    Exploitation of UPI Systems in India by Cybercriminals for Laundering Money

    In a sophisticated cybercrime operation, criminals are leveraging the Unified Payments Interface (UPI) in India to conduct extensive money laundering activities. This operation involves the use of an Android app known as XHelper, which plays a crucial role in recruiting and managing individuals, referred to as “money mules,” to facilitate the illicit flow of funds.

    CloudSEK analysts Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel have unveiled the intricacies of this scam, which came to light in late October 2023. They discovered that the perpetrators, primarily based in China, are exploiting a regulatory loophole: UPI services in India are not covered by the Prevention of Money Laundering Act (PMLA). This oversight allows these cybercriminals to mask their illegal money transfers as legitimate instant loan transactions.

    The scheme involves transferring the stolen money into the bank accounts of these money mules, who are lured into the operation through Telegram for a commission of 1-2% of the transaction value. The operation is notably reliant on Chinese payment gateways that adeptly misuse the QR code functionality of UPI systems to siphon funds, ultimately repatriating them to China.

    The XHelper application is pivotal for the scam’s operation, enabling the seamless management of money mules and the fraudulent payment gateways integral to various scams, including “pig butchering.” Disguised as a legitimate “Money Transfer Business,” the app is distributed through counterfeit websites, offering features for mules to monitor their earnings and facilitate the laundering process. This includes setting up their UPI IDs and bank credentials to either dispatch or receive illicit funds.

    The app assigns laundering tasks to the mules, who must then transfer the funds swiftly and provide transaction proof via screenshots to earn their commission. XHelper also includes a referral program, encouraging the recruitment of more mules and expanding the network through a pyramid-like structure.

    Moreover, XHelper educates these mules on laundering techniques and evading banking scrutiny through its Learning Management System, which includes tutorials on creating fake corporate accounts with higher transaction limits.

    The revelation of XHelper and its operations underscores a broader issue of similar apps being used for money laundering, as noted by CloudSEK. The issue was highlighted by Europol’s announcement in December 2023 of a global crackdown that led to the arrest of over a thousand individuals and the identification of numerous money mules and recruiters.

    This disclosure aligns with Kaspersky’s findings of a significant uptick in mobile device threats, particularly adware, malware, and riskware, marking a return to the heightened activity levels seen in early 2021. This trend emphasizes the evolving and persistent threat of cybercrime, especially in the realm of financial transactions.
