Transformation Chain in Money Laundering & Fraud Detection

Money transfer operators and mobile money platforms process millions of low-value transactions daily. Their core function, receiving value from one party and delivering it to another, is legitimate by design. That same function is what makes them structurally attractive to two distinct categories of financial crime. The first category needs to convert physical criminal proceeds into traceable digital funds. The second needs to destroy the digital traceability of stolen funds by extracting them as cash. Both use the same architecture. Both are invisible to conventional monitoring. The pattern is called the transformation chain.

‍

1. The architecture of the pattern

A transformation chain is a bounded sequential path with three distinct components. The first is an injection event, a cash-in transaction through which value enters the network from an external source, whether a cash deposit at a branch, an agent location, or an electronic funding event. The second is a P2P relay chain, a sequence of peer-to-peer transfers between intermediate accounts within the network, each one moving value one step forward without accumulation. The third is an extraction event, a cash-out transaction through which value leaves the network, either as physical cash at a point of service or as a wire transfer to an external bank account.

What defines the pattern is not the number of hops, the amounts, or the identity of the accounts. What defines it is the ordered combination of typed boundary events enclosing a relay chain: the sequence begins with an injection, proceeds through intermediaries, and terminates with an extraction. The value does not stop. It does not accumulate. It transits.

Thinsaction transformation chain fraud aml financial crime detection — *Figure 1. The canonical structure of the transformation chain.*

‍

2. Why money transfer networks are structurally exposed

The transformation chain does not exploit a vulnerability in money transfer infrastructure. It exploits its normal function. Cash-in and cash-out are the two most ordinary operations an MTO or mobile money operator processes. A P2P transfer between two users requires no commercial justification, no invoice, and no counterpart documentation. The three transaction types that constitute the transformation chain are, taken individually, the least suspicious events in the operator's daily transaction volume.

This creates a structural gap between what each individual event signals and what the sequence reveals. The gap is not accidental. It is the operational logic of the pattern.

‍

Transaction type	What it looks like individually	Its role in the chain
CASHIN	Ordinary deposit event. A customer funds their account at a branch or agent. No threshold crossed, no counterpart flagged.	Injection point. Introduces value into the network from an external source, either physical cash or an electronic funding channel.
P2P	Standard peer-to-peer transfer between two registered users. Amounts are within normal ranges. No declared purpose required.	Relay node. Moves value one step forward along the chain without accumulation. Each P2P hop adds one layer of distance between injection and extraction.
CASHOUT	Routine withdrawal or wire transfer. A customer retrieves value from their account. Individually unremarkable.	Extraction point. Removes value from the network and converts it into a different form, physical cash or external digital funds, in the hands of the ultimate beneficiary.

‍Table 1. Transaction type roles: individual appearance versus function in the chain

‍

The critical observation is that a monitoring system evaluating transactions individually will see three unremarkable events. A system evaluating the sequence will see a complete layering cycle.

‍

3. Two crimes, one structure: the modal inversion

The transformation chain is used by two distinct criminal populations for opposite purposes. What separates them is the direction of the conversion between the injection event and the extraction event, the modal direction of the chain.

‍

The AML case: converting physical criminal proceeds into digital funds

In the money laundering use case, the injection event is a physical cash deposit. The extraction event is a bank wire transfer or digital disbursement. The direction is cash-to-digital.

The operational logic is straightforward. Criminal proceeds in physical cash form, generated by drug trafficking, human smuggling, tax fraud, undeclared labor, or other predicate offences, cannot be spent, invested, or transferred internationally without first acquiring a digital form. Physical cash is inert at scale. It carries no transaction history, but it also cannot be wired, it cannot purchase financial instruments, and it accumulates storage and logistics risk.

The transformation chain solves this. Cash is deposited at an agent or branch, crossing the threshold from the physical economy into the digital network. The P2P relay chain creates temporal and relational distance between the deposit and the final outflow. The wire transfer at the end carries the appearance of a legitimate electronic payment, it has a sender, a timestamp, and a reference number. The funds have been placed and layered within a single bounded operation.

