Network News

X My Profile
View More Activity

FDIC: Uptick in 'money mule' scams

The Federal Deposit Insurance Corporation (FDIC) is warning financial institutions about an uptick in scams involving unauthorized funds transfers from hacked online bank accounts to so-called "money mules," people hired through work-at-home scams to help cyber criminals overseas launder money.


According to the FDIC, the following are examples of events that may indicate money mule account activity:

-A customer who just opened a new account suddenly receives one or several deposits, each totaling a little less than $10,000, and then withdraws all but approximately eight to 10 percent of the total (the mule's "commission").

-A foreign exchange student with a J-1 Visa and fraudulent passport opening a student account with a high volume of incoming/outgoing money transfer/wire activity.

In tracking more than 50 companies over the past five months that have been victimized with the help of willing or unwitting money mules, I've spoke to dozens of folks who got caught up in these scams.

While a majority of mules I interviewed received a single fraudulent payment from only one victimized company, some were sent money from multiple victims, or signed up with more than one mule recruitment firm. In fact, one mule I tracked down recently admitted to receiving funds from at least two hacked companies. This individual also was among the phantom employees added to a company's payroll after a breach last month at payroll processing giant PayChoice.

"The FDIC alert and reporting by the Washington Post suggest that cyber criminals are increasingly using money mules to target banks and related financial databases," PayChoice chief executive Robert Digby said in an e-mailed statement. "The recent attack on PayChoice appears to fit that pattern."


On Sept. 23, unknown hackers broke into Moorestown, N.J.-based PayChoice, a company that provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. The thieves stole the names, e-mail addresses, user names and passwords that a large number of PayChoice's customers used to access, PayChoice's service portal. Not long after that, the attackers then included that information in spoofed e-mails to PayChoice's clients, addressing each recipient by name and warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.

When I first got wind of that breach, I immediately wondered if the culprits might be the same individuals responsible for a rash of incidents I've investigated this year in which attackers used password-stealing Trojans to swipe the banking credentials of small to mid-sized firms. In every case, the attackers used that access to put money mules on the payrolls of those companies and then send the mules sub-$10,000 bank transfers.

PayChoice responded to that breach by forcing customers to change their passwords. But sometime during the week of Oct. 12, some PayChoice customers reported seeing phantom employees added to their outgoing payroll. PayChoice alerted its customers that hackers had again breached its systems, and urged customers to be on the lookout for unauthorized payroll transfers to four specific people and associated bank accounts. PayChoice said one of those individuals was named Ronald Cutshall, and that an account associated with Cutshall ended in the numbers 7766.

Security Fix recently caught up a Ronnie Cutshall from Greeneville, N.C. who acknowledged having an account at the local GreenBank ending in those four digits.

Cutshall, 48, runs a small horse carriage service called Greeneville Carriage Co.. Cutshall said he had never heard of PayChoice, but he did admit to receiving $9,600 from a company called American Realty on Oct. 6. At least, that was the name of the company on the receipt his erstwhile employers sent him (see the screenshot below). The bank routing number on the $9,600 payment Cutshall said he received from American Realty traced back to Georgia, but attempts to reach the victim were unsuccessful (there are more than 100 companies in Georgia with some approximation of that name).

According to Cutshall, approximately three weeks prior to receiving that $9,600 bank transfer, he had been recruited over the Internet as a finance manager by a company called the Fairline Group (the company's Web site is at, which said it had found his resume on a popular job search site.


Several requests for comment e-mailed to addresses listed at Fairline Group's Web site went unanswered. But the Web-based interface used by the group to manage employees is similar as ta firm purporting to be the Scope Group, another mule recruitment firm identified in a previous blog post (see 'Money Mule' Recruitment Network Exposed).

ZDNet blogger Dancho Danchev has written extensively about the links between the Fairline Group's Web site and other sites used by money mule recruiters, which share internet infrastructure and Web site registration details.


Cutshall said he withdrew all but about $750 of the $9,600 transfer from American Realty, and then wired the money via Western Union to his employers in Ukraine, as instructed.

Cutshall said that on Oct. 16 he received yet another unexpected transfer, totaling $3,441.97. This time, however, Greeneville Bank froze his account, just hours after the money was deposited.

