DEV Community

Cover image for Kafka Streams Make AI Agents Fraud Detection Smarter
Siddhartha Devineni
Siddhartha Devineni

Posted on

Kafka Streams Make AI Agents Fraud Detection Smarter

#kafka #ai #agents #frauddetection

How real-time streaming context transformed isolated AI agents into an intelligent fraud-fighting ensemble:

The $100 Transaction That Looked Normal (Until It Wasn’t):
A customer just made a $100 purchase. Looks normal, right?

Traditional fraud detection systems analyze this transaction in isolation:

  • Amount: $100 (reasonable)
  • Merchant: Familiar category
  • Location: Customer’s home city

Decision: Approve.

But here’s what they missed:

This was the customer’s 15th transaction in 3 minutes. Their average? 2 transactions per week. The previous 14 were all $5-$10 purchases at different online merchants — classic card testing before the big hit.

This is the blind spot of isolated transaction analysis.

The Real Problem: AI Without Context is Just Guessing

After working with fraud detection systems, I realized the core issue: LLMs analyze transactions like doctors examining symptoms without patient history.

Imagine telling your doctor: “I have chest pain.”

Without knowing:

  • Your medical history
  • Recent vital signs
  • Changes over time
  • Concurrent symptoms They’re just guessing. The same applies to fraud detection.

But what if AI agents could see the full picture in real-time?

Enter: Streaming Intelligence

I built a system where Kafka Streams enriches AI agents with real-time context before they analyze anything.

The Architecture:

architecture explanation

The key innovation: Instead of sending raw transactions to AI, Kafka Streams pre-processes them with:

  • Velocity context: Transaction count in the last 5 minutes
  • Customer baseline: Average amount, risk level, preferred categories
  • Behavioral delta: How much this deviates from normal

Now agents aren’t guessing because they have intelligence.

Would streaming context actually make a difference?

I simulated a card testing attack: 15 rapid $10 transactions followed by a $500 hit.

Without Streaming Context:

  • Transaction #15: $500 purchase

  • Analysis: “Unusual amount for merchant category”

  • Risk Score: 0.45 (below threshold)

Decision: APPROVED

The system saw an expensive transaction but missed the pattern.

With Streaming Context:

  • Transaction #15: $500 purchase

  • Velocity: 15 transactions in 3 minutes (customer avg: 2/week)

  • Amount delta: 10x customer average

Pattern: Progressive testing ($10 → $50 → $100 → $500)

  • BehaviorAnalyst: “Extreme velocity spike — automated behavior”
  • PatternDetector: “Classic card testing progression detected”

  • TemporalAnalyst: “Transactions every 12 seconds — scripted”

  • Risk Score: 0.92 (with streaming intelligence bonus)

Confidence: 99%
Decision: FRAUD DETECTED

The streaming context was the difference between missing fraud and catching it with certainty.

Technical Deep Dive: How It Works

Arcitecture Flowchart

Layer 1: Kafka Streams Enrichment

// Join transactions with customer profiles (KTable)
KStream enrichedStream = 
    transactionStream.join(
        customerProfileTable,
        (transaction, profile) -> 
            new EnrichedTransaction(transaction, profile)
    );

// Calculate velocity with tumbling windows
KTable<Windowed, Long> velocityCounts = 
    transactionStream
        .groupByKey()
        .windowedBy(TimeWindows.ofSizeWithNoGrace(Duration.ofMinutes(5)))
        .count();

// Combine for full streaming context
enrichedStream.join(velocityCounts, StreamingContext::create);
Enter fullscreen mode Exit fullscreen mode

Why this matters:

  • Velocity calculated in real-time (not batch ETL)
  • Customer profiles as KTables (latest state always available)
  • Exactly-once semantics (no duplicates in fraud detection)

Layer 2: Multi-Agent Analysis

Each agent gets a streaming-enhanced prompt:

STREAMING INTELLIGENCE:

  • Customer baseline: $47.23 average, 2.1 transactions/week
  • Current velocity: 9 transactions in last 5 minutes
  • Behavioral delta: 450% above average

TRANSACTION:

  • Amount: $2,500
  • Merchant: Electronics store
  • Location: Chicago, IL

Analyze this with streaming context…

Five specialists analyze in parallel:

  1. BehaviorAnalyst: “9 transactions in 5 min vs baseline 2/week = automated attack”

  2. PatternDetector: “Progressive amounts match card testing signature”

  3. GeographicAnalyst: “Location consistent, but velocity suggests takeover”

  4. RiskAssessor: “$2,500 is 53x customer average — high financial risk”

  5. TemporalAnalyst: “Transactions exactly 33 seconds apart — scripted”

Intelligent Consensus:

// Calculate base risk score (weighted voting)
double baseRiskScore = calculateWeightedRiskScore(agentInsights);

// Apply streaming intelligence bonus
double streamingBonus = 0.0;
if (streamingContext.velocityCount() > 3) {
    streamingBonus += 0.25; // High velocity
}
if (amountDelta > 3.0) {
    streamingBonus += 0.20; // Unusual amount
}

double finalRisk = baseRiskScore + streamingBonus;
Enter fullscreen mode Exit fullscreen mode

The streaming bonus is crucial: It amplifies risk when behavioral patterns deviate significantly, even if individual agents are uncertain.

