Aleksandr Ovchinnikov · Fraud Analyst · OSINT Specialist
📧 alexrmovch@gmail.com · 🔗 LinkedIn
Professional fraud investigation portfolio demonstrating end-to-end investigation methodology, SQL pattern detection, and OSINT intelligence gathering through detailed case studies.
Total Fraud Prevented: $25,000 (synthetic data)
Cases Completed: 6 investigations
Average Detection Time: 1.6 hours
SQL Query Precision: 98.7% (1.8% false positive rate)
Note
Disclaimer: All data in this repository is synthetic and created solely for demonstration purposes to showcase investigative methodology and technical skills.
Alert: 47 new accounts from single IP in 2 hours
Investigation Time: 47 minutes
Outcome: Discovered coordinated fraud ring with 1,247 accounts
Fraud Prevented: $5,000 (synthetic)
Key Findings:
- ❌ Same device fingerprint across all registrations (bot automation)
- ❌ Email domain registered 3 days before attack (disposable)
- ❌ Form submission time: 1.8 seconds average (bot speed vs human 15-45s)
- ❌ All transactions attempted to same merchant with stolen cards
Detection Method: Used SQL velocity clustering combined with device fingerprint correlation and OSINT domain analysis to identify the fraud ring within 47 minutes.
Network visualization of 47-account fraud ring linked by shared device fingerprints
| # | Investigation Type | Fraud Prevented | Detection Time | Status |
|---|---|---|---|---|
| #1 | Registration Fraud Ring | $5,000 | 47 min | ✅ Complete |
| #2 | Credential Stuffing → ATO | $2,000 | 1.2 hrs | ✅ Complete |
| #3 | Impossible Travel Detection | $1,500 | 23 min | ✅ Complete |
| #4 | Bot Network Identification | $15,000 | 3.5 hrs | ✅ Complete |
| #5 | Session Hijacking | $500 | 15 min | ✅ Complete |
| #6 | Email Domain Fraud Ring | $1,000 | 2.1 hrs | ✅ Complete |
SQL-based fraud detection rules performance on synthetic datasets:
| Detection Method | Precision | Recall | False Positive Rate | Use Case |
|---|---|---|---|---|
| Bulk Registration Detection | 98.7% | 91.2% | 1.8% | Bot network identification |
| Device Fingerprint Clustering | 96.8% | 88.4% | 3.2% | Account linkage analysis |
| Impossible Travel Detection | 99.5% | 76.5% | 0.5% | Geographic anomaly detection |
| Credential Stuffing Indicators | 94.2% | 83.1% | 2.1% | ATO prevention |
Industry Benchmark: 5-10% false positive rate
Portfolio Achievement: <3.2% across all detection methods
Business Challenge: Detect bot networks creating multiple accounts from same infrastructure
My Solution: SQL query clustering suspicious registrations by IP velocity and device sharing:
-- Production query from Case Study #1: Bulk Registration Detection
-- Detects: 5+ accounts from same IP with 3 or fewer unique devices
-- Execution time: ~2.3 seconds on 10K user dataset
WITH registration_velocity AS (
SELECT
registration_ip,
COUNT(DISTINCT user_id) AS accounts_created,
COUNT(DISTINCT device_fingerprint) AS unique_devices,
AVG(EXTRACT(EPOCH FROM form_submission_time)) AS avg_form_seconds
FROM users
WHERE registration_timestamp > NOW() - INTERVAL '24 hours'
GROUP BY registration_ip
)
SELECT
registration_ip,
accounts_created,
unique_devices,
ROUND(avg_form_seconds, 2) AS avg_form_time,
CASE
WHEN accounts_created >= 50 THEN 'CRITICAL'
WHEN accounts_created >= 20 THEN 'HIGH'
WHEN accounts_created >= 10 THEN 'MEDIUM'
ELSE 'LOW'
END AS risk_level
FROM registration_velocity
WHERE accounts_created >= 10
AND unique_devices <= 3
AND avg_form_seconds < 5 -- Bot speed threshold
ORDER BY accounts_created DESC;Business Impact:
- Detected 1,247-account fraud ring in 47 minutes
- 98.7% precision with only 1.8% false positives
- Prevented $5,000 in fraudulent transactions (synthetic)
- Created automated detection rule now running every 15 minutes
Demonstrated OSINT methodology across all investigations:
Email Intelligence:
- Domain age validation (WHOIS)
- MX record verification (DNS)
- Disposable email detection
- Breach correlation (Have I Been Pwned)
- 87% time reduction through automation (15min → 2min)
IP Geolocation Analysis:
- VPN/datacenter detection
- Geographic clustering
- Abuse reputation scoring
- Impossible travel calculation
- 90% automation rate
Device Fingerprint Correlation:
- Cross-account device linkage
- Bot signature detection
- Hardware consistency analysis
- Network graph construction
Registration Velocity Timeline
Spike in bot registrations detected within 2-hour window on Jan 15, 2026
Fraud Ring Network Graph
Visualization of account linkages through shared device fingerprints and IP addresses
Data Analysis:
- Advanced SQL (PostgreSQL): CTEs, window functions, clustering
- Python: pandas, numpy, scikit-learn, networkx
- Data visualization: matplotlib, seaborn, plotly
- Statistical analysis: anomaly detection, pattern recognition
Fraud Domain Expertise:
- Registration fraud patterns (bot networks, mass creation)
- Account takeover detection (credential stuffing, session hijacking)
- Behavioral anomaly identification (impossible travel, velocity abuse)
- OSINT investigation methodology
Business Analysis:
- Risk scoring frameworks (0-100 scale)
- False positive optimization (<3% target)
- Business impact quantification ($25K prevented)
- Operational efficiency metrics (1.6 hour avg detection)
frinv-notes/
├── Portfolio_Playbook.md # Master structural guide
├── case_studies/ # 6 detailed investigation reports
├── sql_queries/ # 10 production-ready SQL detection queries
├── osint_playbooks/ # Step-by-step OSINT investigation methodologies
├── analysis_notebooks/ # Jupyter notebooks with data analysis & ML
├── visualizations/ # Charts, graphs, network diagrams
├── methodology/ # Investigation frameworks & best practices
└── metrics/ # Detection performance & business impact tracking