How link analysis unravels identity mule rings
Identity verification helps prevent fraud by requiring would-be fraudsters to verify that they are real people and who they say they are. But what about a user who opens an account with their legitimate ID and selfie and then hands the keys to a bad actor?
That’s exactly what happens with identity muling, and this type of second-party fraud can be difficult to detect. Even a multi-layered defense that combines government ID, selfie, and database verifications could miss these soon-to-turn-bad accounts.
The secret to surfacing these accounts is to look for suspicious connections between accounts rather than focusing on the legitimacy of the individual users. And that’s exactly why link analysis is a critical part of many anti-fraud strategies.
What are identity mules?
Identity mules are people who willingly help a bad actor open an account by completing an identity verification request, usually in exchange for money. Identity muling typically takes one of these forms:
The mule opens an account using their real ID and selfie and then turns it over to the bad actor. The bad actors often guide the mule through the identity verification process.
The mule gives the bad actor images and recordings of their identifying documents and a selfie. Sometimes, these are collected from the mule when the mule creates an account. The bad actors inject the selfies into verification flows when opening accounts.
The bad actor creates a fake ID for the mule, who then uses it to open an account for the fraudster. The combination of a real selfie with fake (or stolen) information essentially creates a synthetic identity mule.
Fraudsters pay identity mules to open accounts because the accounts often appear legitimate during onboarding. These accounts can then be used to engage in many types of fraud, including:
Auction fraud (e.g., shill bidding, multiple bidding, shield bidding)
Marketplace fraud (e.g., fake profiles, buyer/seller closed-loop account)
Why link analysis is effective at surfacing identity mule rings
Link analysis can help you find and stop identity mule attacks by uncovering links between accounts rather than focusing on identity verification during onboarding. It’s a data science technique for understanding relationships and connections between data points.
Fraud fighters use it to find accounts or transactions linked by one or more attributes, such as a device fingerprint or a government ID number. Many link analysis tools, including Persona’s Graph, also have visual interfaces for investigators.
It’s normal for user accounts to occasionally share certain attributes. For example, multiple users share an IP address, physical address, or device if they live together. However, fraudsters also often reuse tactics and assets, such as images or devices, across attacks.
Link analysis can still be helpful because you can use it to find:
Accounts that were created on the same device or IP address
Selfies that look suspiciously similar, like they were taken in the same place
Groups of accounts that were created on different devices but share other connections
Connections that are multiple degrees or “hops” away
You can see how the identity mule rings operate
Consider an identity mule ring with a fraud ringleader or broker who pays mules to open accounts and hand over the login credentials. The fraudster shares the login information with their crew, who use a shared device to log in and monetize the accounts.

That’s likely what’s playing out in the image above, which is a real result from Persona’s Graph Explorer. The multi-hop search revealed that the group of accounts sharing an IP address (shown on the right) was connected to a group of people sharing a device (on the left).
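The multi-hop search described above can be sketched as a breadth-first walk over a graph of accounts and the attributes they share. This is an added example, not Persona's Graph code: the account records are constructed sample data, the function names are hypothetical, and the minimum cluster size of three is an assumed threshold meant to keep ordinary household sharing out of the review queue.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data): account -> attributes seen at signup/login.
ACCOUNTS = {
    "acct_1": {"device": "dev_A", "ip": "203.0.113.10"},
    "acct_2": {"device": "dev_A", "ip": "203.0.113.11"},
    "acct_3": {"device": "dev_A", "ip": "198.51.100.7"},  # bridges both groups
    "acct_4": {"device": "dev_B", "ip": "198.51.100.7"},
    "acct_5": {"device": "dev_C", "ip": "198.51.100.7"},
    "acct_6": {"device": "dev_D", "ip": "192.0.2.50"},    # household pair
    "acct_7": {"device": "dev_E", "ip": "192.0.2.50"},
}

def build_graph(accounts):
    """Bipartite graph: account nodes <-> (attribute kind, value) nodes."""
    graph = defaultdict(set)
    for acct, attrs in accounts.items():
        for kind, value in attrs.items():
            graph[acct].add((kind, value))
            graph[(kind, value)].add(acct)
    return graph

def linked_accounts(graph, start, max_hops):
    """Accounts within max_hops shared-attribute hops of start, with hop count."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        acct = queue.popleft()
        if seen[acct] == max_hops:
            continue  # do not expand past the hop limit
        for attr in graph[acct]:
            for other in graph[attr]:
                if other not in seen:
                    seen[other] = seen[acct] + 1
                    queue.append(other)
    return {a: hops for a, hops in seen.items() if a != start}

def clusters(graph, accounts, min_size=3):
    """Connected account groups of at least min_size, for investigator review."""
    remaining, found = set(accounts), []
    while remaining:
        seed = min(remaining)
        group = {seed} | set(linked_accounts(graph, seed, len(accounts)))
        remaining -= group
        if len(group) >= min_size:
            found.append(sorted(group))
    return found
```

A one-hop search from `acct_1` sees only the accounts on its device; the second hop, through `acct_3`, reaches the accounts that share an IP address with it.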
You can spot identity mule rings even when the selfies are real
Similarly, consider a scenario where the fraudster is recruiting identity mules on the street, or has a steady stream of mules who complete verifications at the same house or office.
The mules open their accounts under a fraudster’s guidance. If the identity verification process includes government ID verification, then multiple mules may submit their IDs with similar backgrounds (e.g., a driver’s license placed on the exact same desk or countertop each time).
Likewise, if it includes selfie verification, then selfies submitted by mules in the same location may share similar backgrounds or lighting. A link analysis tool that includes image similarity nodes, like Persona’s Graph, can surface these similarities for further investigation.

Just one piece of the identity fraud puzzle
Link analysis is a powerful tool for surfacing different types of fraud, including identity mules, synthetic identities, and AI-driven fraud. But it’s important to remember that it’s just one layer of a broader anti-fraud strategy. That means it works best when deployed in conjunction with, not in place of, other tools and methods.