Turns out, at about the same time he was recruited by Fairline, Cutshall had responded to a job offer from a company called Medical Payments Inc.-- at the Web site -- which also reported finding his resume on an Internet job search site. According to the e-mail sent from his contact at that site, the name on the bank transfer as the source account was a law firm in Central Florida by the name of "The Law Offices of Thomas." That is almost certainly not the full name of the victim organization in this case, since most bank transfer receipts list only a finite number of characters in the "from" field of any given transaction.


I checked with PayChoice: Neither the $9,600 payment nor the $3,441 transfer matched amounts that were intended for Cutshall from customers of PayChoice that had phantom employees added to their payrolls. Cutshall said he doesn't recall signing up with any other work-at-home recruitment firms. This suggests that the attackers who added his name to the payroll of PayChoice's customer may also have been responsible for adding him to the payroll for the hacked realty company and/or law firm. Alternatively, there may be two or three separate criminal groups responsible for the incidents, with each group pulling money mules from a single mule recruitment service.

Cutshall, who describes himself as a nurse and a 16-year veteran who fought in the first Gulf War, said he researched both companies online before joining up with them, and that their Web sites looked legitimate. Cutshall he would never have had anything to do with these companies had he known or suspected they were fraudulent.

"I just was wanting to provide for my family," he said. "But when I seen that this money was supposed to go to Ukraine, I was like 'Wait a minute.' I'm an old soldier from the Cold War. I'll do it this time, but after this I ain't helping nobody if I don't know where the money is coming from or where it's going."

For its part, PayChoice said it has "conducted a comprehensive review of its IT infrastructure, including network devices, servers, applications and IT operating procedures, and that it is "deploying responsive measures recommended by industry-leading security experts."

"While law enforcement authorities have asked us not to provide detailed information to the public, PayChoice has responded vigorously to last month's breach of our online system," Digby said.

Note to readers: This blog post refers to an entities calling themselves the Fairline Group, and Medical Payments Inc. -- using the Web site names and, respectively -- that allegedly helped recruit people to help commit online crime. Because fraudsters tend to use generic-sounding names when they create fake corporations, there may be a number of businesses which have names similar to those named in this story that have nothing to do with the perpetrators of this crime.

By Brian Krebs  |  November 2, 2009; 6:00 AM ET
Categories:  Fraud , From the Bunker , Small Business Victims , Web Fraud 2.0  | Tags: fdic, money mules, paychoice  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: A makeover for federal cybersecurity reporting
Next: What Windows Autorun Has Wrought


When I saw those recruiting e-mails I always assumed that opening an account was just the first step. Several steps later, they would somehow gain control of my other accounts and drain them.

Posted by: blasmaic | November 2, 2009 10:05 AM | Report abuse

Yeah, it used to baffle me as well as to how these things were working. You knew somewhere there was something wrong, but I didn't know quite what it was.

Posted by: jackrussell252521 | November 2, 2009 10:56 AM | Report abuse

To quote Robert Heinlein - TANSTAAFL - there ain't no such thing as a free lunch. There are a million of these 'make money fast and easily from home' scams on the Internet. With an increase in desperation as people get laid off, etc, there are way too many intermediaries available to the bad guys.

In Europe, stronger money laundering laws make it a lot harder to participate in these kinds of scams without getting flagged, hopefully the financial institutions in North America can institute some stronger controls to prevent money being stolen in this fashion.

Michael Argast, Security Analyst, Sophos

Posted by: michaelargast | November 2, 2009 12:10 PM | Report abuse

I just can’t see it.

If you are a citizen of the United States, and you have a resume online, you probably aren’t used to earning more $5,000 a month. So, when $9,600 appears in your account magically, shouldn’t that set off bells and whistles?

Mr. Cutshall didn’t ask about the duties his new employers sought him out for? But still he thought $9,600 was a good day’s work? And he sent the money to the Ukraine, as instructed. If Mr. Cutshall – and others – is willing to mule, I don’t see the government putting a stop to this anytime soon.

Posted by: ummhuh1 | November 2, 2009 12:44 PM | Report abuse

Junior high math classes should involve a unit on "avoiding scams." Real-world stuff can grab students' attention better, and we'd end up with a nation of better-informed people, less likely to sign on to ARM loans or vote for demagogues.

Posted by: bellabone | November 2, 2009 1:56 PM | Report abuse

The government prosecutes drug mules. Do the same rules apply to the money mules?

