Several years ago, I attended a user forum for a company offering fraud and AML solutions to banks all over the world. I had been working in AML technology for about 5 years at that point, and had very limited knowledge about the world of real-time fraud prevention. During one of the round-table sessions, I sat down next to someone from a device intelligence vendor.
Knowing almost nothing about the technology at the time, I peppered him with questions, culminating with, “Does anyone use device intelligence to detect money laundering?” He told me that he wasn’t aware of anyone doing so, and the others at the table, mostly senior AML professionals, were skeptical of the idea. When I proposed this company partner with a large financial institution as a proof of concept to see what they could find, it was shrugged off and the conversation moved on to other topics.
Fast forward several years, and we’ve been through the boom in synthetic identity fraud brought on by COVID and PPP, the rise of fraud-as-a-service on social media platforms, and more recently, an explosion of AI-assisted fraud. The landscape has changed completely. Today, I find myself building fraud solutions for everyone from seed-stage fintech startups to Fortune-500 companies. Many of these companies use Device Intelligence and Behavioral Biometrics (DIBB) products to prevent fraud, but as I’ve worked with them, an old thought surfaced: what if we looked at the device connections through an AML lens?
I have the luxury of working with some incredible data scientists. When I challenged them to find AML typologies with device connections, they were excited to take on the challenge. But before we get into that, let’s revisit some of the developments in the fraud ecosystem over the past several years to understand the components of the fraud to money laundering lifecycle.
The fraudster’s lifecycle looks something like this:
- Find an opportunity: “What is the weakest link?” Whether that is a human or a system, they look for the easiest, most exploitable path. Why work harder than you must?
- Tools of the trade: Sourcing “fullz” (full information) from the dark web, card dumps, SIM swap services, or money mules is easy. There’s a whole underground market for this.
- Testing and calibration: Fraudsters test the target’s controls to see what works. They use low-value probes to check whether you’ll decline a stolen card or a reused device, or flag on velocity checks. They’re essentially reverse-engineering your fraud controls.
- Scaling: Once they find what works, they move quickly. If your upper bound is $500, you’ll start seeing transactions for $495. If your transactions-per-minute limit allows for 50, they’ll do 49. It’s not always lightning quick, but it will skirt just below all your limits to deal maximum damage as quickly as possible.
- Cashout: This is where it gets complicated. Whether they’re getting merchandise or money, they ultimately have to move it around to obfuscate the source of funds. This often happens through crypto exchanges, P2P networks, gift cards, and mule networks.
- Iteration: When the exploit stops working, they find a new target. And since about 80% of adults reuse passwords, it’s pretty easy. And that underground market I mentioned earlier? They sell “methods” or instructions for how to exploit vulnerabilities at specific companies.
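The "Scaling" step leaves a measurable trace: amounts and rates that bunch up just under a control limit. The following is an added example, not code from the original post; the $500 and 50-per-minute limits come from the text above, while the 5% band, 50% share, 90% rate threshold, function names and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict

AMOUNT_LIMIT = 500.00   # per-transaction ceiling used in the text
RATE_LIMIT = 50         # transactions allowed per minute, as in the text

# Constructed sample: (account, epoch_seconds, amount_usd).
TXNS = [("acct-probe", t, 495.00) for t in range(49)]  # 49 txns in 49 s
TXNS += [("acct-normal", 3600 * i, amt)
         for i, amt in enumerate([20.00, 75.50, 480.00, 130.00, 42.00])]


def peak_per_minute(timestamps, window=60):
    """Largest number of events inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:   # drop events that left the window
            start += 1
        best = max(best, end - start + 1)
    return best


def skirting_accounts(txns, amount_limit, rate_limit, band=0.05, min_txns=5):
    """Flag accounts whose amounts or rates sit just below the limits."""
    by_acct = defaultdict(list)
    for account, ts, amount in txns:
        by_acct[account].append((ts, amount))
    flagged = {}
    for account, rows in by_acct.items():
        reasons = []
        floor = amount_limit * (1 - band)          # e.g. $475 for a $500 limit
        near = sum(1 for _, a in rows if floor <= a <= amount_limit)
        if len(rows) >= min_txns and near / len(rows) >= 0.5:
            reasons.append("amounts cluster just under limit")
        if peak_per_minute([t for t, _ in rows]) >= 0.9 * rate_limit:
            reasons.append("rate just under limit")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    print(skirting_accounts(TXNS, AMOUNT_LIMIT, RATE_LIMIT))
```

A single near-limit payment, like the $480 one on the normal account, does not trip the rule; the signal is the share of activity sitting in the band.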
Cashouts are where we really dug in. What happens when you have visibility to multiple fintechs, neobanks, and financial institutions and can see the money movement between them? You see a lot more connections than looking at a single client in isolation. Here are a few examples of what we found:
Example 1 - Uncovering 1,200 unique accounts sharing a single user ID at one large U.S. neobank
Using our network graph capabilities, Sardine linked over 1,200 unique accounts sharing a single mobile user ID at one neobank customer. This device-level attribute should be unique for each Android device, but it was being used across hundreds of devices. There’s only one way this can happen: intentionally changing it.
This may raise the question “Why would anyone do that?” Our best explanation: the pre-Sardine control environment was allowlisting based on specific features, and this was likely one of them. The existing fraud solution had no network graphing or anomaly detection features, so no red flags were ever raised. Since every device ID was different, they were none the wiser.
This ring operated out of Southeast Asia and moved hundreds of thousands of dollars between accounts before exiting to traditional financial institutions. Money mules, plain and simple.
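The linkage described in Example 1, as an added sketch (not Sardine's code and not part of the original post): accounts are clustered on shared attributes, and a user ID that should be unique per device but appears on several device IDs is flagged. The event fields, sample values and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample onboarding events: (account, device_id, mobile_user_id).
# Field names and values are assumptions for illustration only.
EVENTS = [
    ("acct-01", "dev-A", "uid-777"),
    ("acct-02", "dev-B", "uid-777"),
    ("acct-03", "dev-C", "uid-777"),
    ("acct-04", "dev-D", "uid-100"),
    ("acct-05", "dev-D", "uid-100"),
    ("acct-06", "dev-E", "uid-200"),
    ("acct-03", "dev-F", "uid-300"),
    ("acct-07", "dev-F", "uid-300"),
]
FIELDS = {"device": 1, "uid": 2}  # tuple index of each linkable attribute


def reused_user_ids(events, max_devices=1):
    """User IDs seen on more device IDs than a per-device value should be."""
    devices = defaultdict(set)
    for _, device_id, user_id in events:
        devices[user_id].add(device_id)
    return {u: sorted(d) for u, d in devices.items() if len(d) > max_devices}


def _find(parent, x):
    while parent[x] != x:  # walk to the root, halving the path as we go
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def account_clusters(events, link_on=("device", "uid"), min_size=2):
    """Union-find: accounts sharing any attribute in link_on join one cluster."""
    parent, first_seen = {}, {}
    for event in events:
        account = event[0]
        parent.setdefault(account, account)
        for name in link_on:
            # First account seen with this attribute value anchors the link.
            other = first_seen.setdefault((name, event[FIELDS[name]]), account)
            parent[_find(parent, account)] = _find(parent, other)
    groups = defaultdict(set)
    for account in parent:
        groups[_find(parent, account)].add(account)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=lambda c: (-len(c), c))


if __name__ == "__main__":
    print("reused user IDs:", reused_user_ids(EVENTS))
    print("device ID only :", account_clusters(EVENTS, link_on=("device",)))
    print("device + user  :", account_clusters(EVENTS))
```

Linking on device ID alone finds only the two small pairs; adding the shared user ID merges the first three accounts, and acct-07 joins the same cluster through acct-03's second device.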
Example 2 - 50,000 connected accounts moving funds cross-border at one international money remitter
Cross-border payments are a different animal. Before we even started testing, I knew we’d find something, but the scale of what we uncovered was beyond anything I expected. Whenever you’re dealing with cross-border payments, the likelihood of money laundering is exponentially higher than when you’re working with, say, a community bank. The ease with which one can send thousands of dollars from one country to another, outside of traditional financial institutions, makes obfuscating the source of funds that much simpler.
One week in, we discovered a network of several hundred connected accounts. A month in, that number exceeded 20,000. Two months in, we were pushing 50,000 connected accounts moving extraordinary amounts of money around. The formula was simple: onboard funds from a neobank or crypto exchange, tumble it around through a few hundred accounts, consolidate in a few receiver accounts, and exit all the funds to a traditional bank. Wash. Rinse. Repeat.
“Surely these fintechs did KYC on their customers?” you may say. And yes, they did. So how did all these bad accounts get created?
Example 3 - Shutting down gig economy workarounds
The answer came from an unexpected place: a gig economy platform.
This client initially contracted with us because they had workers from other countries spoofing their location to get higher geo-based pay. They had identity verification tools in place to ensure they weren’t onboarding synthetic identities, but the fraudsters kept finding their way around it.
The client notified us of a fraud ring they found out of Bangladesh that didn’t fit the typical pattern they were looking for. When we looked into it, something was off: all of the locations seemed to be clustered in a few small towns. One of our data scientists plotted the onboarding events on a map to show how the ring grew over time and a pattern emerged, clear as day. The fraudsters were going door-to-door and signing up anyone who was willing to share their information.
In the U.S., I’ve heard of criminals targeting the homeless, college students, and others to use their identities or bank accounts to commit fraud, but the scale of this was unlike anything I had ever seen before. Dozens of routes snaked through neighborhoods where new accounts were being created, each of them running from North to South and then back to their starting point on the next street over.
The criminals were paying people to open accounts and then using those same accounts to abuse the platform for financial gain.
This is the same mechanism behind how examples 1 and 2 were created: real people, real KYC, and real identities handed over to criminals, just with a twist.
Follow the device, not the dollar
What we found across these three clients shouldn’t have been all that surprising, but it was because nobody was looking for it. AML programs are built around the transaction. Fraud programs are built around the event. The pipeline that fraudsters have built runs underneath both of them.
I’ve spent time on both sides of this problem now, and the honest answer is that the tools able to close this gap already exist. From device intelligence to behavioral biometrics and network graphs, none of these are experimental anymore. We used them to find 50,000 connected accounts moving millions of dollars, so the question can’t be whether they work for AML. We know they do.
A lot of what we do today, like transaction monitoring, still works. But the fraud-to-laundering pipeline has evolved faster than the compliance tooling, and the gap is wide open. Closing it starts with asking questions like:
- How was this account created?
- What device was behind it?
- Who else shares that fingerprint?
A modern AML program that takes this seriously looks different from what most compliance teams have today. Device fingerprints are checked throughout the lifecycle, not just at the transaction layer. Network graphs surface account relationships across the portfolio, not just within a single customer's history. And fraud signals such as velocity, device reuse, and behavioral anomalies feed directly into AML workflows instead of sitting in a separate system that compliance never sees.
If your program can't answer those three questions about any account in your portfolio, that's where they're getting in. The fraudsters figured out the gaps years ago. The question now is when compliance programs will catch up.


