GeoComply × Webull
ACH Fraud Prevention Demo
ACTIVE THREAT DETECTED — 3 Critical Attack Vectors Identified: Wi-Fi environment emulation · Cloned application binary · Jailbroken device with injected frameworks
ACH Transfer Request: $2,500.00 (ACH Deposit via Plaid)
Source Bank: Chase ••4821
GeoComply: ✓ Verified
Webull Account: WB-8827341 (Approved)
User Profile

Sarah Chen
Webull Member since 2021
Account ID: WB-8827341
Device: iPhone 15 Pro
OS Status: Stock iOS 18.2
Network: Home Wi-Fi
Location: Austin, TX
True Location: US — Texas
VPN/Proxy: None
GeoComply Core™ — 270M+ masked IPs scanned
Evidence Report

Transaction ID: TXN-20260420-0937
Timestamp: 2026-04-20 09:37:12 CST
GPS Coordinates: 30.2672° N, 97.7431° W
Device Fingerprint: d8f2a1...c903
Session Hash: sha256:9b1e...4f7d
Dispute Ready: ✓ Yes
Real-Time Risk Assessment

Decision: Allowed
Low Risk — Auto-Approved
Long-time user on recognized device and home network. All geolocation checks passed.
GeoComply Verification Pipeline

Wi-Fi Environment Emulation Detected
Network layer forensics by GeoComply Core™
Severity: Critical
What GeoComply Found
The device is broadcasting fabricated Wi-Fi access point data to trick location services into believing it is near a legitimate U.S. residential network. GeoComply's SDK detected that the reported BSSID/SSID pairs do not exist in any known Wi-Fi mapping database — they were synthetically generated to simulate a home network in Miami, FL.
Forensic Evidence
Reported SSID: "ATT-FIBER-Martinez-5G"
Reported BSSID: 5C:E9:1E:A4:00:3F (fabricated)
Wi-Fi DB Match: ✕ No match — BSSID unregistered globally
Signal Strength: -22 dBm (impossibly strong for real AP)
Nearby APs Detected: 0 (real environments show 5-30 APs)
RF Fingerprint: No multipath, no noise floor variation
Tool Signature: Matches "WiFi-Faker Pro v3.2" toolkit
How The Attack Works
The fraudster is using a Wi-Fi location emulator — software that feeds fake access point scan results to the OS location stack. Normally, a device scans nearby Wi-Fi routers and cross-references their MAC addresses with mapping databases (Apple's, Google's) to triangulate position. The emulator injects phantom APs with MAC addresses chosen to map to a target zip code, making the device appear to be in Miami while it is physically overseas. GeoComply catches this because: (1) the reported APs don't exist in any crowdsourced radio map, (2) the signal profile is impossibly clean with no RF noise or multipath reflections, and (3) zero neighboring APs are visible — a physical impossibility in any populated area.
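The three tells listed above (no radio-map match, an impossibly clean and strong signal, no neighbouring access points) can be scored mechanically on the server side. The following is an added example, not GeoComply's or Webull's code: it checks a reported Wi-Fi scan against a constructed in-memory radio map standing in for a crowdsourced BSSID database, and the thresholds (-30 dBm ceiling, at least three visible APs) are assumptions chosen for illustration. The fabricated scan is the one from the evidence table; the legitimate one is constructed.

```python
"""Wi-Fi scan plausibility check.

Added example, not GeoComply's or Webull's code. It scores a reported Wi-Fi
scan against three tells: (1) reported BSSIDs that no radio map knows,
(2) a signal too strong and too uniform to be a real access point, and
(3) too few neighbouring access points. RADIO_MAP is a constructed stand-in
for a crowdsourced BSSID-to-position database; thresholds are assumptions.
"""
from dataclasses import dataclass

# Constructed radio map: BSSID -> (lat, lon) where the AP has been observed.
RADIO_MAP = {
    "a0:63:91:12:34:56": (30.2672, -97.7431),
    "a0:63:91:12:34:57": (30.2673, -97.7429),
    "3c:37:86:aa:bb:01": (30.2670, -97.7435),
    "3c:37:86:aa:bb:02": (30.2675, -97.7433),
}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    rssi_dbm: int


def check_scan(aps, radio_map=RADIO_MAP, min_visible_aps=3, max_rssi_dbm=-30):
    """Return a list of plausibility findings; an empty list means the scan looks real."""
    findings = []
    known = [ap for ap in aps if ap.bssid.lower() in radio_map]
    if not aps:
        findings.append("empty scan: device reports no Wi-Fi environment at all")
    elif not known:
        findings.append("none of the reported BSSIDs exist in the radio map")
    if any(ap.rssi_dbm > max_rssi_dbm for ap in aps):
        findings.append(f"signal stronger than {max_rssi_dbm} dBm is implausible for a real AP")
    if 0 < len(aps) < min_visible_aps:
        findings.append(f"only {len(aps)} AP(s) visible; populated areas show several")
    if len(aps) >= 2 and len({ap.rssi_dbm for ap in aps}) == 1:
        findings.append("identical RSSI on every AP: no noise-floor variation")
    return findings


def severity(findings):
    """Two or more independent tells are treated as critical; one warrants review."""
    if len(findings) >= 2:
        return "critical"
    return "review" if findings else "clean"


def estimate_position(aps, radio_map=RADIO_MAP):
    """Centroid of the mapped positions of the known APs, or None if none is known."""
    points = [radio_map[ap.bssid.lower()] for ap in aps if ap.bssid.lower() in radio_map]
    if not points:
        return None
    return (sum(p[0] for p in points) / len(points),
            sum(p[1] for p in points) / len(points))


# The scan from the evidence table above: one fabricated AP, no neighbours, -22 dBm.
FAKE_SCAN = [AccessPoint("5C:E9:1E:A4:00:3F", "ATT-FIBER-Martinez-5G", -22)]

# Constructed scan from a real home: four mapped APs plus one neighbour the map
# has not seen yet, with ordinary, varied signal levels.
LEGIT_SCAN = [
    AccessPoint("a0:63:91:12:34:56", "Home-5G", -48),
    AccessPoint("a0:63:91:12:34:57", "Home-2.4G", -57),
    AccessPoint("3c:37:86:aa:bb:01", "Neighbor-WiFi", -63),
    AccessPoint("3c:37:86:aa:bb:02", "Neighbor-WiFi-5G", -71),
    AccessPoint("f8:1a:67:00:11:22", "NETGEAR-guest", -76),
]

if __name__ == "__main__":
    for name, scan in (("fabricated", FAKE_SCAN), ("legitimate", LEGIT_SCAN)):
        found = check_scan(scan)
        print(name, severity(found), found, estimate_position(scan))
```

One unknown BSSID in an otherwise mapped scan is tolerated (new routers appear every day); the check fires when nothing in the scan is known. A production radio map would be a database lookup rather than a dictionary, but the decision logic is the same.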
Cloned Application Binary Detected
App integrity analysis by GeoComply SDK
Severity: Critical
What GeoComply Found
The Webull application running on this device is not the authentic App Store build. It is a repackaged clone with modified code signatures and injected dynamic libraries that intercept GeoComply SDK calls, feeding back falsified location and device data.
Forensic Evidence
Bundle Identifier: com.webull.investment (name matches)
Code Signature: ✕ INVALID — not signed by Apple cert
Binary Hash (SHA-256): a41f...e092 ≠ expected c7d3...b418
Injected Dylibs: 3 found: libLocFake.dylib, libSSLBypass.dylib, libHookKit.dylib
Install Source: Sideloaded via TrollStore (not App Store)
App Version Claimed: v12.8.0 (current) — version string spoofed
SDK Integrity: GeoComply SDK tampered — response hooks active
How The Attack Works
The attacker obtained the legitimate Webull IPA, decompiled and repackaged it with three malicious dynamic libraries injected into the app bundle:

libLocFake.dylib — Hooks into CoreLocation to return spoofed GPS coordinates for Miami, FL.
libSSLBypass.dylib — Disables certificate pinning so the attacker can intercept and modify API traffic between the app and Webull servers (MITM).
libHookKit.dylib — Intercepts GeoComply SDK attestation responses before they reach the server, replacing the real device/location data with fabricated "clean" results.

GeoComply detects this because its SDK performs binary self-attestation at runtime — it hashes its own code segment and compares it against the known-good build. The mismatch triggers an immediate integrity failure.
Jailbreak Exploit Chain Detected
Device integrity deep scan by GeoComply
Severity: Critical
What GeoComply Found
This device has been jailbroken using a kernel-level exploit chain, giving the attacker root filesystem access and the ability to inject code into any running process — including the Webull app and GeoComply SDK. The jailbreak actively hides itself using concealment tweaks, but GeoComply's multi-layered integrity checks identify it through behavioral and environmental anomalies.
Jailbreak Exploit Chain — Step by Step
1. Initial Exploit — Kernel Vulnerability
   Attacker used CVE-2025-31201 (CoreMedia out-of-bounds write) to gain arbitrary kernel read/write. This zero-day targets iOS 17.x–18.x, bypassing KTRR and PAC protections to achieve a persistent kernel task port.
2. Kernel Patch — Disable Code Signing
   With kernel access, the attacker patched AMFI (Apple Mobile File Integrity) to allow unsigned code execution. This lets the injected dylibs (libLocFake, libSSLBypass, libHookKit) load into any app process without a valid Apple signature.
3. Root Filesystem Remount
   System partition remounted as read-write via mount -uw /. Attacker installed Substitute (code injection framework) and PreferenceLoader to hook into SpringBoard and all running applications.
4. Anti-Detection — "Shadow" Concealment Tweak
   Installed Shadow v4.1 to hide jailbreak artifacts: removes Cydia/Sileo from the process list, spoofs stat() calls on /var/jb and /usr/bin/ssh, blocks sysctl() queries that reveal injected libraries, and hides environment variables like DYLD_INSERT_LIBRARIES from naive detection.
5. Payload Deployment — Location & SDK Hooks
   Final stage: libLocFake.dylib hooks into CLLocationManager to feed spoofed GPS. libHookKit.dylib intercepts GeoComply SDK attestation calls and replaces real results with fabricated "clean" data. libSSLBypass.dylib strips certificate pinning for full MITM capability on Webull API traffic.
How GeoComply Detected It (Despite Concealment)
Kernel Integrity: KTRR violation — kernel text region modified
Sandbox Escape Test: App can read /var/jb — sandbox broken
Dyld Image List: 3 unsigned images in process space
Syscall Timing Analysis: stat() on /usr/bin/ssh: 0.3ms (hooked) vs 0.01ms expected
Env Variable Leak: DYLD_INSERT_LIBRARIES present despite Shadow
Secure Enclave (SEP): SEP attestation mismatch — device state altered post-boot
Code Page Hash: GeoComply SDK code hash ≠ signed build hash
Verdict: JAILBROKEN — Root access + active hooking confirmed
Geohash Density Model — Fraud Cluster Detected
ML-powered location profiling by GeoComply
Severity: Critical
What GeoComply Found
GeoComply's ML density model divides geography into geohash grid cells and tracks the concentration of new account sign-ups and high-value transactions per cell. This transaction originates from a geohash cell showing abnormal density — 61 new accounts in the past 72 hours, a 14× spike over the baseline. This pattern is a strong indicator of a coordinated fraud ring operating from a single location using synthetic identities.
Density Heatmap — Geohash Region (user count per geohash, low to high)
61 new accounts at this geohash cell in 72 hours — 14× above baseline
Geohash: u33dc0 (Bucharest, Romania)
58 of 61 accounts created with synthetic IDs
All 61 used Tor/VPN to mask true location
43 attempted ACH transfers within 1 hour of creation
Total attempted drain: $1.47M across 61 accounts
How The Density Model Works
GeoComply's ML model continuously monitors account creation and transaction patterns across geohash grid cells worldwide. When a cell exceeds its historical baseline density, it triggers a risk escalation. This catches coordinated fraud operations that IP geolocation alone misses — because the attackers use different VPN exit nodes and different synthetic identities, but their true physical location clusters in the same geohash cell. The model also powers deduplication logic to detect multi-accounting, promo abuse, and rapid account creation rings. Deliverable via GeoComply's RiskGuard reporting format.
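The per-cell counting and baseline comparison described above is simple enough to show end to end. The block below is an added example, not GeoComply's model: it implements the public geohash encoding (interleaved longitude/latitude bisection into a base-32 string), buckets sign-up events by cell over a trailing 72-hour window and flags cells that exceed a per-cell baseline by a spike factor. The window, spike factor, minimum count, the six-character cell size, the baseline table and every event are constructed assumptions; the cluster centre is a point in northern Spain chosen only because its geohash is easy to verify.

```python
"""Geohash density-spike detection.

Added example, not GeoComply's model. The encoder implements the public
geohash algorithm; the window, spike factor, minimum count, baselines and
events below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

GEOHASH_ALPHABET = "0123456789bcdefghjkmnpqrstuvwxyz"


def geohash_encode(lat, lon, precision=6):
    """Encode a WGS84 point into a geohash of `precision` base-32 characters."""
    lat_lo, lat_hi = -90.0, 90.0
    lon_lo, lon_hi = -180.0, 180.0
    bits, refine_lon = [], True          # bits alternate: longitude first, then latitude
    while len(bits) < precision * 5:
        if refine_lon:
            mid = (lon_lo + lon_hi) / 2
            if lon >= mid:
                bits.append(1)
                lon_lo = mid
            else:
                bits.append(0)
                lon_hi = mid
        else:
            mid = (lat_lo + lat_hi) / 2
            if lat >= mid:
                bits.append(1)
                lat_lo = mid
            else:
                bits.append(0)
                lat_hi = mid
        refine_lon = not refine_lon
    chars = []
    for i in range(0, len(bits), 5):      # every 5 bits become one base-32 character
        index = 0
        for bit in bits[i:i + 5]:
            index = (index << 1) | bit
        chars.append(GEOHASH_ALPHABET[index])
    return "".join(chars)


def cell_counts(events, now, window_hours=72, precision=6, event_type="signup"):
    """Count events of one type per geohash cell inside the trailing window."""
    cutoff = now - timedelta(hours=window_hours)
    counts = Counter()
    for ev in events:
        if ev["type"] == event_type and cutoff <= ev["ts"] <= now:
            counts[geohash_encode(ev["lat"], ev["lon"], precision)] += 1
    return counts


def density_alerts(events, baseline, now, spike_factor=10.0, min_count=20, **kwargs):
    """Cells whose window count is both large and far above their historical baseline."""
    alerts = {}
    for cell, n in cell_counts(events, now, **kwargs).items():
        base = baseline.get(cell, 1.0)   # assumption: an unseen cell expects ~1 sign-up per window
        ratio = n / base
        if n >= min_count and ratio >= spike_factor:
            alerts[cell] = {"count": n, "baseline": base, "spike": round(ratio, 1)}
    return alerts


# Constructed data: 30 sign-ups within a day from one small area, two scattered
# sign-ups elsewhere, one stale sign-up outside the window, and one non-sign-up
# event that the counter must ignore.
NOW = datetime(2026, 4, 20, 9, 37, tzinfo=timezone.utc)
CLUSTER = (42.607, -5.598)               # constructed; encodes to "ezs42s" at precision 6
EVENTS = [
    {"type": "signup", "ts": NOW - timedelta(hours=i),
     "lat": CLUSTER[0] + (i % 5) * 0.0004, "lon": CLUSTER[1] + (i // 5) * 0.0004}
    for i in range(30)
] + [
    {"type": "signup", "ts": NOW - timedelta(hours=5), "lat": 51.5074, "lon": -0.1278},
    {"type": "signup", "ts": NOW - timedelta(hours=9), "lat": 40.7128, "lon": -74.0060},
    {"type": "signup", "ts": NOW - timedelta(days=5), "lat": CLUSTER[0], "lon": CLUSTER[1]},
    {"type": "ach_transfer", "ts": NOW - timedelta(hours=1), "lat": CLUSTER[0], "lon": CLUSTER[1]},
]
BASELINE = {"ezs42s": 2.0}               # constructed: this cell normally sees ~2 sign-ups per 72 h

if __name__ == "__main__":
    print(density_alerts(EVENTS, BASELINE, NOW))
```

The input to this model is the true location resolved after VPN stripping, not the presented IP; that is what lets sessions arriving through different exit nodes fall into the same cell. Cell size is a tuning choice: six characters is roughly a 1.2 km by 0.6 km cell, coarse enough to group one building or block and fine enough not to merge a whole city.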
Account Takeover — Credential Compromise Detected
Identity & device correlation by GeoComply
Severity: Critical
What Happened
A nefarious actor obtained legitimate login credentials for a real Webull customer (Marcus Thompson, WB-7741923) — likely through a credential stuffing attack or phishing campaign. The attacker successfully logged into the account using the correct email and password, and immediately attempted to initiate an ACH transfer of $14,750 to drain the linked bank account. Despite having valid credentials, GeoComply detected the takeover because the device, location, and behavioral profile are completely inconsistent with the real account holder.
Real Account Holder vs. Attacker — Side by Side
Account Owner: Marcus Thompson — member since 2020
Owner's Trusted Device: iPhone 15, iOS 18.2, device ID: d9a1...f821
Owner's Home Location: Denver, CO (39.74° N, 104.99° W)
Owner's Usual Network: Comcast Xfinity Home — seen 1,247 sessions
Attacker's Device: Samsung Galaxy A14 — NEVER seen on this account
Attacker's True Location: Lagos, Nigeria (6.52° N, 3.38° E) — 6,800 mi from Denver
Attacker's Network: NordVPN exit node (Dallas, TX) masking true IP
Login Method: Credentials valid — likely from data breach dump
How The Attacker Got In
The attacker used credentials sourced from a third-party data breach (Marcus reused his password across services). They logged in via a VPN to appear as if they were in the U.S. While the username and password were correct, everything else about the session is wrong — wrong device, wrong continent, wrong behavioral pattern. Traditional authentication (email + password) alone would have let this through. GeoComply's geolocation layer caught what passwords could not.
True Location Unmasked — VPN Stripped by GeoComply Core™
IP intelligence & geolocation forensics
Severity: Critical
GeoComply Core™ Analysis
The attacker connected through NordVPN to mask their real IP address, presenting an exit node in Dallas, TX to appear domestic. GeoComply Core's database of 270M+ known masking IPs immediately flagged this address as a commercial VPN endpoint. With the VPN layer stripped, GeoComply's multi-signal triangulation revealed the true origin.
Location Layer Analysis
Presented IP: 104.153.xx.xx — NordVPN Dallas exit
GeoComply Core™ Verdict: ✕ Known VPN — NordVPN server #4218
True IP (unmasked): 102.89.xx.xx — MTN Nigeria, Lagos
GPS from Device: Disabled — attacker turned off location services
Wi-Fi Triangulation: APs match MTN cell towers in Victoria Island, Lagos
Cell Tower Data: Connected to MCC 621 / MNC 30 (MTN Nigeria)
Timezone / Locale: Device timezone: WAT (UTC+1), locale: en_NG
True Location: Lagos, Nigeria — 6,800 mi from account holder's home
Why This Matters
The attacker had the correct password, but GeoComply doesn't trust passwords — it trusts physics. The device's Wi-Fi scan returned access points geolocated to Lagos. The cell radio was connected to Nigerian carrier infrastructure. The system timezone and locale were set to West Africa. Even with GPS disabled and a VPN active, the true location was undeniable. Marcus Thompson's account has never been accessed from outside Colorado. A login from Lagos attempting a $14,750 ACH drain is an unambiguous account takeover.
Device & Behavioral Profile — Total Mismatch
Behavioral biometrics & device intelligence
Severity: Critical
Device Intelligence
Marcus Thompson has exclusively used an iPhone 15 for all 1,247 prior sessions on Webull. This session originates from a Samsung Galaxy A14 — a device that has never been associated with this account. GeoComply maintains a device trust graph for every user; this device has zero history and zero trust score.
Behavioral Biometrics Comparison
Device Trust Score: 0 / 100 — never seen on this account
Device Model Match: ✕ Samsung Galaxy A14 ≠ iPhone 15
OS Platform: ✕ Android 13 ≠ iOS 18.2
Screen Resolution: ✕ 1080×2408 ≠ 1179×2556
Typing Cadence: 0% match — completely different rhythm
Touch Pressure Profile: N/A — different biometric signature
Navigation Pattern: Attacker went straight to ACH transfer — skipped all usual screens
Session Duration Before ACH: 47 seconds — Marcus averages 12 min before transfers
Time of Access: 3:17 AM Denver time — Marcus never trades before 7 AM
Attack Timeline
1. 03:17:04 AM — Login with Stolen Credentials
   Attacker logs in with Marcus's email and password from an unrecognized Samsung device in Lagos, Nigeria. VPN masks IP to appear as Dallas, TX.
2. 03:17:22 AM — Navigates Directly to ACH Transfer
   Skips portfolio view, watchlist, and all typical screens. Goes straight to Transfers → Withdraw → ACH in 18 seconds — indicating pre-planned extraction.
3. 03:17:51 AM — Initiates $14,750 ACH Withdrawal
   Attempts to drain the full available cash balance to the linked Chase account. Total time from login to transfer attempt: 47 seconds.
4. 03:17:51 AM — GeoComply SDK Fires
   GeoComply runs full geolocation check at transaction time. Detects: unknown device, VPN masking, true location Lagos, behavioral mismatch, anomalous timing. Decision: DENY
5. 03:17:52 AM — Transaction Blocked, Account Frozen
   ACH transfer denied. Webull's fraud team notified. Account temporarily frozen pending owner verification. Marcus receives push notification on his real iPhone in Denver.
Geohash Density Model — ATO Cluster Identified
ML-powered location profiling by GeoComply
Severity: Critical
What GeoComply Found
After unmasking the attacker's true location as Lagos, Nigeria, GeoComply's density model flagged this geohash cell as a known ATO hotspot. In the past 30 days, 47 account takeover attempts have originated from this same geohash — all following the same pattern: stolen U.S. credentials, VPN masking, immediate ACH drain attempts. This is not an isolated incident — it is a coordinated fraud operation.
Density Heatmap — Lagos Region (ATO attempts per geohash, low to high)
47 ATO attempts from this geohash cell in 30 days — known fraud cluster
Geohash: s1z0gs (Victoria Island, Lagos, NG)
47 ATO attempts targeting U.S. brokerage accounts
All used NordVPN/ExpressVPN with U.S. exit nodes
Credentials sourced from 3 different breach databases
GeoComply blocked 100% — $3.2M in losses prevented
Why Geohashing Catches What IP Cannot
Each of the 47 ATO attempts used a different VPN exit node — IPs in Dallas, Chicago, Miami, Atlanta, and Seattle. To an IP-only system, these look like 47 unrelated sessions from 47 different U.S. cities. But GeoComply strips the VPN layer and resolves the true physical location, revealing that all 47 cluster in the same geohash cell in Lagos. The density model connects the dots, turning 47 "isolated incidents" into a single coordinated operation — enabling Webull to block the entire ring, not just one attempt at a time.
GeoComply Signal Value for Webull
Async latency, signal differentiation beyond IP, and historical backbook validation

1. Signal Latency & Async Integration

GeoComply's SDK fires asynchronously the instant the user taps "Checkout" — collecting device, location, and network signals in parallel while the payment sheet renders. By the time the ACH confirmation screen appears, GeoComply has already returned a decision. Zero added latency to the user experience.
User Taps Checkout (button click event)
→ GeoComply SDK (async): device + location + network
→ Payment Sheet Renders (UI loads in parallel)
→ GeoComply Returns: decision ready
→ ACH Confirmed: transfer proceeds

2. Signal Differentiation — Beyond IP

IP geolocation provides a single data point. GeoComply delivers 12+ orthogonal signal layers that catch fraud IP alone misses entirely — device manipulation, bot behavior, and high-risk geographies where IP data is unreliable or easily spoofed.
Signal Layer                            | IP Geolocation Only | GeoComply
IP Address Location                     |                     |
VPN / Proxy / Tor Detection             | ~ Partial           | ✓ 270M+ IPs
GPS Coordinate Validation               |                     |
Wi-Fi Triangulation & AP Verification   |                     |
Device Jailbreak / Root Detection       |                     |
Emulator / Cloned App Detection         |                     |
Bot / Automation Identification         |                     | ✓ Behavioral
Location Spoofing (GPS Injection)       |                     |
Cell Tower / MCC-MNC Verification       |                     |
Device Fingerprint Trust Graph          |                     |
Behavioral Biometrics (Typing, Touch)   |                     |
High-Risk Geography Coverage (Key Gap)  | ✕ Unreliable        | ✓ Multi-signal
(Cells that the original page rendered only as icons are left blank.)
Why this matters for Webull: In regions like West Africa, Southeast Asia, and Eastern Europe, IP geolocation databases are notoriously inaccurate — IPs frequently geolocate to the wrong country entirely. GeoComply's multi-signal approach (cell towers + Wi-Fi + GPS + device integrity) provides reliable location verification even where IP data is unreliable, closing the exact gap exploited in account takeover and synthetic identity fraud.

3. Backbook Sweep — Historical Data Validation

Run GeoComply signals against Webull's historical ACH transaction data to validate signal quality and correlation with known fraud. This simulation processes 90 days of anonymized transactions to show what GeoComply would have caught.
Metrics reported by the simulation: Transactions Scanned · Newly Flagged as Fraud · Correlation with Known Fraud · Est. Losses Preventable
Integration Architecture: Where GeoComply Hooks Into Webull
GeoComply operates as an invisible layer — the user never sees it, but every ACH transaction passes through it
End-to-End ACH Transfer Flow with GeoComply

1. User Opens Webull App & Navigates to Transfer (Webull App, T+0s)
   User logs into Webull, navigates to Transfers → Deposit → ACH. Selects linked bank account and enters amount. GeoComply SDK is already loaded in the background from app launch.
2. User Taps "Confirm Deposit" → GeoComply SDK Fires (Async) (GeoComply SDK, async, ~120ms, T+0ms, runs in parallel with step 3)
   The instant the user taps Confirm, the GeoComply SDK fires asynchronously — collecting device fingerprint, GPS, Wi-Fi scan, cell tower data, VPN/proxy detection, and behavioral biometrics. This happens in parallel with the payment sheet rendering. Zero user-facing latency added.
3. Plaid Verifies Bank Account & Initiates ACH (Plaid API, bank auth, T+200ms)
   Plaid authenticates the linked bank account, verifies sufficient funds, and prepares the ACH instruction. This is the standard bank-linking flow that already exists — GeoComply does not replace Plaid, it layers on top.
4. GeoComply Returns Decision: Allow / Challenge / Deny (GeoComply Core™ risk engine, decision API, T+180ms, decision ready)
   GeoComply's server-side engine processes all collected signals and returns one of three decisions before Plaid completes. Allow → ACH proceeds silently. Challenge → Webull triggers step-up KYC (selfie, extra ID). Deny → transaction blocked, compliance team notified.
5. Webull Backend: Gate ACH Based on GeoComply Decision (Webull backend, evidence report, NACHA, T+300ms)
   Webull's backend receives both the Plaid ACH instruction and the GeoComply decision. If Allow → submit ACH to NACHA. If Challenge → hold and prompt user for step-up verification. If Deny → reject transaction, log evidence report, optionally freeze account and file SAR.
6. User Sees Confirmation (or Challenge / Denial) (UI response, T+450ms, user sees result)
   For legitimate users: "Your deposit of $2,500 is on its way!" — no friction, no delay, no awareness of GeoComply. For flagged users: step-up verification or a denial message. The entire flow from button tap to confirmation takes under 500ms.
Key Integration Points: GeoComply hooks in at two moments — Step 2 (SDK fires on user action, async) and Step 4 (decision returned to backend). The SDK is a lightweight mobile/web library that Webull integrates once. The decision API is a single REST endpoint. No changes to Plaid, no changes to the NACHA submission pipeline. GeoComply sits alongside the existing stack as a transparent fraud layer.
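To make the decision step and the backend gate concrete, the block below combines the signals compared in the account-takeover section (device trust, VPN presence, true-location distance from home, seconds before transfer, hour of access) into a score, maps the score to Allow / Challenge / Deny, and returns the backend actions for step 5. It is an added example, not GeoComply's risk engine or Webull's backend: the weights, thresholds, profile and session records are constructed assumptions, and the device identifiers are placeholders rather than the page's values.

```python
"""Session risk scoring and ACH gating.

Added example, not GeoComply's engine or Webull's backend. Weights,
thresholds, the owner profile and the three sessions are constructed.
"""
import math


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (mean Earth radius 3958.8 mi)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(a))


def score_session(session, profile, far_miles=500, rushed_seconds=120):
    """Additive risk score plus the reasons that contributed to it (weights are assumptions)."""
    score, reasons = 0, []
    if session["device_id"] not in profile["trusted_devices"]:
        score += 40
        reasons.append("device never seen on this account")
    if session["vpn_detected"]:
        score += 20
        reasons.append("session presented a known VPN/proxy exit")
    miles = haversine_miles(*session["true_location"], *profile["home_location"])
    if miles > far_miles:
        score += 30
        reasons.append(f"true location {miles:.0f} mi from home")
    if session["seconds_before_transfer"] < rushed_seconds:
        score += 10
        reasons.append(f"transfer started {session['seconds_before_transfer']} s after login")
    start, end = profile["active_hours"]
    if not start <= session["local_hour"] < end:
        score += 10
        reasons.append(f"access at {session['local_hour']:02d}:00 local, outside usual hours")
    return score, reasons


def decide(score, deny_at=75, challenge_at=40):
    """Map a score to the three decisions the flow above uses."""
    if score >= deny_at:
        return "deny"
    return "challenge" if score >= challenge_at else "allow"


def gate_ach(session, profile):
    """Step 5: the backend actions taken for the ACH instruction under each decision."""
    score, reasons = score_session(session, profile)
    decision = decide(score)
    actions = {
        "allow": ["submit_ach_to_nacha"],
        "challenge": ["hold_ach", "prompt_step_up_verification"],
        "deny": ["reject_ach", "log_evidence_report", "freeze_account", "notify_fraud_team"],
    }[decision]
    return {"decision": decision, "score": score, "reasons": reasons, "actions": actions}


# Constructed profile and sessions modelled on the two cases on this page.
OWNER = {"trusted_devices": {"dev-owner-iphone"},        # placeholder device id
         "home_location": (39.74, -104.99),              # Denver, CO
         "active_hours": (7, 22)}
ATTACKER_SESSION = {"device_id": "dev-unknown-android", "vpn_detected": True,
                    "true_location": (6.52, 3.38),       # Lagos, NG
                    "seconds_before_transfer": 47, "local_hour": 3}
OWNER_SESSION = {"device_id": "dev-owner-iphone", "vpn_detected": False,
                 "true_location": (39.75, -104.98),
                 "seconds_before_transfer": 720, "local_hour": 10}
# Same owner on a phone the trust graph has not seen yet: worth a challenge, not a denial.
NEW_PHONE_AT_HOME = dict(OWNER_SESSION, device_id="dev-owner-new-iphone")

if __name__ == "__main__":
    for label, s in (("attacker", ATTACKER_SESSION), ("owner", OWNER_SESSION),
                     ("new phone", NEW_PHONE_AT_HOME)):
        print(label, gate_ach(s, OWNER))
```

The middle case is the reason three outcomes exist rather than two: a known customer on a new phone at home should be stepped up, not locked out, while a session that fails every check at once should never reach the ACH submission path. The reasons list is what feeds the evidence report on a deny.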
Integration Touchpoints

Mobile SDK: iOS & Android native SDK. ~200KB. Initializes at app launch. Fires on transaction events. Collects 12+ signal layers.
Decision API: Single REST endpoint. Returns Allow/Challenge/Deny + risk score + evidence payload in <200ms. Drop-in for Webull backend.
Evidence Reports: Dispute-ready evidence linking device + GPS + timestamp to each transaction. Increases chargeback win rate. Webhook or batch delivery.
ACH Fraud Protection: Without vs. With GeoComply
Side-by-side comparison of a brokerage ACH flow — what gets through, and what gets caught

Without GeoComply

VPN / Proxy Users Are Invisible
Attackers use VPNs to appear domestic. IP geolocation shows "Dallas, TX" when the real location is Lagos, Nigeria. No way to strip the masking layer.
Device Manipulation Goes Undetected
Jailbroken phones, emulators, and cloned apps pass through unchecked. No SDK on-device to verify integrity or detect injected hooking frameworks.
Account Takeover Succeeds with Valid Credentials
If the attacker has the right email and password, they're in. No device trust graph, no behavioral biometrics, no location anomaly detection.
GPS Spoofing Not Detected
Fake GPS apps inject false coordinates. Without Wi-Fi triangulation and cell tower cross-referencing, there is no way to verify the reported location is real.
Chargebacks Are Hard to Fight
When users dispute ACH transfers ("I never authorized this"), the platform has no evidence tying the specific device and GPS coordinates to the transaction. Banks side with the customer.
Fraud Rings Operate Undetected
Coordinated attacks from the same physical location using different VPN exits look like unrelated sessions. No geohash density model to connect the dots.

With GeoComply

VPN / Proxy / Tor Stripped in Real Time
GeoComply Core's database of 270M+ known masking IPs identifies and strips VPN/proxy/Tor layers, revealing the true location. The attacker's real country is exposed.
Device Integrity Verified On-Device
GeoComply SDK performs binary self-attestation, detects jailbreaks/root, identifies emulators and cloned apps, and catches injected hooking frameworks — all before the transaction fires.
Account Takeover Blocked by True Location
Even with valid credentials, GeoComply detects the wrong device, wrong continent, wrong behavioral pattern, and wrong time-of-day profile. Passwords alone don't grant access — physics does.
Multi-Layer Location Verification
GPS, Wi-Fi triangulation, cell tower data (MCC/MNC), IP geolocation, and device timezone are all cross-referenced. Spoofing one layer doesn't work when five layers must agree.
Dispute-Ready Evidence Reports
Every transaction generates a compelling evidence report linking device fingerprint, GPS coordinates, and timestamp. Chargeback win rates increase significantly — the bank sees undeniable proof.
Fraud Rings Exposed by Geohash Density
GeoComply's ML density model clusters true locations across geohash cells, connecting "unrelated" sessions into coordinated operations. Entire fraud rings are identified and blocked, not just individual attempts.
$4.8M: Estimated Annual ACH Fraud Losses (Without GeoComply)
Based on industry averages for mid-size brokerages: ATO drain, synthetic identity kiting, friendly fraud chargebacks, and coordinated fraud ring operations.
93%: Estimated Fraud Prevention Rate (With GeoComply)
Multi-signal geolocation catches fraud that IP-only systems miss. Remaining 7% addressed by step-up KYC challenges and manual review queue.
The Core Difference:
Without GeoComply, a valid password = access. With GeoComply, a valid password + wrong device + wrong location + wrong behavior = denied.
GeoComply doesn't replace existing security — it adds the physics layer that passwords, 2FA, and IP geolocation cannot provide.
GeoComply ACH Fraud Prevention — Demonstration Environment — Not Connected to Live Systems