GNN AML Detection · Six Fraud Scenarios

TrustCircles FraudShield (Mindrops ML) · How GNN catches what row-by-row ML misses

Multi-hop shell layering — 4 hops

[Diagram: Origin → Shell 1 (NL) → Shell 2 (DE) → Shell 3 (LU) → Extraction (Crypto OTC). Hop amounts: €190k, €185k, €182k, €178k. GNN score: HIGH 0.89]

Why traditional ML fails

Each shell-to-shell transfer looks like a normal inter-company payment. Individually: clean. But the GNN sees the 4-hop chain and recognises the layering topology.

GNN feature importance (SHAP)

Hop-chain depth (4 hops): 46%
Jurisdiction hopping: 28%
Amount decay pattern: 18%
Shell co. node type: 8%

Traditional ML score: 0.07 (missed)

GNN score: 0.89 (HIGH — escalated to Compliance Officer)

Circular transactions — money carousel

[Diagram: Acct A •••2211, Acct B •••4433, Acct C •••6655 and Acct D •••8877 connected in a cycle. Transfer amounts: €40k, €39k, €38k, €39k. 3 loops in 6h. GNN score: HIGH 0.94]

Why traditional ML fails

Each transaction is between existing account pairs with history. Row-by-row models see legitimate-looking bilateral activity. The GNN detects the cyclic graph topology — money returning to origin is the signal.

GNN feature importance (SHAP)

Cycle detection (3 loops): 52%
Velocity (6h window): 24%
Near-identical amounts: 16%
No economic rationale: 8%

Traditional ML score: 0.12 (missed)

GNN score: 0.94 (HIGH — escalated to Compliance Officer)

Fan-out rapid dispersion — 1 source → 6 mules in 8 min

[Diagram: Compromised Corp account fans out to Mule 1 through Mule 6. €8,200 each, all to crypto exchanges. Total: €49,200 in 8 minutes. All 6 mules: new accounts opened same week. Same device fingerprint → GNN shared-attribute edge. GNN score: HIGH 0.97 (Fraud)]

Why traditional ML fails

Each mule receives one payment that falls below thresholds. No single transaction is unusual. The GNN links all 6 via a shared device fingerprint edge — an attribute that isn't even a transaction.

GNN feature importance (SHAP)

Fan-out degree (1→6): 38%
Shared device fingerprint: 33%
All new accounts same week: 20%
Uniform amount pattern: 9%

Traditional ML score: 0.19 (missed)

GNN score: 0.97 (HIGH — account frozen immediately)

Smurfing — 5 feeders, all below €5k threshold → mule → offshore

[Diagram: Feeders F1 €4,900, F2 €4,750, F3 €4,800, F4 €4,850, F5 €4,600 → Mule •••8821 (aggregated €23,900) → Offshore acct (Panama · €23,900). All 5 feeders: same IP subnet. Coordinated within 4-hour window. GNN score: HIGH 0.91]

Why traditional ML fails

Every feeder sends an amount individually below the €5,000 STR threshold. Five separate transactions — each clean. Traditional ML sees five low-risk payments. The GNN sees the star topology converging on one mule and the shared IP subnet linking all feeders as co-ordinated nodes.

GNN feature importance (SHAP)

Structuring velocity (5 feeders): 42%
Amount clustering (<€5k each): 29%
Shared IP subnet (non-tx edge): 19%
Offshore destination risk: 10%

Traditional ML score: 0.08 per txn (all missed)

GNN score: 0.91 (HIGH — EDD questionnaire triggered, SAR drafted)

PEP proximity clustering — funds reach politician via 3 proxies

[Diagram: Corp •••9910 (Contractor NL) → Proxy 1 (Spouse), Proxy 2 (Sibling), Proxy 3 (Associate) → PEP •••0077 (Gov. official). GNN 2-hop: PEP distance = 2 (threshold: 3). KYC watchlist: PEP not flagged on direct check. GNN score: HIGH 0.93 (PEP proximity)]

Why traditional ML fails

The PEP (Politically Exposed Person) does not appear directly in any transaction. Traditional KYC only checks direct counterparties. The GNN computes PEP proximity distance across the graph — flagging any account within 3 hops of a known PEP node as elevated risk.

GNN feature importance (SHAP)

PEP 2-hop proximity: 51%
Proxy family relationship: 27%
Contractor payment pattern: 14%
Geographic risk (origin): 8%

Traditional KYC/ML: PEP not found (missed)

GNN score: 0.93 (HIGH — EDD triggered, PEP declared, SAR filed)
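
The PEP proximity distance described above can be reproduced with a plain multi-source breadth-first search. This is an added example, not FraudShield code and not a GNN: it only shows why a direct-counterparty check misses what a hop-distance check catches. The account names and edges are constructed, edges are assumed undirected, and the 3-hop threshold is assumed to be inclusive.

```python
from collections import deque

# Constructed sample graph (not real data): payment/relationship edges,
# treated as undirected. Node names are hypothetical.
EDGES = [
    ("corp_9910", "proxy1_spouse"), ("proxy1_spouse", "pep_0077"),
    ("corp_9910", "proxy2_sibling"), ("proxy2_sibling", "pep_0077"),
    ("corp_9910", "proxy3_associate"), ("proxy3_associate", "pep_0077"),
    ("corp_9910", "supplier_a"), ("supplier_a", "supplier_b"),
    ("retail_x", "retail_y"),  # unrelated component, never reached
]
KNOWN_PEPS = {"pep_0077"}
HOP_THRESHOLD = 3  # page: within 3 hops of a PEP is elevated risk (assumed inclusive)


def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def direct_pep_hit(adj, account, peps):
    """Direct-counterparty check only: is a PEP one of this account's neighbours?"""
    return bool(adj.get(account, set()) & peps)


def pep_distances(adj, peps, max_hops):
    """Multi-source BFS from all PEP nodes, cut off at max_hops."""
    dist = {p: 0 for p in peps if p in adj}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the threshold
        for nb in adj[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist


def elevated_risk(edges, peps, threshold=HOP_THRESHOLD):
    """Non-PEP accounts within `threshold` hops, mapped to their PEP distance."""
    dist = pep_distances(build_adjacency(edges), peps, threshold)
    return {n: d for n, d in dist.items() if n not in peps}


if __name__ == "__main__":
    for acct, d in sorted(elevated_risk(EDGES, KNOWN_PEPS).items(), key=lambda x: x[1]):
        print(acct, d)
```

Because the search starts from every PEP node at once, its cost is bounded by the size of the 3-hop neighbourhood around the watchlist rather than by the number of accounts screened.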

Trade-based money laundering — invoice fraud across 3 entities

[Diagram: Exporter NL (invoices goods at 3× market), Importer DE (overpays invoice), Freight Co. (shell logistics), Offshore SPV (Cayman · profit extraction). Edge labels: Invoice, Goods, €340k. Invoice value 3.1× comparable market price. GNN links exporter ↔ freight co. (same UBO node). GNN score: HIGH 0.88 (TBML)]

Why traditional ML fails

The bank only sees a legitimate trade payment — a large SWIFT transfer for an import invoice. There's no structuring, no velocity issue. The GNN links the exporter and freight company through a shared UBO (Ultimate Beneficial Owner) node in the entity graph, exposing the circular over-invoicing scheme.

GNN feature importance (SHAP)

Invoice vs. market price ratio: 44%
Shared UBO node linkage: 32%
Offshore SPV destination: 16%
Freight co. shell indicators: 8%

Traditional ML score: 0.11 (missed — looked like trade)

GNN score: 0.88 (HIGH — TBML typology, SAR filed under AMLR Art.74)