Thailand’s Mule Account Challenge Is Becoming a Network Problem
Mule accounts are a critical part of the online fraud ecosystem. Criminal groups use them to receive stolen funds, split money across multiple accounts, withdraw cash, or move proceeds before banks can intervene.
Thailand has strengthened interbank fraud information sharing and shifted mule account management from individual accounts toward individual identities. Fraud networks continue to adapt.
Organized groups may recruit multiple account holders, reuse faces across identities, control accounts through shared devices, or distribute transactions across many low-volume accounts.
Each account may appear normal when reviewed independently. The real risk becomes visible only when the bank identifies relationships between accounts, identities, devices, documents, and transaction flows.
This is where identity link analysis becomes valuable.
What Is Identity Link Analysis?
Identity link analysis connects customers, accounts, devices, identity documents, biometric profiles, phone numbers, addresses, and transaction behaviors to determine whether multiple accounts may be controlled by the same person or coordinated network.
Instead of evaluating each account as an isolated record, the bank builds a relationship graph.
In this graph:
- Customers and accounts become identity nodes.
- Faces, devices, documents, phone numbers, and addresses become linking attributes.
- Transfers become behavioral connections.
- Confirmed fraud cases become high-risk reference points.
For example, six accounts may use different names and phone numbers, yet share highly similar faces, the same device cluster, and a common beneficiary.
No single signal proves fraud. Together, they may reveal an organized mule network.

Why Account-Level Monitoring Is Not Enough
Traditional monitoring focuses on rapid transfers, unusual beneficiaries, sudden volume increases, or repeated withdrawals.
These controls remain important, but they often detect risk only after an account becomes active. Mule accounts may stay dormant, keep transactions below fixed thresholds, or distribute funds across several accounts.
Some mule accounts use valid documents, while others involve stolen or synthetic identities, manipulated documents, or account holders who later transfer control.
Banks therefore need to determine whether the applicant is real, whether the identity is linked to other accounts, and whether the account is independent or part of a wider network.
Key Identity Links Banks Should Analyze
1. Face-to-Account Links
Facial information is one of the strongest signals for detecting whether apparently different applicants may represent the same person.
During onboarding, banks can compare a selfie with the identity document portrait. With proper governance, they can also use 1:N face search to determine whether the same or a highly similar face has appeared in previous applications.
This can reveal one person using multiple documents, blocked customers returning with new credentials, or the same operator appearing across several applications.
A face match should not automatically trigger rejection. It should be combined with document, device, behavioral, and account data.
2. Document-to-Identity Links
Banks should analyze whether the same document image, portrait, template, or capture environment appears across multiple applications.
Indicators include repeated document images, identical portraits, editing traces, screenshots, re-photographed documents, and inconsistent identity fields.
Document authenticity analysis can expose image manipulation, portrait replacement, recapture, and data-field modification.
3. Device and Session Links
A single fraud operator may control many accounts through shared devices, emulators, virtual environments, or device farms.
Useful signals include device fingerprints, IP reputation, proxy or VPN use, emulator indicators, geolocation inconsistencies, and repeated login behavior.
A shared device alone does not prove fraud. Risk becomes stronger when combined with unrelated identities, repeated applications, common beneficiaries, or synchronized transactions.
4. Contact and Profile Links
Phone numbers, emails, addresses, employers, company directors, and emergency contacts can expose additional relationships.
Fraud groups often make small changes to avoid exact matching. Fuzzy matching can detect near-duplicate phone numbers, address variations, and email aliases that basic rules may miss.
5. Transaction Network Links
Transaction data becomes more effective when combined with identity relationships.
Common patterns include multiple accounts receiving funds from unrelated victims, rapid fan-in and fan-out transfers, circular movement between connected accounts, repeated transfers to common beneficiaries, high pass-through value with little normal activity, and coordinated withdrawals.
These patterns help banks identify not only suspicious accounts, but also the wider network around them.
A Five-Step Detection Workflow
Step 1: Collect Identity and Session Signals
At onboarding, collect high-quality document images, a live facial capture, device information, contact details, and session metadata.
Liveness detection should confirm that the biometric sample comes from a real, present person rather than a printed image, replayed video, deepfake, or injected stream.
Step 2: Resolve the Applicant’s Identity
Compare the live face with the document portrait and validate document information.
The bank should search authorized records across existing customers, previous applications, rejected cases, closed accounts, and confirmed mules.
The result should be an identity-level profile, not another isolated account record.
Step 3: Build the Relationship Graph
Connect the applicant with relevant accounts, devices, documents, phone numbers, addresses, beneficiaries, and transaction endpoints.
Each link should be weighted by confidence. An exact identity match should carry more weight than a shared public IP address, while a high-confidence face match may be stronger than a similar address.
Step 4: Calculate Cross-Account Risk
The bank can score both individual accounts and the wider cluster.
Risk should increase when one face is linked to multiple documents, one device is linked to unrelated customers, several accounts share high-risk beneficiaries, linked accounts show synchronized behavior, or the network contains confirmed mule accounts.
Graph-based scoring can reveal accounts that appear normal individually but sit close to known fraud nodes.
Step 5: Apply Proportionate Controls
Low-risk customers may continue normally. Medium-risk users may require enhanced face verification or manual review. High-risk accounts may face transfer limits, transaction delays, beneficiary restrictions, or temporary suspension.
Confirmed networks may require blocking, investigation, regulatory reporting, and authorized interbank information sharing.

Reducing False Positives
Families, small businesses, employees, students, or people using shared internet connections may legitimately share devices, addresses, or beneficiaries.
Banks should therefore avoid making decisions based on one connection alone.
A stronger model combines biometric similarity, document authenticity, device relationships, contact information, transaction behavior, and historical fraud exposure.
Investigators should see why accounts were connected and which signals influenced the score. Explainable graphs improve review efficiency and consistency.
How Face++ Supports Identity-Level Mule Detection
Face++ provides facial recognition and identity verification capabilities that can serve as a biometric layer within a broader mule account detection framework.
Thai banks can use these capabilities to compare a live applicant with an identity document portrait, detect repeated faces across multiple applications, search authorized internal fraud datasets, identify blocked identities attempting to return, and trigger step-up face verification during high-risk activities.
Face recognition is not a complete mule detection solution by itself. Its value increases when combined with document analysis, device intelligence, transaction monitoring, and investigation workflows.
From Account Detection to Network Disruption
Mule accounts are not isolated endpoints. They are connected components of organized fraud operations.
By moving from account-level rules to identity-level and network-level analysis, Thai banks can detect suspicious relationships earlier, identify additional accounts surrounding confirmed cases, and prevent blocked individuals from returning with new credentials.
The key is to connect biometric, document, device, contact, and transaction signals into one explainable risk view.
With identity link analysis, banks can move beyond closing individual mule accounts and begin disrupting the networks behind them.