Posted by: tuber | November 2, 2009 2:13 PM | Report abuse

I guess the real news story is found not with the guy who wired the $9,600 on, but with the one who kept all the money and had the Ukrainian Mafia come calling!

Posted by: blasmaic | November 2, 2009 3:18 PM | Report abuse

More great reporting, Brian. I smell Pulitzer!

Posted by: Dawny_Chambers | November 2, 2009 4:32 PM | Report abuse

1. PayChoice is hacked on Sept. 23 and they do not improve security enough to prevent another successful attack three weeks later ??

2. How about banks paying attention to money transfers between $9K and 10K? The federal requirement might be $10K and over, but a little due diligence would not hurt.

3. Quoting Cutshall :
"I'll do it this time, but after this I ain't helping nobody if I don't know where the money is coming from or where it's going."
So what is wrong with not going thru with it the first time, either, if he has no idea where the money is coming from or going to ??

Posted by: observer31 | November 2, 2009 7:48 PM | Report abuse

1. PayChoice is hacked on Sept. 23 and they do not improve security enough to prevent another successful attack three weeks later ??

2. How about banks paying attention to money transfers between $9K and 10K? The federal requirement might be $10K and over, but a little due diligence would not hurt.

3. Quoting Cutshall :
"I'll do it this time, but after this I ain't helping nobody if I don't know where the money is coming from or where it's going."
So what is wrong with not going thru with it the first time, either, if he has no idea where the money is coming from or going to ??

Posted by: observer31 | November 2, 2009 7:51 PM | Report abuse

I accidentally double posted. Brian, please delete one of them.

Posted by: observer31 | November 2, 2009 7:52 PM | Report abuse

Wow, brilliant scam. Folks are washing the money and complicating the paper trail for a commission fee.

And they run the scam in a recession climate. Genius. Even the model citizen who is struggling to pay his/her bills is tempted by the easy money. So now the government has an extra step to get a trace on the money. Then they get stonewalled by the Ukrainian bank anyways.

LOL! We invaded Afghanistan and Iraq...we should have invaded the Ukraine!!!!

Gotta give these guys some serious credit. They operate with impunity and they are smarter than us. They are gaming the entire global banking network. They turned our company payroll systems into an untraceable ATM machine...ATM fees and all.

And we're too spread out/scared/broke to do anything about it. Even Interpol won't catch them. And they probably cleared in the hundreds of millions before the scam got shut down.

Running a chess game scam on a bunch of checkers players.

Genius. Despicable. But genius.

Posted by: 20yrskinfan | November 2, 2009 8:55 PM | Report abuse

The fraud operation listed above: Medical Payments Inc. and its website: is a hijacked cloned copy of the legitimate owned by Medical Payment Solutions LLC out of Oklahoma City, OK. In fact, the legitimate website has been cloned in to almost a dozen of the wire fraud mule recruit sites. The fraud clones are purposely hidden on the net via a robots.txt file which contains:

User-agent: *
Disallow: /

(append /robots.txt to the main url)

This prevents search engine archiving and hides them from all searches.

Be aware of the entire identical fraud cloned group:



Contact info:

Medical Payments Inc.
Kantie 14, Helsinki, Finland, 00434
Phone: +358 20 7117 371





Contact info:

MedicalGroup Payments Inc.
Kantzie 71, Helsinki, Finland, 00434
Phone: +358 20 7117 321

Contact info:

Neweca Payments Inc.
Vuorikatu 17, Helsinki, Finland, 00120
Phone: +358 09 576 125







They appear to have unfettered hosting access to AS41665, where according to Google's most recent safe browsing report more than 10% of the websites on AS41665
"served content that resulted in malicious software being downloaded and installed without user consent."

In addition IP hosts other template variations of fraud wire transfer recruit sites previously reported by Bob Bear



Posted by: -MGD- | November 2, 2009 10:36 PM | Report abuse


Until you have been down & out and find what appears to be a Godsend, don't say that you would ask tooooo many questions about where the money is really coming from.


Posted by: | November 3, 2009 3:34 AM | Report abuse


Thanks for putting in a word for the "little guys." As a corollary, what's most frightening about this scam is that the social engineering is a savvy as the programming. For "Godfather" afficianados, "It's not the Bocchicchios who cause the troubles of the world."

Posted by: featheredge99 | November 5, 2009 12:18 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company