A structured library of fraud detection signals used in risk engines, fraud monitoring systems, and AI-agent trust architectures.
Maintained by Gururaj G J — Fraud Intelligence Specialist | Founder, Zarelva
A practitioner-built reference library of fraud detection signals used in fraud intelligence, risk architecture, and investigation workflows.
This repository documents fraud signals and correlation patterns observed across payment platforms, online services, and digital marketplaces.
The goal is to structure fraud detection thinking around signals, patterns, and correlation rather than isolated incidents.
Most fraud investigations focus on a single event. This library is built on a different premise: fraud is a system, and detecting it reliably requires understanding how signals cluster, correlate, and escalate across multiple dimensions simultaneously.
This is intended to serve as a practical reference framework for fraud analysts, risk architects, and Trust & Safety practitioners building or improving detection systems.
Fraud rarely operates within a single dimension. Attackers correlate activity across devices, networks, identities, and timing patterns to evade detection.
This library documents the signals fraud and risk teams should monitor to identify coordinated abuse, multi-account fraud, payment fraud, and identity manipulation.
This library is organized to mirror how a layered fraud detection system actually works — signals flow upward from raw data through correlation into actionable investigation:
┌────────────────────┐
│ Device Signals │ ← Emulator detection, device sharing, ID cycling
└─────────┬─────────┘
│
▼
┌────────────────────┐
│ Network Signals │ ← VPN/proxy, datacenter IPs, IP velocity
└─────────┬─────────┘
│
▼
┌────────────────────┐
│Behavioral Signals │ ← Session anomalies, credential stuffing, ATO patterns
└─────────┬─────────┘
│
▼
┌────────────────────┐
│Transaction Signals │ ← Card testing, chargeback abuse, mule patterns
└─────────┬─────────┘
│
▼
┌────────────────────┐
│ Signal Correlation │ ← Patterns that combine signals into typologies
└─────────┬─────────┘
│
▼
┌────────────────────┐
│ Risk Scoring Engine│ ← Weighted signal scoring + rule engine
└─────────┬─────────┘
│
▼
┌────────────────────┐
│Investigation Workflow│ ← Case management, evidence, escalation
└────────────────────┘
Key Principle: No single signal is fraud. Correlation across multiple layers is how real fraud detection systems separate genuine abuse from noise.
| File | Description |
|---|---|
| device-signals.md | Device fingerprint anomalies, emulator signals, hardware inconsistencies |
| network-signals.md | IP, proxy, VPN, and ASN-based risk indicators |
| behavioral-signals.md | Session patterns, velocity, timing, and interaction anomalies |
| transaction-signals.md | Payment fraud patterns, card abuse, chargeback signals |
| fraud-signal-correlation.md | How signals combine into fraud typologies: account farms, ATO, mule clusters, synthetic identity |
Each signal file contains:
- Signal name — what it is
- Why it matters — fraud context and attacker behavior
- Detection approach — how to surface it in your systems
- Risk level — Low / Medium / High / Critical
The correlation file documents how signals combine into recognizable fraud typologies, with a quick-reference matrix and 7 fully documented attack patterns.
This library is intended for:
- Fraud analysts building detection rules
- Risk architects designing fraud frameworks
- Trust & Safety teams reviewing platform abuse
- Fintech teams scaling faster than their risk controls
Signals from this library can feed into fraud scoring engines and risk decision workflows.
Example pipeline:
Transaction / Agent Activity
↓
Fraud Signal Detection
↓
Risk Scoring Engine
↓
ALLOW / REVIEW / BLOCK
The signals in this library are designed to feed into fraud scoring engines, rule-based risk systems, and AI-agent trust architectures, such as the Zarelva Agent Risk Engine.
https://github.com/Gururaj-GJ/zarelva-agent-risk-engine
6+ years investigating financial crime across Amazon, Google, Flipkart, and G2 Risk Solutions. Founder of Zarelva, a fraud intelligence and risk architecture consulting initiative.
Connect: LinkedIn | Portfolio | Zarelva
This library is a living document. Signals are updated based on real investigation patterns.