Layer 3: Intelligent Routing

// Route based on confidence and risk
enrichedDecisionStream
 .split()
 .branch((key, decision) -> 
   decision.isFraudulent() && decision.confidenceScore() > 0.8,
   Branched.withConsumer(ks -> ks.to("fraud-alerts")))
.branch((key, decision) -> 
   decision.isFraudulent() || decision.requiresManualReview(), 
   Branched.withConsumer(ks -> ks.to("human-review")))
.defaultBranch(Branched.withConsumer(ks -> 
   ks.to("approved-transactions")));
Enter fullscreen mode Exit fullscreen mode

Layer 1 (Enrichment):

“Kafka Streams enriches every transaction with real-time velocity and customer baseline before AI sees it. This is the secret sauce — AI never analyzes blind.”

Layer 2 (Multi-Agent):

“Five specialized agents analyze in parallel using CompletableFuture, then the coordinator synthesizes their insights with weighted voting plus a streaming intelligence bonus for high velocity or unusual amounts.”

Layer 3 (Routing):

“Instead of dumping everything into a review queue, we intelligently route based on confidence. High-confidence fraud gets auto-blocked immediately. Uncertain cases go to analysts. This optimizes both automated blocking and human analyst time.”

Real Detection Examples

The system routes transactions based on AI confidence and fraud determination, demonstrating intelligent decision-making across the entire risk spectrum:

High-Confidence Fraud Alert: IMMEDIATE AUTO-BLOCK

  • Routed to fraud-alerts topic

Customer Profile

{
  "customerId": "CUST-001",
  "averageTransactionAmount": 253,
  "dailySpendingLimit": 4064,
  "transactionCategories": [
    "GROCERY",
    "RETAIL"
  ],
  "primaryLocation": "Los Angeles",
  "riskLevel": "LOW"
}
Enter fullscreen mode Exit fullscreen mode

Transaction Summary

{
  "transactionId": "TXN-RAPID-43a7220a",
  "customerId": "CUST-001",
  "amount": 54,
  "currency": "USD",
  "merchantId": "MERCHANT-SUSPICIOUS-5",
  "merchantCategory": "ONLINE",
  "location": "Unknown Location",
  "timestamp": "2025-10-12T17:48:44",
  "metadata": {
    "rapidFire": true,
    "channel": "ONLINE",
    "deviceId": "BOT-DEVICE-3",
    "sequence": 13
  }
}
Enter fullscreen mode Exit fullscreen mode

AI Agent Analysis (5 agents + streaming intelligence)

Phase 1: Individual Streaming-Enhanced Analysis

Agent Risk Score Key Finding
BehaviorAnalyst 85% High velocity (9 txns/5min) highly unusual for LOW-risk customer. Small amounts may be detection avoidance tactic.
PatternDetector 85% Matches card testing attack pattern: rapid transactions + small amounts + suspicious merchant.
RiskAssessor 64% Velocity multiplier (1.5x) + suspicious merchant category increases risk despite low amount.
GeographicAnalyst 85% Geographic impossibility: 9 transactions from different locations in 5 min = physically impossible travel. Unknown location suggests VPN/proxy.
TemporalAnalyst 70% High transaction volume in short timeframe indicates automated script activity.

Phase 2: Collaborative Insights

After agents debated findings:

Pattern + Temporal collaboration: High velocity + suspicious merchant = automated attack pattern
Behavior + Risk collaboration: Low-risk customer + unusual velocity = compromised account
Streaming Consensus: All factors combined indicate coordinated automated attack

Final Decision

{
  "type": "AI_FRAUD_ALERT",
  "transactionId": "TXN-RAPID-43a7220a",
  "confidence": 100,
  "priority": "HIGH",
  "finalRiskScore": "99.4%",
  "decision": "FRAUD DETECTED",
  "reason": "AI agents with streaming intelligence detected fraud",
  "intelligenceSources": [
    "Real-time velocity (9 txns/5min)",
    "Customer baseline deviation",
    "Geographic impossibility",
    "Attack pattern matching"
  ]
}
Enter fullscreen mode Exit fullscreen mode

Why was This Auto-Blocked?

