So far this course has built the machinery: graphs, node and edge and graph-level tasks, message passing, the contagion dynamics that ripple through a network. Lovely theory. Now we point all of it at the two things that actually fund a quant desk and a compliance team: catching money that is being hidden and predicting money that is about to move.
Here is the unifying punchline, up front. Fraud detection and relational alpha are not new problems with new math — they are the exact node, edge, and graph tasks from the graph-tasks lesson, aimed at money instead of toy citation networks. The structure is the signal. A laundering ring is invisible one account at a time and obvious as a subgraph. A supplier’s earnings surprise is silent on the customer’s own price chart and loud along the supply-chain edge that connects them. Graph learning earns its keep exactly where the value lives between the nodes rather than inside them.
This lesson is the “point it at money” capstone before the honest audit. We will be witty about it, but the caveats are deadly serious — and the next lesson does nothing but stress-test them.
The unifying idea: same graph tasks, aimed at money
Before you read — take a guess
A team wants to (a) flag laundering accounts, (b) predict a firm's return from its suppliers, and (c) discover hidden links between wallets. In graph-learning terms, what are these three?
Analogy. You already own the toolbox. Earlier lessons sold you a hammer, a saw, and a drill and made you practice on scrap wood. This lesson hands you the actual house. Nothing about the tools changed — you are just hitting nails that are worth something.
Definition. Every problem in this lesson maps onto one of the canonical graph machine-learning tasks:
- Node classification / regression — label or score each node from its features and its neighbourhood . Fraud: is this account illicit (a label)? Alpha: what return will this firm post (a number)?
- Subgraph / graph classification — label a whole pattern rather than a single node. Fraud: is this little cluster of accounts a laundering ring?
- Link prediction — score node pairs for a missing or hidden edge. Fraud: do these two pseudonymous wallets secretly share an owner? Alpha: is there an undisclosed supply relationship?
Worked example. Imagine a single account that sends fifty small payments to fifty distinct counterparties and receives none. A per-row tabular model sees fifty boring rows. A node classifier with one round of message passing sees a node whose out-degree is fifty and in-degree is zero — a fan-out hub — and that structural feature, computed by aggregating over , is what tips the score. Same data; the graph framing surfaces a feature the flat table never had a column for.
| Money task | Graph-learning task | Where the signal lives |
|---|---|---|
| Flag a laundering account | Node classification | In the node’s neighbourhood pattern |
| Recognise a laundering ring | Subgraph / graph classification | In the whole motif |
| Forecast a firm’s return from peers | Node regression + propagation | Along economic edges |
| Find a hidden ownership/supply tie | Link prediction | In the absent-but-likely edge |
Misconception. “Graph models replace the features and models I already have.” No — they augment them. The node’s own features (transaction size, firm fundamentals, price history) still matter; the graph adds the relational channel on top. Throwing away node features to go “pure graph” usually throws away signal.
When to use it
Frame a finance problem as graph learning when the value is relational — when an entity is suspicious or predictable because of who it is connected to, not just its own attributes. If a flat per-entity model with no neighbourhood information already nails it, you do not need a graph; the graph earns its complexity only when structure carries signal the table cannot.
AML ring detection on transaction graphs
Before you read — take a guess
A launderer splits 90,000 units into ten transfers of 9,000 so each stays under a 10,000 reporting threshold, then funnels them into one collector account. Why does a per-account rule miss this?
Analogy. A laundering ring is a heist where every individual on camera is just buying groceries. One person buys flour, another buys yeast, a third buys a delivery van — all perfectly legal. Only when you draw the lines between them do you see a bakery being built to launder bread money. The crime is in the graph, not in any single frame.
Definition. Money laundering classically runs in three stages: placement (get dirty cash into the system), layering (shuffle it through many transactions to obscure its origin), and integration (bring it back looking clean). Anti-money- laundering (AML) is the work of detecting this. A transaction graph models it directly: nodes are accounts or wallets, directed weighted edges are transfers (direction = who paid whom, weight = amount and/or count, often timestamped). A graph neural network labels a node by aggregating its neighbourhood, so an account can “look guilty by association and by pattern” even when its own transactions are dull.
Why per-account rules miss it. Threshold rules (“flag any transfer above ten thousand”) are trivially defeated by design. Launderers deliberately structure activity below thresholds and spread it across many accounts. The three structural escapes:
- Fan-in (smurfing): many small inbound transfers converge on a collector.
- Fan-out: one source sprays funds to many mules.
- Layering chains / cycles: long directed paths or loops that recycle funds to blur their origin.
