OffBooksAI

This era's Anti-AI AI: built for the age of AI-powered fraud.

Comment

What it does

OffBooksAI is a real-time adversarial fraud detection system. A red-team AI (FraudGPT) continuously generates novel money laundering attacks — fan-outs, circular routing, binary tree splits, micro-transfer chains — while a blue-team AI (DefenseAI) monitors every transaction, identifies fraud rings through graph analysis, and automatically writes new detection rules every time an attack slips through. No human in the loop. No deployment cycle. Seconds.

The system runs on two modes. Battle Mode is fully autonomous — the two AIs spar in a continuous loop, with the live transaction graph updating in real time, color-coded by risk. Attack Mode gives manual control across five difficulty levels, from textbook fan-out structuring to near-invisible stealth transfers. Both modes share the same rule engine, so rules DefenseAI writes during a battle are immediately active when you manually launch an attack.

Every detection generates a full AI-written investigation report grounded in FATF financial crime typologies — not just an alert, but a case file: what happened, why it's fraud, the evidence, and what to do.

How we built it

The stack has three layers working together:

ML layer — XGBoost trained on 10,000 real Kaggle credit card fraud transactions, SMOTE-balanced to handle the 1.51% fraud rate. Loaded frozen at startup and used for per-transaction inference on every round.

Graph layer — NetworkX-powered graph engine running PageRank, betweenness centrality, and Louvain community detection on the live transaction network. Each round, RingScout scores suspicious clusters using a weighted blending formula across all active rules.

LLM layer — Both FraudGPT and DefenseAI are powered by GPT-OSS-120B through HuggingFace inference endpoints. We built a dual-endpoint async client with automatic failover, null-content guards, and a fallback strategy library so the demo stays live even when endpoints are slow.

The frontend is a single HTML file — D3.js for the force-directed transaction graph with directional arrows and dollar-amount edge labels, Server-Sent Events for real-time streaming, and a design built specifically so someone with zero technical background can follow what's happening.

Challenges we ran into

LLM reliability under demo conditions. HuggingFace inference endpoints return null content when overloaded, causing silent crashes deep in the agent loop. We built a two-endpoint failover, a guaranteed non-null return path, and a diverse fallback strategy library — so even complete LLM failure produces varied, meaningful behavior rather than a frozen screen.

Counter independence. Both tabs originally shared the same state dictionary in the backend, so one attack launched in Attack Mode would appear on Battle Mode's scoreboard. Separating attack_state and battle_state required tracing every counter increment across four interdependent functions.

Graph readability. Fraud ring nodes would scatter across the canvas because D3's force simulation doesn't know they're related. We added a custom clustering force that continuously nudges flagged nodes toward their ring's centroid, combined with pre-seeded starting positions and stronger inter-ring link physics.

Making it explainable. Every technical term we used internally — "PageRank anomaly," "fan_out," "ml_consensus" — meant nothing to a non-technical judge. We rebuilt the UI three times, replacing jargon with plain English throughout, and reduced agent panels to a single sentence each with full detail available on click.

Accomplishments that we're proud of

DefenseAI genuinely works. After an hour of continuous battling it had written 39 new rules — each named, described, and immediately active — on top of 10 pre-loaded ones. That's not a simulation. Those rules were written by the LLM in response to real evasions, and they meaningfully changed the system's detection behavior.

The ML model hits AUC 0.9999 with zero missed fraudulent transactions on the test set. On real Kaggle data with a realistic class imbalance.

We built the entire system — ML pipeline, five-agent backend, real-time graph frontend, dual-endpoint LLM infrastructure — in 24 hours.

And we made it legible. The live transaction graph, the plain-English outcome cards, the single-sentence agent status panels — someone who has never heard of a fraud ring can watch the demo and understand what's happening. That matters as much as the technical results.

What we learned

Static systems are solved problems. The interesting question is always: what happens when the attacker adapts?

Building FraudGPT as a genuine adversary — one that tracks its failures, avoids caught patterns, and changes topology each round — forced DefenseAI to be genuinely robust rather than just memorizing known attacks. That tension is what makes the system work. The product isn't the model. It isn't the rules. It's the loop.

We also learned that reliability is a feature. An AI system that crashes during a demo is worse than one that produces a slightly worse answer. Every engineering decision in the LLM layer — the failover, the null guards, the fallback library — was made because demo conditions are adversarial in their own way.

What's next for OffBooksAI

The immediate next step is persistence — right now DefenseAI's learned rules reset when the server restarts. Storing the rule graph in a database means every session builds on every previous session. The system gets permanently smarter over time, not just within a single demo window.

Beyond that, three directions:

Real transaction feeds. Plugging into a bank's transaction stream via API rather than replaying Kaggle data. The agent architecture is already built for this — only the data source changes.

Multi-institution learning. Rules DefenseAI writes in response to attacks at one institution could be shared (anonymized) across a network of banks. A new laundering technique that appears at one bank gets a rule written within seconds — and that rule propagates to every institution in the network before the same attack can be attempted elsewhere.

Regulatory integration. The investigation reports are already grounded in FATF typologies. The next step is structured output into SAR (Suspicious Activity Report) format, so DefenseAI doesn't just detect fraud — it files the paperwork.

Built With

Share this project:

Updates