Transforming Risk Control using Real-World Graph Algorithms with NebulaGraph

In our earlier post, What Are Graph Algorithms—and How Can They Solve Real Business Problems?, we showed how graphs reveal hidden patterns in networks. Now, let’s get practical.

Financial crime has evolved. Today’s fraudsters don’t act alone, and they operate in coordinated rings, sharing devices, IPs, and identities to bypass rule-based systems. Traditional databases miss these signals because they analyze records in isolation.

Graph databases like NebulaGraph change that. They enable three powerful algorithms that detect, dissect, and disable fraud at scale. In this blog, we’ll explain exactly how and what it takes to deploy them in production.

Why Risk Control Needs Graphs

Fraud is a team sport. Whether it’s loan stacking, coupon abuse, or fake reviews, attackers rely on shared infrastructure: the same phone number, device ID, or IP address reused across dozens of accounts.

A relational table sees only rows.

A graph sees the network.

In a property graph:

Nodes = users, devices, IPs, accounts, and products
Edges = logins, transactions, shared contacts, co-applications
Properties = timestamps, amounts, risk labels, verification status

This structure captures the relational DNA of fraud, enabling algorithms to spot collusion that’s invisible in flat data.

Three Essential Graph Algorithms for Risk Control

Connected Components: Uncovering Hidden Fraud Rings

Core Idea:

Group all entities that are connected—directly or indirectly—into a single “component.” If Account A shares a device with Account B, and B logs in from an IP also used by Account C, all three belong to the same group.

Why It Works:

Individual fake accounts often look normal. But as part of a group, their collective behavior, like bulk registration or synchronized ordering, becomes obvious.

Use Cases:

Spam Registration Gangs: Cluster accounts linked via shared IPs/devices. Flag the entire group if one member is confirmed fraudulent.
Order-Boosting Rings: Detect merchants colluding with 100+ accounts by grouping “account → product → shipping address → payment device” paths.

Best Practices:

Filter out small components (<5 nodes) to avoid false positives from families or coworkers.
Assign higher weights to “account–device” edges than “account–IP” (devices are harder to spoof).

In NebulaGraph: Use GET SUBGRAPH to extract components, then apply business logic in downstream services.

Degree Centrality: Pinpointing the Core Infrastructure of Fraud

Core Idea:

Measure how many direct connections a node has. High out-degree (e.g., one IP logging into 100 accounts) or high in-degree (e.g., one device used by 50 accounts) signals shared attack infrastructure.

Why It Works:

Instead of blocking hundreds of accounts, you neutralize the resource enabling them. One banned device can stop an entire operation.

Use Cases:

Malicious IPs/Devices: An IP with 50+ new, unverified accounts in a week is likely a botnet.
Account Farming Brokers: “Hub” accounts that invite or link hundreds of sub-accounts show extreme out-degree.

Best Practices:

Compute degree separately per relationship type (e.g., “device–account” vs. “IP–account”).
Use sliding time windows (e.g., last 7 days) to ignore long-term legitimate sharing.

In NebulaGraph: Run real-time degree queries with MATCH (n)-[e]->() RETURN count(e).

Dense Subgraph Mining: Isolating True Fraud Cells Within Noisy Networks

Core Idea:

Find clusters where most nodes are directly connected to each other—not just loosely linked through intermediaries. These “dense subgraphs” mirror real-world fraud cells.

Why It Works:

Large connected components often mix multiple independent gangs (e.g., one using a proxy pool for coupon abuse, another for fake reviews). Dense subgraph mining separates them for precision action.

Use Cases:

Multi-Gang Resource Sharing: Split one big component into distinct subgraphs, and then apply tailored rules (block orders for one, restrict coupons for another).
Cross-Platform Fraud: Link app, mini-program, and web accounts via shared devices/phones into a single dense cluster—even if no single platform shows red flags.

Best Practices:

Use Louvain (for hierarchical clustering) or Label Propagation (LPA) (for speed and simplicity)—both natively supported in NebulaGraph.
Tag subgraphs by behavior (e.g., “high-frequency ordering” → “brushing gang”).
Set a density threshold (e.g., ≥30% internal connectivity) to avoid over-clustering.

In NebulaGraph: Run CALL louvain() or CALL lpa() directly in GQL—no data export needed.

Key to Implementing Graph Algorithms in Risk Control

Running an algorithm in a notebook isn’t the same as stopping fraud in production. Based on real deployments at banks, insurers, and e-commerce platforms, here’s what actually works:

1. Design Your Graph Schema Around Behavior, Not Just Entities

Don’t just model “user” and “transaction.” Include risk-relevant relationships:

USED_DEVICE, LOGGED_IN_FROM_IP, SHARED_CONTACT_WITH, ORDERED_SAME_PRODUCT_AS

Clear edge semantics make algorithms more accurate and queries more intuitive.

