Money Mule Networks in MENA: Key Insights and Solutions from Our Latest Webinar

In today’s fast-evolving financial landscape, financial institutions constantly face the threat of money laundering. One of money laundering techniques, Money Muling has become rampant, with fraudsters deploying increasingly sophisticated techniques to exploit financial systems and evade detection, especially in regions like MENA. To address this issue on May 20, 2025, FOCAL hosted a thought-provoking webinar titled “Money Mule Networks in MENA Insights and Solution” featuring Gerrit Bekker, Director of Data Science at Mozn, Marwan Ismael, Principal Solution Engineer, and Georg Knoerr, Vice President of Client Operations at Mozn who moderated the webinar. The session offered insights into how organizations can overcome and prevent Money Muling.

Money Mule Networks – How They Move Money

A foundational theme of the webinar was the rising threat of Money Mule activity in the MENA region and the continuous fight against financial crime. Both Gerrit Bekker and Marwan Ismael shared insights on the evolving risks of Money Mules, as well as the regulatory expectations surrounding their detection.

Marwan began the webinar by explaining how Money Mule networks are built. This can be broken down into two steps:

1. Building the network of Mules: This includes recruiting from already known criminal networks, as well as recruiting new individuals. This can be done through fake job advertisements, investment scams, or threats. Some individuals are tricked or forced into becoming mules, while others knowingly engage in mule activity for financial gain. Once recruited, these individuals are used to create or provide access to multiple bank accounts. These accounts, known as "mule accounts", can be either pre-existent or newly opened across different financial institutions, including traditional banks and fintech platforms.

2. Getting illicit funds from victims and cashing out the funds: Once the network is functioning, fraudsters begin moving the illicit funds from criminal activities through small transactions and different accounts. Then the funds are gathered in a “consolidation account,” which acts as the final point for the laundered money. Funds are then cashed out through ATMs, transferred out of the country, or converted into other assets to further obfuscate their origins.

Key takeaway: Money Muling networks are carefully built, requiring two key stages, to move illicit funds, making it hard to trace them.

What Regulators Want

Regulators in the MENA region—like SAMA (Saudi Central Bank) and the UAE Central Bank—are tightening their stance on financial fraud, including Money Mule activity. Here's what they expect from financial institutions:

1. Stronger Onboarding Controls

• Verify customer identities thoroughly.

• Prevent suspicious individuals from opening accounts.

• Use both internal and external data sources to validate identity.

2. Ongoing Monitoring

• Track both financial and non-financial activities (e.g., logins, and device changes).

• Detect unusual behavior like sudden spikes in transactions or logins from multiple locations.

3. Real-Time Detection & Prevention

• Implement systems that can stop suspicious transactions or account openings instantly.

Insight: Regulators in MENA are raising the bar on financial crime prevention. They expect financial institutions to adopt stronger onboarding, continuous monitoring (including non-financial behavior), and real-time systems to detect and stop fraud—especially Money Mule activity—before it happens.

Signals and Red Flags to Spot a Mule

To spot a Money Mule, one must look out for these signals and red flags.

1. New accounts with high transaction velocity: Especially within 3–6 months of account opening.

2. Accounts opened online: No physical branch visit, increasing anonymity.

3. Dormant or “sleeper” accounts: Previously inactive for 3–6 months, then suddenly active with multiple transactions.

Long-dormant accounts are suddenly used in suspicious patterns.

4. Non-financial behavior anomalies:

• Frequent logins.

• Changes in address or device.

• Logins from multiple or distant locations in a short time (e.g., Dubai then Riyadh within minutes).

5. Test transactions: Small withdrawals or transfers to check if funds can be moved, followed by large transfers.

6. High-risk counterparties: Transactions involving individuals already flagged as mules or under investigation.

7. Network connections to confirmed mules: Shared devices, IPs, or behavioural patterns linking to known mule accounts.

Case Study – How a Leading Bank Stopped Mules in Their Tracks

Gerrit explained how the organization FOCAL by Mozn worked with was facing a critical challenge that was evolving mule networks that were passing detection by adopting more complex behaviors. These networks used specific ISPs and masking mechanisms to hide their geolocations and identities. With IB threat intelligence and a data-driven mule detection strategy, the leading bank was able to stop the mule networks.  

This approach included:

Device Fingerprinting: This solution helps banks track devices previously involved in mule activity.

Threat Intelligence Integration: Receiving additional information about the IP providers helps with identifying suspicious patterns. 

Graph Network: Stores data in columns and rows to map connections between devices and account holders.

