Here's what you can do:
if web, then 1) figure out if your anti-fraud tools are operating properly. (it might be ghost accounts (multiple users from same ip/deviceid. if so, ban the ips and device ids. If are unable to identify whether its a common ip or device id, then figure out if they used the same password by checking the hash (provided you have a single salt for all the password hashes). Usually fraud chains will use a scripts that will use the same passwords. If you have visibility on their security questions, then check that. Check other factors like similar times of login or very close to each other. Find out how your anti-fraud tools were abused and fix it.
if app, make sure devices were not compromised. If you don't have multifactor authentication, get it.
What should you do?
if web or app, then lock out the offending account, fence the funds, and make sure that any account that signs up from then on and shares similar parameters to the offending account is flagged and comes under your review. (Ex: same ip/ same device ID/ same password hashes/same responses to security questions)
Who do you report it to?
If it is more than $25k, you can expect that reporting it to the police will get you somewhere. Regardless, report it, but don't expect any effort on their part if less than $25k. Probability of that is pretty low.
If you are using a credit card PSP, then alert them, and tell them what you have done to make sure it doesn't happen. Alert your bank too and let them know how you have made sure it wont occur.
If you are registered as a MSB with FINCEN , file a (suspicious activity report) SAR with FINCEN. Your compliance officer can do that. If you don't have a CO, your legal counsel can help.
Finally, how to automate your fraud detection for future instances? You could get some traditional products that come with your PSP , but I find them very bloated and typically not good. I am now becoming a big fan of "machine learning". You should look into companies that provide that service.
Hope it helps,