What the criminal acquires is a digital origin story for money that had none.

‍

The fraud case: extracting digital fraud proceeds into untraceable cash

In the fraud use case, the injection event is an electronic funding, a card payment, an incoming wire, or a peer transfer originating from a fraud victim. The extraction event is a physical cash withdrawal at a branch or agent. The direction is digital-to-cash.

The operational logic is the inverse. Fraud proceeds are inherently digital. A compromised card payment, an authorized push payment fraud, a business email compromise disbursement, or the proceeds of a romance scam all arrive as traceable electronic transactions. They carry the fingerprint of the victim: the originating account, the transaction reference, the timestamp, the amount. That fingerprint is the primary evidence in any fraud recovery attempt.

The transformation chain dissolves it. Electronic funds enter the network as a cash-in. The P2P relay chain moves them across accounts, creating distance from the victim's transaction. The cash withdrawal at the end converts them into an untraceable physical form. Once the cash leaves the counter, the digital trail ends. The victim's bank can freeze the sender account. It cannot recover funds that no longer exist as an electronic balance.

What the criminal acquires is physical anonymity for money that was fully traceable.

The two directional variants of the transformation chain - Thinsaction fraud aml financial crime detection — *Figure 2. The two directional variants of the transformation chain.*

‍

The diagnostic value of modal direction

The modal direction of the transformation chain is not a secondary attribute. It is the first piece of information that tells an analyst, a MLRO, or an investigator which crime they are dealing with, which upstream actors to look for, and which downstream recovery actions are available.

Dimension	AML case	Fraud case
CASHIN type	Physical cash deposit at branch or agent.	Card payment, incoming wire, or peer transfer from fraud victim.
CASHOUT type	Bank wire transfer or digital disbursement.	Physical cash withdrawal at branch or agent.
Modal direction	Physical to Digital.	Digital to Physical.
Origin of funds	Criminal proceeds from predicate offences (drug trafficking, smuggling, tax fraud, undeclared labor).	Stolen funds from card fraud, APP fraud, BEC, romance scam, account takeover.
Criminal objective	Placement: acquire a digital origin story for physically held criminal proceeds.	Extraction: destroy the digital traceability of electronically received stolen funds.
P2P chain function	Layering: creates relational and temporal distance between cash deposit and wire disbursement.	Distance: separates the fraud victim's transaction record from the cash withdrawal point.
Investigation direction	Identify the beneficial owner of the cash-in; trace predicate offence; map the mule network upstream.	Identify the fraud victim; reconstruct the original fraudulent transaction; locate the cash-out agent.
Regulatory reporting	SAR for suspected money laundering; FATF Recommendation 20 obligations.	SAR for suspected fraud proceeds; victim notification obligations where applicable.

Table 2. Comparative profile of the two variants: AML case versus fraud case

‍

The practical consequence is significant. Two alerts from the same detection system, both identifying a CASHIN-P2P-CASHOUT sequence, may require entirely different investigation workflows depending on the modal direction. A compliance team that does not capture this distinction will route both cases through a generic AML investigation process, losing the speed required to initiate fraud recovery before funds are withdrawn, and losing the evidentiary framework required to build a placement case.

‍

4. The temporal dimension: compression as a structural invariant

Across both use cases, one signal is consistent: temporal compression. The transformation chain is fast. This is not incidental. It is an operational requirement.

In the AML case, speed limits exposure. A cash deposit sitting in an account for several days accumulates behavioral history, triggers velocity rules, and creates a reviewable dwell period. Moving through the chain within hours reduces each of these risks.

In the fraud case, speed is a race against recovery. Fraud victims and their banks typically initiate recovery within hours of recognizing an unauthorized transaction. Every minute between the fraud event and the physical cash withdrawal is a minute in which the funds remain recoverable. The chain compresses that window deliberately.

The empirical result is a pattern where a complete CASHIN-to-CASHOUT cycle, injection through two or three intermediate accounts and then extraction, completes within a window of minutes to a few hours. The sequence documented below completed in 29 minutes across four events.

