Problem
Large-scale transaction environments generate noise around high-demand events. Anomalies — elevated decline rates, unusual device patterns, sudden volume spikes — may signal coordinated fraud but are difficult to identify and trace in real time without structured investigation.
The investigation prompt: "Something looks wrong tonight." The challenge is moving from that vague signal to a traceable, actionable recommendation without manual prompting at each investigation step.
Product concept
An autonomous multi-step investigation workflow that receives a vague anomaly signal, establishes a baseline, narrows to specific activity patterns, attributes behavior to device fingerprints, and produces a traceable blocklist recommendation — without human prompting at each step.
The system is designed to make the investigation steps visible and auditable, not just the final output.
How the system works
- Receives an initial anomaly signal (elevated decline rate observed on Zone 3)
- Establishes a baseline across 5,000 synthetic transactions (venue-wide decline rate: 11.8%)
- Detects Zone 3 with a decline rate of 48.6% against the 11.8% venue average
- Narrows the investigation scope to ticket resale activity
- Identifies three device fingerprints behind 214 of 222 declines in Zone 3
- Isolates the anomaly window: 17:30 to 17:59 UTC
- Calculates $37,159 in attempted fraudulent volume (synthetic data only)
- Produces a blocklist recommendation with traceable aggregation steps
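The steps above, carried through on a small constructed dataset, as an added example that is not the project's own code. It uses plain Python in place of the MongoDB aggregation queries; the field names, the `zone_factor` and `coverage` thresholds, and the sample transactions are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def build_sample():
    """Constructed synthetic transactions (not the project's dataset)."""
    t0 = datetime(2024, 1, 1, 17, 0, tzinfo=timezone.utc)
    txns = []
    for i in range(400):  # background: four zones, 1 decline in 10
        txns.append({"zone": f"Zone {i % 4 + 1}", "device": f"dev-{i % 97}",
                     "ts": t0 + timedelta(minutes=i % 120), "amount": 40.0,
                     "status": "declined" if i % 10 == 0 else "approved"})
    for i in range(90):  # burst: three devices on Zone 3, 17:30 to 17:59
        txns.append({"zone": "Zone 3", "device": f"bot-{i % 3}", "amount": 150.0,
                     "ts": t0 + timedelta(minutes=30 + i % 30), "status": "declined"})
    return txns

def decline_rate(txns):
    return sum(t["status"] == "declined" for t in txns) / len(txns)

def investigate(txns, zone_factor=2.0, coverage=0.8):
    trace = []  # each aggregation step is recorded so the result can be audited
    baseline = decline_rate(txns)
    trace.append(("baseline_decline_rate", round(baseline, 3)))
    by_zone = defaultdict(list)
    for t in txns:
        by_zone[t["zone"]].append(t)
    rates = {z: decline_rate(v) for z, v in by_zone.items()}
    zone = max(rates, key=rates.get)
    trace.append(("worst_zone", zone, round(rates[zone], 3)))
    if rates[zone] <= zone_factor * baseline:
        return {"zone": None, "blocklist": [], "trace": trace}  # nothing stands out
    declines = [t for t in by_zone[zone] if t["status"] == "declined"]
    # Smallest set of devices that explains `coverage` of the zone's declines.
    blocklist, covered = [], 0
    for dev, n in Counter(t["device"] for t in declines).most_common():
        if covered >= coverage * len(declines):
            break
        blocklist.append(dev)
        covered += n
    trace.append(("devices", list(blocklist), covered, len(declines)))
    hits = [t for t in declines if t["device"] in blocklist]
    window = (min(t["ts"] for t in hits), max(t["ts"] for t in hits))
    volume = sum(t["amount"] for t in hits)
    trace.append(("window_and_volume", window, volume))
    return {"zone": zone, "blocklist": sorted(blocklist), "window": window,
            "attempted_volume": volume, "trace": trace}
```

The returned `trace` list is what a reviewer would read before authorizing any block: it shows the baseline, the zone comparison, and how many of the zone's declines the listed devices account for.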
Main conceptual workflow
The diagram below is a conceptual illustration of the system flow. It does not reproduce internal documentation.
My contribution
- Defined the product concept and multi-step investigation workflow architecture
- Made final architecture decisions for the agent system
- Integrated the agent with Google ADK, Gemini on Vertex AI, and MongoDB MCP Server
- Tested the workflow against synthetic transaction scenarios
- Deployed to Cloud Run and submitted the entry
Substantial Claude and ChatGPT assistance was used during development. The author owns product definition, workflow design, final architecture decisions, integration, testing, deployment, and submission.
Technical implementation
- Google ADK — agent orchestration framework
- Gemini on Vertex AI — LLM reasoning layer
- MongoDB MCP Server / Atlas — data source integration
- Cloud Run — containerized deployment
- React — frontend interface
Evidence and validation
Evidence labels
- All transaction data is synthetic — no real card numbers, customer identities, or real-world fraud events
- The $37,159 fraudulent volume figure is derived entirely from synthetic data
- Findings are traceable to visible aggregation queries within the system
- The workflow produces a recommendation; enforcement would require separate human review and authorization
- Public repository available at the link below for code inspection
Limitations and transparency
- Synthetic data: findings reflect patterns in fabricated data, not real fraud scenarios
- No real payment-system integration: the workflow is not connected to live transaction infrastructure
- No production use: the workflow has not been used in a real-world fraud investigation
- Substantial AI assistance during development: Claude and ChatGPT contributed to code and architecture; the author owns the product definition, workflow design, final architecture decisions, integration, testing, deployment, and submission
- No judge endorsement, winner status, or award has been claimed