Enterprise infrastructure with a public mandate

Edge-native fraud telemetry for Malaysia

Free triage tools for citizens fighting scams. Advisory mule-account intelligence for banks integrating with FMS. On-device extraction strips PII before transmission. STIX 2.1 feeds built for regulated environments.

The cost of digital fraud in Malaysia is accelerating

Malaysia lost an estimated RM2.97 billion to fraud in 2025, with cases doubling to over 66,000 nationally. The current response is fragmented and manual — victims report hours after the scam, mule accounts are drained within minutes, and raw evidence sharing across banks risks PDPA violations.

Today
0 min
Victim transfers
to mule account
5–30 min
Funds layered &
cashed out abroad
2+ hrs
Victim finally
calls NSRC
Too Late
Money is gone
Waspada
0 ms
Receipt parsed
on-device
<100 ms
Mule indicators
extracted & scrubbed
~2s
Durable-path FMS alert
reaches bank risk engine
Advisory
Memory path p99 64ms · durable ~2s

Intelligence starts on the device

The Waspada Edge SDK runs inside the host banking app or the public web triage sandbox. No receipt uploads to our cloud. Extraction is three-tier — Regex → NER → SLM — with platform on-device AI preferred when the SDK is embedded in a native partner app.

1. Parsing & OCR

WASM-based PDF.js and Tesseract.js extract text from receipts and screenshots entirely on-device. Handles multi-page, encrypted PDFs, and Malaysian banking formats.

2. Three-Tier Edge AI

Regex for hard fields (account, BIC). NER for aliases and URLs. SLM for normalisation and Bahasa draft assist. Apple/Android on-device AI when available; web SLM fallback.

3. PII Scrub & Crypto Sign

NRIC, phone, email stripped before transmission. Payload signed with RS256 JWT — non-repudiable, per-partner key isolation. Works offline (airplane mode).

Privacy by design: No receipt, PDF, or raw text leaves the device. Only PII-stripped indicators egress. Scammer aliases configurable (hash / include / omit).
NRIC: 900101-14-5555
PII DESTROYED
RS256 SIGNED
Intelligence Core
[Regex]✓ PASS
[NER Model]✓ PASS
[Local SLM]STANDBY
WASM / OCR
receipt.pdf

Trace the fraud telemetry pipeline

From a WhatsApp magic link to on-device three-tier AI (Regex → NER → SLM), then privacy-safe federation to bank SOCs — step by step. WhatsApp delivers the link; evidence never uploads to our servers.

Step 1 of 6

Citizen opens a WhatsApp magic link

A community responder or victim receives a short link in WhatsApp. It opens the public triage PWA/sandbox in their browser — WhatsApp is only the notification channel, not an evidence upload pipe.

Public channel
WhatsApp
Magic link only · roadmap
Link sent
Magic link
Private client zone
Edge SDK
Regex → NER → SLM · platform AI in-app
Inactive
Indicators
Stateless gateway
Orchestration API
JWT · PII re-check · RDAP
Inactive
FMS alert
Federated downstream
Bank SOC / SIEM
MONITOR · risk elevate
Inactive
PII-stripped: receipt stays on device, indicators stripped of NRIC/phone/email WhatsApp: link delivery, not media ingest (roadmap) SLM: in-app → Apple/Android AI; web → Waspada SLM

Built for enterprise security teams

Every design decision prioritises privacy compliance, extraction accuracy, and integration with existing bank infrastructure.

01

Zero-Trust PII Firewall

NRICs, phones, and emails blocked on-device and re-checked at the gateway. Scammer aliases configurable: include / hash / omit.

02

On-Device Edge Extraction

PDF.js + Tesseract.js WASM workers parse receipts locally. Measured accuracy on Malay receipt corpus. Evidence never uploaded.

03

Cryptographic Hardening

RS256 JWT with JTI replay protection, per-partner key rotation, and HMAC-SHA256 blinded evidence hashing.

04

Alert Streaming

SSE with short-lived stream tickets. Memory path p99 64ms, durable path p99 ~2s — measured design trade-off.

05

RDAP Domain Enrichment

Malicious URLs from scam messages enriched with WHOIS/RDAP registration data for attribution and takedown.

06

STIX 2.1 Interoperability

Export STIX 2.1 bundles from verified alerts for SIEM ingestion — Splunk, CrowdStrike, or bank SOC pipelines.

Regulatory alignment

RMiT Aligned
Paragraph-cited mapping across 10 BNM domains.
Alignment, not certification.
PDPA Aligned
PII stripped on-device before transmission.
Full DPIA pending.
STIX 2.1
OASIS-standard threat intelligence export
for SIEM integration.

Gateway Endpoints

All telemetry ingestion requires partner JWT authentication. Alert streaming uses analyst API keys exchanged for short-lived tickets.

GET
/health
Gateway health check and uptime status
POST
/api/v1/telemetry/ingest
Ingest anonymised fraud telemetry (JWT required)
POST
/api/v1/alerts/stream-ticket
Exchange API key for SSE stream ticket
GET
/api/v1/alerts/stream
Real-time threat alert feed (ticket required)

Engineered for regulated environments

We publish our own threat model, red-team audit residuals, and compliance mappings. Review the evidence, not the marketing.

Security Posture

// Verified controls (live)
RS256 JWT with payload_hash binding
JTI replay protection (atomic trySpend)
Edge PII strip (NRIC / phone / email)
Gateway PII re-check (422 on violation)
SSRF domain block + RDAP safeguards
Per-row DEK + AAD encryption (alerts)
SSE ticket auth (short-lived, single-use)
// Open (documented)
Independent VAPT letter — engagement brief ready
Staging durable soak — local Docker proven

CISO Resources

Executive Summary
Production hardening status, scores, and explicit non-claims
VAPT Engagement Brief
Scope, attack surface, and vulnerability categories for provider RFP
RMiT Mapping
Paragraph-cited alignment across 10 BNM domains (mapping ≠ certification)
Full Security Overview
Architecture, threat model, extraction metrics, and load-test results

Ready to discuss a pilot?

We're looking for forward-thinking banks, regulators, and anti-fraud teams who want to test Waspada with real-world receipt data.