Worked example — the fan-in that beats a threshold. Ten “smurf” accounts each send 9000 units into one collector account. Each transfer is below the 10000 reporting threshold, so a per-transaction rule fires zero alerts. But aggregate the collector’s neighbourhood:
where is the set of accounts sending into collector . The collector’s in-degree is ten and its total inflow is ninety thousand units — comfortably into reporting territory — and it then forwards roughly that whole sum onward in one or two hops. A node classifier whose message-passing step computes neighbourhood aggregates (degree, summed inflow, count of distinct senders) reads those features and scores the collector as suspicious. Each edge was legal; the node’s aggregated structure is not. That gap is the entire reason graphs beat flat rules here.
| View | What it sees at the collector | Verdict |
|---|---|---|
| Per-transaction threshold rule | Ten transfers, each 9000 (below 10000) | No alert |
| Graph node aggregation | In-degree ten, inflow ninety thousand, ten distinct senders, fast forward-out | Suspicious |
Suspicion is not proof
A graph fraud model outputs a ranked list of suspicion, never a conviction. Two hard realities ride along. First, extreme class imbalance: genuine laundering may be well under one in a thousand accounts, so a model that screams “all clean” is 99.9 percent accurate and 100 percent useless — you must evaluate with precision and recall on the rare class, not raw accuracy. Second, the adversary adapts: as soon as fan-in is flagged, launderers lengthen chains, add legitimate-looking intermediaries, and mimic normal traffic. A static model decays the moment it ships.
When to use it
Use graph AML when laundering is structured — deliberately fragmented to slip under per-entity rules — which is most of the serious cases. Treat the model as an alert prioritiser feeding human investigators, not an autonomous judge: it raises the most structurally suspicious nodes to the top of a queue, and people (with legal standards of proof) decide. If your laundering is just one giant obvious transfer, a threshold rule already catches it and you do not need the graph.
Fill in why structured laundering defeats simple rules.
Pick the right option for each blank, then check.
In a fan-in (smurfing) ring, each individual transfer is , so the crime is visible only as the aggregate pattern across the collector's neighbourhood.
Typologies and motifs: matching crimes to shapes
Before you read — take a guess
An AML team's graph model floods investigators with false positives by flagging every high-degree hub. What is the most likely cause?
Analogy. Detectives keep a catalogue of modus operandi — the safecracker who always drills the same spot, the forger who reuses one watermark. AML has the same playbook, except the “MO” is a shape in the graph. Learn the shapes and you learn the crimes.
Definition. A typology is a recognised laundering pattern; a motif is the small recurring subgraph that encodes it. Detecting them is subgraph / motif counting (how many times does this shape appear around a node?) feeding into a graph- or node-level classifier. The staple typologies:
| Typology | Graph motif | Why a flat table misses it |
|---|---|---|
| Smurfing | Fan-in: many senders into one collector | Each inbound transfer is small and below threshold; only the convergence is the tell |
| Layering | Long directed chain A to B to C to D | Each hop looks like an ordinary payment; the depth of the chain is invisible per-row |
| Round-tripping | Cycle: funds return to origin via intermediaries | No single row shows the loop closing back on itself |
| Mule network | Dense many-to-many cluster of pass-through accounts | Each account holds funds briefly; the cluster-level “hot potato” behaviour needs the graph |
Worked example — counting the loop. Round-tripping hides in a directed cycle. Take account . A per-account rule sees three accounts that each sent and received one transfer — utterly normal. A motif counter searches for directed 3-cycles and finds exactly one passing through . If sits on, say, seven distinct short directed cycles when a typical account sits on zero, that cycle-count feature ( versus a baseline near ) is a strong structural flag. The arithmetic is just counting closed directed paths — but it is a count the flat table has no column for.
Misconception / pitfall. “Hub shape equals guilt.” Emphatically no. A payroll processor is a giant fan-out. A popular exchange is a giant fan-in. A merchant acquirer is a dense many-to-many cluster. If your model keys on degree or motif counts alone, it will rank every legitimate hub as a top suspect and drown your investigators in false positives — the exact failure the pretest described. The fix is to learn the finer distinctions (timing, velocity, counterparty mix, known-entity labels) that separate a laundering cluster from a Tuesday at a payment processor.
When to use it
Reach for motif and typology features when you have a known catalogue of laundering shapes and want interpretable, auditable flags (“this account sits on seven cycles”). They pair well with a GNN: hand-crafted motif counts give a regulator-friendly explanation, while the learned message passing catches variants the catalogue missed. Do not deploy motif counts naked against the false-positive problem — always combine with features that exonerate legitimate hubs.
Match each laundering typology to the graph structure that exposes it.
Place each item in the right group.
- Mule network: many accounts shuffling funds among themselves
- Smurfing: many small deposits into one collector
- Ten accounts each wiring a sub-threshold amount to one node
- Layering: A to B to C to D pass-through
- Round-tripping: funds loop back to the origin
Relational / peer-firm alpha
Before you read — take a guess
A key automotive-chip supplier posts a strong positive earnings surprise before its carmaker customers report. How can a graph model turn this into alpha on the customers?
