
AEGIS Live — Real-Time Streaming AML

Real-time AML surveillance that scores live Bitcoin transactions the instant they arrive — a streaming graph + ML ensemble, explained alerts, and drafted SARs.

The problem

Money laundering is confirmed retrospectively — live blockchain data never arrives with a "laundered: yes/no" label. So a credible system does what every real production AML stack does: it scores in real time, and humans confirm later. Live red flags are predictions; only sanctions exact-hits are ground truth.

The hard part is the combination: resilient live ingestion, an event bus that survives bursts, a sliding-window graph, a graph/ML ensemble, on-chain sanctions screening, and a GenAI SAR layer — all inside a low-latency budget, on free infrastructure.

Architecture

  1. Resilient WS ingestion

     BTC mempool + exchange ticker, per-feed reconnect, exponential backoff, heartbeat.

  2. Event bus

     Bounded queue with drop-oldest backpressure and adaptive sampling when it backs up.

  3. Rolling graph

     Sliding-window in-memory transaction graph (NetworkX); nodes age out.

  4. Live feature builder

     Strict train↔live parity — the live builder and the model share one FEATURE_NAMES list.

  5. Ensemble scoring

     Sanctions screen (exact + N-hop) | LightGBM | IsolationForest anomaly → a human-readable reason.

  6. Alert engine

     Threshold + dedup + rate-limit.

  7. Explain + SAR

     Subgraph explanation + LLM-drafted SAR (LiteLLM; deterministic template fallback).

  8. WebSocket hub → Wall

     Pushes to the Surveillance Wall UI; Postgres/SQLite store underneath.
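
The rolling graph (step 3) and the exact + N-hop sanctions screen (step 5), sketched as an added example that is not the project's own code. It uses plain dicts instead of NetworkX so it runs stand-alone and treats hops as undirected; the class name, the "clear" label and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class RollingGraph:
    """Sliding-window transaction graph; edges older than window_s age out."""
    def __init__(self, window_s):
        self.window_s = window_s
        self.edges = deque()  # (ts, src, dst) in arrival order
        self.adj = defaultdict(lambda: defaultdict(int))  # live edge counts

    def add_tx(self, ts, src, dst):
        self.edges.append((ts, src, dst))
        self.adj[src][dst] += 1
        self.adj[dst][src] += 1  # assumption: proximity is undirected
        self._evict(ts - self.window_s)

    def _evict(self, cutoff):
        while self.edges and self.edges[0][0] < cutoff:
            _, src, dst = self.edges.popleft()
            for a, b in ((src, dst), (dst, src)):
                self.adj[a][b] -= 1
                if self.adj[a][b] == 0:
                    del self.adj[a][b]
                if not self.adj[a]:
                    del self.adj[a]  # node with no live edges ages out

    def screen(self, addr, sanctioned, max_hops=2):
        """Return (label, hops). Only an exact list hit is 'confirmed'."""
        if addr in sanctioned:
            return ("confirmed", 0)  # set lookup, independent of the window
        seen, frontier = {addr}, [addr]
        for hops in range(1, max_hops + 1):  # breadth-first, one level per hop
            nxt = []
            for node in frontier:
                for nb in self.adj.get(node, ()):
                    if nb in sanctioned:
                        return ("suspected", hops)
                    if nb not in seen:
                        seen.add(nb)
                        nxt.append(nb)
            frontier = nxt
        return ("clear", None)

if __name__ == "__main__":
    sanctioned = frozenset({"addr_S"})  # constructed, not a real list entry
    g = RollingGraph(window_s=60)
    g.add_tx(0, "addr_S", "addr_A")  # constructed transactions
    g.add_tx(10, "addr_A", "addr_B")
    print(g.screen("addr_B", sanctioned))  # 2 hops from the listed address
    g.add_tx(100, "addr_X", "addr_Y")  # window moves on; old edges evicted
    print(g.screen("addr_B", sanctioned))
```

Because the proximity result depends on what is still inside the window, the same address can move from "suspected" to "clear" as edges age out, while an exact hit stays "confirmed" regardless of graph state.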

Key tradeoffs

LightGBM + set-lookup sanctions on the fast path; heavier graph work off the hot loop.

Why · A single-digit-millisecond p95 budget, measured and CI-gated. Latency is a feature here.

One FEATURE_NAMES list shared by the live builder and the trained model, enforced by a parity CI gate.

Why · Train/serve skew is the silent killer of streaming ML — the gate fails the build on drift.

Honest labels — only sanctions exact-hits are "confirmed"; everything else is "risk / suspected".

Why · Live data has no laundering label; claiming otherwise would be dishonest.

Graceful degradation everywhere: feed down → demo source, model missing → heuristic, LLM down → template SAR, Postgres unset → SQLite.

Why · A live wall must always have motion; nothing takes the system fully down.

Eval results

Fast-path latency: single-digit-ms p95

p50/p95/p99 measured and displayed; a CI gate enforces the budget.

Detection: PR-AUC (high)

Synthetic AMLSim-style typologies — fan-in/out, peeling, pass-through — in live-parity features; Elliptic-swappable for labeled history.

Feature parity: enforced

Live builder and model share FEATURE_NAMES; the parity gate fails the build on drift.

Production proof

The artifact that keeps the numbers honest — the eval harness / monitoring gates that run in CI, not a one-off notebook result.

Eval / CI gates + nightly lists

CI · passing
Feature parity gated
Fast-path p95 gated
Detection PR-AUC / recall gated

aegis/eval/gates.py runs in CI on every push; a GitHub Action refreshes the OFAC sanctions list nightly.

Demonstrates the rare full stack — live ingestion, backpressure, a streaming graph, a graph/ML ensemble, sanctions screening, and a GenAI SAR layer — shipped as one low-latency system, solo, for $0.

Let's talk

I'm focused on finance AI — credit risk, RegTech, AML, and agentic investment research. Open to roles, mentorship, and collaborators in fintech, quant, and bank AI.