Good Carder
From carder to carders. While traditional carding in the US and Europe is suffocated by 3DS, BIN filtering, and AI anti-fraud, smart money has migrated to a place where protection still relies on a SIM card and the agent's word of honor. To Africa. M-Pesa in Kenya, Airtel Money in Nigeria, Orange Money in West Africa — these aren't just payment systems; they're entire financial ecosystems that handle trillions of dollars. Africa processes 74% of all mobile money transactions globally, with 1.1 billion registered accounts and an annual turnover of $1.4 trillion. That's more than the banking systems of many European countries combined. And here, you can still take someone else's phone number, access their wallet, and withdraw money through a network of agents who rarely check documents.
In this article, I will examine the architecture of mobile money, the SIM swap scheme involving corrupt agents, the role of the agent network in cashing out, the use of crypto exchanges for withdrawals, and the risks and restrictions imposed by African regulators.
Part 1. Mobile Money Architecture: How M-Pesa, Airtel, and Orange Money Work
Africa has made a financial leap, leapfrogging the era of bank cards. Here, people don't have credit cards, but they do have mobile phones. And the mobile money system is built on three pillars: USSD, SIM-linking, and an agent network.
- USSD (Unstructured Supplementary Service Data) is an offline text interface that works on any phone. You dial a code (e.g., *100#), and the system guides you through a menu: send money, pay for goods, withdraw cash. USSD security is based on the fact that the session is tied to the active SIM card in the phone. However, if the SIM card is compromised, all protection is lost. Vulnerabilities also remain at the protocol level: fraudsters using a modified SIM card (ThinSIM) can intercept and initiate USSD commands without the victim's knowledge.
- The SIM card is the single point of entry. One-time passwords for logging into the bank, confirming transfers, resetting passwords — all are sent via SMS to the SIM card. If a fraudster gains control of the SIM card, they have access to everything. In 2024, a relative SIM swap in Kenya was carried out by an insider, compromising KSh 45,000 in a single attack by bypassing two-factor authentication: the victim's SIM card was replaced with another, and control of the SMS messages passed to the fraudsters.
- An agent network consists of cash pickup points, such as small shops, kiosks, and gas stations. You approach an agent, provide your phone number, and they give you cash, debiting it from your account. Identification often involves presenting an ID card, which can be counterfeited. According to research, agent fraud is one of the three main vulnerabilities of mobile money systems, along with smishing (SMS phishing) and phone theft/loss. Fraudsters posed as Safaricom agents to deceive customers into providing personal information and accessing accounts, thereby emptying the agents' reserve cash ("float").
Part 2. The SIM-swapping + drop agent scheme: cashing out in Kenya, Tanzania, and Nigeria
2.1. Step 1: Collecting Victim Data
It all starts with OSINT and social engineering. 63% of all digital financial fraud in Africa is related to identity theft, costing the continent $4 billion annually.
- ID leaks. Fraudsters are buying compromised passport data on the dark web.
- Phishing SMS. You receive a message from a "bank" or "operator" asking you to confirm your account. The link leads to a fake page where you enter your information (ID, PIN).
- Database hacks. Fraudsters use hacked API keys and insecure endpoints to exploit Airtel Money payment systems. Access to customer databases allows fraudsters to obtain everything from full names to passport details and phone numbers.
2.2. Step 2: SIM Swapping
Armed with a fake ID and the victim's personal information, the carder goes to a mobile phone store (Safaricom, Airtel, MTN) and claims to have lost the SIM card. The store employee (sometimes corrupt, sometimes simply inattentive) issues a duplicate SIM card in the victim's name. From this point on, all SMS and calls go to the fraudster. The process itself has become more controlled, but in Kenya, carders can still use a fake ID and a fake police letter to trick the employee. The victim's SIM card is deactivated, losing service, and the fraudster gains access to M-Pesa and the victim's mobile banking.
2.3. Stage 3: Cash-out via a drop agent
The most important stage is the conversion of virtual money into real cash.
- The carder logs into M-Pesa using the victim's SIM card.
- Transfers money to the account of a front agent or mule — a person who is willing to cash out the funds for a percentage. M-Pesa's agent network is so extensive that many transactions go undetected.
- The drop goes to an agent (or is an agent themselves) and withdraws cash. Agent networks are often targeted by carders who use social engineering and exploit weak operational procedures.
- Real-life case: In 2025, in Kiambu District, Kenya, seven suspects (four men and three women) were arrested for drugging a victim, performing a SIM swap, and robbing her mobile phone and bank accounts of 250,000 Kenyan shillings ($1,900). They used sleeping pills to gain access to the phone and then had the SIM card replaced at a mobile phone store.
Part 3. The role of the agent network in cashing out
Agents are the weak link in the mobile money ecosystem. According to the Ghana Mobile Money Association, fraudulent and cyberattacks against agents are on the rise. In Dar es Salaam, Tanzania, a financial services agent lost 7 million shillings after receiving fake messages purportedly from a mobile operator.
Attack methods against agents include:
- Social engineering: A fraudster calls an agent, posing as an operator employee, and says they need to "update the system" or "top up their float." They convince the agent to transfer money to the specified account.
- Fake agents: Fraudsters register as agents with fake documents, gain access to the system, and cash out funds.
- API hack: In Uganda, hackers compromised the Airtel Money system through a vulnerability in the API of a legitimate betting site (an Airtel partner) and withdrew approximately $2 million.
How to use drop agents for the scheme:
- A drop agent is someone who is either already a legal agent or registers as a small business. For a 20-30% commission, they cash out any amount, no questions asked.
- The "mistransfer" scheme: A fraudster transfers money to an agent's account, then calls and says, "Sorry, I made a mistake, please return it to a different number." The agent returns the money to a fake account, but the original transfer was already made from a stolen account. As a result, the victim loses the money, and the agent is flagged for fraud.
Part 4. Transferring money through crypto exchanges without KYC
M-Pesa and other mobile money systems are becoming the ideal gateway to the world of cryptocurrency. A huge number of transactions pass through them, they are poorly regulated, and in many African countries, regulators have not yet implemented strict anti-money laundering (AML) procedures.
4.1 Why mobile money is ideal for money laundering
- High volume, low oversight. Africa handles the majority of the world's mobile money transfers, but AML requirements for mobile money operators are often lower than for banks, creating vulnerabilities that can be exploited by fraudsters. Many operators are not required to meet the same standards as banks, and their oversight often focuses on financial inclusion rather than the risks of financial fraud.
- Anonymity in P2P transfers. Regulators are beginning to tighten controls, but for now, tracing the origin of funds on P2P platforms is much more difficult than with traditional banks.
4.2. Scheme: M-Pesa → P2P exchange → cryptocurrency → blank wallet
In 2026, Binance actively participated in Operation Red Card 2.0, helping law enforcement combat fraud. Despite this, carders continued to use P2P transactions on the exchange for money laundering. The main scenarios include purchasing cryptocurrency from cash or fake wallets, then converting it to stablecoins and transferring it offshore. To evade AML monitoring, carders often use splitting operations and P2P interactions with fake sellers.
The scheme:
- The fraudster receives cash from the drop agent.
- He goes to a P2P exchange (NoOnes, Paxful, LocalMonero) and buys USDT or XMR from a merchant who accepts cash (or M-Pesa transfer).
- The seller transfers the cryptocurrency to the fraudster's wallet.
- The fraudster transfers the cryptocurrency to a cold wallet, where the connection with the original M-Pesa transaction is severed.
4.3. Real-World Cases of Money Laundering Through Cryptocurrency
- $4 million via USDT. Fraudsters stole over $4 million from a Kenyan bank, laundering the stolen funds through USDT. Mobile money and cryptocurrency P2P transactions are the main channels for moving the stolen funds.
- $2.1 billion in suspicious transactions. The intergovernmental task force GIABA has uncovered $2.1 billion in suspicious cryptocurrency transactions in West Africa. This is just the tip of the iceberg.
Section 5. Regulatory Risks and Restrictions
African regulators are on the alert. In 2026, they will actively tighten controls on mobile money and cryptocurrencies. Key trends and restrictions for 2026:
5.1. Transaction Restrictions and Limits
- Kenya (M-Pesa): The daily transfer limit is KSh 500,000 ($3,800). The maximum account balance is KSh 500,000. Since 2026, the Kenya Revenue Authority (KRA) has automatically monitored all transactions above KSh 500,000 per month. If this threshold is exceeded, the account is subject to audit, and funds can be frozen for 14 days without a court order. In 2025, more than 42,000 M-Pesa accounts were flagged for amounts above KSh 500,000, and 3,200 of them were frozen.
- Nigeria (CBN): The temporary limit for new mobile banking accounts in the first 24 hours is ₦20,000 ($13). Banks are required to implement real-time monitoring of incoming and outgoing transactions and device binding. Banking apps can only be active on one device.
- AML Detection Threshold: In many African countries, transactions over the equivalent of $1,000 are automatically checked.
5.2. Liveness Checks and Enhanced Verification
In Nigeria, the Central Bank has introduced mandatory liveness verification when opening or reactivating an online account. Liveness verification requires the user to perform actions in real time (blink, smile, or turn their head). This directly hinders the use of counterfeit documents that cannot pass dynamic biometrics. While this won't completely stop the use of fake documents, it will require more effort to access accounts and conduct transactions without biometrics.
Part 6. OPSEC and the Carder Checklist
- Data Collection: Use leaked IDs and phishing SMS messages to obtain the victim's passport information and M-Pesa PIN. Personalized attacks using leaked databases increase the chances of success.
- SIM swapping: Fake the victim's ID (or find a corrupt mobile phone store employee) and request a duplicate SIM card. In Kenya, carders forge IDs and police letters to gain access to accounts. Services from corrupt mobile phone store employees can be found on darknet forums.
- Drop Agent: Use a fake agent (or a drop agent who has agreed to a 20-30% commission) to cash out. The agent network remains vulnerable to social engineering and exploitation of operational weaknesses.
- Crypto-shim: Convert cash to crypto via a P2P exchange (NoOnes, LocalMonero). Use an intermediate wallet and XMR to break the chain.
- Regulatory restrictions: Do not exceed KSh 500,000 per month per M-Pesa account. Use multiple accounts to split your withdrawals. Keep in mind that the Kenya Revenue Authority tracks cumulative monthly withdrawals, not one-time transactions.
- Covering your tracks: After cashing out, destroy your SIM card, close your accounts, and change your proxy. Don't use the same SIM card for multiple transactions.
Summary
Mobile money systems in Africa are the "Wild West" of the payments industry. M-Pesa, Airtel Money, and Orange Money process trillions of dollars, but their security still hinges on the honesty of agents and vulnerable SIM card tethering. The "SIM swap + drop agent" scheme allows virtual money to be converted into cash in a matter of hours.
The next step is cryptocurrency. Through P2P exchanges, mobile money is converted into USDT or XMR, which then enters the global market without AML checks.
The main barriers are regulatory limits (KSh 500,000 in Kenya, ₦20,000 in Nigeria) and new liveness verification requirements (biometrics). But for those who know how to circumvent restrictions and cover their tracks, Africa remains a gold mine.
A quick one-line reminder:
"SIM swap + drop agent + crypto P2P = cash out in 2 hours. M-Pesa is the wallet, ID is the key, agent is the exit. USDT is clean money. KSh 500,000 limit, ₦20,000 is the first day, liveness is a hindrance, but not a wall. Africa is the last bastion of carding. Use it before it's shut down."
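Editor's added example, not part of the original post: the post's central dependency is that wallet access and SMS one-time passwords follow the SIM, so one mitigation on the operator side is a cooling-off period on debits after a SIM change. The sketch below applies such a rule to constructed events; the 24-hour window, the cap, the event names and the phone numbers are all assumptions made for illustration, not any operator's real policy or data.

```python
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)  # assumed policy window (illustrative)
CAP_DURING_COOLING = 1_000         # assumed per-debit cap, local currency units

# Constructed sample events: (timestamp, msisdn, event type, amount)
EVENTS = [
    ("2025-03-01T08:00", "2547000001", "sim_change", 0),
    ("2025-03-01T08:20", "2547000001", "transfer_out", 45_000),
    ("2025-03-01T09:05", "2547000001", "transfer_out", 800),
    ("2025-03-01T09:10", "2547000002", "transfer_out", 45_000),
    ("2025-03-03T10:00", "2547000001", "cash_withdrawal", 45_000),
]

DEBIT_EVENTS = {"transfer_out", "cash_withdrawal"}


def review(events):
    """Return (timestamp, msisdn, decision) for every debit, in time order."""
    last_sim_change = {}  # msisdn -> time of most recent SIM change
    decisions = []
    for ts, msisdn, kind, amount in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_sim_change[msisdn] = when
            continue
        if kind not in DEBIT_EVENTS:
            continue
        changed = last_sim_change.get(msisdn)
        in_window = changed is not None and when - changed < COOLING_OFF
        if in_window and amount > CAP_DURING_COOLING:
            # Hold until the customer is re-verified through a channel that
            # does not depend on the SIM (SMS OTP proves nothing here).
            decision = "hold"
        elif in_window:
            decision = "allow_and_log"
        else:
            decision = "allow"
        decisions.append((ts, msisdn, decision))
    return decisions


if __name__ == "__main__":
    for row in review(EVENTS):
        print(*row)
```

The rule keys on the SIM-change event itself rather than on transaction size alone, so a large debit from an account with no recent SIM change is not held by it.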