Analogy. A supplier’s bad quarter is the cough before the customer’s flu. If the factory that makes your only engine part just warned on demand, you do not need to wait for the carmaker’s own report to update your view — the symptom already travelled down the supply chain. Relational alpha is listening to the cough.
Definition. Relational (peer-firm) alpha propagates a signal — an earnings surprise, a news-sentiment shock, an analyst revision — from one firm along economic edges (supplier-customer links, same-sector co-movement, shared ownership) to predict a connected firm’s return. In graph terms it is node regression where each node’s target (forward return) is informed by messages aggregated from . This is message passing used as alpha: the same aggregate-from-neighbours operation that flags a laundering hub, repurposed to forecast a price.
Worked example — weighted propagation of a surprise. A supplier posts an earnings surprise of . It has three customers, and we weight the propagated signal by each customer’s revenue share sourced from (how exposed each is):
| Customer | Revenue share from supplier () | Decay factor | Propagated signal |
|---|---|---|---|
| Customer | 0.50 | 0.5 | |
| Customer | 0.25 | 0.5 | |
| Customer | 0.10 | 0.5 |
The one-hop message into customer is a weighted sum over its supplier neighbourhood,
where is the source firm’s surprise, the edge weight (dependence), and a global decay capturing how much of a supplier’s news actually transmits. Customer , half-dependent on , inherits a expected nudge; the barely-exposed inherits . The same surprise, fanned out and scaled by the edge, becomes a cross-sectional return forecast.
Tie to the deep-learning course. A sequence model (RNN, TCN, attention) captures one firm’s own history — its price path, its seasonality, its momentum. The GNN adds the cross-firm channel the sequence model is blind to: information that lives in other firms and reaches this one along an edge. The two compose naturally — sequence model per node for the temporal signal, graph layer across nodes for the relational signal.
Relational alpha decays, crowds, and reverses
Three ways this bites. It decays: once everyone runs the same supplier-customer propagation, the lead-lag gets arbitraged into the price and the edge stops paying. It reverses: lead-lag is not a law — sometimes the customer’s order book leads the supplier, and a model that hard-codes one direction trades the wrong way. And the edges are noisy and stale: supply-chain maps are scraped from filings, news, and vendor datasets that lag reality by quarters, so you are often propagating along a relationship that ended last year. Garbage edges, garbage alpha.
When to use it
Use relational alpha when (1) you have a defensible economic edge — a real, reasonably current supply or ownership link, not a guessed correlation — and (2) the signal plausibly leads, i.e. the source firm’s news arrives before the target’s price has absorbed it. It is strongest right after a discrete event (an earnings surprise, a guidance cut, an M&A headline) on a well-mapped network. It is weakest, and most dangerous, when the edge data is stale or the lead-lag is actually the other way round.
Pick a term, then click its definition.
On-chain analytics on wallet graphs
Before you read — take a guess
A blockchain records every transfer publicly and pseudonymously. What does that make it, for a graph analyst?
Analogy. Imagine if every bank transaction on Earth were posted to a public bulletin board, forever, under nicknames instead of names. You could not immediately read “Alice paid Bob,” but you could watch the nicknames, see which ones always move together, and slowly deduce who is who. That bulletin board is a public blockchain, and the deduction is on-chain analytics.
Definition. On-chain analytics builds a wallet / address graph from raw blockchain data — nodes are addresses, edges are transfers — and runs graph tasks on it:
- Entity clustering — which addresses share one owner? (Node clustering / link prediction.)
- Illicit-flow tracing — connect an address to a known hack, scam, sanctioned entity, or mixer. (Labelled-source propagation / path tracing.)
- Exchange / mixer / service classification — label an address by behaviour (node classification).
Worked / illustrative example — clustering by common input. In a UTXO-model chain (think of coins as discrete bills, where a transaction spends specific bills), a single transaction often spends inputs from several addresses at once. The common-input heuristic says: if addresses , , and all appear as inputs to the same transaction, they are almost certainly controlled by one wallet — you generally need all the private keys to sign such a spend. So a transaction with inputs collapses those three nodes into one entity. A GNN then refines the heuristic: it learns from address behaviour (timing, amounts, counterparties) to merge clusters the naive rule split apart, and to avoid merging when the heuristic over-reaches. Account-model chains (one persistent balance per address, no discrete coins) break the common-input heuristic entirely, so the clustering tactics differ by chain model — a loose tie to the UTXO-versus-account distinction from earlier.
