Antifraud Module

The Antifraud Module monitors financial transactions in real time and applies a configurable rules engine to calculate a risk score. When the score exceeds the high-risk threshold, the operation is automatically blocked and logged for later review in the BackOffice panel.

Transaction types monitored: PIX (deposit and transfer), Crypto (deposit and withdrawal), PIX→Crypto conversion, Internal and external transfers.

What you can do here

• View the antifraud log — browse all analyzed transactions; filter by risk level, block status, and operation type.
• Manage the Blacklist — add, query, and remove PIX keys, wallets, and addresses considered suspicious.
• Manage the Whitelist — mark wallets and keys as trusted to reduce false positives.
• Review blocked transactions — analyze the block reason (triggered rules and score) and, if warranted, manually release the operation.

Prerequisites

Requirement	Detail
Antifraud audit permission	Access to the log and the lists (see the Audit group in the menu)
Target user with status === 'APPROVED'	Required to manually release a blocked transaction

For specific permission details, see Audit → Antifraud Log and Blacklist.

How the risk score works

Each transaction goes through a set of rules specific to its operation type. Each rule that fires adds its weight to the total score.

Score	Risk Level	System Action
0 – 39	Low	Automatically approved
40 – 99	Medium	Approved; flagged for optional manual review
≥ 100	High	Automatically blocked (wasBlocked = true)

Rules with weight −999 act as exceptions: if a similar transaction was previously approved, the score is offset and the block does not occur.

Rules by operation type

PIX — Deposit (pix_deposit)

Rule	Description	Weight
pix_key_mismatch	PIX key does not belong to the user	80
high_value_deposit	Deposit > R$ 20,000	50
high_frequency_deposits	More than 3 deposits in 1 hour	30
multiple_remitters	More than one sender in 24 hours	60
night_time_deposit	Deposit between 00:00 and 06:00	30
fast_crypto_withdraw_after_deposit	Crypto withdrawal within 5 min after the deposit	80
new_device_or_ip	New IP or device	20

Crypto — Deposit (crypto_deposit)

Rule	Description	Weight
wallet_not_whitelisted	Wallet never registered before	50
mixer_origin_detected	Received from a mixer or privacy pool	100
from_exchange_without_kyc	Received from an exchange without KYC	80
above_average_crypto	Amount 3× above the user's average	40
triangulated_funding	Received shortly after a withdrawal from another account	90

PIX — Transfer (pix_transfer)

Rule	Description	Weight
hasPreviouslyApprovedSimilarTransaction	Similar transaction already approved	−999
high_frequency_pix	More than 5 PIX sent in 1 hour	30
high_value_in_short_time	More than R$ 10,000 in 1 hour	50
blacklisted_recipient	Recipient PIX key is on the blacklist	100
night_transfer	Transfer > R$ 1,000 between 00:00 and 06:00	40
new_recipient	New recipient (never received before)	30
pix_crossed_flow	PIX in with immediate PIX out	50
unusual_ip_or_device	IP or device different from usual	20

Crypto — Withdrawal (crypto_withdraw)

Rule	Description	Weight
hasPreviouslyApprovedSimilarTransaction	Similar transaction already approved	−999
high_value_withdraw	Withdrawal > R$ 20,000	70
unverified_wallet	Wallet without associated KYC	50
multiple_destinations	More than 3 destinations on the same day	60
withdraw_after_suspicious_pix	Recent suspicious PIX before the withdrawal	80
device_new_for_withdraw	New device	30
ip_different_for_withdraw	IP diverges from history	20
to_blacklisted_destination	Destination is a mixer or anonymous exchange	100

PIX → Crypto Conversion (pix_crypto_conversion)

Rule	Description	Weight
immediate_conversion	Conversion with balance received less than 5 min ago	40
high_frequency_conversions	3 or more conversions in 1 hour	50
external_wallet_not_verified	External wallet not verified	60
wallet_not_linked_to_user	Crypto address not linked to the user	80
pix_from_third_party_to_crypto	PIX from a third party converted directly to user's crypto	90
atypical_conversion_value	Amount 5× above the historical average	40

Internal Transfer (internal_transfer)

Rule	Description	Weight
hasPreviouslyApprovedSimilarTransaction	Similar transaction already approved	−999
high_value_deposit	Amount > R$ 20,000	50
pix_crossed_flow	Internal crossed flow (in and immediate out)	50
withdraw_after_suspicious_pix	Recent suspicious PIX	80
unusual_ip_or_device	New IP or device	20

External Transfer (external_transfer)

Rule	Description	Weight
hasPreviouslyApprovedSimilarTransaction	Similar transaction already approved	−999
high_value_deposit	Amount > R$ 20,000	50
night_time_deposit	Transfer between 00:00 and 06:00	30
to_blacklisted_destination	Destination account is on the blacklist	100
unusual_ip_or_device	New IP or device	20

Sanctioned wallets (OFAC)

The system automatically synchronizes the blacklist with the OFAC (Office of Foreign Assets Control) sanctioned crypto-asset address lists:

• https://sanctionslist.ofac.treas.gov/Home/SdnList
• https://github.com/0xB10C/ofac-sanctioned-digital-currency-addresses

Any wallet present in these lists is automatically added to the blacklist and triggers the to_blacklisted_destination rule (weight 100, high risk level).

Related pages

• Antifraud Log — querying and filtering all analyzed transactions
• Blacklist — managing suspicious keys and wallets
• Whitelist — managing trusted keys and wallets
• Audit Alerts — notifications for high-risk events

Technical reference — Internal architecture

• AntifraudTransactionMapper — standardizes PIX, crypto, and transfer inputs into the antifraud model.
• AntifraudCoreHandler — processes and records each analyzed transaction.
• AntifraudRuleEngineService — evaluation engine; loads rules from antifraud_rules_by_category.json (can be versioned separately, no new code deploy required).
• AntifraudService — implements the function for each rule (e.g., hasFrequentDeposits, isNightDeposit).
• AntifraudTransactionDao — persists analyzed transactions.
• The rules file can be updated without a new code deploy.