Pre-emptive freezing of accounts transfers the cost of fraud enforcement from the state onto account holders who may have no connection to the crime.

On a warm November afternoon in 2024, Ajay Arora, a nursery owner in Faridabad, sold a plant and a small pot for ₹150. The customer paid through UPI and left.
Nothing about the transaction stood out. But a few days later, his bank account stopped working. When he contacted his bank, he was told that the account was frozen and the freeze had been ordered by a police station in Chhattisgarh, more than 1,000 km away.
“They said that the ₹150 payment that had come into the account had been traced to a cyber fraud case. How was I supposed to know if it’s fraud money?” says Arora over the phone.
Under protocol, every account that the money involved in the fraud case had touched was being flagged. Arora’s account—holding over ₹1 lakh—was among them. “For 14 months, the account remained frozen. All my payments were stuck, and my business came to a halt,” says Arora. Finally, the freeze on the account was lifted after a court order.
“My account is fine now, but this is such a big problem for us shopkeepers who accept hundreds of digital payments every day. How can we keep track of these things?” he asks.
Indians lost ₹22,495 crore to cyber fraud in 2025 across 2.81 million complaints, a 24% jump from the year before, according to reports. Behind most of it was the same invisible infrastructure of mule accounts—bank accounts rented, coerced, or stolen from ordinary people to move dirty money beyond the reach of investigators.
The response has been swift and institutional. Between September 2024 and January 2026, the Indian Cyber Crime Coordination Centre (I4C) shared details of more than 2.73 million “Layer 1” mule accounts—bank accounts used in suspected fraudulent transfer of money—with financial institutions across India, helping block transactions worth more than ₹9,518 crore. It launched a Suspect Registry in September 2024, in collaboration with banks, to share flagged identifiers in real time.
The Ministry of Home Affairs has cancelled more than 1.2 million suspicious SIM cards and blocked over 263,000 mobile device identifiers linked to fraud networks. The Reserve Bank of India’s Innovation Hub unveiled MuleHunter.AI in December 2024—a machine learning tool trained to detect mule behaviour patterns, now live in more than 20 banks.
Banks have now been pushed towards a single operating principle: the cost of missing a fraudulent account outweighs the cost of freezing a legitimate one. The result is a financial system that acts on suspicion at scale—quickly, and with limited ability to reverse course.
India has built the world’s most frictionless digital payment system. But what was not built at the same pace were the systems to govern it. Now, as fraud has scaled alongside payments, the response has been to move faster on less information by freezing accounts on probabilistic signals, shifting the burden of proof from the state to the account holder.
The foundation of financial crime in India is no longer the hacker, but commoditised rented identity. In Tier II cities and smaller towns, a new form of “gig work” has emerged where individuals lease their KYC-verified bank accounts and digital credentials to aggregators for a one-time fee of ₹2,000–5,000.
The recruitment pitch is simple. A message arrives on Telegram or WhatsApp offering easy commission for receiving and forwarding payments, framed as legitimate work for a company that cannot process funds locally. The recruits are mostly students, daily wagers, and unemployed youth. Most hand over their UPI credentials or debit card details without understanding what follows. Small transfers arrive first, deliberately, to build a clean transaction history and lower the account’s risk score in bank monitoring systems. Once credibility is established, the account is activated: large sums arrive and move out within minutes. By the time it is flagged, the operator has moved on. The account holder is left facing the freeze.
Layer 1 accounts sit at the base of this operation. They receive funds and transfer them onward within minutes to intermediary layers that fragment and route money across dozens of identities, before reaching an exit layer where funds are withdrawn as cash, converted to crypto, or moved offshore. An estimated 3,000 to 5,000 new UPI IDs are generated daily to keep the pipeline moving.
“Enforcement removes individual accounts; it does not alter the price mechanism that makes recruitment viable,” says Rushi Anandan Karichalil, associate professor at K J Somaiya Institute of Management, who studies organisational behaviour and economic incentives.
The timing problem is structural. Fraud moves in real time; detection does not. At the first layer, funds are transferred out within minutes of receipt, compressing the window for intervention to near-zero. It is an architecture built for volume, speed, and disposability.
The problem is compounded by behavioural overlap. The same signals used to identify mule accounts—sudden inflows, rapid dispersal, high transaction velocity—are also common in legitimate economic activity. This creates a blind spot.
“Rules-based systems were designed for a slower, simpler era of fraud,” says Anand Krishnamurthi, head of global digital delivery at FSS Tech, a Chennai-based payments technology company. “Only a system capable of mapping relationships across accounts—and ideally across banks—can see the pattern.”
Rules-based systems generate disproportionately more false positives, says Krishnamurthi, creating alert fatigue and consuming investigator bandwidth on low-risk cases while genuinely suspicious activity slips through.
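The behavioural overlap described above can be made concrete with a small added example; it is not code from the article, from any bank, or from I4C or MuleHunter.AI. The ledger, account names and thresholds are constructed assumptions: a per-account rule built on burst inflows and rapid dispersal flags two pass-through accounts and a shop alike, while a simple cross-account grouping (one hypothetical way to "map relationships") separates them.

```python
from collections import defaultdict

# Constructed sample ledger: (minute, payer, payee, amount in rupees).
TXNS = [
    (0, "victim1", "M1", 40000), (1, "victim2", "M1", 35000), (2, "victim3", "M1", 25000),
    (4, "M1", "C1", 99000),
    (10, "victim4", "M2", 50000), (11, "victim5", "M2", 30000), (12, "victim6", "M2", 20000),
    (15, "M2", "C1", 98000),
    # A shop takes three UPI payments, then pays its supplier on delivery.
    (30, "cust1", "SHOP", 150), (35, "cust2", "SHOP", 900), (41, "cust3", "SHOP", 2400),
    (50, "SHOP", "SUPPLIER", 3000),
]

def rule_flags(txns, min_credits=3, window=30, min_forwarded=0.8):
    """Per-account rule: a burst of credits, then most of it sent out inside the window.

    Returns {flagged_account: set of accounts it forwarded money to}.
    Thresholds are illustrative assumptions, not values from any real system.
    """
    credits, debits = defaultdict(list), defaultdict(list)
    for minute, payer, payee, amount in txns:
        credits[payee].append((minute, amount))
        debits[payer].append((minute, payee, amount))
    flagged = {}
    for acct, ins in credits.items():
        start = min(m for m, _ in ins)
        burst = [a for m, a in ins if m - start <= window]
        outs = [(p, a) for m, p, a in debits[acct] if 0 <= m - start <= window]
        forwarded = sum(a for _, a in outs)
        if len(burst) >= min_credits and forwarded >= min_forwarded * sum(burst):
            flagged[acct] = {p for p, _ in outs}
    return flagged

def shared_downstream(flagged, min_feeders=2):
    """Cross-account view: destinations that several flagged accounts forward into."""
    feeders = defaultdict(set)
    for acct, dests in flagged.items():
        for dest in dests:
            feeders[dest].add(acct)
    return {d: sorted(a) for d, a in feeders.items() if len(a) >= min_feeders}

if __name__ == "__main__":
    flagged = rule_flags(TXNS)
    clusters = shared_downstream(flagged)
    clustered = {a for accts in clusters.values() for a in accts}
    print("rule flags:", sorted(flagged))               # the shop trips the same rule
    print("shared collectors:", clusters)               # only the pass-through accounts converge
    print("flagged but isolated:", sorted(set(flagged) - clustered))
```

Seen one account at a time, the shop is indistinguishable from the pass-through accounts; only the view across accounts shows that two of the three flagged accounts feed the same collector.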
The moment a fraud complaint lands on the national cybercrime portal or the 1930 helpline, the I4C flags the associated accounts and shares them with the relevant banks through its Suspect Registry. Separately, the cyber police—working from the same complaint—contact the relevant bank directly and direct it to freeze the account or place a lien. But the process takes time. Under the Prevention of Money Laundering Act, banks cannot freeze an account on their own judgment alone, even when internal systems flag it as suspicious. They need authorisation from a court or law enforcement agency first. By the time that authorisation arrives, the mule account is typically empty, and the money has already moved.
What remains is the trail: accounts that received pass-through credits, often belonging to people with no knowledge of the fraud. The bank, acting on the police direction it has finally received, freezes what it can find. The account holder discovers this when a payment fails or when they arrive at a branch. The bank redirects them to the police. The police may or may not have filed a formal FIR. If they have, the account holder waits for the investigation to conclude. If they haven’t, the only remaining path is a court petition.
“A good cybercrime lawyer can get an account unfrozen in 7 to 10 days, but that assumes the merchant knows to hire one, can afford ₹3,000-5,000 in consultation fees, and has the time to navigate a process designed for investigators, not small business owners,” says Kunal Jhunjhunwala, founder of Airpay, a fintech company that specialises in processing payments.
The financial cost is immediate and cascading. “For a kirana store or small manufacturer operating on working capital credit, a frozen account can trigger a credit default with their lender if inflows stop,” says Jhunjhunwala.
The MHA’s January 2026 SOP went further. First-layer mule accounts now face prospective holds on all future credits; repeatedly reported accounts face full suspension of digital banking. By December 2026, all financial institutions are directed to integrate with MuleHunter.AI. But the gap between the directive and its execution remains wide.
“The January 2026 SOP makes it more persuasive to claim the right but does not itself confer any new or additional right on the account holder,” says Adithya Iyer, a Mumbai-based criminal lawyer. “The remedy is still to approach the jurisdictional court seeking appropriate orders.”
The legal powers to attach suspected proceeds exist under Section 107 of the BNSS, which requires a magistrate’s order. Section 106, which police have routinely invoked to justify blanket freezes, confers only the power to seize property for evidentiary purposes, not to debit-freeze an account.
“Several high courts have held that there exists no blanket power to debit-freeze any bank account. The statutory safeguards under Section 107 of the BNSS are to be followed scrupulously,” says Iyer.
This debate got more complex in March 2026, when the Supreme Court stayed the Bombay High Court’s judgment in Kartik Yogeshwar Chatur v Union of India, which had quashed the debit freezing of accounts on the ground that police cannot bypass the BNSS process. The matter has been tagged with a suo motu writ petition on cybercrimes before the Chief Justice. Until it is settled, the protections that account holders might have claimed remain in limbo.
Karichalil says such pre-emptive freezing transfers the cost of fraud enforcement from the state onto account holders who may have no connection to the underlying crime.
Mule networks today are organised systems operating in clusters, with accounts created, activated, and discarded continuously, and transaction paths adjusted in real time to avoid detection. Funds exit the domestic financial system before intervention is possible. The enforcement architecture is national and account-based. The fraud infrastructure is adaptive and borderless.
The limits of the detection system are embedded in MuleHunter.AI’s own design rationale. The tool was built because existing rules-based systems were generating high false-positive rates while missing sophisticated networks.
“In roughly 12 months post-launch, 26 of approximately 150 scheduled commercial banks have integrated,” says Krishnamurthi of FSS Tech. “That leaves well over 100 commercial banks, plus 1,500-plus urban cooperative banks and numerous regional rural banks, to integrate within the remaining months of 2026. For UCBs and RRBs, meaningful detection capability—not just checkbox API integration—is a 2028–2030 horizon.”
“The architecture is partially current and partially lagged,” says Karichalil. “The January 2026 SOP and the I4C registry address the layering infrastructure that existed in 2023–24. Meanwhile, the India Fraud Report 2026 identifies mule networks as the most difficult fraud threat to detect and control for 48% of Indian enterprises, with networks designed to distribute funds across large clusters of connected accounts in ways that require cross-platform visibility that the current system does not yet provide.”
Mule accounts are not an anomaly in this system. They are a byproduct of a financial architecture optimised for speed, where the movement of money has outpaced the systems designed to verify and govern it.