FRAUDASAURUS
FRAUD DETECTION FOR THE DIGITAL AGE
INCOMING TRANSMISSION... Agent, we've detected suspicious patterns across ARFI's digital banking platform. Someone is exploiting the gap between core and digital. Your mission: Investigate fraud vectors and identify the mastermind behind the operation known only as "CARMEG SANDIEGO." THE STAKES: $17.9 MILLION in fraud exposure hiding in plain sight. THE TARGETS: $13.9M structuring ring + $4M dormant abuse. THE DATA: Already there. Just wasn't being queried. Good luck, Agent. The institution is counting on you. [TRANSMISSION END]
STRUCTURING
$13.9M BSA/AML Violation Ring
Six accounts making identical $7,980 transfers - just under the $10,000 CTR threshold - 4-5 times per day for 18+ months. The clearest fraud signal in the dataset. Transaction memos reference 'DEPOSIT AT ATM... JLASTNAME TX'.
| Account ID | Txns | Total | Avg | Pattern |
|---|---|---|---|---|
| 8d857485... | 351 | $2,800,980 | $7,980 | $7,980 x 351 (Member #39903) |
| db903a36... | 315 | $2,513,700 | $7,980 | $7,980 x 315 (Member #7000) |
| 4d847cfd... | 291 | $2,322,180 | $7,980 | $7,980 x 291 (Member #33250) |
| cb9e5eca... | 277 | $2,210,460 | $7,980 | $7,980 x 277 txns |
| bd4f341d... | 260 | $2,074,800 | $7,980 | $7,980 x 260 txns |
| 6e86aaaa... | 253 | $2,018,940 | $7,980 | $7,980 x 253 (Member #39903) |
STRUCTURING SENTINEL flags accounts with 3+ identical amounts ($3K-$9,999) in 7 days, or daily totals exceeding $10K with no single transaction above threshold. These 6 accounts were running since April 2024 - $31,920 to $39,900 per day per account - totaling $13.9M over 18 months.
ACCOUNT TAKEOVER
Credential Attack Detection
Analysis of 2,144 login attempts revealed brute force patterns, credential stuffing, and suspicious IP velocity. CarMeg's own account 'ilovemlms' shows 25 failed logins from 5 IPs - managing too many fake identities.
| Username | Failed | Success | Fail % | IPs | Activity |
|---|---|---|---|---|---|
| bannowanda1 | 59 | 92 | 39% | 12 | Sustained brute force, 12 source IPs |
| ilovemlms | 25 | 6 | 81% | 5 | CarMeg account - credential stuffing |
| brandygalloway06 | 14 | 0 | 100% | 1 | 14 failures in 2 min - brute force |
| jessica | 6 | 0 | 100% | 6 | Each attempt from different IP - botnet |
| wandaa1 | 10 | 146 | 6% | 25 | 25 distinct IPs - unusual for legitimate user |
LOGIN GUARDIAN tracks failed login velocity and unique IP counts. 'bannowanda1' (JAMES EVANS on mposkey@ email - name mismatch!) shows 59 failures from 12 IPs. 'brandygalloway06' hit 14 consecutive failures in 2 minutes - textbook brute force. 'jessica' attempted from 6 different IPs - every attempt from a new source.
DORMANT ABUSE
$4M Core-Digital Gap Exploit
By joining Symitar lastfmdate with Banno transactions, we found accounts appearing dormant in core banking but actively moving money through digital channels. The real owner isn't watching - and neither was the core system.
| Member # | Last Core | Digital | Txns | Amount | Risk |
|---|---|---|---|---|---|
| 0000000006 | 2012-10-26 | 2024-03-15 | 3120 | $4,094,081 | CRITICAL |
| 0000034996 | 2019-10-01 | 2024-03-15 | 1113 | $145,736 | HIGH |
DORMANT WATCHER joins symitar.account_v1_raw.lastfmdate with banno transactions_fct. Member #6 shows last core activity in October 2012 - over 12 years ago - yet has 3,120 digital transactions totaling $4.09M. This is exactly the kind of account CarMeg targets: abandoned by its owner, unmonitored by the core system.
CARMEG SANDIEGO
The mastermind behind the fraud ring
- Structuring (BSA Violation)
- Multi-Identity Fraud
- Account Takeover Attempts
- Synthetic Identity Creation
- Money Laundering
FRAUD RING IDENTIFIED - DEFENSE SYSTEM DEPLOYED
Detects repeating sub-$10K amounts and daily aggregation patterns. Found 6 accounts making identical $7,980 deposits.
Monitors failed login velocity, IP diversity, and brute force patterns. Flagged 47 suspicious accounts.
Joins Symitar lastfmdate with Banno transactions to find core-dormant/digital-active gaps.
Clusters accounts by shared email bases, IPs, and login timing. Unmasked CarMeg's 11 accounts.
MISSION COMPLETE! CarMeg SanDiego has been UNMASKED as Meg Bannister. The 4-detector defense system is now operational. FINAL STATS: - Total Fraud Exposure: $17.9M - $7,980 Structuring Ring: $13.9M (6 accounts, 1,747 transactions) - Dormant Account Abuse: $4M (Member #6, dormant 12+ years) - CarMeg's Accounts: 11 under 6 aliases - Alerts Generated: 248 across 204 accounts - CRITICAL: 2 | HIGH: 16 | MEDIUM: 181 | LOW: 5 The data was always there. Now it's being watched. THE DINOSAUR CAUGHT THE THIEF.