Autonomous fraud investigation agent built for Google's "Building Agents for Real-World Challenges" Hackathon, MongoDB Track.
On a busy match day, payment systems process thousands of transactions per hour. Fraud teams can see that something is wrong. They cannot always tell where it's coming from, who's behind it, or what to do about it before more damage is done.
Traditional dashboards surface metrics. They don't investigate.
You give the agent a single vague signal:
"Something looks wrong tonight."
The agent takes it from there. It decides what to query, interprets the result, and uses that to determine the next query. No fixed script. No predefined path.
In the demo run, starting from that one sentence, the agent:
- Established a baseline across 5,000 transactions
- Spotted Zone 3 declining at 48.6%, against an 11.8% venue average
- Narrowed the anomaly to ticket resale transactions specifically
- Identified three device fingerprints behind 214 of 222 declines
- Reconstructed the attack window: 17:30 to 17:59 UTC
- Calculated $37,159 in attempted fraudulent volume
- Generated a blocklist recommendation
Each step followed from the previous one. The agent chose every query based on what it just found.
React Frontend (Cloud Run)
↓
Google ADK Agent, Gemini 3.5 Flash on Vertex AI
↓
MongoDB MCP Server (Cloud Run)
↓
MongoDB Atlas
The agent composes aggregation pipelines at runtime based on what it finds. It is not working from a predefined list of queries.
Examples from a live run:
$match/$groupto establish the baseline decline rate$matchon zone, then$groupto surface the Zone 3 outlier$matchon zone and merchant category combined$matchwith$inon device fingerprint arrays$projectwith$hourto bucket transactions by time$sumon transaction amounts for financial impact
Every pipeline is visible in the UI. Each step has a "View Atlas Query" toggle that shows the exact aggregation used to produce that finding.
5,000 synthetic transactions across 6 Toronto zones, match-day traffic window 15:00 to 21:00 UTC, with a hidden coordinated bot attack:
- Zone 3 accounts for 48.6% of all declines
- The attack runs through ticket resale exclusively
- Three device fingerprints are responsible for 300 of 457 Zone 3 ticket resale transactions
- The attack window is exactly 17:30 to 17:59 UTC
- $37,159 in attempted fraudulent volume across the three devices
Available in the Devpost submission.
MIT