persona-logo
  • Research
  • Identity muling and techniques to combat the rise of second-party fraud
January 23, 2026

Identity muling and techniques to combat the rise of second-party fraud

As identity verification systems improve at detecting deepfakes and synthetic identities, fraudsters are increasingly turning to identity muling, a form of second-party fraud that relies on real people willingly sharing their identities or completing verification on behalf of bad actors. This white paper examines how identity muling works, why it is difficult to detect, how it differs from identity theft and other muling schemes, and which risk signals and defense strategies organizations can use to identify and disrupt identity mule operations.

As organizations improve their ability to detect deepfakes and synthetic identities, some fraud actors have shifted toward using real people to bypass identity verification systems. In exchange for modest compensation (commonly between $5 and $20 USD), these individuals share selfies, identification documents, or complete account creation and verification on behalf of fraud networks. Because identity mules are legitimate individuals who can pass selfie and liveness checks, this form of second-party fraud presents unique detection challenges.

This paper outlines the mechanics of identity muling, explains why it has become more prevalent, and examines strategies organizations use to detect and mitigate this emerging fraud vector.

Definition of identity muling

Identity muling occurs when a fraud actor compensates an individual to use their identity in support of fraudulent activity. In some cases, individuals provide images or videos of their identification documents and face, which can later be reused or sold. More commonly, individuals are instructed to complete identity verification directly during account creation. Once verification is successful, control of the account is transferred to the fraud actor for illicit use.

Drivers of identity mule adoption

One factor contributing to the rise of identity muling is the increased effectiveness of fraud detection systems. Presentation attacks and injection attacks, including the use of deepfakes or virtual cameras, are becoming easier to detect. As a result, fraud actors may turn to identity mules as an alternative means of passing verification.

Because identity mule operations introduce additional cost and coordination, they are typically reserved for higher-value targets where the expected return justifies the investment. Less complex fraud schemes are often used for lower-value attacks.

Distinguishing identity muling from identity theft

Identity muling differs from identity theft in that individuals participate willingly. In contrast, individuals whose likeness or documents are captured through deception, coercion, or exploitation are considered victims of identity theft. This distinction aligns identity muling with other forms of human-assisted fraud, such as money muling and shipping muling.

Identity muling Identity theft
Someone willingly uses or shares their identity A bad actor uses a victim’s identity without consent
Second-party fraud Third-party fraud
Passes liveness and injection attack checks Might fail liveness or injection attack checks

Identity muling in the context of human-assisted fraud

Muling broadly refers to forms of human-assisted fraud in which individuals are recruited, compensated, or directed to participate in a larger fraudulent scheme.

Common examples include money mules, who receive funds into their accounts and transfer them on behalf of fraud actors, often as part of money laundering operations. Fraud networks frequently recruit money mules through deceptive “work from home” postings or by exploiting victims of romance scams.

Shipping mules are another example. These individuals receive and forward packages purchased using stolen payment methods or, in some cases, unknowingly transport illegal goods. The use of intermediaries allows fraud actors to distance themselves from the underlying criminal activity.

While the tactics and objectives vary, several characteristics are shared across muling schemes:

  • Individuals are often compensated upfront and have limited ongoing involvement.

  • A centralized fraud actor or group typically coordinates recruitment and subsequent fraudulent activity.

Muling is generally considered a form of second-party fraud and may carry legal consequences even when individuals claim limited awareness of the broader scheme. In the United States, money mules may face fines and imprisonment. In Singapore, scammers, scam recruiters, and members of organized scam groups may now receive a mandatory six lashes from a cane. Scam mules may receive up to 12 lashes.

Operational characteristics of identity mule networks

Identity mule operations range from opportunistic to highly sophisticated. 

  • Basic operations: Fraud actors recruit mules through social media or local networks, pay them directly, and have them complete verifications using their real information. These accounts may reuse the same device, IP address, or physical location.

  • Advanced fraud rings: Fraud actors scale sophisticated operations by creating fake IDs that have the mule's photo and falsified information. Fraud actors coach mules to take selfies and move mules to different locations to avoid pattern detection. Some operations even spoof IP addresses and take other measures to avoid detection.

When identity mule activity targets an organization, certain patterns may emerge:

Similar selfies and environments 

When the fraud group operates out of a single physical location, organizations may notice that the selfies new users submit appear oddly similar. Similar backgrounds may be observed, such as the same home or office setup. Or, some fraud groups might try to disguise the situation by having mules pose in front of a blank wall or hanging sheet. 

Similar ID images and backgrounds 

The government ID submissions may also have a template-like quality to them. If the fraud actor is creating fake IDs for the mules, there may be similarities in the physical document, such as the same date of birth or address. Regardless of the document's authenticity, it may be observed that the identification documents are placed on the same desk or countertop. 

Shared devices or networks 

Sometimes, the mules might be instructed to use the same device to create accounts. Even if they’re using their own devices, they might share the same IP address and be located in a region that’s commonly associated with fraud in your environment. 

Once the mules create and hand off accounts, the fraud actors might access the accounts using a single device. The process can link the fraudster’s device to multiple accounts. If fraud actors operate from multiple locations, organizations may detect logins from places that are too far apart for someone to travel between the login attempts.

Detection and mitigation strategies

Identity mules are real people, and they can legitimately pass standard liveness detection during identity verification. As a result, detecting identity mules can sometimes be more difficult than fighting the most sophisticated AI-powered attacks. 

We’ve found certain approaches to be most effective at detecting and mitigating fraud actors who rely on mules.

Monitor and stack risk signals 

Organizations can detect identity mule fraud based on different risk signals and velocity checks. Stack signals to improve recall and precision, and be particularly mindful of the following risk signals:

  • Shared IP addresses

  • VPN, Tor, or proxy use

  • Located in a high-risk area

  • Impossible travel between logins 

  • Shared browser or device fingerprints

Behavior signals and patterns can also be important. For example, users who attempt to quickly change the account credentials or details during the second login might be riskier. The presence of multiple signals may suggest the need to flag an account.

Uncover connections with link analysis

When an organization confirms that an account belongs to an identity mule, they may use link analysis to discover connected accounts within their system. They may find connected accounts through shared devices, IP addresses, email addresses, phone numbers, document details, and image similarities. 

Link analysis can quickly uncover connections even when there are several degrees of separation. With some link analysis tools, organizations can use the insights to determine when to require reverification and use the results as real-time signals during identity verification. 

For example, organizations may automatically block accounts that have the same device fingerprint as the previously caught identity mule. Or, automatically flag accounts when two or more accounts try to submit nearly identical identification documents. 

Run database verifications 

A database verification allows organizations to cross-check information from the user’s identifying documents with issuing or authoritative sources. It’s often part of a multi-layered fraud defense, and it can be effective when fraudsters create fake IDs for the identity mules. 

Require selfie reverification before high-risk transactions

Asking users to reverify their accounts before approving high-risk actions can be a good deterrent because fraudsters usually won’t be able to contact the original identity mule. 

Organizations may use dynamic, risk-based flows to only require reverification from users when other risk signals are present to mitigate friction for low-risk users. 

Conclusion 

Identity muling represents a growing challenge for organizations because it exploits legitimate human behavior rather than technical weaknesses in identity verification systems. Addressing this threat requires moving beyond one-time verification toward continuous, risk-based analysis that combines behavioral signals, device intelligence, database checks, and link analysis. By stacking signals and monitoring connections across accounts, we've found that organizations can more effectively detect identity mule rings, reduce fraud exposure, and stay ahead of evolving second-party fraud tactics.