US consumer protections against fraud ensure that irreversible, untraceable transactions are hard, and hence mules are necessary. Mules essentially receive bad transfers and initiate good ones. A surprising consequence is that in the series of transfers between victim, mule and attacker it is really the mule’s rather than the bank’s or the victim’s money that is stolen. This means that the size of the online fraud business is determined not by the number of credentials that can be stolen, but by the number of mules who can be recruited, and how much they can send. This suggests an explanation for the fact that stolen credentials sell for small fractions of the underlying account value: there is a shortage of mules. It also suggests that banks find that investments in back-end fraud detection provide greater return on investment than front-end schemes such as stronger authentication.