Pseudonymity is not anonymity, but tracing breaks
The chain is transparent, so naive tracing feels easy — follow the edges. Then the adversary fights back. Mixers and privacy tools (CoinJoin, tumblers, shielded pools) deliberately scramble the input-output mapping so the common-input heuristic and edge tracing collapse. Chain-hopping — bridging funds across blockchains — snaps the trail at the bridge. And ground-truth labels (this address is a known exchange, that one a sanctioned wallet) are scarce, noisy, and often crowdsourced, so a confident illicit label can be flat wrong. Transparent does not mean traceable.
When to use it
Use on-chain graph analytics for compliance screening (is this counterparty wallet tied to a sanctioned entity or a hack?), forensic tracing of stolen funds, and labelling exchange or service addresses. It is at its best where the heuristics hold — common-input clustering on UTXO chains, propagation from a few high-confidence labels. It is at its worst, and you should be loudest about uncertainty, when funds have passed through a mixer or hopped chains, or when your only labels are a noisy public blocklist.
If the blockchain is fully public, why is tracing illicit funds still hard?
Answer. Public means visible, not attributable. You can see every edge, but you cannot natively see who owns each address, and adversaries actively destroy the link between flows. Mixers pool many users’ coins and re-issue them so the input-to-output mapping is statistically scrambled; bridges move value to another chain where the trail restarts; and the labels that tie pseudonyms to real entities are scarce and noisy. Graph models help — clustering and propagation recover a lot of structure — but they output probabilistic attribution, never certainty, and a determined launderer can push that probability low enough to be useless as evidence.
The common honest caveat (bridge to next lesson)
Before you read — take a guess
Across BOTH fraud detection and relational alpha, which problem is the single biggest threat to a graph model's reported performance?
Step back and the two halves of this lesson rhyme. Whether you are hunting laundering rings or harvesting peer-firm alpha, the same four gremlins are waiting. Labels are scarce and noisy — confirmed laundering cases and clean supply-chain maps are both rare and error-prone. Classes are imbalanced — fraud is a needle in a haystack, and naive accuracy lies about it. The world fights back — the launderer adapts to your last model and the alpha edge decays as it crowds. And the big one, the gremlin that quietly invalidates more graph papers than any other: these models leak badly if you split carelessly. Connected nodes that should be on the same side of the train/test line end up on both; future edges sneak into past training; a “test” node has already whispered its label to a training neighbour through one hop of message passing. Your backtest glows, and live performance faceplants.
Next: the honest audit
This was the optimistic capstone — here is where graphs put money on the table. The next lesson is the cold shower: how graph splits leak, why standard cross-validation is not enough on a network, and how to audit a graph model honestly before you trust a single number it prints. Bring everything you just learned; we are about to stress-test all of it.
Recap
You took the whole graph-learning toolbox and aimed it at money. Fraud detection turned out to be node and subgraph classification on a transaction graph, where structured laundering hides under per-account thresholds and only the fan-in, chain, cycle, and cluster motifs give it away — while legitimate hubs threaten to bury you in false positives. Relational alpha turned out to be node regression with message passing as the engine, propagating a supplier’s surprise along weighted economic edges to forecast a customer’s return, adding the cross-firm channel a single-firm sequence model never sees. On-chain analytics turned out to be the same transaction-graph game on a public, pseudonymous ledger, where clustering and tracing recover structure until a mixer or a chain hop fights back. And all of it shares one set of honest caveats — scarce labels, imbalance, an adapting adversary or decaying edge, and the leakage trap that the next lesson exists to expose.
Big picture
Fraud rings and relational alpha
- Graph learning aimed at money
- Unifying idea
- Fraud = node / subgraph classification
- Relational alpha = node regression + propagation
- Hidden ties = link prediction
- AML ring detection
- Transaction graph: accounts, directed weighted transfers
- Per-account rules miss structured laundering
- Fan-in beats the threshold (ten times nine thousand)
- Suspicion, not proof; imbalance; adversary adapts
- Typologies and motifs
- Smurfing = fan-in
- Layering = chain
- Round-tripping = cycle
- Mule network = dense cluster
- Pitfall: legit hubs (exchanges, payroll)
- Relational / peer-firm alpha
- Propagate surprise along economic edges
- Weighted by dependence (revenue share)
- Adds cross-firm channel to sequence models
- Decays, crowds, reverses; stale edges
- On-chain analytics
- Public pseudonymous wallet graph
- Entity clustering (common-input heuristic)
- Illicit-flow tracing and classification
- Mixers and chain-hopping break tracing
- Shared honest caveats
- Scarce, noisy labels
- Class imbalance
- Adversary adapts / edge decays
- Leakage from careless splits (next lesson)
- Unifying idea
Mixed check: did the structure click?
Ten accounts each transfer nine thousand units into one collector under a ten thousand reporting threshold. Why does a per-transaction rule fail while a graph model succeeds?
Check your answer to continue.