Institutions: A Five-Point AML Compliance Upgrade
(i). Establish network-level monitoring as a distinct capability.
Graph analytics must be deployed alongside, not as a replacement for, existing transaction monitoring. The objective is to surface account clusters that exhibit mule network topology: convergent fund flows, common beneficiaries, correlated velocity patterns across accounts that individually appear clean. This capability does not need to be built from scratch (several RegTech platforms offer graph-based AML monitoring), but it needs to be treated as a compliance investment, not a fraud department optional upgrade.
(ii). Redesign the mule account STR workflow.
Institutions should document a specific STR narrative template for mule account cases that captures: account holder economic profile deviation; network linkage evidence; fund flow mapping; typology identification; and downstream beneficiary analysis to the extent visible. STR quality for mule cases should be a specific metric tracked by the PO and the compliance audit function.
(iii). Formally transfer mule account case management to the AML function.
The fraud-AML boundary needs to be redrawn. The fraud team retains responsibility for transaction reversal and recovery. The AML team under the PO takes responsibility for STR assessment and filing in all cases where a mule account’s operation constitutes layering. Escalation protocols between the two functions need to be codified and tested.
(iv). Build BC channel oversight into the ongoing monitoring framework.
For institutions with a BC distribution network, the synthetic mule risk (accounts opened through compromised or negligent BCs) requires a specific monitoring layer: ongoing review of account opening patterns at BC touchpoints, particularly in high-risk geographies; anomaly detection at the BC level, not just the account level; and regular independent verification of accounts opened through assisted channels.
(v). Prepare the investigation function for post-MuleHunter volume.
MuleHunter integration by December 2026 will generate a step-change in mule account signals. Institutions should model the expected alert volume based on their account base, assess current investigation team capacity against that volume, and invest in the people, process and technology needed to handle disposition at scale before the mandate kicks in, not after.
For Regulators: Three Specific Asks
(i). Issue STR quality guidance specifically for mule network cases.
FIU-IND and the RBI should jointly issue guidance modelled on the Red Flag Indicators framework that specifies what a high-quality STR for a mule network case should contain. The absence of such guidance leaves institutions without a clear standard to aim for, and results in systemic STR quality variation that undermines the intelligence value of reported information.
(ii). Mandate AML workflow integration as a condition of MuleHunter adoption.
The December 2026 MuleHunter integration deadline should be accompanied by a requirement that institutions demonstrate that MuleHunter alerts are routed through an AML-governed STR assessment workflow, not handled exclusively by fraud or technology teams. Integration without compliance workflow ownership defeats the purpose of the mandate.
(iii). Clarify the account freeze obligation in the mule context.
The January 2026 IFSCA circular (relevant to IFSC entities) has clarified that STR filing alone does not justify account freezes. The RBI and MHA should issue equivalent guidance for the broader banking sector, clearly specifying the conditions under which a mule account should be frozen (legal order, sanctions designation, confirmed fraud) versus merely reported through STR, to prevent both under-action and the collateral damage of innocent account freezes.
For the Industry: Cross-Institutional Intelligence Sharing
The mule account problem cannot be solved institution by institution. Mule networks operate across institutions: funds enter at one bank, layer through accounts at several others, and exit through a fintech or crypto platform. The intelligence needed to map and disrupt a mule network requires visibility across that entire chain.
The infrastructure for this already exists partially. I4C’s Suspect Registry and the CFCFRMS (Citizen Financial Cyber Fraud Reporting and Management System) already enable some cross-institution flagging. FIU-IND’s financial intelligence function is designed to aggregate and analyse STR data across reporting entities.
What is missing is a structured mechanism for proactive, institution-to-institution intelligence sharing, enabling Bank A, which has identified a mule cluster, to alert Bank B, where the funds are heading, before the transfer completes rather than after. The SWIFT-model information sharing frameworks used in some jurisdictions for correspondent banking risk could be adapted for domestic mule network intelligence. This is a regulatory architecture question that the RBI, MHA and FIU-IND need to address collaboratively, with industry input.
Conclusion: Owning the Classification
The mule account crisis is not a fraud story with some AML implications. It is a money laundering story that begins with fraud as the predicate offence. Accepting that classification fully, structurally, and with the institutional investment it implies, is the most important single step available to India’s compliance community right now.
The tools are improving. MuleHunter.AI is a genuine advance. The Suspect Registry is generating real intelligence. I4C and the enforcement agencies have demonstrated that coordinated action can disrupt mule networks at scale. But the compliance function (the AML teams, the Principal Officers, the compliance committees of India’s banks, fintechs, NBFCs and VDA SPs) has to meet the tools where they are.
That means network-level monitoring. It means STR quality built for the mule typology. It means formal ownership of mule account case management within the AML function. It means preparation for the post-MuleHunter alert volume. And it means participating actively in the cross-institutional intelligence architecture that is the only systemic answer to a threat that does not respect institutional boundaries.
The account looks normal. The crime is in the network. The compliance function needs to be able to see both.
Key data sources and references used in this article:
| Data point | Source |
| --- | --- |
| ₹36,014 crore banking fraud losses FY25 | Trade Brains / RBI data, Feb 2026 |
| 36 lakh cyber fraud cases, ₹22,845 crore losses (2024) | News Mobile / MHA data |
| 24 lakh mule accounts flagged by Suspect Registry | I4C / CFCFRMS data, Sep 2024 |
| 2.73 million Layer 1 mule accounts shared with FIs | I4C, Sep 2024–Jan 2026 |
| ₹9,518 crore in transactions blocked | I4C data |
| ₹4,631 crore fraud prevented by Suspect Registry | I4C / MHA data |
| 8.5 lakh mule accounts across 700 branches (CBI, 2025) | CBI / The420.in, March 2026 |
| Nuh: 1,000+ mule accounts; ₹18 crore withdrawals | I4C / The420.in, March 2026 |
| Jamtara: 350+ mule accounts; ₹7 crore withdrawals | I4C / The420.in, March 2026 |
| MuleHunter.AI: 23 banks live as of December 2025 | MediaNama RTI response, Dec 2025 |
| MuleHunter: ~20,000 mule accounts detected/month | RBI / RBIH data |
| MHA deadline: all FIs on MuleHunter by December 2026 | MHA circular |
| 10,599 arrests aided by Pratibimb module | MHA / I4C data |
| FATF June 2025 update: VASP monitoring gaps | FATF June 2025 |
| VDA SPs under PMLA from March 2023 | FIU-IND |