2. Run Algorithms Natively, Avoid Data Export Bottlenecks

Many teams export graph data to Python or Spark for analysis. This adds latency, complexity, and sync issues.

NebulaGraph runs 20+ algorithms natively—from PageRank to Louvain—on live data, with results written back as node properties for instant scoring.

Algorithm	Description	Scenario	Properties name	Properties type
PageRank	The rank of pages	Web page ranking, key node mining	pagerank	double/string
Louvain	Louvain	Community mining, hierarchical clustering	louvain	int/string
KCore	K core	Community discovery, financial risk control	kcore	int/string
LabelPropagation	Label propagation	Information spreading, advertising, and community discovery	lpa	int/string
Hanp	Label propagation advanced	Community discovery, recommendation system	hanp	int/string
ConnectedComponent	Weakly connected component	Community discovery, island discovery	cc	int/string
StronglyConnectedComponent	Strongly connected component	Community discovery	scc	int/string
ShortestPath	The shortest path	Path planning, network planning	shortestpath	string
TriangleCount	Triangle counting	Network structure analysis	trianglecount	int/string
GraphTriangleCount	Graph triangle counting	Network structure and tightness analysis	count	int
BetweennessCentrality	Intermediate centrality	Key node mining, node influence computing	betweenness	double/string
ClosenessCentrality	Closeness centrality	Key node mining, node influence computing	closeness	double/string
DegreeStatic	Degree of statistical	Graph structure analysis	degree,inDegree,outDegree	int/string
ClusteringCoefficient	Aggregation coefficient	Recommendation system, telecom fraud analysis	clustercoefficient	double/string
Jaccard	Jaccard similarity	Similarity computing, recommendation system	jaccard	string
BFS	Breadth-First Search	Sequence traversal, shortest path planning	bfs	string
DFS	Depth-First Search	Sequence traversal, shortest path planning	dfs	string
Node2Vec	-	Graph classification	node2vec	string

Fig: Some Graph Algorithms Natively Supported by NebulaGraph

3. Combine Structural Signals with Behavioral Rules

Algorithms find suspicious groups; business logic decides what to do. Example workflow:

Step 1: Run connected components nightly
Step 2: Tag components where >30% of accounts are high-risk
Step 3: At login time, check if the user belongs to a tagged component → trigger step-up auth

This hybrid approach balances automation with control.

4. Prioritize Explainability for Compliance & Trust

Risk teams need to justify decisions. Use NebulaGraph visualization tools to:

Visualize detected communities
Trace paths between flagged accounts
Export subgraphs as audit evidence

5. Automate Retraining with Fresh Data

Fraud tactics evolve weekly. Set up pipelines to:

Ingest streaming events (via Kafka or Flink)
Re-run community detection daily
Update risk scores in real time

Static graphs become obsolete fast.

Conclusion:

You need relationship intelligence to fight modern fraud. And that starts with three proven graph algorithms:

Connected Components expose hidden fraud rings by grouping indirectly linked accounts.
Degree Centrality identifies core attack infrastructure like shared devices or IPs, so you can disable dozens of bad actors with one action.
Dense Subgraph Mining (via Louvain or LPA) isolates true fraud cells within noisy networks, enabling precise, targeted responses.

But algorithms alone aren’t enough. Success requires:

✅ A behavior-aware graph schema

✅ Native execution (no data exports)

✅ Integration with real-time decision engines

✅ Visual explainability for analysts

This isn’t theoretical. Organizations across fintech, Web3, and e-commerce are already using NebulaGraph to turn relationship data into a strategic defense layer:

BlockSec leverages graph technology to trace cross-chain money laundering flows and detect suspicious wallet clusters in real time (read how).
In stablecoin ecosystems, graph models monitor billions in transactions to uncover coordinated wash trading and reserve manipulation (see the case study).
Web3 platforms rely on graphs to manage sybil attacks and governance collusion, where traditional tools fail completely (why graphs win in Web3 risk).
Easy Cash built a real-time anti-fraud engine that blocks loan stacking rings the moment they form—cutting losses by 40% (learn more).
Global payment leader Airwallex uses NebulaGraph to detect merchant collusion and synthetic identities across 130+ countries (explore their architecture).
Akulaku scaled its intelligent risk platform to process millions of daily events, using connected components and dense subgraphs to stop fake applications before approval (read the full story).

The pattern is clear: when fraud becomes networked, defense must become relational. The question isn’t if you should adopt graph-based risk control, but how quickly you can deploy it.

Ready to map your fraud network?

→ Try NebulaGraph Cloud free for 14 days

→ Contact us