‍

Temporal compression in a transformation chain Thinsaction AML FRAUD financial crime detection — *Figure 3. Temporal compression in a transformation chain.*

‍

5. How the transformation chain differs from adjacent patterns

The transformation chain occupies a specific position in the typology landscape. It is related to several known patterns but is not reducible to any of them.

Smurfing, as characterized by Starnini et al. (2021) and formalized by Shadrooh and Norvag (2024), involves the fragmentation of a large amount into multiple small transactions distributed across several accounts, a scatter-gather or gather-scatter topology. The transformation chain does not fragment. It chains. A single injection point, a sequential relay, a single extraction point. The amount travels intact or with minor decay. There is no many-to-one or one-to-many fan structure.

The daisy chain, as described in the broader layering literature, is a relay sequence through a series of accounts with no typed boundary events. Any account can be an origin and any account can be a destination. The transformation chain is more constrained: the first event must be a CASHIN, the last event must be a CASHOUT. These typed boundaries are not incidental; they are the defining characteristic that gives the pattern its criminal function in the MTO context.

The funnel account pattern, documented by FinCEN (2014) and FATF, describes the convergence of multiple sources into a single account followed by onward movement. That is a many-to-one topology. The transformation chain is one-to-one-to-one-to-one: a single directed path with no convergence layer.

Pattern	Boundary structure	Directional logic	Primary signal	Relationship to transformation chain
Smurfing	No typed boundaries.	Fan-out from source, fan-in to destination.	Amount fragmentation across multiple parallel paths.	Different topology: parallel, not sequential.
Daisy chain	No typed boundaries.	Sequential relay, any origin to any destination.	Path length, relay speed, amount continuity.	Overlapping but less constrained: no typed entry/exit.
Funnel account	No typed boundaries.	Many-to-one convergence, then onward.	High in-degree at central node; geographic dispersion of sources.	Different topology: convergence, not sequential transit.
Transformation chain	Typed: CASHIN (injection) and CASHOUT (extraction).	Sequential directed path from typed entry to typed exit.	Typed boundary pair, P2P relay, temporal compression.	Distinct: typed boundaries define criminal function.

Table 3. Positioning the transformation chain within the typology landscape

‍

6. Why rule-based monitoring is structurally blind to both

The standard monitoring architecture deployed by most money transfer operators is built around transaction-level rules: thresholds on individual amounts, frequency counters over fixed windows, watchlist screening, and structuring detection based on cumulative cash below reporting limits.

Each of these mechanisms evaluates a transaction or an account in isolation. None of them evaluates a path.

The transformation chain does not cross any individual threshold because it is not designed around individual thresholds. The CASHIN amount is ordinary. The P2P transfers are ordinary. The CASHOUT amount is ordinary. No single event in the sequence triggers a rule. The pattern only becomes visible when the three events are read as a connected sequence, when the system asks not 'is this transaction suspicious?' but 'does this transaction form part of a suspicious sequence that began with a specific event type and terminates with another?'

That is a path query, not a threshold query. Rule-based monitoring systems are not designed to execute path queries across transaction types. They process rows. The transformation chain lives in the relationship between rows, specifically in the ordered relationship between typed rows within a bounded time window.

This is not a calibration failure. It is an architectural mismatch between what the monitoring system was designed to find and what the pattern requires to be found.

‍

7. From transactions to scored sequences: how detection works

Detecting the transformation chain requires three capabilities that are absent from conventional rule-based monitoring and only partially present in standard anomaly detection systems.

The first is a typed transaction graph. Transactions must be represented as directed edges in a graph where the edge type, CASHIN, P2P, or CASHOUT, is a first-class property, not a secondary attribute. Without edge typing, a CASHIN and a P2P transfer are indistinguishable graph edges, and the boundary constraints that define the pattern cannot be enforced.

