| { |
| "version": 1, |
| "seed": 42, |
| "histories_path": "data/synthetic/token_ids.npy", |
| "stage_names": [ |
| "pre_attack", |
| "probing", |
| "monetization", |
| "exfiltration", |
| "dormant" |
| ], |
| "type_names": [ |
| "victim_fraud", |
| "account_takeover", |
| "scam_redirected", |
| "declined_legit" |
| ], |
| "cast": [ |
| { |
| "pattern": "probing_then_takeover", |
| "display_name": "Customer A \u2014 card just got tested", |
| "customer_idx": 16, |
| "flagged_idx": 39, |
| "stage_label": 1, |
| "stage_label_name": "probing", |
| "type_label": 1, |
| "type_label_name": "account_takeover", |
| "description": "3+ small-amount CNP transactions in the 6-tx window before tx39, and the flagged transaction uses a device that appears nowhere else in the history. Probing in progress on a compromised card.", |
| "context_text": "Upstream fraud detector escalated transaction 39 at score 0.84. Assess pattern stage and type.", |
| "diagnostics": { |
| "probe_density": 5, |
| "post_attack_density": 0, |
| "novel_device": true, |
| "signature_clean": false, |
| "recent_authorize_density": 7 |
| }, |
| "original_customer_idx": 147105 |
| }, |
| { |
| "pattern": "exfiltration_takeover", |
| "display_name": "Customer B \u2014 full attack chain", |
| "customer_idx": 6, |
| "flagged_idx": 11, |
| "stage_label": 3, |
| "stage_label_name": "exfiltration", |
| "type_label": 1, |
| "type_label_name": "account_takeover", |
| "description": "Probing cluster preceding the flag AND multiple large unfamiliar-merchant charges around tx11. Novel device. Mature account takeover; the attacker is harvesting.", |
| "context_text": "URGENT: tx 11 flagged at 0.92. Pre-decline window closing \u2014 classify now.", |
| "diagnostics": { |
| "probe_density": 0, |
| "post_attack_density": 3, |
| "novel_device": true, |
| "signature_clean": false, |
| "recent_authorize_density": 0 |
| }, |
| "original_customer_idx": 34242 |
| }, |
| { |
| "pattern": "monetization_victim", |
| "display_name": "Customer C \u2014 handed over card info", |
| "customer_idx": 0, |
| "flagged_idx": 22, |
| "stage_label": 2, |
| "stage_label_name": "monetization", |
| "type_label": 0, |
| "type_label_name": "victim_fraud", |
| "description": "Probing-then-big-purchase pattern at tx22, but the device fingerprint matches the customer's normal devices. Customer likely shared credentials under social engineering.", |
| "context_text": "Investigation requested for transaction 22. Upstream model score 0.78. Stage + type?", |
| "diagnostics": { |
| "probe_density": 3, |
| "post_attack_density": 1, |
| "novel_device": false, |
| "signature_clean": false, |
| "recent_authorize_density": 0 |
| }, |
| "original_customer_idx": 7105 |
| }, |
| { |
| "pattern": "scam_redirected", |
| "display_name": "Customer D \u2014 romance scam pattern", |
| "customer_idx": 7, |
| "flagged_idx": 22, |
| "stage_label": 1, |
| "stage_label_name": "probing", |
| "type_label": 2, |
| "type_label_name": "scam_redirected", |
| "description": "Customer's last 16 transactions show 5+ CNP charges to unfamiliar merchants on the customer's own device. Pattern consistent with customer-authorized scam payments.", |
| "context_text": "Hey, tx 22 pinged the fraud detector at 0.66. What's going on?", |
| "diagnostics": { |
| "probe_density": 4, |
| "post_attack_density": 0, |
| "novel_device": false, |
| "signature_clean": false, |
| "recent_authorize_density": 5 |
| }, |
| "original_customer_idx": 44699 |
| }, |
| { |
| "pattern": "dormant_false_positive", |
| "display_name": "Customer E \u2014 false alarm", |
| "customer_idx": 10, |
| "flagged_idx": 28, |
| "stage_label": 4, |
| "stage_label_name": "dormant", |
| "type_label": 3, |
| "type_label_name": "declined_legit", |
| "description": "Flagged transaction matches the customer's normal signature: home country, CVV match, AVS match, familiar merchant, no probe cluster, no exfil density. Likely an upstream rules false-positive.", |
| "context_text": "Investigator review on tx 28 (detector 0.61). Need stage + type.", |
| "diagnostics": { |
| "probe_density": 0, |
| "post_attack_density": 0, |
| "novel_device": false, |
| "signature_clean": true, |
| "recent_authorize_density": 0 |
| }, |
| "original_customer_idx": 75149 |
| }, |
| { |
| "pattern": "pre_attack_signal", |
| "display_name": "Customer F \u2014 early warning", |
| "customer_idx": 13, |
| "flagged_idx": 25, |
| "stage_label": 0, |
| "stage_label_name": "pre_attack", |
| "type_label": 1, |
| "type_label_name": "account_takeover", |
| "description": "Single anomalous transaction at tx25 with no chain evidence yet (no probe cluster, no exfil density). Device is novel. Recommended response: step-up authentication and continued monitoring.", |
| "context_text": "tx25 flagged @ 0.71. Classify.", |
| "diagnostics": { |
| "probe_density": 0, |
| "post_attack_density": 0, |
| "novel_device": true, |
| "signature_clean": false, |
| "recent_authorize_density": 3 |
| }, |
| "original_customer_idx": 96744 |
| } |
| ], |
| "subset_note": "customer_idx values have been remapped to [0, N) for HF Space deployment. original_customer_idx preserves the source pool index." |
| } |