A running point broker is an intermediary that recruits people to rent out bank accounts, wallets, or exchange identities for moving illicit funds. The role is important because it turns identity access into a transferable service, creating the first stage of laundering and the first major attribution gap.
Expanded Definition
A running point broker is a facilitation role in illicit finance where a person or group recruits account holders, wallet owners, or exchange users to let their identities and accounts be used as conduits for moving criminal funds. In practice, the broker sits between the source of illicit value and the first usable financial rail, turning a human identity into a rented access point. That makes the role especially important in fraud, money mule networks, account takeover chains, and laundering typologies that rely on disposable or obscured attribution.
The concept is best understood as an identity and access abuse pattern rather than a banking product or a formal fraud category. It overlaps with money mule recruitment, but the broker is distinct because they organise the supply of access, coordinate throughput, and often manage trust between parties. Definitions vary across vendors and law enforcement reporting, but the core security meaning is consistent: the broker converts access into a service that can be bought, transferred, and reused. For governance context, the NIST Cybersecurity Framework 2.0 is useful for mapping how identity misuse, fraud detection, and response controls should align across the organisation.
The most common misapplication is treating a running point broker as a single mule or account holder, which occurs when investigators miss the coordination layer that recruits, times, and routes the transactions.
Examples and Use Cases
Implementing detection and response for running point brokers rigorously often introduces false-positive pressure, requiring organisations to weigh stronger fraud interruption against customer friction and account review workload.
- A broker recruits students to open wallets, then routes multiple low-value transfers through them to obscure the origin of stolen funds.
- A broker buys access to exchange identities that have passed basic verification, then uses them to cash out criminal proceeds before accounts are frozen.
- A broker coordinates a chain of bank accounts so that each transfer appears to be a normal peer-to-peer payment, reducing the chance of immediate scrutiny.
- A broker uses messaging channels to match willing account holders with laundering tasks, setting fees based on volume, speed, and account longevity.
- A financial institution detects a cluster of accounts with shared device signals, repeated beneficiary reuse, and rapid pass-through behaviour, indicating brokered access rather than isolated fraud.
For defenders, the operational clue is often not the payment itself but the pattern around it: recruitment language, repeated onboarding across related identities, and transaction chains that show temporary control rather than genuine economic activity. Guidance from the NIST Cybersecurity Framework 2.0 helps teams connect detection, analysis, and incident handling instead of treating each suspicious account as a separate event.
Why It Matters for Security Teams
Running point brokers matter because they expose a control gap between identity verification and actual account use. A bank or platform may know who opened the account, but still fail to see who is operating it, coordinating it, or monetising it. That gap is central to laundering, fraud chaining, sanctions evasion, and synthetic trust formation. For security and fraud teams, the term is useful because it frames the threat as a networked abuse model, not just a bad actor with a single compromised account.
This also has direct identity implications. Where identity verification is weak, reversible, or easy to rent, a broker can industrialise misuse by turning one verified identity into repeated downstream access. That is why account lifecycle controls, behavioural monitoring, mule detection, and rapid interdiction all matter together. In identity-beyond-IAM contexts, the lesson is that proofing is not the same as control of use, and trust in onboarding does not guarantee trust in transaction execution. Organisations typically encounter the full operational cost only after suspicious funds have already moved through multiple accounts, at which point brokered access becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-63 set the technical controls, and DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset and identity visibility helps trace brokered account abuse across users and systems. |
| NIST SP 800-63 | IAL2 | Identity proofing strength affects how easily verified identities can be repurposed by brokers. |
| OWASP Non-Human Identity Top 10 | NHI lifecycle and secrets misuse | Brokered access mirrors NHI abuse patterns where credentials and identities are rented or reused. |
| DORA | Operational resilience depends on detecting fraud and identity abuse that can disrupt financial services. |
Inventory identities and account pathways so brokered misuse can be detected and contained faster.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org