The second is path extraction with temporal constraints. The system must search the typed graph for directed paths that begin with a CASHIN edge, traverse one or more P2P edges, and terminate with a CASHOUT edge, with all events falling within a defined time window. This is a subgraph query problem over a temporal multigraph. Tariq and Hassani (2023) demonstrated this class of detection at billion-scale transaction volumes. Starnini et al. (2021) showed that velocity constraints allow these queries to bypass the full computational complexity of subgraph isomorphism.

The third is multi-signal sequence scoring. Once a candidate sequence is extracted, its suspiciousness cannot be assessed by any single feature. The convergence of several signals, velocity of the chain, homogeneity of amounts across hops, recurrence of intermediate accounts across multiple chains, and the modal direction of conversion, produces a composite score that is significantly more robust than any individual indicator.

The detection pipeline for transformation chains Thinsaction AML fraud detection finance remittance — *Figure 4. The detection pipeline for transformation chains*

Analyst reading guide:

What the graph shows: A directed path of four events connecting a typed injection source to a typed extraction sink through two intermediate relay accounts. No branching, no return flow.
What the score says: The sequence is compact, fast, and internally coherent, the hallmarks of a deliberate relay operation rather than ordinary account activity.
What the modal direction tells the analyst: The CASHIN and CASHOUT types present in the event log determine the investigative direction, whether to search for predicate offence proceeds upstream or for a fraud victim downstream.
What determines escalation: The composite score qualifies the alert. The investigation that follows depends on the modal direction, the account profiles, and the recurrence of the pattern across the network.

‍

8. What the research literature says

The graph-based AML literature has converged on one consistent finding: suspicious financial behavior is structural and sequential, and detection systems that evaluate transactions in isolation systematically miss patterns that only become visible at the path level. Velocity, temporal order, and the directed flow of value between typed nodes are the signals that distinguish deliberate laundering sequences from ordinary transaction activity.

The transformation chain fits squarely within this research direction. What the existing literature has not yet addressed is the typed boundary constraint: the distinction between a generic relay chain and a sequence that begins with a typed injection event and terminates with a typed extraction event. That constraint is not a technical detail; it is what gives the pattern its criminal function in the MTO context, and it is what makes the modal direction of conversion analytically actionable.

‍

9. Regulatory standing: what is documented and what is missing

The vulnerability of money transfer operators and mobile money platforms to layering abuse is well documented by international regulatory bodies, though the transformation chain as a named, formalized typology does not appear in any existing guidance.

FATF and MONEYVAL's joint report on money laundering through money remittance and currency exchange providers (2010) established the foundational typological framework for the sector, documenting that remittance businesses have been implicated in all three stages of the laundering cycle, placement, layering, and integration, and identifying rapid fund movement, minimal account dwell time, and sequential transfer patterns as primary red flags. The report predates the mobile money era but its structural observations remain directly applicable.

FATF's Risk-Based Approach Guidance for Money or Value Transfer Services (2016) places an explicit obligation on MVTS providers to implement transaction monitoring proportionate to their documented risk exposure, including the monitoring of P2P transfer activity as a high-risk channel due to the absence of underlying commercial purpose requirements.

FATF's Professional Money Laundering report (2018) documents the use of layered mule networks operating through MVTS infrastructure, describing sequential transfer chains used to distance criminal proceeds from their origin, a structural description that maps directly to the P2P relay layer of the transformation chain.

FinCEN's 2025 notice on financially motivated sextortion schemes provides an explicit operational description of fraud proceeds being layered through P2P platform mule accounts and subsequently withdrawn as cash, a direct parallel to the fraud variant of the transformation chain, described at the level of individual case typology without formal pattern naming.

TRACFIN's annual analysis (2024) identifies payment operators and mobile money platforms as high-risk channels for rapid sequential transactions with no declared economic purpose, noting the systematic use of cash-in followed by rapid peer transfers and cash-out as a recurring pattern in suspicious activity reports.

