Executive Summary
In February 2026, Recorded Future announced an expansion of its payment fraud prevention coverage through a partnership with CYBERA, a company that detects and verifies data on scam-linked bank accounts. The collaboration introduces Money Mule Intelligence, a capability intended to help fraud teams identify the accounts criminals use to receive and move stolen funds.

The initiative targets Authorized Push Payment (APP) fraud, which the announcement projects will reach nearly $15 billion in the U.S. by 2028, up from $8.3 billion in 2024. Growth is driven by AI-generated deepfakes, personalized scam scripts, and instant payment rails that settle faster than traditional fraud controls can react. Money mule accounts are the critical infrastructure of these scams: they receive the victim-authorized payment and convert it into hard-to-trace cash or cryptocurrency. Mule operations have also matured; "mule herders" manage large pools of accounts and use AI to make transaction behavior look routine, which defeats per-transaction anomaly scoring.

Regulators are responding by shifting liability for scam losses toward banks, so institutions need to detect and disrupt mule accounts proactively, both to prevent losses and to comply with emerging reimbursement requirements.
Why This Matters Now
The surge in APP fraud, combined with more sophisticated mule operations, is outrunning the controls most financial institutions already have: those controls are tuned to account takeover, and an APP payment is initiated and approved by the legitimate account holder. The Recorded Future and CYBERA partnership addresses the receiving side of the transaction instead, supplying verified intelligence on scam-linked accounts that banks can use to identify and disrupt mule accounts before stolen funds are moved on, reducing losses and helping meet regulatory expectations.
Attack Path Analysis
The attack path here is social engineering, not a technical compromise. The adversary impersonates a trusted party and persuades the victim to authorize a push payment to an account the adversary controls. Because the victim initiates and approves the transfer, authentication controls, MFA and fraud rules built for account takeover do not fire. The receiving account is a money mule account, frequently one of many run by a mule herder. The funds are moved on quickly through further mule accounts and into cash or cryptocurrency, with transaction patterns shaped (increasingly with AI) to resemble ordinary activity, so that by the time the victim reports the scam the money is no longer recoverable. The financial impact falls on the victim and, under emerging reimbursement rules, on the victim's bank.
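As an added worked example (not code from Recorded Future, CYBERA or any of the page's sources), the following Python sketches the two checks this flow calls for on the receiving side: screening a payee against a scam-linked-account feed at payment initiation, and a pass-through heuristic over a transfer ledger that flags unlisted accounts which take in funds and forward nearly all of them within hours. The feed, account identifiers, ledger and thresholds are all constructed for the example; the heuristic is an illustration, not CYBERA's scoring logic.

```python
"""Payee screening at payment initiation, plus a pass-through heuristic
for spotting mule-like accounts in a transfer ledger.

Added example, not Recorded Future or CYBERA code. The intelligence feed,
account identifiers, thresholds and ledger below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str      # debited (paying) account
    dst: str      # credited (receiving) account
    amount: float


# Stand-in for a verified scam-linked-account feed (constructed).
KNOWN_MULES = {"ACCT-MULE-001"}

T0 = datetime(2026, 2, 10, 9, 0)
# Constructed ledger: two victims pay ACCT-MULE-002, which forwards almost
# everything within hours and layers part of it through ACCT-MULE-003.
# ACCT-PAYROLL receives a similar sum but spends it slowly.
LEDGER = [
    Transfer(T0,                              "ACCT-VICTIM-A", "ACCT-MULE-002", 5000.0),
    Transfer(T0 + timedelta(hours=2),         "ACCT-MULE-002", "ACCT-EXCHANGE", 4900.0),
    Transfer(T0 + timedelta(days=1),          "ACCT-VICTIM-B", "ACCT-MULE-002", 3000.0),
    Transfer(T0 + timedelta(days=1, hours=3), "ACCT-MULE-002", "ACCT-MULE-003", 2950.0),
    Transfer(T0 + timedelta(days=1, hours=4), "ACCT-MULE-003", "ACCT-EXCHANGE", 2900.0),
    Transfer(T0,                              "ACCT-EMPLOYER", "ACCT-PAYROLL",  6000.0),
    Transfer(T0 + timedelta(days=3),          "ACCT-PAYROLL",  "ACCT-GROCER",    120.0),
    Transfer(T0 + timedelta(days=9),          "ACCT-PAYROLL",  "ACCT-LANDLORD", 1500.0),
]


def passthrough_profile(account, ledger, window=timedelta(hours=24)):
    """Summarise how quickly inbound credits leave `account`.

    For each credit, dwell is the time until the next debit from the
    account (None if nothing ever leaves). Returns total inbound and
    outbound, the forward ratio, and whether every credit was followed
    by a debit inside `window`.
    """
    credits = sorted((t for t in ledger if t.dst == account), key=lambda t: t.ts)
    debits = sorted((t for t in ledger if t.src == account), key=lambda t: t.ts)
    total_in = sum(t.amount for t in credits)
    total_out = sum(t.amount for t in debits)
    dwells = []
    for c in credits:
        nxt = next((d for d in debits if d.ts >= c.ts), None)
        dwells.append(nxt.ts - c.ts if nxt else None)
    all_fast = bool(credits) and all(d is not None and d <= window for d in dwells)
    return {
        "inbound": total_in,
        "outbound": total_out,
        "forward_ratio": round(total_out / total_in, 2) if total_in else 0.0,
        "all_credits_forwarded_within_window": all_fast,
    }


def looks_like_mule(account, ledger, min_inbound=1000.0, min_ratio=0.9):
    """Heuristic: flagged if the account took in at least `min_inbound`,
    forwarded at least `min_ratio` of it, and every credit left within
    the window. Thresholds are illustrative assumptions, not vendor logic."""
    p = passthrough_profile(account, ledger)
    return (p["inbound"] >= min_inbound
            and p["forward_ratio"] >= min_ratio
            and p["all_credits_forwarded_within_window"])


def screen_payment(payment, known_mules=KNOWN_MULES, ledger=LEDGER):
    """Decision at payment initiation, before funds are released.

    BLOCK   - payee is on the verified scam-linked-account feed
    REVIEW  - payee is unlisted but behaves like a pass-through account
    RELEASE - no signal
    """
    if payment.dst in known_mules:
        return "BLOCK"
    if looks_like_mule(payment.dst, ledger):
        return "REVIEW"
    return "RELEASE"


if __name__ == "__main__":
    for payee in ("ACCT-MULE-001", "ACCT-MULE-002", "ACCT-MULE-003", "ACCT-PAYROLL"):
        p = Transfer(T0 + timedelta(days=2), "ACCT-VICTIM-C", payee, 2500.0)
        print(payee, screen_payment(p), passthrough_profile(payee, LEDGER))
```

The feed lookup is the cheap, high-confidence check and belongs in the payment path before funds leave; the behavioural profile is for accounts the feed has not yet caught (ACCT-MULE-002 and ACCT-MULE-003 above are unlisted but both forward over 98% of what they receive within hours, while ACCT-PAYROLL holds its balance and is released). Real deployments would add account age, counterparty reputation and an exchange or cash-out destination signal, and would treat the profile as a hold-for-review trigger rather than an automatic decline.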
Kill Chain Progression
Initial Compromise
Description
The adversary impersonated a trusted entity to deceive victims into transferring funds to accounts they controlled.
MITRE ATT&CK® Techniques
Financial Theft (T1657)
Valid Accounts (T1078)
Phishing (T1566)
Acquire Infrastructure: Domains (T1583.001)
Establish Accounts: Social Media Accounts (T1585.001)
Compromise Accounts: Social Media Accounts (T1586.001)
Potential Compliance Exposure
Controls in common frameworks that bear on detecting and responding to the APP fraud and mule-account pattern described above. The underlying announcement is a product partnership, not a reported breach, so the exposure is the obligation to run these controls, not a notification event.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(b)
Sector Implications
Industry-specific impact of APP fraud and mule-account activity, including operational, regulatory, and cloud security considerations.
Banking/Mortgage
Primary target for APP fraud and money mule operations, facing $15B projected losses by 2028 with increasing regulatory liability for scam reimbursements.
Financial Services
Critical exposure to authorized push payment fraud through payment networks, requiring enhanced mule detection capabilities and compliance with emerging reimbursement regulations.
Insurance
Secondary impact through fraud liability coverage and claims processing for APP fraud victims, necessitating improved risk assessment and mule account detection.
Information Technology/IT
Providers of payment infrastructure and fraud-detection tooling need to integrate verified mule-account intelligence into payment initiation flows and keep detection current against AI-assisted scam scripting and AI-smoothed mule transaction patterns.
Sources
- Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA: https://www.recordedfuture.com/blog/recorded-future-money-mule-intelligence-cybera
- Money Mules (FBI): https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/money-mules
- CYBERA Mule Intelligence: https://www.cybera.io/solutions/cybera-mule-intelligence
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) embeds security into the cloud network itself through identity-aware segmentation, least-privilege access and monitored egress. Those controls address the intrusion stages of an attack: lateral movement, command and control, and data exfiltration. In an APP fraud the victim authorizes the payment and no network is breached, so these controls complement, rather than replace, payee verification and mule-account intelligence; their role is to constrain an adversary who does gain a foothold in the institution's cloud environment and to limit the blast radius if a scam is paired with a compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While CNSF primarily focuses on internal network security, its comprehensive visibility and monitoring capabilities could likely have detected anomalous access patterns, potentially limiting the adversary's ability to exploit compromised credentials.
Control: Zero Trust Segmentation
Mitigation: By enforcing strict identity-based access controls, CNSF would likely have limited the adversary's ability to escalate privileges beyond their initial access point.
Control: East-West Traffic Security
Mitigation: CNSF's east-west traffic security would likely have restricted the adversary's ability to move laterally by enforcing strict segmentation between workloads.
Control: Multicloud Visibility & Control
Mitigation: CNSF's centralized visibility across multicloud environments would likely have identified and constrained unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: CNSF's egress security policies would likely have restricted unauthorized data exfiltration by controlling outbound traffic.
CNSF does not see the social-engineering step or the victim-authorized payment that define APP fraud. Where an operation also involves compromised credentials or systems inside the institution, its segmentation and egress controls would limit lateral movement and data exfiltration and so cut off the later stages of that intrusion before financial impact.
Impact at a Glance
Affected Business Functions
- Fraud Detection and Prevention
- Compliance and Regulatory Reporting
- Customer Trust and Relationship Management
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Screen beneficiary accounts against verified scam-linked-account intelligence at payment initiation, and hold or decline payments to listed mule accounts before funds are released.
- Monitor receiving accounts for pass-through behaviour (credits forwarded within hours, a high forward ratio, onward transfers toward cash-out or cryptocurrency) so that AI-smoothed mule activity is caught by money flow rather than by per-transaction anomaly scores alone.
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Multi-Factor Authentication (MFA) to prevent unauthorized access and privilege escalation, noting that MFA does not stop a payment the account holder authorizes.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activity in real time.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- Establish Multicloud Visibility & Control to gain comprehensive oversight of all cloud environments and detect anomalies.