Clear Attack Indicators:

  • Velocity Intelligence: 9 rapid transactions = 3x velocity threshold
  • Geographic Impossibility: Multiple locations in minutes (physically impossible)
  • Pattern Match: Small amounts + high velocity = classic card testing
  • Agent Consensus: All 5 agents agreed

Final Risk Score: 99.4% (well above 80% threshold)

Streaming Context Enhanced Decision:

  • Traditional AI: Would see isolated $54 transaction (might approve)
  • The agentic fraud engine: Kafka streams provided velocity plus baseline context → detected attack

Result: Immediate block, no human review needed

Streaming Context Detected

HIGH VELOCITY ALERT: 9 transactions in 5 minutes
Customer Baseline: $253 average, LOW risk tier
Merchant: Suspicious category (ONLINE)
Location: Unknown (potential VPN/proxy)
Amount: $54 (below average - card testing indicator)

What I Learned Building This

1. Context is King

Raw LLMs analyzing isolated data = mediocre results.
Streaming context makes AI smarter.

2. Multi-Agent > Single Agent

One agent might miss patterns, but the five specialists with weighted voting catch nuanced fraud.

3. Kafka Streams for real-time context feed

Kafka Streams is simpler, faster, and perfect for real-time AI enrichment.

4. Intelligent Routing Matters

Not all fraud is equal. Routing high-confidence cases to auto-block and uncertain ones to humans optimizes analyst time.

5. Local LLMs are Production-Ready

Llama 3.1 8B via Ollama performed surprisingly well and it will be faster than a cloud-based model. But your hardware has to support it.

The Code: Try It Yourself

The entire system is open source. One-click demo in GitHub Codespaces -no API key required.

Tech Stack:

  • Java 21 + Spring Boot 3.4
  • Kafka Streams
  • Spring AI (Groq API or local Ollama)
  • Docker

Architecture Highlights:

  • Exactly-once processing (critical for financial data)
  • Parallel agent execution (CompletableFuture)
  • Tumbling windows for velocity (5-minute windows)
  • Customer profile KTables (always up-to-date)
  • 5 custom AI agents with weighted consensus (fraud decisions)
  • Intelligent routing with confidence thresholds (branching to topics)

Real-World Applications

This architecture isn’t just academic. Here’s where it fits:

1. Financial Services

  • Credit card fraud detection
  • Wire transfer monitoring
  • Account takeover prevention

2. E-commerce

  • Checkout fraud
  • Coupon abuse detection
  • Bot attack identification

3. Gaming

  • Cheat detection
  • Account sharing identification
  • Virtual economy fraud

4. Insurance

  • Claims fraud detection
  • Application fraud screening

The pattern is universal: Any domain where real-time behavioral context enhances AI decisions.

What’s Next?

This is v1.0. Here’s what I’m considering for v2.0:

1. Feedback Loop

Currently, agents store analyst feedback but don’t retrain. Next: aggregate feedback and periodically adjust agent prompts or weights based on historical accuracy.

2. Agent Experimentation Framework

A/B test different agent configurations:

  • Which agents should have higher weights?
  • Weighted voting vs. unanimous agreement?
  • Let data decide.

3. Additional Agents

  • Device Fingerprinting Agent: Detect account takeover via device inconsistencies
  • Network Analysis Agent: Identify fraud rings using graph analysis
  • Merchant Risk Agent: Real-time merchant reputation scoring

4. Production Deployment

  • Kubernetes with Strimzi (Kafka operator)
  • Grafana dashboards for agent performance

5. Advanced Streaming Features

  • Multiple velocity windows (1-min, 5-min, 1-hour)
  • Streaming joins with external risk data (IP reputation, device intelligence)
  • Cross-customer pattern detection (fraud rings)

The Bigger Picture: Streaming + AI

This project taught me something bigger than fraud detection:

The future of AI applications is streaming-first.

We’re moving from: Batch → Model → Decision (yesterday’s data)

To:

Stream → Context → AI → Decision (now’s data)

LLMs are powerful but blind without context. Streaming pipelines provide that context in real-time.

Kafka + AI isn’t just a tech combo — it’s a paradigm shift.

Try It, Break It, Fork It

The repo is MIT licensed. Feel free to:

  • Learn from the architecture
  • Adapt for your use case
  • Contribute improvements
  • Use in production (though test thoroughly!)

If this helped you, give it a ⭐ on GitHub!

It’s a portfolio project, but also a real demonstration of where I think fraud detection (and AI systems generally) should go.

Thanks for reading! If you found this valuable, share it with your network. Let’s build smarter AI systems together.

More in-depth technical details about this system are available at: [github.com/siddharthaDevineni/agentic-fraud-engine]

Built with ❤️ for the Kafka + AI community

Top comments (0)