What is absent across all of these bodies of guidance is the formal recognition of the transformation chain as a pattern defined by its typed boundary events and the diagnostic significance of modal direction. No regulator currently identifies the CASHIN type and CASHOUT type combination as an autonomous risk indicator. No guidance specifies that the direction of conversion between injection and extraction events constitutes a signal for distinguishing money laundering from fraud-related activity. This gap has operational consequences: it means that the two criminal populations using the same structural pattern are likely to receive identical investigative treatment by compliance teams following existing guidance, resulting in suboptimal outcomes for both fraud recovery and money laundering prosecution.

‍

10. A practical read for compliance and investigation teams

The transformation chain presents a detection challenge that is architectural, not parametric. Raising thresholds, adding rules, or increasing manual review capacity does not address it. The pattern is designed to remain below every individual threshold. The only response that is structurally adequate is the capacity to execute typed path queries across a temporal transaction graph.

For a compliance or investigation team working within an MTO or mobile money operator, two questions determine whether the existing monitoring programme can surface this pattern.

The first: can the system reconstruct a directed path from a CASHIN event to a CASHOUT event through intermediate P2P transactions, bounded by a time window, and score the resulting sequence as a unit rather than as a set of individual events?

The second: when such a path is identified, does the system capture the modal direction of conversion, the event types at the injection and extraction endpoints, and use that information to differentiate between a potential AML case requiring upstream investigation and a potential fraud case requiring victim identification and downstream cash recovery?

If the answer to both is no, the two criminal populations using the transformation chain are passing undetected through the same infrastructure, at the same time, in opposite directions.

The pattern is not loud. It is not large. It is not unusual in any individual dimension. Its signal is structural, sequential, and directional. That is precisely what makes it durable.

