Study of money mules in Karnataka cybercrimes calls for regulation of cryptocurrency to check galloping crime rate

Quoting data from the National Cyber Crime Reporting Portal (NCRP) for the year 2024, the study states that ₹2,915 crore was lost in 6.11 lakh cyber crimes in Karnataka – ₹1860 crore from private banks (3.02 lakh cases) and ₹948 crore from public banks (2.55 lakh cases). The losses caused by cyber crimes in Karnataka are reported to have increased fourfold in 2024 from ₹660 crore reported in 2023.

The study has looked at the subject of money mules who knowingly or unknowingly facilitate the usage of bank accounts to facilitate the laundering and layering of money stolen from lakhs of innocent victims through scams like investment frauds, digital arrests etc, leading to the eventual transfer of the stolen funds to the operators of cybercrime networks through modes like cryptos or direct withdrawals.

“The unregulated cryptocurrency market is exacerbating the issue of money muling. Recent cases have revealed that laundered money is either converted into cryptocurrency using a money mule or transacted through P2P transactions with genuine crypto traders,” says the report authored by cybercrime police experts and the Data Security Council of India.

The laundering of cybercrime proceeds through cryptos “is further complicated by certain gaming platforms, such as casinos, that allow cryptocurrency deposits. Many cryptocurrency exchanges either do not require KYC or are based in foreign countries with lenient regulatory frameworks, both of which pose challenges for investigators,” says the study.

The study has identified the tracking of the conversion of money stolen in cybercrime as “a significant challenge for law enforcement agencies”. Apart from cash withdrawals at overseas ATMs using Indian debit cards in locations such as Dubai, Hong Kong, and Bangkok, as well as ATMs in remote areas across India, cryptocurrency conversions are seen as a key challenge.

“In many instances, illicit funds are converted into cryptocurrency through peer-to-peer (P2P) transfers on unregistered platforms and exchanges) changes). According to the CFCFRMS (Citizen Financial Cyber Fraud Reporting and Management System) platform, crypto valued at approximately ₹ 5.52 crores was transferred from March to May 2024 via the Bitget multi-exchange platform,” states the Karnataka study.

“In this process, criminals use mule accounts to funnel funds into international payment aggregators and global wallets such as Pypl from which the money is subsequently transferred to Binance,” states the report.

The study has identified regulation of the cryptocurrency market as a key step in regulating the exploding rate of cyber crimes in states like Karnataka.

“There is a pressing need to regulate the cryptocurrency market in India. This regulation should not only require cryptocurrency exchanges to follow specific norms for collecting and verifying user details but also include penal provisions for money laundering and other illegal activities,” says the study on money mules in cyber crimes.

In addition “gaming and other platforms that receive direct cryptocurrency payments need to be regulated, requiring registration and mandatory KYC verification for customers. The government may consider banning non-compliant platforms and prohibiting Indian residents from transacting on cryptocurrency platforms not registered with the Government of India,” says the report.

The study has also called for better monitoring of accounts by the banking sector to identify the creation and usage of mule accounts which tend to be dormant accounts or new accounts opened with fictitious details of identity and location.

“Cybercriminals are exploiting the online account opening facilities offered by numerous banks to open mule accounts using fake and nonlocal addresses. For instance, an individual located in Rajasthan may open an online account while providing a Bengaluru address. In one of the cases investigated at CID Bengaluru, up to 125 mule accounts have been opened in a private bank through online channels, where only basic KYC is required, and no physical verification is conducted by the banks,” states the study.

Banks not flagging suspicious transactions

While the RBI has mandated the generation of ‘Suspicious Transaction Reports’ to the centralised Financial Intelligence Unit India (FIU-IND) with warnings against non-compliance as part of efforts to regulate cyber crimes, banks tend to default on STRs, says the report.

“Investigations have revealed that banks sometimes fail to flag transactions as suspicious when large volumes occur. This failure is often attributed to negligence on the part of the banks, and in some rare cases, insiders in the bank colluding,” says the cybercrime report.

Banks also tend to allow individuals to easily change the registered phone numbers on their bank accounts, and “genuine accounts are sold to fraudsters who then link their phone numbers, enabling control over internet banking” even if the new mobile number does not match the one registered with Aadhaar.

“Despite the RBI mandates for strict due diligence on mobile number changes, this is not uniformly enforced across banks,” says the study. The study has pointed out that the RBI has also developed an in-house Artificial Intelligence/Machine Learning based solution called Mulehunter.AI “to detect suspected mule accounts”.

“Another factor aiding the proliferation of mule accounts is the ease with which fraudsters acquire mobile SIM cards. Cybercriminals procure SIMs using forged Aadhaar cards and other identities,” the study has reported.

In terms of legal provisions the absence of punitive measures against money mules in the existing laws in the country has been a hindrance to regulating cybercrimes, says the report.

“As neither the Bharatiya Nyaya Sanhita (BNS), 2023 nor the Information Technology Act, 2000 contains sections solely and expressly dealing with money mules, individuals knowingly operating these accounts do not face criminal penalties in cybercrime cases specifically for being a money mule,” the report has stated.

“The entire gamut of cyber crime offences are occurring in the white economy of the country. The mechanisms introduced for financial inclusion like bank accounts and net banking are being misused for cyber crime. The cyber crimes involve the theft of white money through regular banking channels and not unknown networks,” a Karnataka cybercrime officer said.