Data breaches, phishing and spyware have compromised millions of end-user records and credentials. Mules are the preferred means for draining compromised accounts. These are unwitting accomplices who provide a stepping stone between the victim account and the attacker. The key role they play is to turn reversible traceable transactions into irreversible untraceable ones. This, together with the fraud protections enjoyed by US banking customers, generates some surprising findings. First, it is the mule’s money not the victim’s or the bank’s money that the attacker steals. Second, mule recruitment and not credential theft appears the true bottleneck in online fraud. Third, this suggests an explanation of why stolen credentials sell so cheaply: there is a shortage of mules.