A forensic reading of two SBI bank statements that, read together, expose a transnational investment-scam laundering syndicate operating at industrial throughput through India's UPI & NEFT rails.
Two SBI customer accounts processed 321,967 transactions moving ₹22.36 crore in aggregate, where 99.7% of inflows arrived as sub-₹2,000 UPI credits and almost every rupee was drained out within hours through standardised NEFT/RTGS payouts to a tightly-clustered set of recipient accounts. The retained balance in one account was 0.03% of inflow. This is not a customer using a bank account; this is a wallet being rented to a payment-aggregation engine.
Both accounts received every credit through the same upstream source account, 4897735162098, and 5,005 retail VPAs sent money into both accounts independently. This is a confirmed inter-mule layering network with a shared victim pool. It is the signature of Money-Laundering-as-a-Service (MLaaS) — a managed pipeline rented out to multiple downstream fraud operators (investment scams, task-based scams, illegal betting, crypto-shell mining), most consistent with the modus operandi of Chinese-syndicate cyber-fraud rings operating against Indian retail victims. The accounts demonstrate eleven distinct AML red-flag patterns simultaneously. Most are individually detectable by any half-decent transaction-monitoring system, yet the activity ran. The remainder of this brief decomposes the patterns and proposes a concrete, rule-by-rule detection architecture SBI can deploy in its FCMS / AMLOCK / equivalent monitoring stack to interdict accounts like these before they complete the laundering cycle.
| Metric | Value |
|---|---|
| Total records | 95,474 |
| Credit transactions | 95,301 |
| Total credits | ₹6.98 Cr |
| Debit transactions | 173 |
| Total debits | ₹6.98 Cr |
| Net retained | ₹18,287 (0.03%) |
| Max balance held | ₹13.61 lakh |
| Velocity (turnover) | 51.3× |
| True activity window (from RTGS epochs) | ~5h 13m |

| Credit Side Profile | Value |
|---|---|
| Median credit ticket | ₹500 |
| Most common amount | ₹500 (25%) |
| Top-10 amounts cover | 93.4% of txns |
| Unique sender VPAs/phones | 68,682 |
| Phone-number-VPAs share | 88.7% |
| Unique sender banks (IFSC prefix) | 120 |
| Random 4-char "notes" | 93.9% |
| All credits routed via single source acct | 4897735162098 |

| Beneficiary | Txns | Channel | Destination Acct | Ticket Size |
|---|---|---|---|---|
| SHOP BASKET / S H O P BASKET | 127 | RTGS (INB) | 98561053319 | ₹4,00,113 – ₹4,18,378 |
| RAMSO ECOMMERCE PRIVATE LIMITED | 46 | RTGS (INB) | 98561053319 | ₹4,00,113 – ₹4,18,378 |
All 173 debits went to a single destination account. The two distinct names — "SHOP BASKET" and "RAMSO ECOMMERCE PRIVATE LIMITED" — sharing one account number indicates either a shell/proprietorship overlap or trade-name spoofing for narrative variety in statements.
| Metric | Value |
|---|---|
| Total records | 226,493 |
| Credit transactions | 225,791 |
| Total credits | ₹15.38 Cr |
| Debit transactions | 702 |
| Total debits | ₹15.31 Cr |
| Net retained | ₹6.42 lakh (0.42%) |
| Max balance held | ₹36.24 lakh |
| Velocity (turnover) | 42.4× |

| Credit Side Profile | Value |
|---|---|
| Median credit ticket | ₹300 |
| Most common amount | ₹100 (30%) |
| Unique sender VPAs/phones | 172,509 |
| Unique sender banks | 153 |
| Senders also seen in Acct A | 5,005 |
| Distinct outflow destinations | 42 sequential mule accts |
| NEFT remark | "COREPAY" (uniform) |
| All credits routed via single source acct | 4897735162098 |
The sequential account numbering (4698129, 4698130, 4698131, … 4698153 — 25 consecutive accounts in the same series) is mathematically certain to be a single batch of accounts opened at the same branch in close succession, likely within the same week, probably by the same on-the-ground KYC operator. This is the unmistakable fingerprint of a mule fleet — accounts opened by recruited individuals (often unwitting students, daily-wage labourers, the elderly, or unemployed) whose KYC and signed cheque-books / debit cards / UPI access are handed to syndicate handlers.
The activity profile satisfies the textbook FATF, FIU-IND, and RBI AML typologies for digital-rails money laundering. Each pattern below is observed directly in the data; the bracketed evidence is verifiable on inspection of the statements themselves.
The classic anti-AML technique — break one large deposit into many tiny ones — taken to its logical extreme. Account A received 95,301 individual credits with a median of ₹500; Account B received 225,791 credits with a median of ₹300. Each individual credit is invisible to threshold-based monitoring; the aggregate is criminal.
Account A retained 0.03% of inflow; Account B retained 0.42%. A legitimate business account, even a thin-margin one, retains 5–40% of inflow as working capital, taxes, or operational float. Retention below 1% is a defining feature of a layering account — money exists only to be moved.
Account A's RTGS reference numbers carry embedded Unix epoch timestamps revealing the true activity window: 2025-07-01 15:10:42 IST to 20:24:05 IST — five hours and thirteen minutes. That is ~5 transactions per second sustained for a fraction of a working day, well outside human input rates. Both files display dates in cells that appear to be normalised statement-render dates, but the embedded RTGS/NEFT references encode the real chronology.
The fan-in / fan-out is forensically diagnostic. 241,191 distinct retail senders across both accounts → one upstream "TRANSFER FROM" source account (4897735162098) → 43 destination accounts (1 in Acct A, 42 in Acct B). This hourglass shape is the canonical signature of a payment-aggregator-style laundering pipeline.
UPI permits a free-text note. Human users write things like "Rent", "Food", "Tea", "Mom". In Account A, 93.9% of notes are exactly four random alphanumeric characters (e.g., 29go, jlgo, k9go, m9go, c1f, p6f) — characteristic API-generated reference tokens emitted by an aggregator/orchestrator app. The remaining 6% are stub strings like "Payme", "UPI P", "Paid" — also auto-generated, just from a different code path.
While phone-number VPAs are valid, an 89% concentration is anomalous. Sophisticated UPI users tend to use bank/app-issued VPAs (name@okhdfcbank, name@paytm). Bare 10-digit phone-number VPAs are easy to spoof, easy to recruit via task-based scams ("install this app and send ₹500 — get ₹600 back"), and easy to recycle across syndicate handlers.
Sender VPA overlap between two seemingly unrelated SBI accounts is statistically near-impossible for organic activity. The 5,005 shared retail VPAs (out of ~68k in A and ~172k in B) prove these two SBI accounts are nodes in the same syndicate, sharing a victim/contributor pool routed by the same aggregator (4897735162098).
Account A's debits cluster between ₹4,00,113 and ₹4,18,378 — a 4.5% spread around ₹4 lakh. Account B's debits cluster between ₹1,99,950 and ₹2,49,838 — sweeping at ~₹2 lakh. These ticket sizes are calibrated below typical RTGS scrutiny thresholds, branch-manager-approval thresholds, and FIU-IND CTR triggers (₹10 lakh+), and below the ₹50 lakh wire-instrument STR floor. RTGS has no statutory upper limit on a per-transaction basis, but operational and compliance frictions kick in at well-known internal bank thresholds. The actor knows them.
Account B's payouts fan out to 42 distinct accounts at SBI Aurangabad (branch 10-824301), with account numbers running in tight numerical ranges: 4697153→4697164 (12 consecutive), 4698129→4698153 (25 consecutive). Account numbers are assigned sequentially by SBI's CBS on customer onboarding. Sequential numbers at a single branch = accounts opened in the same opening session, the same day or the same week, by the same KYC processor — a mule-onboarding episode.
Account A's debits show two payee names — "SHOP BASKET" and "RAMSO ECOMMERCE PRIVATE LIMITED" — both resolving to the same destination account number 98561053319. NEFT/RTGS allow free-text beneficiary names; CBS only validates account number + IFSC. This is the abuse: present an "e-commerce" cover story in the narrative field, while every rupee funnels to one numbered destination. Using both "SHOP BASKET" and "S H O P BASKET" (note the spaces) is a known evasion against simple string-match rules.
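The two outflow-side checks described above (sequential mule numbering and beneficiary-name spoofing against one account number) as an added example; this is illustrative code written for this brief, not SBI's or any vendor's rule engine. The debit rows, account numbers and IFSC strings are constructed placeholders; the name-distance metric is normalised Levenshtein rather than Jaro-Winkler.

```python
import re
from collections import defaultdict

# Constructed sample outbound NEFT/RTGS rows (not taken from the statements):
# (beneficiary name as typed, destination account number, destination IFSC).
# IFSC values are placeholders, and the 4698xxx accounts are an illustrative range.
DEBITS = [
    ("SHOP BASKET", "98561053319", "IFSC_PLACEHOLDER_1"),
    ("S H O P BASKET", "98561053319", "IFSC_PLACEHOLDER_1"),
    ("RAMSO ECOMMERCE PRIVATE LIMITED", "98561053319", "IFSC_PLACEHOLDER_1"),
    ("PAYEE A", "4698129", "IFSC_PLACEHOLDER_2"),
    ("GARDEN SUPPLIES", "55512345", "IFSC_PLACEHOLDER_2"),  # outside the mule range
] + [(f"PAYEE {i}", str(4698130 + i), "IFSC_PLACEHOLDER_2") for i in range(11)]

def normalise_name(name):
    """Upper-case and strip everything but letters/digits, so 'S H O P BASKET'
    collapses to 'SHOPBASKET' and spacing tricks no longer defeat a match."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())

def levenshtein(a, b):
    """Plain edit distance (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofed_beneficiaries(debits, min_distance=0.4):
    """R-08: one destination (account, IFSC) paid under beneficiary names whose
    normalised edit distance exceeds min_distance, i.e. genuinely different names."""
    names_by_dest = defaultdict(set)
    for name, acct, ifsc in debits:
        names_by_dest[(acct, ifsc)].add(normalise_name(name))
    hits = []
    for (acct, _), names in names_by_dest.items():
        names = sorted(names)
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                dist = levenshtein(first, second) / max(len(first), len(second), 1)
                if dist > min_distance:
                    hits.append((acct, first, second))
    return hits

def contiguous_mule_runs(debits, span=50, min_accounts=10):
    """R-18: at one IFSC, >= min_accounts distinct numeric destination accounts
    whose numbers all fall inside a window of `span` consecutive account numbers.
    Reports the first qualifying window per branch as (ifsc, low, high, count)."""
    by_branch = defaultdict(set)
    for _, acct, ifsc in debits:
        if acct.isdigit():
            by_branch[ifsc].add(int(acct))
    runs = []
    for ifsc, accts in by_branch.items():
        nums = sorted(accts)
        for start, low in enumerate(nums):
            window = [n for n in nums[start:] if n < low + span]
            if len(window) >= min_accounts:
                runs.append((ifsc, low, window[-1], len(window)))
                break
    return runs
```

Note that normalising before comparing is what makes the spaced variant collapse onto the base name, while a near-typo such as "ACME LTD" versus "ACME LIMITED" stays below the 0.4 distance and is not reported.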
Both statements display all activity on a single date (Acct A: 31-Mar-2026 — note this is a future date relative to current system time; Acct B: 20-Apr-2026). Decoding the RTGS reference numbers in Acct A yields actual processing times of 01-Jul-2025. This is most likely a CBS statement-render artefact when transactions are exported across boundaries, but it has a security implication: investigators relying on transaction-date stamps in CBS-exported statements without cross-validating embedded UTR/RTGS reference timestamps will get the wrong forensic timeline.
In aggregate: ₹22.36 crore moves through this two-account snapshot in concentrated bursts. Forty-three downstream accounts absorb the funds. The same upstream aggregator (4897735162098) services both. Five thousand of the retail "victim" VPAs appear in both inflow streams. The same SBI branch (Aurangabad 10-824301) hosts twenty-five sequentially numbered destination accounts. This is one operation, not two.
The Indian CERT-In, I4C (Indian Cyber Crime Coordination Centre), Enforcement Directorate, and FIU-IND have, over 2023–2025, repeatedly characterised a specific operating pattern of organised-crime cyber-fraud rings — predominantly Chinese-syndicate-operated, headquartered in scam compounds in Cambodia, Laos, Myanmar (the KK-Park / Sihanoukville / Bavet cluster), with on-the-ground recruitment partners in India. The activity in these two SBI accounts is highly consistent with that pattern.
The detection problem is not one of clever rules; it is one of shifting the temporal window from end-of-day batch to streaming, combining behavioural baselines with network-topology features, and giving the FCMS engine enough latency budget to actually act. Both accounts described here would have been intercepted in under thirty minutes by a properly tuned streaming detection stack. They were not.
| Layer | Time-budget | Purpose | Outcome |
|---|---|---|---|
| L0 — Onboarding / KYC re-risk | T+0 (account opening) | Flag mule-fleet onboarding episodes at the branch level | Hold first-credit drawdown |
| L1 — Streaming velocity rules | ≤ 1 minute | Detect burst inflow / outflow events at the account level | Trigger soft-block on outflows above ₹50k |
| L2 — Behavioural-baseline rules | 5–15 min rolling | Detect deviation from the account's own historical profile | Generate Level-1 AML alert; require step-up authentication on debits |
| L3 — Network/Graph analytics | 15 min – 4 hrs | Detect inter-account funnel structures: shared senders, sequential mule numbering, common upstream aggregators | Generate STR / EFRMS hold; freeze inter-account transfer ability pending review |
| L4 — Daily reconciliation | T+24 hrs | Confirm STR filings to FIU-IND, share with I4C if predicate offence suspected | Regulatory disclosure + law-enforcement co-ordination |
Each rule below is written to be implementable in a standard transaction-monitoring engine (BAE, AMLOCK, FCM, or in-house) with parameters tuned to the throughput observed in the two analysed accounts. Severity is the recommended initial alert level. False-positive control is via a 30-day calibration window before production cut-over.
R-01: ≥ 500 incoming UPI credits in any rolling 60-minute window where median ticket ≤ ₹2,000 and ≥ 80% of credits fall in ten round amounts (₹100/200/300/500/1k/2k/3k/5k/10k).
R-02: Outflow ≥ 95% of inflow in any 24-hour rolling window, with absolute inflow ≥ ₹10 lakh, AND account age < 12 months OR declared "purpose" is salary/savings.
R-03: Two or more customer accounts receive ≥ 80% of their UPI inflow from the same upstream "TRANSFER FROM" account in any 7-day window, with combined inflow ≥ ₹50 lakh.
R-04: Same branch shows ≥ 8 accounts opened within any 30-day window, with account numbers within a 30-number contiguous range, where any 3 of them receive > ₹5 lakh inflow within 90 days of opening.
R-05: ≥ 20 outbound RTGS transfers in 24 hrs, each within a tight ±5% band of an internal scrutiny threshold (₹2 L, ₹4 L, ₹5 L, ₹9 L, ₹49 L are common syndicate setpoints).
R-06: Distinct credit-senders in rolling 24h ≥ 100 × distinct debit-beneficiaries in same window, AND inflow ≥ ₹10 lakh.
R-07: ≥ 70% of UPI-credit narration fields in last 1,000 txns match the regex ^[a-z0-9]{2,4}$ (random short tokens).
R-08: Same destination account-number appears in outbound payments under ≥ 2 distinct beneficiary-name strings within 7 days, where Levenshtein/Jaro-Winkler distance between names > 0.4 (i.e., they are clearly different names, not just typos).
R-09: Two SBI customer accounts share ≥ 500 common third-party-VPA senders within a 30-day window.
R-10: Median inter-arrival time of UPI credits in any rolling 5-min window < 500 ms, over ≥ 100 credits.
R-11: ≥ 50 outbound NEFT in 24 hrs with identical narration field (e.g., "COREPAY", "PAYOUT", "REFUND") to ≥ 20 distinct beneficiary accounts.
R-12: ≥ 85% of UPI credit senders in last 1,000 txns use bare phone-number VPAs (^[6-9]\d{9}$ prefix) and credit ticket ≤ ₹5,000.
R-13: ≥ 80% of total monthly transaction count happens within a single 6-hour window in a single calendar day.
R-14: ≥ 75% of credits in last 500 txns are exact round amounts (multiples of ₹100 ≤ ₹10k).
R-15: Distinct sender-IFSC count in any rolling 1-hour window > 50, where the customer's declared profile is "salaried individual" or "small-trader".
R-16: Account opened within last 90 days, cumulative inflow in any 30-day window > 20× declared expected monthly turnover (from account-opening form) OR > ₹25 lakh, whichever lower.
R-17: Any account where first significant inflow (> ₹1 lakh) and first outflow occur on the same calendar day AND outflow ≥ 80% of inflow.
R-18: Outbound transfers to ≥ 10 destination accounts whose account numbers fall within a contiguous range of 50, at the same branch IFSC, within 24 hours.
R-19: Inflow to customer account from any VPA appearing on the I4C / 1930-helpline known-victim list within last 12 months — accumulate count.
R-20: ≥ 5 distinct outbound beneficiary-name strings paired with the same account number over 30 days.
R-21: Any third-party VPA sending to ≥ 3 distinct SBI customer accounts within 7 days, with cumulative amount ≥ ₹50,000.
R-22: Forensic rule run on statement-export: where statement-rendered txn date differs from RTGS/NEFT UTR embedded date by > 24 hrs for ≥ 5% of records.
CMAI (composite score): Weighted score across R-01 through R-22. If CMAI ≥ 65/100 within any rolling 24-hour window, auto-trigger Level-3 freeze.
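The credit-side rules above (R-01, R-07, R-10, R-12, R-14) applied to a constructed inflow stream, as an added example for this brief rather than code from SBI or any monitoring vendor. It evaluates one window snapshot of an ordered credit list instead of a true rolling window, and the deterministic "mule" stream and the organic control stream are both constructed inline.

```python
import random
import re
from collections import namedtuple
from statistics import median

Credit = namedtuple("Credit", "ts_ms sender amount note")
ROUND_AMOUNTS = {100, 200, 300, 500, 1000, 2000, 3000, 5000, 10000}
BOT_NOTE = re.compile(r"^[a-z0-9]{2,4}$")       # R-07 token shape from the brief
PHONE_VPA = re.compile(r"^[6-9]\d{9}@")          # bare phone-number VPA local part

def constructed_mule_stream(n=600, gap_ms=200, seed=7):
    """Constructed (not real) aggregator-style inflow: round tickets, random 4-char
    notes, phone-number VPAs, one credit every gap_ms. Deterministic via seed."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        sender = f"{rng.choice('6789')}{rng.randrange(10**9):09d}@upi"
        note = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=4))
        rows.append(Credit(i * gap_ms, sender, rng.choice([100, 200, 300, 500]), note))
    return rows

# Constructed organic-looking control stream: a few credits spread over a day.
ORGANIC = [Credit(i * 3_600_000, f"user{i}@okhdfcbank", amt, note)
           for i, (amt, note) in enumerate([(1250, "Rent"), (4999, "Laptop"),
                                            (730, "Food"), (500, "Mom")] * 6)]

def evaluate(credits):
    """Apply R-01, R-07, R-10, R-12 and R-14 to one window snapshot of a
    chronologically ordered credit list and return the rule ids that fire."""
    n = len(credits)
    if n == 0:
        return set()
    amounts = [c.amount for c in credits]
    span_ms = credits[-1].ts_ms - credits[0].ts_ms
    tail = credits[-1000:]                      # R-07 / R-12 look at the last 1,000
    fired = set()
    round_share = sum(a in ROUND_AMOUNTS for a in amounts) / n
    if n >= 500 and span_ms <= 3_600_000 and median(amounts) <= 2000 and round_share >= 0.8:
        fired.add("R-01")                       # smurfing velocity, 60-min window
    if sum(bool(BOT_NOTE.match(c.note)) for c in tail) / len(tail) >= 0.7:
        fired.add("R-07")                       # API-looking narration tokens
    gaps = [b.ts_ms - a.ts_ms for a, b in zip(credits, credits[1:])]
    if n >= 100 and span_ms <= 300_000 and median(gaps) < 500:
        fired.add("R-10")                       # sub-second inter-arrival, 5-min window
    phone = sum(bool(PHONE_VPA.match(c.sender)) and c.amount <= 5000 for c in tail)
    if phone / len(tail) >= 0.85:
        fired.add("R-12")                       # phone-number VPA dominance
    last500 = amounts[-500:]
    if sum(a % 100 == 0 and a <= 10_000 for a in last500) / len(last500) >= 0.75:
        fired.add("R-14")                       # round-amount concentration
    return fired
```

The R-07 regex is case-sensitive as written in the brief, so lower-case organic notes such as "tea" would count as tokens; the 70% share threshold, not the per-note match, is what keeps that from firing on ordinary accounts.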
| Tier | Trigger | System action | Customer-visible | SBI internal |
|---|---|---|---|---|
| T1 — Soft Watch | Any L1 rule fires once | None automated. Logged. | None | FCMS dashboard tag; RM notified |
| T2 — Outflow Throttle | L2 rule fires OR 2+ L1 rules in 24 hrs | Cap RTGS/NEFT/IMPS outflows at ₹49,000/day pending review | "For your protection, larger outflows require branch verification today" | L2 alert in AMLOCK / FCM; analyst review within 2 hrs |
| T3 — Outflow Freeze (Reversible) | L3 rule fires OR CMAI ≥ 65 | Block all RTGS/NEFT outflows; UPI capped at ₹5,000/day; cards blocked | SMS + email: "Please contact your home branch / call 1800-XXXX immediately to verify recent activity" | L3 alert; mandatory analyst + RM call-back within 30 min; STR drafted |
| T4 — Full Freeze + Disclosure | T3 not resolved in 24h OR confirmed predicate offence | All outflows frozen; account in "Section 102 CrPC posture" | Branch-counter notice only; no app/online access | STR filed with FIU-IND; intimation to I4C / NCRP; police lien if applicable |
For an account profile matching the two analysed here, a properly-instrumented monitoring stack achieves the following:
| Time elapsed | Cumulative activity | Detection state | Action |
|---|---|---|---|
| T+0 min | First 50 credits, total ₹25k | Below thresholds | Logged |
| T+2 min | 500 credits, ₹2.5 L | R-01 fires (smurfing velocity), R-10 fires (sub-second inter-arrival) | T2 throttle: outflow cap ₹49k/day, analyst paged |
| T+8 min | 2,000 credits, ₹10 L | R-07 fires (bot-notes ≥ 70%), R-12 fires (phone-VPAs ≥ 85%), R-14 fires (round-amount > 75%). CMAI ≥ 55. | Analyst reviewing — RM notified |
| T+15 min | 5,000 credits, ₹25 L. First debit attempt of ₹4 L. | R-06 fires (sender-asymmetry), R-15 fires (geo-sender diversity). CMAI ≥ 75. | T3 freeze: debit blocked at switch; account marked. |
| T+30 min | RM has called account holder; cannot verify; cannot reach declared address. | R-09 / R-21 fire on cross-account graph. | T4: STR drafted, FIU-IND alerted within EOD. |
Net effect: ~₹6.7 Cr of layering blocked at the SBI rails. Recovery to victims becomes possible because funds are still in the system.
Detection is necessary but not sufficient. The two accounts in this analysis were not blocked because something in SBI's monitoring stack, escalation chain, or branch-level KYC process failed to act on signals that should have been present. The following are the structural recommendations.
These two account statements describe one fragment of a much larger operation — a payment-aggregator-shaped laundering pipeline servicing multiple downstream fraud rings, harvesting from a hundred-thousand-strong retail-victim pool, drained into a small fleet of branch-clustered terminal mule accounts that almost certainly off-ramp into USDT or shell-company invoices abroad. The actors are skilled. The pipeline is robust. The unit economics are favourable.
The defence against this is not exotic. The rules listed in §07 are individually unremarkable; their combination, applied to streaming data with low-latency action, is what changes the equation. Every one of the eleven patterns identified in §03 leaves a trace that is mathematically obvious in the data. SBI has the data. The question is whether the institutional posture is to wait for the regulator to ask, or to interdict at the first 500 random-token-noted micro-credits.
The two accounts described here moved ₹22.36 crore in concentrated bursts. The wider operation they belong to moves orders of magnitude more, every day, across the Indian banking system. A bank that detects this in fifteen minutes saves victims; a bank that detects it at end-of-day batch produces an STR after the fact. The technology gap between these two postures is not large. The will gap, sometimes, is.
| Indicator | Account A | Account B |
|---|---|---|
| Smurfing (R-01) | ✓ | ✓ |
| Pass-through retention < 1% (R-02) | ✓ (0.03%) | ✓ (0.42%) |
| Common upstream funnel-source (R-03) | ✓ | ✓ (same 4897735162098) |
| Sequential mule cluster on outflow (R-04, R-18) | — | ✓ (25 contig. at Aurangabad) |
| Sub-threshold RTGS sweeping (R-05) | ✓ (~₹4L band) | ✓ (~₹2L band) |
| Diverse-sender / single-beneficiary (R-06) | ✓ 68,682:1 | ✓ 172,509:42 |
| Bot-notes ≥ 70% (R-07) | ✓ (93.9%) | ✓ (similar) |
| Trade-name spoofing (R-08) | ✓ | — |
| Cross-account sender overlap (R-09) | ✓ (5,005 shared) | ✓ |
| Sub-second credit gap (R-10) | ✓ (5 tps) | ✓ |
| Uniform-narration NEFT (R-11) | — | ✓ ("COREPAY") |
| Phone-VPA dominance (R-12) | ✓ (88.7%) | ✓ |
| Working-hours burst (R-13) | ✓ (5h13m) | ✓ (1 day) |
| Round-amount concentration (R-14) | ✓ (93.4%) | ✓ |