Login
VAAS · Money Mule & Fraud Network

One account looks clean. The network reveals it.

Device fingerprint, repeated address, and shared behavior expose mule accounts, money mules, and fraud rings. Identity cross-matching surfaces the network before losses occur.

The problem

Account-by-account analysis hides the ring.

Three limits of isolated analysis that only network visibility solves.

Isolation

Each account passes because no one looks at the whole.

The mule account is designed to look normal in isolation. Without cross-referencing device, address, and beneficiary across accounts, each one is approved and the ring operates in plain sight, split into pieces that seem harmless.

9 accounts
on the same device go undetected when analysis runs one account at a time
Timing

By the time the case closes, the money is gone.

Reconstructing the network manually after the chargeback is archaeology. The cash-out already happened, accounts were already emptied, and the ring already moved to a new device. Network visibility only matters at decision time.

6 days
average age of mule accounts before they are used and discarded
New rule

Testing rules in production is too risky.

The ring shifts patterns with every block. Prevention teams need to test new rules fast, but going straight to production blocks legitimate customers. Without shadow mode, the defense runs slow or imprecise.

Shadow
mode is what teams need to iterate rules without blocking legitimate customers
What we cross-check

Everything in a single call.

Public and private sources queried in parallel, normalized and weighted by the use-case matrix.

Device fingerprintShared addressCommon beneficiaryAccount graphCash-out behaviorRecidivism
Regulations covered
COAF · ReportingCirc. BCB 3.978Lei 9.613LGPD
Case anatomy

One account flagged. Nine in the network.

The engine starts from a signal, expands through device and address links, confirms the shared beneficiary, and returns the full cluster to the analyst, not a single account.

CASE · MULA-2026-07335 · 09/jun 14:22
Account cluster · shared device + address
4 confirmed · review
Network expansion
Initial signal1 account · cash-out
Accounts on same device9
Shared address4 accounts
Confirmed4 of 9
Detected links
!Shared device fingerprint
!Repeated registration address
!Shared beneficiary
!Synchronized cash-out
!Average age · 6 days
IP / geolocation
!Time pattern
!Cross-match with past cases
Score · network risk
Cluster densityHigh · 9 nodes
Link strength (device)Strong
Independent confirmation4 accounts
Global score88/100 · red
AI-generated summary

Recommendation: Send to review queue and block the core. 9 accounts linked by the same device, 4 with shared address and beneficiary, synchronized cash-out, average age 6 days. 4 accounts confirmed as mule accounts. Network expanded and ready for review.

1
Network visible at decision time

Device, address, and beneficiary cross-matching runs at analysis time, not post-mortem. The ring surfaces before cash-out, not after the chargeback.

2
From one signal to the full cluster

One flag on one account expands through links to the rest. The analyst receives the group with evidence for each link and decides on the whole network at once.

3
Rule sandbox in shadow mode

Prevention teams test new rules in parallel, without blocking, measure impact on legitimate customers and fraud, then flip the switch. Fast iteration, no risk.

Regulatory

The mule network the regulation requires monitoring.

Mule accounts and financial mules are classic money laundering typologies. Three instruments make detection and reporting a duty.

COAF
Report · UIF

Suspicious transaction reporting

Transactions with signs of using an intermediary person must be reported to COAF, under art. 11 of Law 9.613/1998. Network visibility supports the suspicion rationale with objective evidence.

3.978
BCB Circular · 2020

AML/CFT and monitoring

Requires transaction monitoring and identification of accounts used for incompatible activity. Mule clusters are a central typology.

9.613
Law · 1998 · AML

Money laundering law

Criminalizes concealment through an intermediary. The link trail between accounts backs identification of the mule structure.

LGPD
Law 13.709

Processing for fraud prevention

Identity cross-matching has a legal basis in fraud prevention, with defined purpose and proportionality in the use of device and address signals.

Rollout

From kickoff to go-live in 4 weeks.

Multi-tenant architecture. What changes per client: enabled link signals, cluster thresholds, and core block policy.

01
Week 1

Discovery & scope

Map available link signals (device, address, beneficiary) and priority network typologies.

02
Week 2

Calibration

Tune cluster density thresholds, link strength, and confirmation rules. Validate against historical cases.

03
Week 3

Shadow mode

Network detection running in parallel, no blocking. Review clusters with prevention team and fine-tune.

04
Week 4

Go-live

Network detection in production. Active cluster expansion. Rule sandbox open for continuous iteration.

Ready?

Decide in seconds.
Start with a meeting.

In 15 minutes we show how VAAS works in your scenario, with your rules, your data, your volume.

Explore the platform