Chasing Ghosts: Africa’s Drop Account Problem

In this article, Theophilus Oladipo, MLRO at Confidential, discusses the problem of drop accounts and fraud in African fintech markets.


The very idea of KYC emerged as a model for transaction attribution around the same time as the movement to prohibit numbered or anonymous accounts. At the time, the goal was to identify who was performing a given transaction and, when it raised a red flag, to explain why. This paradigm shows cracks when held up against modern financial crime typologies and indicators. One such gaping hole is the growing menace of drop accounts, which is fast becoming a fixture of the African fraud and financial crime economy.

We have all seen the numbers for fraud in Africa. Last year, 6 African countries ranked among the 15 countries least protected against fraud. At scale, there is a high probability that it is perpetrated by organized crime rings that may or may not include foreign threat actors. There is a tendency to assume that these organized crime rings are set up with a central controller at the helm and an army of mules helping out with fund movement. That may not always be the case.

The script is all too common. A bank or fintech is exploited through drop accounts operated by someone other than their registered owner; funds are moved out using multiple mule accounts, routed through another fintech, converted to crypto or moved to a betting platform, and exited as bet winnings or crypto. That is multiple carefully structured mule accounts across two or more institutions. Yet drop accounts challenge the presumption of a central controller to an extent: we now know that moderately sized fraud schemes can be conceived and executed by a lone threat actor with enough cash in hand.

The greater threat is that these accounts, usually examined in a fraud context, pose an even greater risk of other financial crimes, including sanctions evasion, shadow banking and proliferation financing. Investigators in these cases will have the KYC but no transaction attribution, and the pattern grows more familiar with each new case: the accounts and addresses of interest have full KYC, but they trace back to an account holder different from the person who executed the transaction.

On one hand, one could perceive this as a weakness in the compliance frameworks of the key industry players. The KYC checkbox is assumed to be done at onboarding, with little focus on entity profiling and lifecycle monitoring. Too many firms continue to treat KYC as a one-time onboarding requirement rather than an ongoing effort to understand who is actually operating an account long after verification is complete. On the other hand, it reveals the insufficiency of KYC alone as a fraud control and how complementary controls are needed to fully address fraud and financial crime in Africa. 

A verified identity can still be a borrowed one

To put it simply, a drop account is one in which the registered owner is not the operational controller. They are opened in the name of a real individual, but the credentials are transferred or surrendered to a third party, often in exchange for a small fee. 

The concept of a drop account relies on two key players: the registered owner and the acquiring user. The registered owner may be willing or unwilling, depending on the circumstances. Willing participants are often incentivized with payment or are unaware of potential sinister purposes. This often plays out in scenarios where the registered owner and the acquiring user have some familiarity with each other as friends, family, or colleagues. The unwilling ones may be scam victims who are being manipulated, or someone whose identity has been stolen. 

On the surface, a drop account looks to many like a mule account, but there are conceptual differences between the two. The end goal of most drop accounts is to be activated as mule accounts. When building fraud controls, however, understanding the differences in behavioral indicators is important for sound judgment. A mule account holder can be a willing participant who is also the actual controller of the account, but that is far less common for drop accounts.

I first came across a growing drop account market in Nigeria sometime in 2023 after following in stealth a fraud community tweet. Between that time and now, there has been massive growth in trade across different forums, with Telegram channels being the chief flea market. These channels offer accounts for sale on some of the biggest fintechs and crypto platforms on the continent.

The warning signs rarely show up during onboarding

It is impossible to find a single conclusive indicator to identify a drop account. They are very often elusive by design, as the exchange or surrender happens behind the scenes. Detection is only possible through a careful observation of a combination of patterns that likely mean nothing in isolation but are suspicious when combined. 

The scenario presents itself in different ways. In one of my own cases years ago, I noticed an unusual spike in multi-factor authentication deactivation requests. This is not always a red flag indicator on its own. Customers may lose their phones. Their SIM cards may get replaced. But the volume demanded a closer look. It was previously a considerable indicator for account takeover fraud, but it means so much more now. 

Spending some time in the Telegram channels and venues where these trades happen helped shed some light on what was happening. Buyers who want clean accounts on new devices are often found on these venues. Pricing depends largely on how long the account has been open, completion of tester transactions, MFA removal, and successful access from the buyer’s new device. Those otherwise random MFA removal requests immediately stopped appearing random.

On a closer look at the flagged accounts, with the new insights, the pattern kept resurfacing. It starts with the MFA deactivation request. Then a new device is added. Sometimes, a new location shows up in the IP log. In rare cases, multiple accounts are created on a new device. Many of the accounts had one or two insignificant transfers on record before going dormant for months. Then they would suddenly come back to life with another small transaction, likely a buyer confirmation, followed closely by large value transfers outside of expected user activity.

To the keen eye, these indicators point to a number of controls outside the routine onboarding program. A combination of device binding, name-matching controls, fraud network controls and others could pick up the relevant detective signals. No single signal or control can sufficiently mitigate the risk of drop accounts, just as no single indicator can conclusively prove one. Taken together, however, they tell a better behavioral story and build a better control environment.
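The handover sequence described above (MFA removal, new device, new location, months of dormancy, a tester transfer, then a value spike) scored as combined indicators over one account's event history. This is an added example, not code from the article or from any named institution; the event names, thresholds and sample history are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime         # when the event happened
    kind: str            # "mfa_disabled", "device_added", "new_ip_country", "transfer"
    amount: float = 0.0  # only meaningful for "transfer"

# Thresholds are illustrative assumptions, not figures from the article.
HANDOVER_WINDOW, DORMANCY_MIN = timedelta(days=7), timedelta(days=60)  # handover gap, "dormant for months"
TESTER_MAX, SPIKE_MULTIPLIER = 500.0, 5.0  # "buyer confirmation" size, spike vs. prior activity

def drop_account_indicators(events):
    """Return the indicators that fired for one account's event history."""
    ev = sorted(events, key=lambda e: e.ts)
    mfa = [e.ts for e in ev if e.kind == "mfa_disabled"]
    dev = [e.ts for e in ev if e.kind == "device_added"]
    transfers = [e for e in ev if e.kind == "transfer"]
    fired = []
    # 1. MFA deactivation followed within days by a new device binding
    if any(timedelta(0) <= d - m <= HANDOVER_WINDOW for m in mfa for d in dev):
        fired.append("mfa_removed_then_new_device")
    # 2. A new IP country appearing after the first MFA removal
    if mfa and any(e.kind == "new_ip_country" and e.ts >= mfa[0] for e in ev):
        fired.append("new_location_after_handover")
    # 3. Months of dormancy broken by a tester-sized transfer
    if any(c.ts - p.ts >= DORMANCY_MIN and c.amount <= TESTER_MAX
           for p, c in zip(transfers, transfers[1:])):
        fired.append("dormant_then_tester_transfer")
    # 4. A transfer far outside the account's own prior maximum
    for i in range(1, len(transfers)):
        prior_max = max(t.amount for t in transfers[:i])
        if transfers[i].amount >= SPIKE_MULTIPLIER * max(prior_max, TESTER_MAX):
            fired.append("value_spike_vs_history")
            break
    return fired

def is_suspected_drop_account(events, min_indicators=3):
    # No single signal is conclusive, so several must combine before flagging.
    return len(drop_account_indicators(events)) >= min_indicators

# Constructed sample history that follows the handover pattern.
SAMPLE = [
    Event(datetime(2024, 1, 10), "transfer", 200.0),
    Event(datetime(2024, 1, 15), "mfa_disabled"),
    Event(datetime(2024, 1, 16), "device_added"),
    Event(datetime(2024, 1, 16), "new_ip_country"),
    Event(datetime(2024, 5, 2), "transfer", 100.0),    # likely buyer confirmation
    Event(datetime(2024, 5, 3), "transfer", 45000.0),  # large cash-out
]
```

A customer who merely lost a phone trips only the first indicator and stays below the combined threshold, which is the point of scoring the signals together rather than alerting on MFA removal alone.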

Why criminals increasingly prefer real accounts over fake identities

For years, the financial services industry has treated identity fraud as a battle against the usual suspects—synthetic identities, deepfakes, fake documents, and onboarding manipulation. In recent years, the underground market has adapted. 

The reality in many African markets today is that it is a lot cheaper, easier, and faster for criminals to acquire a verified account than to attempt to bypass KYC and onboarding controls. Bypass tools cost a lot more and are largely restricted to closed Telegram channels and darknet markets.

KYC tools have also grown more sophisticated at detecting such attempts at scale. Avoiding that friction altogether, plus some napkin maths on cost, makes drop accounts the instrument of choice for criminals.

In effect, parts of the underground economy have stopped attacking KYC directly and started routing around it. This is the difficult reality for many compliance teams: a technically sound customer onboarding program may still produce fraudulent accounts. 

The industry is chasing the wrong ghost

Threat actors and criminals are adapting to our controls. We should be as nimble and adaptable. Many African fintechs still treat KYC as a one-time onboarding requirement. But this is proving to be costly in the long term. 

The industry has directed a lot of energy to solving identity fraud at onboarding, neglecting the other phases of the customer lifecycle. While that is a real problem, there is a more menacing ghost to chase.

At its very best, onboarding only answers the question of whether the person presented at onboarding is truly who they say they are, and whether they satisfy the policy requirements to be taken on as a customer. But it says too little about who will ultimately control the account weeks or months later. This is the gap that the drop account menace exploits. A customer may meet all onboarding requirements and still become part of a fraud network shortly afterward. 

Two key lessons follow: firstly, KYC on its own was not designed to solve this problem; secondly, it can in fact solve it if implemented across the customer lifecycle and paired with the right complementary controls. Device IDs, location data and the other data points that help detect behavioral anomalies are, after all, KYC data.

Detecting drop accounts requires institutions to invest in tracking the full customer lifecycle across key data points such as device intelligence, transactional context, linked accounts and signs of coordinated control. In many of the cases that emerge, the risk only begins after identity verification.