CUSTOMER STORY
Financial services

Leading U.S. neobank busts laundering ring spanning 3,000+ accounts


A leading U.S. bank faced mounting financial and reputational risk due to suspected money laundering rings in its payments channels. Criminals exploited fragmented monitoring systems across ACH, wires, RTP, and digital banking to distribute illicit activity across thousands of accounts, keeping individual profiles below detection thresholds. This resulted in millions in illicit flows that bypassed controls, overwhelming compliance teams with false positives while true laundering networks went undetected.

The bank turned to Sardine’s data consortium to break out of this cycle. Unlike legacy systems that focus narrowly on single entities or transactions, Sardine’s graph-powered approach mapped entire laundering ecosystems, linking accounts, devices, IPs, and counterparties across silos. Finding spoofed accounts and suspicious device activity, once a time-consuming manual task, could then be handled with a single click. By consolidating hundreds of low-value alerts into a single Community Alert, investigators gained immediate visibility into the full network, enabling faster disruption of mule activity, higher-quality SARs, and stronger regulatory alignment.

The challenge: How fragmented silos masked millions in illicit flows

Organized crime rings use sophisticated operations to launder money through the U.S. banking system. Their operations involve using thousands of mule accounts to move money at scale through what seem like ordinary accounts. A U.S. bank encountered serious issues fighting these mule rings due to its reliance on legacy systems. Those systems created unworkable data silos, each focused on one type of payment. Separate monitoring tools for ACH, wires, RTP, and digital payments made it impossible to view activity holistically and allowed millions of dollars to bypass controls. The bank needed a way to view the bigger picture.

Criminals understood that laundering large amounts of money on individual transactions was bound to get them caught. Instead, they used thousands of “low-risk” accounts to transfer small sums that were far less likely to be detected. These transactions added up to millions of dollars, effectively laundering massive sums through a “death by a thousand cuts” strategy.

Due to the bank’s fragmented systems and entity-centric rules, many of the illicit transactions were getting through. The compliance team was flooded with false positives from harmless customer transactions, while the money launderers’ payments went uncaptured. Shell companies masked who truly operated accounts, and criminals took advantage of the blind spots. The bank needed a new solution to tackle the issue.

The solution: Sardine’s community risk intelligence

Sardine combined graph intelligence with its device intelligence solution to dismantle the money laundering ring and surface red flags that legacy systems missed. By quickly moving to set up Community Detection, Risk Intelligence, and Device Intelligence, Sardine disrupted money laundering patterns and revealed cybercrime occurring within the neobank’s environment.

Tracing the hops with Sardine

Because money launderers make their operations as complex as possible to avoid detection, it’s impossible to catch on to their patterns with legacy tools that can only display limited transaction information. The neobank required a platform that could use Community Risk Intelligence to find and deter mule rings.

For example, mule rings often use intermediary accounts to launder money. Each time they want to move money, they “hop” between different accounts to transfer funds. With Sardine’s Risk Intelligence tools, the retail bank was able to track links beyond 6+ hops across over 10 million customers and expose layered money laundering structures.

The neobank was also able to leverage Community Detection to discover mule rings and front businesses that were being used to move money. Sardine allowed the neobank to create personalized rules and risk conditions to find potentially suspicious transactions. The neobank implemented Network-Based Risk Scoring, which elevated risk based on entity connections (e.g. sending a lot of small deposits to one business) rather than isolated behavior.

To further help the neobank, Sardine consolidated hundreds of alerts into a Community Alert system, helping to focus investigator effort. Sardine also mapped complex ownership ties to unmask hidden relationships between accounts, devices, and payments.

International device intelligence

Money laundering has never stopped at a nation’s borders, and the rise of online banking has made international activities more lucrative for cybercriminals. The U.S. neobank relied on Sardine’s Device Intelligence to find money laundering rings operating across borders.

Using Device Intelligence, the neobank was able to flag transactions where the location of a phone or computer did not match the location of its IP address, an inconsistency that showed clear illicit intent. Sardine can also detect jailbroken devices that are used to mask activity and bypass fraud controls. If accounts showed large amounts of peer-to-peer transactions between 1 and 6 AM local time, when no one should be awake, Sardine was also able to flag this as potential bot or mule behavior.

Foreign cybercriminals utilize VPNs and proxy obfuscation to launder money. As seen in the chart below, one domestic account can often be a front for hundreds of accounts from other countries. The neobank was able to use Sardine to find the “true device location”, which was often in Bangladesh or Indonesia.

The results: A 3,000-node bust

The integration of Sardine’s Link Analysis and Community Detection turned what used to be a fragmented investigation into a full-scale dismantling of the mule ring. The breakthrough didn’t come from a complex rule change, but from catching a human error in a machine-scale operation.

The slip-up

Every fraudster has a tell. For this particular ring, that tell was a single shared device.

Initial graph analysis identified 100 mule accounts all tethered to one device ID. The operator of this ring made one fatal mistake: they briefly logged into a second, “backup” device to manage their accounts. By tracking that one-time login, Sardine’s Link Analysis surfaced a second, hidden cluster of 100 additional mule accounts linked to that “lonely” second device.

Proximity to the fraudster’s hardware gave the bank the evidence it needed to blacklist at least 100 “green” accounts that had no other red flags. These accounts were essentially “sleeper” nodes, waiting for a high-value transfer before they could be caught by standard KYC filters.

Mapping the hubs

The investigation scaled rapidly once Mobile User ID (MUID) aggregation was pulled into the graph. The data revealed a deliberate “hub-and-spoke” architecture designed to stay under the radar:

  • The Hubs: Investigators found specific Mobile User IDs acting as central anchors for hundreds of seemingly unrelated accounts.
  • The Two-ID Strategy: High-level operators were “multi-homing”. They would utilize one massive Hub ID for the bulk of their traffic, and a second, more exclusive ID shared with only a few other users.
  • The 3,000-User Community: By tracing the hops between these overlapping hubs, the Community Detection algorithm identified a massive, coordinated network of approximately 3,000 users.
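
The linking step described under "The slip-up" and "Mapping the hubs" can be illustrated with connected components over an account-to-device login graph. This is an added example, not Sardine's code or algorithm: union-find stands in for the link analysis, and every account name, device ID and login record is constructed.

```python
from collections import defaultdict

def build_logins():
    """Constructed sample data: (account, device) login pairs."""
    logins = [(f"acct-{i:03d}", "dev-A") for i in range(100)]            # known mule cluster
    logins += [(f"acct-{i:03d}", "dev-B") for i in range(100, 200)]      # "green" sleeper accounts
    logins += [(f"acct-{i:03d}", f"dev-u{i}") for i in range(200, 205)]  # unrelated customers
    logins.append(("acct-000", "dev-B"))  # the one-time login on the backup device
    return logins

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def communities(logins):
    """Group accounts and devices into connected components of the login graph."""
    uf = UnionFind()
    for acct, dev in logins:
        uf.union(("acct", acct), ("dev", dev))
    groups = defaultdict(lambda: {"acct": set(), "dev": set()})
    for kind, name in list(uf.parent):
        groups[uf.find((kind, name))][kind].add(name)
    return list(groups.values())

def expand_from_seed(logins, seed_device):
    """Return the community containing seed_device and the accounts bridging devices."""
    comm = next(c for c in communities(logins) if seed_device in c["dev"])
    devs_per_acct = defaultdict(set)
    for acct, dev in logins:
        if acct in comm["acct"]:
            devs_per_acct[acct].add(dev)
    bridges = sorted(a for a, d in devs_per_acct.items() if len(d) > 1)
    return comm, bridges

if __name__ == "__main__":
    comm, bridges = expand_from_seed(build_logins(), "dev-A")
    print(len(comm["acct"]), "accounts on", sorted(comm["dev"]), "bridged by", bridges)
```

Dropping the last login record leaves the seed device's community at 100 accounts, which is why a single cross-device session is enough to pull the second cluster into view.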

The outcome

Instead of playing “whack-a-mole” with 3,000 individual profiles, the bank used the graph to see the entire fraud infrastructure at once. They moved from chasing single transactions to neutralizing an entire 3,000-node community with just a few targeted blocks.

Sardine’s impact: Detection to dismantlement

The success of this investigation highlights a fundamental shift in how the bank approaches risk: they have stopped chasing the individual transactions and started neutralizing the infrastructure that powers them. By collapsing data silos into a single, graph-powered view, Sardine provided the technical leverage necessary to turn a single operator’s error into a total network teardown.

There is no room for complacency in an era of machine learning and hyper-scaled fraud. As mule rings become more sophisticated, the key to maintaining a delicate balance between growth and security is a deep adaptive partnership. Sardine’s technology allows the bank to make the service their own by tailoring rules and risk conditions to their unique environment rather than relying on universal legacy logic.

Maintaining the delicate balance between seamless growth and ironclad security requires a partner that sees the whole picture. Sardine is proud to work alongside innovators who recognize that in modern finance, stopping a transaction is good, but dismantling a network is where the real work lies.