CONFIDENTIAL · BANK INTERNAL · FINANCIAL CRIMES UNIT
FILE REF · MMT-RBL-2026-04085 · v1.0
RESTRICTED · Eyes Only · FIU/AML
Forensic Memorandum · 17 May 2026

The Mule that looked like a small e-commerce LLP.

A pattern-of-life analysis of ESYECCO ESHOPEE LLP (RBL A/C 408594000095), reconstructing how a Tirur-based current account was operated as a pass-through node for a Chinese payment-gateway mule network — and the early-warning rules that would have caught it on Day 1.
Subject Account · 408594000095
Entity · ESYECCO ESHOPEE LLP
Branch · TIRUR · 0479 · MLP-676102
Opened · 22 / 07 / 2024   (≈10 mo. old)
§ 01 · Executive Snapshot

What the data shows in one glance.

In roughly 72 hours of observed statement activity (10–13 May), this single current account moved sums consistent with a syndicated mule operation: hundreds of small inbound NEFTs, fan-out RTGS to a recurring shortlist of beneficiaries, and, over the 17-day login window, a session footprint spanning six countries, residential-proxy networks, Cloudflare WARP, a DigitalOcean VPS, and a server-side Java bot calling the same internet-banking endpoint every 30 minutes.

Pass-through velocity (11 May) · 205 credits in / 45 debits out
Inbound credits vs outbound debits in a single day. Opening bal ₹1,556 → closing ₹64,361. Funds touch the account and leave the same day.
Unique IPs / 17 days · 21
One internet-banking login ID (MOHAMMED) authenticated from 6 countries — IN, HK, ID, MY, SG, FR.
Bot logins from 10.x.x.x · 368
All using Java/1.8.0_471, a server-side HTTP client, not a human browser. Fires at :16 and :46 past the hour.
Impossible-travel events · 13
Country change between back-to-back sessions in < 60 min (some < 2 min). Physically impossible for one human user.

Verdict — confirmed mule / MLaaS node

The technical signature (Java bot + DC VPS + residential proxies + impossible travel) combined with the financial signature (low-balance pass-through, fan-in / fan-out, repeating ₹100–₹3,680 NEFT bouncebacks, recurring shadow-beneficiaries) is a textbook Money-Laundering-as-a-Service operation linked to overseas (PRC-linked) illegal-payment-gateway clusters seen across HK / MY / ID infrastructure.

The "merchant" is a façade. The account is the product; it is being rented out to multiple upstream PG operators, each pushing transactions through it on a schedule.

§ 02 · Twelve red flags that should have fired earlier

Anatomy of the operation.

Each flag below is independently visible from RBL's own log + statement data. Together they form an unambiguous signature.

RF-01 · TECH
Server-side Java bot driving the login flow
368 of 848 events (43%) carry the user-agent Java/1.8.0_471, the default User-Agent of the JVM's built-in HttpURLConnection client, never a real human browser. All originate from a single RFC-1918 address, 10.192.8.136, and execute only the "Process the login fields" event.
→ Indicates programmatic credential replay / session keepalive against the corporate-banking portal. Likely runs inside an aggregator/PG backend that keeps the mule's session warm for its operators.
RF-02 · TECH
Periodic cron-style fingerprint
Bot logins cluster at minute :16 (144×) and :46 (92×) of the hour (together 236 of the 368 bot events): a clean 30-minute schedule. Burst gaps of 1–3 seconds within each minute prove machine-generated traffic.
→ Classic "session warmer" pattern. The aggregator keeps the IB session alive so its operators (on residential-proxy IPs) can immediately push payments.
RF-03 · GEO
Logins from 6 countries on one user-id
Same login ESYEC0479.MOHAMMED seen from India · Hong Kong · Indonesia · Malaysia · Singapore · France within the same week. Foreign sessions ≈ 79 events (9% of total).
→ Indonesia (Jakarta, 61 events) and Hong Kong (Tung Chung / G-Core / HKT, 10 events) are dominant. Consistent with the China-linked PG operators rotating proxies across SE-Asia.
RF-04 · GEO
Impossible travel
13 instances where two consecutive sessions originate in different countries within < 60 min — including a Malaysia → Kerala hop in 5.7 minutes, and a Hong Kong → India hop in 1.2 minutes.
→ No human user can do this. Either credentials are shared with a syndicate, or sessions are being driven by multiple operators behind a proxy pool simultaneously.
RF-05 · TECH
Residential-proxy infrastructure (IPCola / Croxy)
Enrichment flags 203.175.14.44 / .45 (GOALNOW NETWORK, HK), 119.237.255.203 (HKT, HK) and 103.171.247.134 (GTPL, Kolkata) as known residential-proxy exit nodes branded IPCola & Croxy.
→ IPCola is a paid SOCKS5 residential-proxy service used by fraud operators to make traffic look like ordinary household broadband while the controller sits offshore.
RF-06 · TECH
Cloudflare WARP & cloud-VPS sessions
104.28.x.x (Cloudflare WARP, VPN; ≈ 117 events summed over the five WARP exits listed in §04) and 68.183.91.168 (DigitalOcean VPS, Bāshettihalli; 316 events) together account for ≈ 50% of activity. No legitimate small-LLP customer signs into its bank from a cloud VPS. Note that the droplet's sessions present as Chrome/148 on Mac OS X, so the droplet is most likely relaying a browser that runs elsewhere (a proxy or tunnel endpoint) rather than running one itself.
→ The DigitalOcean droplet is the operator's "control workstation." WARP masks the true origin.
RF-07 · TXN
Pass-through velocity / low end-of-day balance
11 May: opened with ₹1,556, closed at ₹64,361, after 205 credits + 45 debits. 13 May: opened at ₹2.49L, closed at ₹70,227 after 165 + 49 movements. Funds never accumulate.
→ A legitimate trading business builds a working balance. A mule account is swept down to its operators within the working day.
RF-08 · TXN
Massive bulk-NEFT bounceback at fixed denominations
Hundreds of CIB/RTN/…/NEFT/IncorrectAccountNumber reversals at repeating amounts: ₹100, ₹110, ₹143, ₹153, ₹200, ₹287, ₹504, ₹1,070, ₹3,680. Identical amounts recur dozens of times the same day.
→ Signature of automated bulk-payout to gaming / wallet / scam-victim refund lists where many beneficiary accounts are stale or fabricated. Real merchant payments don't bounce at these volumes.
RF-09 · TXN
Fan-out RTGS to recurring shadow beneficiaries
Same counterparties drain the account multiple times a day in ₹2L–₹10L slabs: ADARSH TRADERS, LUMINATE DIGITAL MARKETING, LUCKY ONLINE SERVICES, AADI ENGINEERING, REBHEEM TRADING, SANGITA W/O VIJENDRA, SWAPNIL RAMDHAN TAWADE, SHIKHAR SRIVASTAVA, BHAMRAI GLOBAL TEXTILE, EKLAVYA INFRACON.
→ Each is almost certainly the next mule in the chain. Cross-pollination between any two of these names across banks should auto-flag.
RF-10 · TXN
UPI inflows from personal handles
UPI credits from CHOUDHARYABHINANDAN1@Y, RASWATH2007-2@OKICICI, 9911054683@YBL, 9842271920@PTYES into the current account of an LLP presenting itself as an e-commerce seller. No invoice trail, no merchant VPA.
→ Typical "scam victim" or "low-tier mule" funnel — small UPIs pooled into the corporate account before the RTGS sweep.
RF-11 · KYC
Profile-vs-velocity mismatch
Tirur small-town LLP, current account opened ~10 months ago, no sanction / drawing limit, generic e-commerce naming ("ESHOPEE"), single director address (NT Saidalavi, NT Square, Poozhikunn). Yet daily turnover regularly crosses ₹1 crore.
→ Velocity-to-profile ratio is the cheapest, oldest mule signal — and it still works. The account should never have reached this throughput without an EDD trigger.
RF-12 · CORR
Bot login ⇄ human-UI action interleaving
Repeatedly: the Java bot logs in from 10.192.8.136, and shortly afterwards (30–120 seconds in the tightest pairs; about five minutes in the §05 sample window) the DigitalOcean Chrome session at 68.183.91.168 uploads a payment file / submits a transaction. Cross-correlation count of such pairs on 11–13 May alone: 30+.
→ Hand-off pattern: backend warms the session → frontend operator pushes the batch. The timing implies both act on the same authenticated session; confirming that requires joining the two event streams on the server-side session identifier, which the IP/user-agent view alone cannot do.
§ 03 · Geography of one login-id

One account. Six countries. Twenty-one IPs.

All sessions below are tied to a single internet-banking user (ESYEC0479.MOHAMMED) on a single account, between 28 Apr and 15 May 2026.

[Map · Sessions on user-id ESYEC0479.MOHAMMED · 28 Apr – 15 May 2026 · 21 unique IPs · 6 countries · 1 account · 1 login id. Labels: Kerala, Karnataka, Delhi, Kolkata, Chennai; Hong Kong (GOALNOW, HKT, G-Core); Jakarta (Cloudflare WARP, 61 events); Johor Bahru (TTNET); Rouen (Cloudflare WARP).]
India hubs — Kerala (BSNL/Airtel), Karnataka (DigitalOcean VPS), Chennai/Delhi/Kolkata (Cloudflare WARP, Tata, GTPL)
Hong Kong — GOALNOW NETWORK (203.175.14.44/45) & HKT (119.237.255.203) flagged as IPCola residential proxies
Indonesia (Jakarta) — Cloudflare WARP egress · 61 events (~7%)
Malaysia (Johor Bahru) — TTNET (211.24.79.14)
Singapore — CYBERJET PTE LTD (hosting)
France — Cloudflare WARP exit · 3 events (typically proxy fallback)
10.192.8.136 — RFC-1918 address serving the Java/1.8 bot, 368 events. Being private, it sits inside RBL's own perimeter: most likely the edge proxy / NAT or API-gateway hop that fronts the channel the bot uses and does not preserve the client address. Identify which internal component owns it and pull that component's upstream logs (X-Forwarded-For or equivalent) to recover the syndicate's real source; the 10.x address itself is not the syndicate's host.
§ 04 · Per-IP forensic table

Every address tells the same story.

IP / Identifier | Country · City | ASN / Provider | Risk tags | Events | Role in the operation
10.192.8.136 | — (RFC-1918 internal) | — (not seen on Internet) | BOT | 368 | Java/1.8 cron-bot reaching the portal through an internal NAT/edge hop, so the true client IP is not recorded. Login warmer firing at :16 and :46 past the hour.
68.183.91.168 | India · Bāshettihalli | AS14061 DigitalOcean LLC | DC/VPS | 316 | Primary operator workstation: file uploads, txn submissions, beneficiary edits.
104.28.245.127 | Indonesia · Jakarta | AS13335 Cloudflare WARP | VPN/RELAY | 61 | Operator using mobile WARP from Jakarta; drives sessions interleaved with the bot.
104.28.225.171 | India · Chennai (anycast) | AS13335 Cloudflare WARP | VPN/RELAY | 46 | WARP exit used continuously alongside the Java bot on 11 May.
111.92.122.63 / 111.92.126.221 | India · Kanayannur (Kerala) | AS17465 Asianet Broadband | ISP | 14 | Likely the genuine account-holder's home broadband; used only on a few login attempts.
203.175.14.44 / .45 | Hong Kong · Tung Chung | AS152320 GOALNOW NETWORK | RES-PROXY (IPCola) | 8 | Paid residential-proxy exit (IPCola) sold to fraud operators. PRC-linked infra.
2401:4900:8fdc:c5da::/64 | India · Kanayannur | AS24560 Airtel Telemedia | ISP-v6 | 8 | Probable real Airtel home line of the account holder.
104.28.225.172 / 104.28.193.171 / 104.28.216.30 | India · Chennai / France · Rouen | AS13335 Cloudflare WARP | VPN/RELAY | 10 | Additional WARP exits; the France appearance shows the operator hops geos at will.
103.171.247.134 | India · Kolkata | AS135872 GTPL KCBPL | RES-PROXY (Croxy) | 5 | Croxy residential-proxy exit, same operator family as IPCola.
211.24.79.14 | Malaysia · Johor Bahru | AS9930 TTNET (Time) | ISP-foreign | 4 | Foreign retail broadband; first session of the campaign on 07 May.
117.242.74.245 | India · Malappuram (Kerala) | AS9829 BSNL | ISP | 3 | BSNL line in Malappuram; likely the account-holder's secondary line.
14.194.240.174 | India · Delhi | AS45820 Tata Tele | ISP | 1 | One-off; geographic outlier vs declared Tirur address.
119.237.255.203 | Hong Kong | AS4760 HKT (Netvigator) | RES-PROXY (IPCola) | 1 | Residential-proxy exit; seen with IPCola on 25% of days in the last month.
91.199.84.208 | Hong Kong | AS199524 G-Core Labs | HOSTING | 1 | G-Core HK datacentre; opaque cloud egress.
163.128.98.59 | Singapore | AS154562 CYBERJET PTE LTD | HOSTING | 1 | SG hosting provider; used once for a foreign credential-validation event.
§ 05 · The hand-off rhythm

How a bot keeps the door open while a human walks through it.

Sampled window from 13 May 2026, 09:00–10:30 IST showing how the server-side Java login (10.x) interleaves with file-upload and txn-submit events from the DigitalOcean droplet (68.183.91.168).

--- 13 May 2026 ---
09:00:52  68.183.91.168  Chrome/148  Mac OS X     validates user credentials on first auth screen
09:16:00  10.192.8.136  Java/1.8                  Process the login fields  ← bot warmup
09:20:57  68.183.91.168  Chrome/148  Mac OS X     Attaches a file and validates the form fields
09:21:08  68.183.91.168  Chrome/148  Mac OS X     Uploads a file and validates the mandatory fields
09:33:36  68.183.91.168  Chrome/148  Mac OS X     validates user credentials on first auth screen
09:46:00  10.192.8.136  Java/1.8                  Process the login fields  ← bot warmup (T+30 min)
09:46:05  10.192.8.136  Java/1.8                  Process the login fields
09:53:38  68.183.91.168  Chrome/148  Mac OS X     Attaches a file and validates the form fields
09:55:39  68.183.91.168  Chrome/148  Mac OS X     Attaches a file and validates the form fields
09:55:50  68.183.91.168  Chrome/148  Mac OS X     Uploads a file and validates the mandatory fields
10:07:32  68.183.91.168  Chrome/148  Mac OS X     validates user credentials on first auth screen
10:10:35  68.183.91.168  Chrome/148  Mac OS X     Attaches a file and validates the form fields
10:10:51  68.183.91.168  Chrome/148  Mac OS X     Uploads a file and validates the mandatory fields
10:16:00  10.192.8.136  Java/1.8                  Process the login fields × 7 in 17 seconds
10:29:31  68.183.91.168  Chrome/148  Mac OS X     Attaches a file and validates the form fields
10:29:52  68.183.91.168  Chrome/148  Mac OS X     Uploads a file and validates the mandatory fields
"Two different IPs, two different user-agents, one authenticated session. That's not a small business owner reconciling her books — that's a syndicate running shifts."
§ 06 · Statement signatures

What a Chinese-PG mule statement looks like.

The technical signature is mirrored on the money side. Six sub-signatures repeat across both statement days.

Signature · What to look for · Why it indicates a Chinese-PG mule

S1 · Bulk-NEFT bounceback
What to look for: 50+ CIB/RTN/.../NEFT/IncorrectAccountNumber entries in one day, at repeating denominations: ₹100, ₹110, ₹143, ₹153, ₹200, ₹287, ₹504, ₹890, ₹1,070, ₹3,680.
Why: Mass payouts to fake/stale beneficiary lists, generated programmatically by the upstream PG. A real business does not bounce ₹110 to 40 different accounts in one afternoon.

S2 · "Auto Reversal" loops
What to look for: BU : 2234xxx Auto Reversal entries at the same denominations as the failed NEFTs; the system credits the funds back the same day.
Why: Closed-loop bookkeeping: failed payout → re-pooled → re-attempted to a fresh mule. Each cycle generates audit-trail noise that conceals the genuine layering legs.

S3 · RTGS fan-out to repeat names
What to look for: 2–10 RTGS debits per day to the same shortlist: ADARSH TRADERS, LUMINATE DIGITAL MARKETING, AADI ENGINEERING, LUCKY ONLINE SERVICES, REBHEEM TRADING, SANGITA W/O VIJENDRA, SHIKHAR SRIVASTAVA, BHAMRAI GLOBAL TEXTILE, EKLAVYA INFRACON, OVIYASREE AGENCIES, KING WORLD FURNITURES, AVIARA ENTERPRISE.
Why: These are the next-hop mule accounts. The same set is rotated daily, with one or two new additions per week to defeat static-rule monitoring.

S4 · Personal-UPI inflows into a current account
What to look for: UPI deposits from VPAs like CHOUDHARYABHINANDAN1@Y, RASWATH2007-2@OKICICI, 9911054683@YBL: personal handles, no merchant VPA, no QR-merchant flag.
Why: Funnel from low-tier victim-facing mules (online "task" scams, gaming top-ups, OTP-coerced UPIs) into the corporate pool.

S5 · Pass-through balance signature
What to look for: Daily turnover > ₹1 crore while the closing balance on every observed statement day stays < ₹1 lakh (10-May closing ₹1,556; 11-May closing ₹64,361; 13-May closing ₹70,227). Sanction limit ₹0 / drawing power ₹0.
Why: The account never accumulates working capital. It is purely a corridor.

S6 · IMPS round-tripping with cluster names
What to look for: IMPS from QWERYCRAFT ANALYTICAL, KING WORLD FURNITURES, OVIYASREE AGENCIES, STEEL CRAFT KMB, CORNERS CAFE IIB, MUKUL CYCLE STORE; the same names recur as both senders and receivers across days.
Why: Same-syndicate mule-to-mule transfers. A node deposits to and withdraws from the same counterparty within hours.
§ 07 · Twelve detection rules for Day-1 catch

Rules an AML engine should fire — and when.

These rules are computable from the data RBL already collects (login logs + IP enrichment + statement events). Each is written so it can sit on a Flink / KSQL / Drools stream and fire in real time before the first crore moves.

DR-01 · TECH · CRITICAL
Non-browser user-agent on corporate IB
Stream: auth_log · Window: real-time
IF user_agent MATCHES /^(Java|python-requests|Go-http|curl|okhttp|Apache-HttpClient)/i THEN raise UA-NON-BROWSER alert AND block session for step-up MFA
Action: immediate session kill + freeze outbound; queue for FCU review. Scope the rule to the browser login flow: legitimate host-to-host / API integrations use non-browser clients by design and are whitelisted per channel and source address, not by user-agent string.
DR-02 · TECH · CRITICAL
Cron-like periodicity on a single login-id
Window: 24h rolling, evaluated hourly
IF count(login_events grouped by user_id, user_agent_family, minute_of_hour) > 10 AND distinct(minute_of_hour) within that group <= 3 THEN raise BOT-SCHEDULE alert. Group by user-agent family as well as user-id so the human operator's scattered logins do not dilute the bot's two peaks.
Why: A human cannot log in at exactly :16 and :46 every hour. ESYECCO's bot tripped both.
DR-03 · GEO · CRITICAL
Impossible travel
Real-time on every successful auth
IF country(curr_ip) ≠ country(prev_ip on same user_id) AND (curr_ts - prev_ts) < 4 hours AND haversine(curr, prev) > 1500 km THEN raise GEO-IMPOSSIBLE + step-up to OTP+selfie
Bonus: if either side is on a residential-proxy/VPN ASN, escalate to HARD-BLOCK.
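The DR-03 check carried through in code, as an added example that is not part of the memo or of RBL's engine. City centroids are approximate values assumed for the example, the session list is constructed to reproduce the two hops quoted in RF-04 (Malaysia → Kerala in 5.7 min, Hong Kong → India in 1.2 min) plus sessions that must not fire (same-country hop; foreign hop outside the 4-hour window), and the `anon` flag stands in for the proxy/VPN/hosting enrichment of §04:

```python
import math
from datetime import datetime

# Approximate city centroids (country, lat, lon): assumed for this example,
# not taken from the memo or from any enrichment feed.
GEO = {
    "Johor Bahru": ("MY", 1.49, 103.74),
    "Hong Kong":   ("HK", 22.32, 114.17),
    "Kanayannur":  ("IN", 9.98, 76.28),
    "Malappuram":  ("IN", 11.07, 76.07),
    "Jakarta":     ("ID", -6.21, 106.85),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(sessions, max_hours=4.0, min_km=1500.0):
    """DR-03 over successful auths. For each user_id, compare every session with
    the previous one; fire when the country changes, the gap is under max_hours
    and the great-circle distance exceeds min_km. Either side on an anonymising
    ASN escalates to HARD-BLOCK (the 'bonus' clause)."""
    alerts, last = [], {}
    for s in sorted(sessions, key=lambda s: s["ts"]):
        prev, last[s["user_id"]] = last.get(s["user_id"]), s
        if prev is None:
            continue
        c_prev, lat1, lon1 = GEO[prev["city"]]
        c_cur, lat2, lon2 = GEO[s["city"]]
        hours = (s["ts"] - prev["ts"]).total_seconds() / 3600
        km = haversine_km(lat1, lon1, lat2, lon2)
        if c_prev != c_cur and hours < max_hours and km > min_km:
            severity = "HARD-BLOCK" if (prev["anon"] or s["anon"]) else "GEO-IMPOSSIBLE"
            alerts.append({"user_id": s["user_id"], "hop": f"{c_prev}->{c_cur}",
                           "from_ip": prev["ip"], "to_ip": s["ip"],
                           "minutes": round(hours * 60, 1), "km": round(km),
                           "severity": severity})
    return alerts


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed session sequence for the login-id from §03. The IPs and cities are
# the ones enumerated in §04; the timestamps are invented to reproduce the RF-04 hops.
U = "ESYEC0479.MOHAMMED"
SESSIONS = [
    {"ts": _ts("2026-05-07 09:00:00"), "user_id": U, "ip": "211.24.79.14",   "city": "Johor Bahru", "anon": False},
    {"ts": _ts("2026-05-07 09:05:42"), "user_id": U, "ip": "111.92.122.63",  "city": "Kanayannur",  "anon": False},  # MY->IN in 5.7 min
    {"ts": _ts("2026-05-08 10:00:00"), "user_id": U, "ip": "203.175.14.44",  "city": "Hong Kong",   "anon": True},   # IPCola exit
    {"ts": _ts("2026-05-08 10:01:12"), "user_id": U, "ip": "117.242.74.245", "city": "Malappuram",  "anon": False},  # HK->IN in 1.2 min
    {"ts": _ts("2026-05-09 11:00:00"), "user_id": U, "ip": "111.92.122.63",  "city": "Kanayannur",  "anon": False},
    {"ts": _ts("2026-05-09 11:30:00"), "user_id": U, "ip": "117.242.74.245", "city": "Malappuram",  "anon": False},  # same country: no alert
    {"ts": _ts("2026-05-10 08:00:00"), "user_id": U, "ip": "104.28.245.127", "city": "Jakarta",     "anon": True},
    {"ts": _ts("2026-05-10 14:00:00"), "user_id": U, "ip": "111.92.122.63",  "city": "Kanayannur",  "anon": False},  # 6 h gap: no alert
]


def run_sample():
    return impossible_travel(SESSIONS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The 4-hour / 1,500 km pair is deliberately loose: a genuine flight can cover 1,500 km in under four hours, so the rule is tuned to catch the sub-hour hops that dominate this case rather than every foreign login; the country-change condition keeps domestic WARP anycast exits (Chennai, Delhi) from firing against a Kerala home line.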
DR-04 · TECH · HIGH
Residential-proxy / WARP / hosting-ASN logins
Real-time on every auth
IF ip_enrichment IN (residential_proxy=true OR vpn=true OR service_name IN ('IPCola','Croxy','Cloudflare WARP','Bright Data','Smartproxy')) AND account_type = 'CURRENT/CORPORATE' THEN raise PROXY-ON-CORP + require OTP+device-binding
Small-LLP current accounts logging in via WARP are anomalous: apply the step-up above and notify FCU.
DR-05 · TECH · HIGH
Cloud-DC ASN on a retail/LLP current account
Real-time
IF asn_type = 'hosting' AND provider IN ('DigitalOcean','Linode','Vultr','OVH','Hetzner','AWS','GCP','Azure','Alibaba') AND segment IN ('Retail','SME','LLP') THEN raise DC-ON-RETAIL
No legitimate Tirur micro-LLP logs in from a Bāshettihalli droplet. Step-up + manual review.
DR-06 · CORR · CRITICAL
Concurrent multi-IP session on one user-id
Sliding 5-min window
IF distinct(IP) on same user_id within 300s ≥ 2 AND at least one IP is hosting/VPN/proxy THEN raise SESSION-SHARING
Forensic detail captured in §05 — bot ⇄ operator hand-off — would have fired here at least 30 times in 3 days.
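DR-01, DR-02 and DR-06 run over the §05 hand-off sample, as an added example that is not the memo's or RBL's code. The log is re-keyed from the §05 excerpt into a pipe-delimited form that is assumed for the example (the memo does not show the raw log format), the seven-event bot burst at 10:16 is expanded with assumed 3-second spacing, and the hand-off function is the directional form of DR-06 (a bot login burst followed by an operator action from a different hosting/VPN/proxy IP within the window):

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log (timestamp|ip|user_agent|event), re-keyed from the §05 excerpt.
# The "x 7 in 17 seconds" burst at 10:16 is expanded with assumed 3 s spacing.
SAMPLE_LOG = """\
2026-05-13 09:00:52|68.183.91.168|Chrome/148|validates user credentials on first auth screen
2026-05-13 09:16:00|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 09:20:57|68.183.91.168|Chrome/148|Attaches a file and validates the form fields
2026-05-13 09:21:08|68.183.91.168|Chrome/148|Uploads a file and validates the mandatory fields
2026-05-13 09:33:36|68.183.91.168|Chrome/148|validates user credentials on first auth screen
2026-05-13 09:46:00|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 09:46:05|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 09:53:38|68.183.91.168|Chrome/148|Attaches a file and validates the form fields
2026-05-13 09:55:39|68.183.91.168|Chrome/148|Attaches a file and validates the form fields
2026-05-13 09:55:50|68.183.91.168|Chrome/148|Uploads a file and validates the mandatory fields
2026-05-13 10:07:32|68.183.91.168|Chrome/148|validates user credentials on first auth screen
2026-05-13 10:10:35|68.183.91.168|Chrome/148|Attaches a file and validates the form fields
2026-05-13 10:10:51|68.183.91.168|Chrome/148|Uploads a file and validates the mandatory fields
2026-05-13 10:16:00|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:03|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:06|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:09|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:12|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:15|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:16:17|10.192.8.136|Java/1.8.0_471|Process the login fields
2026-05-13 10:29:31|68.183.91.168|Chrome/148|Attaches a file and validates the form fields
2026-05-13 10:29:52|68.183.91.168|Chrome/148|Uploads a file and validates the mandatory fields
"""

# DR-01 pattern exactly as written in §07.
NON_BROWSER_UA = re.compile(r"^(Java|python-requests|Go-http|curl|okhttp|Apache-HttpClient)", re.I)
# §04 enrichment for the two addresses in the sample (the 10.x hop is internal NAT).
IP_TAGS = {"68.183.91.168": "hosting", "10.192.8.136": "internal-nat"}


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, ua, event = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "ip": ip, "ua": ua, "event": event,
                       "bot": bool(NON_BROWSER_UA.match(ua))})
    return sorted(events, key=lambda e: e["ts"])


def non_browser_events(events):
    """DR-01: every event whose user-agent is a programmatic HTTP client."""
    return [e for e in events if e["bot"]]


def bot_minute_histogram(events):
    """DR-02 input: minute-of-hour distribution of the non-browser logins."""
    return Counter(e["ts"].minute for e in events if e["bot"])


def cron_schedule_alert(hist, min_per_minute=10, max_minutes=3):
    """DR-02: one minute bucket crowded beyond min_per_minute and at most
    max_minutes distinct buckets. Defaults are the 24 h rolling thresholds;
    a 90-minute sample needs a lower min_per_minute to fire."""
    return bool(hist) and max(hist.values()) > min_per_minute and len(hist) <= max_minutes


def handoff_pairs(events, window_s=300):
    """Directional DR-06: the end of a bot login burst followed within window_s by
    the first browser action from a tagged (hosting/VPN/proxy) IP.
    Returns one (bot_ts, operator_ts, gap_seconds) per burst that paired."""
    pairs, burst_end = [], None
    for e in events:
        if e["bot"]:
            burst_end = e["ts"]          # extend the current bot burst
        elif burst_end is not None and e["ip"] in IP_TAGS:
            gap = (e["ts"] - burst_end).total_seconds()
            if gap <= window_s:
                pairs.append((burst_end, e["ts"], int(gap)))
            burst_end = None             # one decision per burst, fired or not
    return pairs


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(len(non_browser_events(ev)), "non-browser events;", dict(bot_minute_histogram(ev)))
    for b, o, gap in handoff_pairs(ev, window_s=600):
        print(f"hand-off: bot {b:%H:%M:%S} -> operator {o:%H:%M:%S} ({gap}s)")
```

On this sample the 300-second DR-06 window pairs only the 09:16 burst with the 09:20:57 upload (297 s); the 09:46 and 10:16 bursts are followed by operator actions 453 s and 794 s later, which a 600-second window catches in part. The memo's 30+ count over 11–13 May comes from tighter pairs outside this excerpt, so the window is a tuning parameter to set from the full log, not from the sample.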
DR-07 · TXN · CRITICAL
Pass-through velocity
EOD batch + intraday top-of-hour
IF count(credits in last 24h) > 50 AND count(debits in last 24h) > 20 AND (closing_bal / max(daily_credit_total)) < 0.05 AND account_age_days < 365 THEN raise PASS-THROUGH-VELOCITY
ESYECCO's 11-May ratio: closing ₹64,361 vs credit-total ~₹83L → ratio ≈ 0.008, well under the 0.05 threshold. Outbound should have been frozen by EOD.
DR-08 · TXN · CRITICAL
Bulk-NEFT bounceback fingerprint
EOD batch · 24h rolling
IF count(CIB/RTN/NEFT entries) > 30 in 24h AND distinct(rounded_amount) <= 12 AND mode(amount) IN ('100','110','143','153','200','287','504','1070','3680','...') THEN raise BULK-NEFT-BOUNCEBACK
Auto-tag account "DORMANT-PG-PAYOUT". Suspend outbound until KYC re-verification.
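DR-07 and DR-08 evaluated over one constructed statement day, as an added example that is not the memo's or RBL's code. The rows are built to the shape of the 11-May figures in RF-07/RF-08 (bouncebacks at the memo's denominations, inbound NEFTs, the matching failed payouts, RTGS sweeps) but are not copied from the real statement; the narration reference fields (N0001 …) are placeholders invented for the example, and the regex only fixes the CIB/RTN … NEFT/IncorrectAccountNumber tokens the memo quotes:

```python
import re
from collections import Counter

# Bounceback profile: (amount, repeats). Denominations are the ones quoted in
# RF-08; the repeat counts are constructed for the example.
BOUNCE_PROFILE = [(100, 12), (110, 9), (143, 6), (153, 5), (200, 8),
                  (287, 4), (504, 3), (1070, 2), (3680, 2)]
PAYOUT_WATCHLIST = {100, 110, 143, 153, 200, 287, 504, 1070, 3680}
# Matches the reversal narration pattern quoted in RF-08 / S1; the middle token
# varies per bank and is left unconstrained.
RTN_RE = re.compile(r"^CIB/RTN/.*NEFT/IncorrectAccountNumber")


def build_sample_day():
    """Constructed statement rows: (narration, dr_cr, amount)."""
    rows, ref = [], 0
    for amt, n in BOUNCE_PROFILE:
        for _ in range(n):
            ref += 1
            rows.append((f"NEFT/N{ref:04d}/PAYOUT", "DR", amt))                         # failed payout leg
            rows.append((f"CIB/RTN/N{ref:04d}/NEFT/IncorrectAccountNumber", "CR", amt))  # its reversal
    for i in range(10):
        rows.append((f"NEFT/IN{i:02d}/INWARD", "CR", 500_000))                            # inbound layering
    for amt in (1_000_000, 1_000_000, 1_000_000, 1_000_000, 937_556):
        rows.append(("RTGS/OUT/ADARSH TRADERS", "DR", amt))                               # same-day sweep
    return rows


def pass_through_velocity(rows, opening_bal, account_age_days,
                          min_credits=50, min_debits=20, max_ratio=0.05):
    """DR-07: many credits, many debits, closing balance a tiny fraction of the
    day's credit total, on an account younger than a year."""
    credits = [a for _, dc, a in rows if dc == "CR"]
    debits = [a for _, dc, a in rows if dc == "DR"]
    credit_total = sum(credits)
    closing = opening_bal + credit_total - sum(debits)
    ratio = closing / credit_total if credit_total else float("inf")
    fired = (len(credits) > min_credits and len(debits) > min_debits
             and ratio < max_ratio and account_age_days < 365)
    return {"credits": len(credits), "debits": len(debits), "credit_total": credit_total,
            "closing": closing, "ratio": round(ratio, 4), "fired": fired}


def bulk_bounceback(rows, min_count=30, max_distinct=12, watchlist=PAYOUT_WATCHLIST):
    """DR-08: a crowd of NEFT reversals concentrated on a few repeating amounts
    whose mode is one of the known payout denominations."""
    amounts = [a for n, dc, a in rows if dc == "CR" and RTN_RE.match(n)]
    if not amounts:
        return {"count": 0, "distinct": 0, "mode": None, "fired": False}
    hist = Counter(amounts)
    mode_amt = hist.most_common(1)[0][0]
    fired = len(amounts) > min_count and len(hist) <= max_distinct and mode_amt in watchlist
    return {"count": len(amounts), "distinct": len(hist), "mode": mode_amt, "fired": fired}


if __name__ == "__main__":
    day = build_sample_day()
    print(pass_through_velocity(day, opening_bal=1_556, account_age_days=300))
    print(bulk_bounceback(day))
```

Two points the thresholds encode: the ratio uses the credit total, not the turnover, so a day that merely churns a large opening balance does not fire, and DR-08 keys on exact amounts rather than rounded ones because the ₹143 / ₹153 / ₹287 denominations are the fingerprint; rounding to the nearest ₹100 would merge them.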
DR-09 · TXN · HIGH
Repeat-beneficiary fan-out
Daily
IF count(distinct RTGS debits to same beneficiary_name) ≥ 3 in 24h AND avg(amount) > ₹1,00,000 AND beneficiary_name appears in fan-out across ≥ 2 unrelated source accounts in 30 days THEN raise FANOUT-SHADOW-BENE
Build a graph: nodes = beneficiary names, edges = source accounts. Beneficiaries with degree ≥ 5 = mule cluster.
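DR-09 as code, added here and not from the memo or RBL's engine: the per-day fan-out test plus the beneficiary graph over a 30-day lookback. The ledger is constructed; 408594000095 is the subject account and ACC-B … ACC-E are hypothetical accounts at other branches that exist only in this example. It also shows the two negatives the rule must not fire on: a beneficiary hit three times at sub-₹1L amounts, and an edge older than the lookback window.

```python
from collections import defaultdict
from datetime import date

# Constructed RTGS debit ledger: (date, source_account, beneficiary, amount).
# 408594000095 is the subject account; ACC-B..ACC-E are hypothetical.
DEBITS = [
    (date(2026, 5, 11), "408594000095", "ADARSH TRADERS",             300_000),
    (date(2026, 5, 11), "408594000095", "ADARSH TRADERS",             450_000),
    (date(2026, 5, 11), "408594000095", "ADARSH TRADERS",             200_000),
    (date(2026, 5, 11), "408594000095", "LUMINATE DIGITAL MARKETING", 1_000_000),
    (date(2026, 5, 11), "408594000095", "LUCKY ONLINE SERVICES",      50_000),   # 3 hits but
    (date(2026, 5, 11), "408594000095", "LUCKY ONLINE SERVICES",      60_000),   # avg < 1L:
    (date(2026, 5, 11), "408594000095", "LUCKY ONLINE SERVICES",      70_000),   # must not fire
    (date(2026, 5, 3),  "ACC-B",        "ADARSH TRADERS",             500_000),
    (date(2026, 5, 5),  "ACC-C",        "ADARSH TRADERS",             250_000),
    (date(2026, 5, 8),  "ACC-D",        "ADARSH TRADERS",             800_000),
    (date(2026, 5, 9),  "ACC-E",        "ADARSH TRADERS",             400_000),
    (date(2026, 4, 1),  "ACC-B",        "LUMINATE DIGITAL MARKETING", 900_000),  # 40 days old: outside lookback
    (date(2026, 5, 10), "ACC-B",        "AADI ENGINEERING",           120_000),
]
DAY = date(2026, 5, 11)


def daily_fanout(debits, day, min_count=3, min_avg=100_000):
    """Per-day half of DR-09: beneficiaries hit >= min_count times with an
    average ticket above min_avg. Returns {beneficiary: average_amount}."""
    per_bene = defaultdict(list)
    for d, _src, bene, amt in debits:
        if d == day:
            per_bene[bene].append(amt)
    return {b: sum(a) / len(a) for b, a in per_bene.items()
            if len(a) >= min_count and sum(a) / len(a) > min_avg}


def beneficiary_graph(debits, as_of, lookback_days=30):
    """Bipartite graph beneficiary -> {source accounts} within the lookback window."""
    g = defaultdict(set)
    for d, src, bene, _amt in debits:
        if 0 <= (as_of - d).days <= lookback_days:
            g[bene].add(src)
    return g


def shadow_beneficiaries(debits, day, min_sources=2):
    """DR-09: today's fan-out targets that also receive from other source
    accounts in the window. Returns {beneficiary: sorted source accounts}."""
    g = beneficiary_graph(debits, day)
    return {b: sorted(g[b]) for b in daily_fanout(debits, day) if len(g[b]) >= min_sources}


def mule_cluster(debits, day, min_degree=5):
    """Graph-degree view: beneficiaries fed by >= min_degree distinct sources."""
    g = beneficiary_graph(debits, day)
    return sorted(b for b, srcs in g.items() if len(srcs) >= min_degree)


if __name__ == "__main__":
    print("fan-out today:", daily_fanout(DEBITS, DAY))
    print("shadow beneficiaries:", shadow_beneficiaries(DEBITS, DAY))
    print("degree>=5 cluster:", mule_cluster(DEBITS, DAY))
```

Keying the graph on beneficiary name, as the rule text does, is deliberately coarse: a syndicate that varies the name string per bank defeats it, so the production version should key on the beneficiary account number and IFSC and treat the name as a secondary join.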
DR-10 · TXN · HIGH
Personal-VPA UPI into corporate current account
Real-time on every UPI credit
IF account_type = 'CURRENT' AND payer_vpa NOT IN (merchant_vpa_registry) AND payer_vpa MATCHES /^([a-z][a-z0-9._-]*|\d{10})@(ybl|okhdfcbank|okicici|paytm|ptyes|...)$/i AND count(such credits in 24h) > 5 THEN raise UPI-RETAIL-INTO-CORP
The handle pattern accepts both name-style handles (RASWATH2007-2@OKICICI) and bare 10-digit mobile numbers (9911054683@YBL); a letters-only pattern would miss the mobile-number handles that dominate RF-10. NPCI holds the merchant-VPA registry; anything outside it landing in a current account is suspect.
DR-11 · KYC · HIGH
Velocity-vs-profile mismatch
Nightly batch
IF declared_business_turnover (KYC) < ₹1 Cr/yr AND observed_24h_turnover > declared_annual_turnover / 100 THEN raise PROFILE-MISMATCH
ESYECCO would have tripped this on its first ₹10L day, ~9 months before this report.
DR-12 · BEHAV · HIGH
Device-fingerprint instability
Rolling 7-day
IF distinct(IP) on user_id ≥ 8 in 7 days AND distinct(country) ≥ 2 AND distinct(user_agent_family) ≥ 3 THEN raise FINGERPRINT-CHURN
ESYECCO: 21 IPs / 6 countries / 11 distinct UA strings in 17 days — would have scored off the chart.
§ 08 · Catching the next one at Day 1

What should change at onboarding and in the first 30 days.

Most of the above rules are reactive. The mule is already operational. The cheaper win is to refuse to open the account, or to ring-fence it for a probationary period.

Stage · Control · Trigger · Outcome if fired

Onboarding · LLP-name n-gram screen
Trigger: Names containing generic e-commerce tokens (shopee, shoppe, ecart, ezshop, onlinemart, digital, traders, enterprise, agencies, holdings) combined with a rural pincode and a sub-1-year-old LLP registration.
Outcome: Enhanced Due Diligence + director video-KYC + 90-day probation with ₹5L daily debit cap.

Onboarding · IP-at-application screen
Trigger: Application or first login from a VPN / Cloudflare WARP / residential-proxy / hosting ASN.
Outcome: Block account activation until in-branch verification.

Day 1 – 30 · Velocity ramp
Trigger: Any inbound day > ₹50K in the first 30 days for a non-priority current account without a sanctioned limit.
Outcome: Soft-freeze outbound until purpose-of-funds declaration and first invoice upload.

Day 1 – 90 · Counterparty whitelist
Trigger: RTGS/NEFT to a non-whitelisted beneficiary in the first 90 days.
Outcome: Hold + cooling period + OTP + branch call-back.

Continuous · Cross-bank beneficiary graph
Trigger: Beneficiary name appears as recipient from ≥ 3 unrelated source accounts within RBL, or is shared via NPCI's emerging Beneficiary-Risk-Hub.
Outcome: Auto-add to internal blacklist; future debits require manual approval.

Continuous · SIM-binding for IB
Trigger: Login attempt from a foreign IP without prior travel-flag notification.
Outcome: Force OTP + selfie on a registered device only.
§ 09 · A composite "Mule Probability Score"

One number a relationship manager can act on.

A simple weighted score combining the above rules. Re-computed nightly. A score of ≥ 60 auto-freezes outbound; ≥ 75 triggers an STR draft to FIU-IND.

Component · Weight · ESYECCO score
Non-browser UA seen on IB · +25 · +25
Cron-style login periodicity · +15 · +15
Impossible-travel events ≥ 3 in 30 days · +15 · +15
Residential-proxy or WARP on corp IB · +10 · +10
Cloud-DC ASN on retail/LLP segment · +10 · +10
Concurrent multi-IP session · +10 · +10
Pass-through velocity (closing/credit < 0.05) · +15 · +15
Bulk-NEFT bounceback fingerprint · +15 · +15
Fan-out to shadow beneficiaries · +10 · +10
UPI from personal VPAs into current a/c · +5 · +5
KYC velocity-vs-profile mismatch · +10 · +10
Device-fingerprint churn (≥ 8 IPs / 7d) · +10 · +10
TOTAL · 150 · 150 / 150

ESYECCO ESHOPEE LLP tripped every single component — a perfect score. A correctly-tuned engine would have caught it on or before 10 May 2026, before the largest fan-out days.

§ 10 · Recommended actions

Immediate, near-term, and structural.

NOW · within 24h
Subject account
1. Freeze A/C 408594000095 (outbound).
2. Notify FIU-IND with STR ref MMT-RBL-2026-04085.
3. Preserve the last 90 days of logs, IB session tokens and MFA artefacts.
4. Reverse-lookup the 12 shadow beneficiaries across RBL + RBI's Bharat Bill DB.
5. Issue a cyber-cell alert for the external IPs 203.175.14.44/45, 119.237.255.203 and 68.183.91.168. 10.192.8.136 is an RFC-1918 address inside RBL's own network and cannot be reported externally: identify the internal component (edge proxy / NAT / API gateway) that owns it and recover the real client addresses from that component's upstream logs (X-Forwarded-For or equivalent).
NEAR · within 30 days
Engine
1. Deploy rules DR-01 … DR-12 on the IB stream.
2. Subscribe to a residential-proxy & VPN ASN feed (IPInfo Privacy, MaxMind GeoIP2 Anonymous, IPQS).
3. Add JA3/JA4 TLS fingerprinting at the IB edge — Java's TLS fingerprint is trivially separable from a real browser's.
4. Wire the Mule Probability Score into the FCU dashboard with auto-freeze at ≥ 60.
STRUCTURAL · 90 days
Network
1. Build a cross-bank beneficiary graph; share signals via the upcoming RBI fraud-intel sandbox.
2. Add SIM-binding + device-binding for corporate IB by default.
3. Limit new LLP current accounts to ₹10L/day for the first 90 days, manually reviewable.
4. Train the FCU model on this case as a labelled positive — it spans every signal class.