“Our focus is a data-driven one, we utilize multiple data points—customer profile data, transaction data, and device information—to build a 360° view of the mule. This allows us to build better detection models and use AI to drive more effective mule detection rules.” —Gerrit Bekker.

Final Thoughts

This webinar highlighted the importance of adopting advanced, data-driven approaches to tackle the evolving threat of Money Mule networks in the MENA region. Traditional rule-based systems are ineffective against sophisticated Money Mule networks, which are adept at evolving their behaviors to avoid detection. These networks utilize multiple devices and locations, both locally and internationally, to avoid being on the radar. The key to effectively stopping mules lies in adopting a data-driven approach that provides a comprehensive view of mule activities. By leveraging AI and machine learning, financial institutions can build better profiles of mules, develop more effective detection models, and implement robust strategies to counteract these complex behaviors.

Q&A Highlights:

During the Q&A, both Gerrit and Marwan answered some of the audience’s questions:

Q1: What is the accuracy in numbers for the solution, particularly in false positives and false negatives?

Gerrit answered that detection rates depend on various factors, but current systems can identify approximately 70% of muling activity. Businesses rely on network analysis, which helps with identifying suspicious patterns and potential mule accounts before they begin transacting.

There are two key layers in mule detection:

1. Transaction-Based Detection

2. Network-Based Detection

While it's difficult to quantify how effective the network analysis is, using both strategies combined results at a very low false positive rate, under 2%. This means that when an account or device is flagged and blocked or blacklisted, 98% of the time it is a confirmed mule, with only 2% of the time being falsely identified.

Q2: Can you explain more about the use of multiple geolocations in mule networks?

Marwan explained that an effective way to detect and prevent Money Muling is through network and geolocation analysis. This is done by identifying the mule —whether internally, or through a financial institution, or through a central bank— investigators can use that individual as a starting point to build a bigger network and identify other mules.

Another example mentioned by Marwan is fraud hotspots. If several people belong to the same fraudulent network, and they are found to be operating within the same area (20 to 40 square meters), this location can be flagged as high risk. Activity coming from these hotspots can then be identified as riskier behavior and monitored more closely using preventive systems or machine learning models, allowing for early detection.

Q3: How effective is geolocation for the models, and are there ways I can spoof my location?

In this answer, Gerrit mentioned that fraudsters today do attempt to spoof their location, but FOCAL by Mozn has developed advanced device intelligence systems to counter this problem. The platform uses multiple mechanisms to verify a user’s location, making spoofing harder to work effectively.

Q4: Are mules discovered using supervised or unsupervised learning approaches, or a combination of both?

Gerrit confirmed that supervised learning approaches are more effective for detecting Money Mules. Unsupervised learning creates many false positives, but with labeled data and access to confirmed mule cases through a feedback loop, supervised learning becomes the recommended approach.

Q5: Do transactional records constitute IP device and location information, or do we collect the information from multiple data sources to enrich the data and the power of detection?

Gerrit confirmed transactional data is purely about incoming and outgoing transactions, and does not include IP addresses, device, or location information. On the other hand, device data has to do with how people interact with the accounts, where they’re logging in from, and the account data where the money is transferred.

Q6: How do you bypass the anti-detection AI-based models that fraudsters themselves use to conceal your behavior?

Fraudsters can use machine learning (ML) and AI-based models to detect and evade systems, specifically human-based rules. Using even more advanced tools makes it harder for fraudsters to bypass. In the end, Gerrit confirms that fraudsters do use the same tools that we use to detect and avoid detection.

Q7: How does a bank ensure that the alerts generated by the AI models are explainable and clear to investigators and regulators?

With regulatory requirements and the need for effective investigations, Gerrit mentions that Explainable AI (XAI), a sub-branch of machine learning and data science focused on making AI decisions understandable to humans, plays a part. It derives from when we build the AI models, moving away from black box models, and instead, understanding how the design models work and how decisions are made.

Today, we combine traditional AI with large language models (LLMs) to enhance its human-like capabilities. AI is useful in providing the right tools for decision-making, speeding up investigations, making them more consistent, and giving statistical data and reasoning. This allows the model to pick up new behaviors quicker following model retraining.

Marwan adds that part of the output from our offerings is automation with the use of CRM, IVR, OTB, and other systems, which help take the burden off investigators. We can also take immediate actions based on the thresholds agreed with the financial institute.

Another capability we have is the FOCAL Agentic AI, which generates descriptions for each case, explaining why an alert was generated, why we’re flagging a particular customer, and what is the recommended action to take for such cases.