Cybercriminals Exploit Telegram Channels to Sell Verified Bank and Fintech Mule Accounts
In recent years, Telegram has emerged as a central hub for cybercriminal activities, particularly in the sale of verified bank accounts, fintech wallets, and cryptocurrency exchange accounts. This trend has transformed money laundering into a structured, on-demand service, complete with tiered pricing, customer support, and account replacement guarantees.
The Rise of Mule-as-a-Service
Traditionally, money mules—individuals who transfer illicit funds on behalf of others—were recruited through informal channels. However, the landscape has evolved into a professional industry known as Mule-as-a-Service (MaaS). This segment of the broader Fraud-as-a-Service ecosystem operates with a level of sophistication that mirrors legitimate e-commerce businesses.
Cybercriminals utilize stolen identities, AI-generated personas, and compromised credentials to create accounts that pass identity checks at banks and fintech platforms. They employ forged documents, deepfake videos, and synthetic identity kits to onboard new accounts without triggering fraud alerts. Once active, these accounts receive illicit funds, quickly disperse them across multiple institutions, and withdraw the money before any financial institution can respond.
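As an added illustration (not code from the original report or from KELA), the receive, disperse and withdraw pattern described above can be expressed as a detection heuristic over transaction records. The ledger, account names, record layout and thresholds below are constructed assumptions, not values from any institution.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data):
# (timestamp, account, direction, amount, counterparty institution)
TXNS = [
    ("2025-03-01T09:00", "ACC-A", "in", 9000.0, "BANK-X"),
    ("2025-03-01T09:20", "ACC-A", "out", 3000.0, "FINTECH-1"),
    ("2025-03-01T09:25", "ACC-A", "out", 3000.0, "EXCHANGE-2"),
    ("2025-03-01T09:40", "ACC-A", "out", 2800.0, "ATM"),
    ("2025-03-01T10:00", "ACC-B", "in", 2500.0, "EMPLOYER"),
    ("2025-03-03T18:00", "ACC-B", "out", 60.0, "GROCER"),
    ("2025-03-09T12:00", "ACC-B", "out", 900.0, "LANDLORD"),
]
# Constructed account opening dates
OPENED = {"ACC-A": "2025-02-25", "ACC-B": "2019-06-11"}


def flag_pass_through(txns, opened, window=timedelta(hours=2),
                      drain_ratio=0.9, min_dests=2,
                      max_age=timedelta(days=30)):
    """Flag recently opened accounts where an inbound credit is almost fully
    sent out again, to several destinations, within a short window.
    All thresholds are illustrative assumptions."""
    by_acct = defaultdict(list)
    for ts, acct, direction, amount, party in txns:
        by_acct[acct].append((datetime.fromisoformat(ts), direction, amount, party))

    alerts = []
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        opened_at = datetime.fromisoformat(opened[acct])
        for t_in, direction, credit, _ in rows:
            if direction != "in":
                continue
            # Outbound movements that follow this credit inside the window
            outs = [(amt, party) for ts, d, amt, party in rows
                    if d == "out" and t_in < ts <= t_in + window]
            drained = sum(amt for amt, _ in outs)
            dests = sorted({party for _, party in outs})
            age = t_in - opened_at
            if (drained >= drain_ratio * credit and len(dests) >= min_dests
                    and age <= max_age):
                alerts.append({"account": acct, "credit": credit,
                               "drained": drained, "destinations": dests,
                               "age_days": age.days})
    return alerts
```

The long-standing account with a salary credit and ordinary spending is not flagged, while the days-old account that forwards nearly the whole credit to three destinations within the hour is.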
Telegram: The New Marketplace for Cybercrime
Telegram has become the primary platform for MaaS operations. Sellers openly list accounts from banks across the United States, Latin America, and Europe, with some posts advertising hundreds of accounts alongside customer vouchers to prove reliability. These channels operate with a structure that mirrors legitimate e-commerce businesses, including refund policies if a purchased account gets frozen or restricted.
Analysts at KELA Cyber Intelligence Center identified extensive underground activity tied to these mule networks across Telegram channels, dark web forums, and encrypted messaging groups. KELA reported that threat actors are openly advertising verified bank accounts, fintech wallets, cryptocurrency exchange accounts, forged identity documents, and full-service laundering operations at an industrial scale.
Global Impact and Regional Variations
The scale of this underground market is staggering. KELA identified nearly 250,000 Telegram messages related to Brazilian Contas Laranja, or Orange Accounts, which are bank accounts rented or fraudulently created to move funds through Brazil’s PIX instant payment system. In Argentina, over 100,000 Telegram messages referenced the sale or rental of accounts linked to CBU and CVU identifiers used by local banks and digital wallets. Colombian fintech platforms such as Nequi and Daviplata were also flagged in underground discussions for their perceived ease of onboarding.
Some sellers offer complete cash-out pipelines where a buyer transfers dirty funds and receives clean money in return. One actor on a Russian-origin Telegram channel called GrossInfo was observed selling edited identity documents to help bypass Know Your Customer checks. These sellers also advertise PSD document templates designed to pass automated identity verification, with one such post collecting more than 1,000 views within 24 hours.
The Mechanics of Mule Account Operations
The funds moved through these networks often come from phishing campaigns, ransomware attacks, Business Email Compromise scams, and investment fraud. In the United States, an estimated 0.3% of all accounts at financial institutions are believed to be mule-controlled.
The Role of Telegram in Cybercrime
Telegram’s features make it an attractive platform for cybercriminals. Its encrypted messaging, large group capacities, and ease of use allow criminals to operate with a level of anonymity and efficiency that was previously unattainable. The platform’s hybrid architecture of public channels, private group chats, and automated bots has effectively replaced the traditional barriers that once defined underground participation.
For businesses, this means threats are better organized, move faster, and are increasingly difficult to track through traditional dark web intelligence methods. Ransomware groups are using Telegram to shame victims publicly, coordinate affiliate programs, and recruit skilled operators. Hacktivist collectives such as NoName057(16) and the Cyber Fattah team use it to claim attacks and broadcast narratives to a global audience. Malware operators manage marketing, customer support, and product updates all within a single platform—packaging criminal tools much the way legitimate software companies do.
Initial Access Brokerage Targeting Corporate Networks
One of the most direct threats to enterprise security involves Telegram’s role as a marketplace for unauthorized corporate access. Initial Access Brokers, commonly called IABs, use dedicated channels to advertise stolen credentials and verified entry points into corporate VPN portals, Remote Desktop Protocol sessions, and cloud platforms such as Azure, AWS, and Okta. Each listing typically includes the target company’s revenue, country, industry sector, and privilege level—giving ransomware buyers everything they need to evaluate a purchase before committing.
The Future of Cybercrime on Telegram
With Telegram’s upcoming update promising quantum-resistant encryption via the PQXDH protocol, the cat-and-mouse game between cybercriminals and investigators appears set to intensify through 2026. However, the platform’s established position in criminal workflows suggests any migration would require not just superior security but also replication of its unique ecosystem of bots, channels, and frictionless onboarding.
Conclusion
The exploitation of Telegram channels by cybercriminals to sell verified bank and fintech mule accounts represents a significant evolution in the cybercrime landscape. The platform’s features have enabled a level of organization and efficiency that poses new challenges for law enforcement and cybersecurity professionals. As these operations continue to grow, it is imperative for financial institutions, businesses, and individuals to remain vigilant and adopt robust security measures to mitigate the risks associated with this emerging threat.