Fraud Detection Through Large-Scale Graph Clustering with Heterogeneous Link Transformation

TL;DR

<3-5 sentence high-level summary> The paper tackles industrial-scale fraud detection by modeling a heterogeneous account graph with hard (identity) and soft (behavioral) links. It introduces a principled graph transformation that merges hard-link components into super-nodes and reconstructs a weighted soft-link graph, enabling scalable LINE embeddings followed by HDBSCAN clustering to identify fraud rings. The approach doubles detection coverage over hard-link-only baselines while preserving precision, and it demonstrates practical deployment with near-real-time incremental updates. The framework is validated on a real-world dataset and is shown to be scalable, effective, and adaptable for production fraud-detection systems.

Abstract

Collaborative fraud, where multiple fraudulent accounts coordinate to exploit online payment systems, poses significant challenges due to the formation of complex network structures. Traditional detection methods that rely solely on high-confidence identity links suffer from limited coverage, while approaches using all available linkages often result in fragmented graphs with reduced clustering effectiveness. In this paper, we propose a novel graph-based fraud detection framework that addresses the challenge of large-scale heterogeneous graph clustering through a principled link transformation approach. Our method distinguishes between \emph{hard links} (high-confidence identity relationships such as phone numbers, credit cards, and national IDs) and \emph{soft links} (behavioral associations including device fingerprints, cookies, and IP addresses). We introduce a graph transformation technique that first identifies connected components via hard links, merges them into super-nodes, and then reconstructs a weighted soft-link graph amenable to efficient embedding and clustering. The transformed graph is processed using LINE (Large-scale Information Network Embedding) for representation learning, followed by HDBSCAN (Hierarchical Density-Based Spatial Clustering of Applications with Noise) for density-based cluster discovery. Experiments on a real-world payment platform dataset demonstrate that our approach achieves significant graph size reduction (from 25 million to 7.7 million nodes), doubles the detection coverage compared to hard-link-only baselines, and maintains high precision across identified fraud clusters. Our framework provides a scalable and practical solution for industrial-scale fraud detection systems.

Figures (6)

• Figure 1: Illustration of a fraud network. Fraudulent actors (dark figures) and legitimate users (blue figures with checkmarks) are connected through shared devices (phones with red backgrounds) and payment instruments (credit cards). These connections form implicit networks that can be detected through graph-based analysis.
• Figure 2: Overview of the proposed graph transformation framework. (a) Original heterogeneous graph with account nodes (teal circles) connected by hard links (red solid lines: phone, email, credit card, national ID) and soft links (blue dashed lines: device fingerprint, IP address, cookie). (b) Hard-link connected components are identified: Component 1 ($S_1$, red background) containing accounts A1, A2, A4, A5, and Component 2 ($S_2$, green background) containing accounts A6, A7, A9, A10, A11. Singletons A3 and A8 have no hard links. (c) Transformed graph where components are merged into super-nodes (orange rounded rectangles), connected only by weighted soft links. Edge weights reflect the number of aggregated soft links between super-nodes.
• Figure 3: Example of a heterogeneous account graph. User accounts (circles with green borders) are connected to various entities including phones, emails, IP addresses, credit cards, bank accounts, and ID documents (shown as boxes with green borders). Blue arrows represent strong connections between accounts and entities, while grey lines indicate weaker behavioral associations.
• Figure 4: Illustration of hard links vs. soft links in the graph transformation process. Upper region (Hard-Link Component 1): Accounts A, B, and C are connected by hard links (sharing verified credentials: phone, email, card). These form a tightly connected component that will merge into a single super-node. Lower region (Hard-Link Component 2): Accounts D and E share hard links (ID, bank account), forming another super-node. Cross-component soft links (dashed lines): Behavioral associations (shared device fingerprint between A and D; shared IP address between C and E) connect accounts from different hard-link components. After transformation, these soft links become weighted edges between the two resulting super-nodes. Within-component soft links: If any soft link exists between accounts within the same hard-link component (not shown), it would be discarded as redundant since those accounts already merge into one super-node.
• Figure 5: Complete fraud detection pipeline (Algorithm \ref{['alg:pipeline']}) illustrated in four stages. Stage 1 (Original Graph): Heterogeneous account network with user accounts (nodes) connected via hard links (e.g., shared phones, emails, cards—shown as solid lines) and soft links (e.g., shared devices, IPs—shown as dashed lines). Multiple link types create complex connectivity patterns. Stage 2 (Transformed Graph): Hard-link connected components are merged into super-nodes (larger circles), reducing the graph from 25M accounts to 7.7M super-nodes. Soft links between accounts in different super-nodes become weighted edges between super-nodes (edge thickness indicates aggregated weight). Soft links within the same super-node are discarded as redundant. Stage 3 (Node Embedding): LINE projects each super-node into a 128-dimensional embedding space that preserves network proximity. Visualization shows 2D projection where similar super-nodes cluster together. Stage 4 (Clustering): HDBSCAN identifies dense regions in embedding space as fraud clusters (highlighted with red dashed circles). Each cluster represents a potential fraud ring, prioritized by risk score for analyst review.

Theorems & Definitions (6)

• definition 1
• definition 2
• definition 3
• definition 4
• definition 5
• definition 6