‍

References

Akoglu, L., Tong, H., & Koutra, D. (2015). Graph-based anomaly detection and description: A survey. Data Mining and Knowledge Discovery, 29(3), 626-688.
Altman, E., Blanusa, J., von Niederhauser, L., Egressy, B., Anghel, A., & Atasu, K. (2023). Realistic synthetic financial transactions for anti-money laundering models. NeurIPS Datasets and Benchmarks Track.
Australian Transaction Reports and Analysis Centre (AUSTRAC). (2024). Indicators of Suspicious Activity: Remittance Sector. Australian Government, Canberra.
Autorite de Controle Prudentiel et de Resolution (ACPR) & Tracfin. (2024). Tendances et analyse des risques de blanchiment de capitaux et de financement du terrorisme en 2023. Banque de France, Paris.
Blanusa, J., Cravero Baraja, M., Anghel, A., von Niederhauser, L., Altman, E., Pozidis, H., & Atasu, K. (2024). Graph Feature Preprocessor: Real-time subgraph-based feature extraction for financial crime detection. Proceedings of the 5th ACM International Conference on AI in Finance (ICAIF), 222-230.
Chen, Z., Van Khoa, L. D., Teoh, E. N., Nazir, A., Karuppiah, E. K., & Lam, K. S. (2018). Machine learning techniques for anti-money laundering (AML) solutions in suspicious transaction detection: A review. Knowledge and Information Systems, 57(2), 245-285.
Deprez, B., Vanderschueren, T., Baesens, B., Verdonck, T., & Verbeke, W. (2024). Network analytics for anti-money laundering: A systematic literature review and experimental evaluation. arXiv preprint arXiv:2405.19383.
Egressy, B., von Niederhauser, L., Blanusa, J., Altman, E., Wattenhofer, R., & Atasu, K. (2024). Provably powerful graph neural networks for directed multigraphs. Proceedings of the AAAI Conference on Artificial Intelligence, 38(10), 11838-11846.
Europol. (2024). European Money Mule Action (EMMA 8), Operational Results. European Union Agency for Law Enforcement Cooperation, The Hague.
Financial Action Task Force (FATF) & MONEYVAL. (2010). Money Laundering through Money Remittance and Currency Exchange Providers. FATF/OECD, Paris.
Financial Action Task Force (FATF). (2016). Guidance for a Risk-Based Approach: Money or Value Transfer Services. FATF/OECD, Paris.
Financial Action Task Force (FATF). (2018). Professional Money Laundering. FATF/OECD, Paris.
Financial Action Task Force (FATF). (2023). Illicit Financial Flows from Cyber-Enabled Fraud. FATF/OECD, Paris.
Financial Crimes Enforcement Network (FinCEN). (2019). Advisory on Imposter Scams and Money Mule Schemes Related to the Coronavirus Disease 2019 (COVID-19) Pandemic. FIN-2019-A005. U.S. Department of the Treasury.
Financial Crimes Enforcement Network (FinCEN). (2025). FinCEN Notice on Financially Motivated Sextortion Schemes. FIN-2025-NTC. U.S. Department of the Treasury.
Jensen, R. I. T., & Iosifidis, A. (2022). Fighting money laundering with statistics and machine learning. IEEE Access, 11, 8889-8903.
Jensen, R. I. T., & Iosifidis, A. (2023). Qualifying and raising anti-money laundering alarms with deep learning. Expert Systems with Applications, 214, 119037.
Johannessen, F., Yurchenko, V., Meling, H., Frid-Nielsen, S., & Stokke, O. M. (2025). Finding money launderers using heterogeneous graph neural networks. Journal of Finance and Data Science, 11, 100175.
Li, X., Liu, S., Li, Z., Han, X., Shi, C., Hooi, B., Huang, H., & Cheng, X. (2020). FlowScope: Spotting money laundering based on graphs. Proceedings of the AAAI Conference on Artificial Intelligence, 34(4), 4731-4738.
Shadrooh, S., & Norvag, K. (2024). SMoTeF: Smurf money laundering detection using temporal order and flow analysis. Applied Intelligence, 54. https://doi.org/10.1007/s10489-024-05545-4
Starnini, M., Tsourakakis, C. E., Zamanipour, M., Panisson, A., Allasia, W., Fornasiero, M., Li Puma, L., Ricci, V., Ronchiadin, S., Ugrinoska, A., Varetto, M., & Moncalvo, D. (2021). Smurf-based anti-money laundering in time-evolving transaction networks. In Y. Dong, N. Kourtellis, B. Hammer, & J. A. Lozano (Eds.), Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track. ECML PKDD 2021, Lecture Notes in Computer Science, vol. 12978, pp. 171-186. Springer, Cham. https://doi.org/10.1007/978-3-030-86514-6_11
Tariq, H., & Hassani, M. (2023). Topology-agnostic detection of temporal money laundering flows in billion-scale transactions. In Machine Learning and Principles and Practice of Knowledge Discovery in Databases. ECML PKDD 2023, Communications in Computer and Information Science, vol. 2137, pp. 402-419. Springer, Cham. https://doi.org/10.1007/978-3-031-74643-7_29
Tariq, H., & Hassani, M. (2026). Extracting money laundering transactions from quasi-temporal graph representation. arXiv preprint arXiv:2604.02899.
Vilella, S., Lupi, A., Ruffo, G., Fornasiero, M., Moncalvo, D., Ricci, V., & Ronchiadin, S. (2023). Exploiting graph metrics to detect anomalies in cross-country money transfer temporal networks. Companion Proceedings of the ACM Web Conference 2023, 942-945. https://doi.org/10.1145/3543873.3587602
Wan, F., & Li, P. (2024). A novel money laundering prediction model based on a dynamic graph convolutional neural network and long short-term memory. Symmetry, 16(3), 378. https://doi.org/10.3390/sym16030378
Weber, M., Chen, J., Suzumura, T., Pareja, A., Ma, T., Kanezashi, H., Kaler, T., Leiserson, C. E., & Schardl, T. B. (2018). Scalable graph learning for anti-money laundering: A first look. arXiv preprint arXiv:1812.00076.
Weber, M., Domeniconi, G., Chen, J., Weidele, D. K. I., Bellei, C., Robinson, T., & Leiserson, C. E. (2019). Anti-money laundering in Bitcoin: Experimenting with graph convolutional networks for financial forensics. KDD Workshop on Anomaly Detection in Finance. arXiv:1908.02591.

‍

The Transformation Chain: One Pattern, Two Crimes