New blockchain-AI framework targets surging OTP fraud with real-time location checks
In response to the global surge in mobile identity fraud and One-Time Password (OTP) interception attacks, researchers have developed a new cybersecurity framework that blends blockchain identity management, artificial intelligence, and geolocation-based controls. The work appears in the study “Blockchain–AI–Geolocation Integrated Architecture for Mobile Identity and OTP Verification,” published in Future Internet.
Modern OTP ecosystems, despite being the backbone of financial and digital service authentication, remain structurally weak due to their continued dependence on SMS, email, and other centralized delivery channels. These traditional channels expose users to SIM swap fraud, phishing-led OTP extraction, network spoofing, and malware interception. The paper frames these security gaps as both a technical and socio-economic problem, noting the billions of dollars in losses linked to authentication-related cybercrime each year.
The proposed solution introduces a multi-layered architecture designed to validate identity, device integrity, and user location through a decentralized framework that does not reveal personal data during verification. It integrates a permissioned blockchain based on Hyperledger Fabric, an AI-driven anomaly detection system for SIM-swap and contextual fraud identification, a geolocation-based OTP policy enforcing consistency between user behavior and request patterns, and a Zero-Knowledge Proof engine that hides sensitive identity details during compliance checks.
Structural weaknesses in OTP systems create expanding attack surface
The study details why OTP systems have become one of the most targeted components of digital security. The authors explain that core OTP protocols, including the industry’s HMAC-based and time-based standards, were designed for a less complex threat environment. Their reliance on SMS and email has turned into a liability because these channels offer no binding between the identity request and the endpoint receiving the OTP. Central servers and SMS gateways introduce single points of failure and can be overwhelmed during attacks or outages, delaying or misrouting OTPs.
A major attack vector examined in the paper is SIM swap fraud. Attackers manipulate mobile network operator procedures to reassign a victim’s phone number to an illegitimate SIM card. This gives the attacker full control over OTP delivery and related authentication messages. The authors also point to OTP phishing platforms that automate real-time interception during login attempts, and malware that collects verification codes directly from compromised devices.
The lack of contextual awareness is another critical flaw. Traditional OTP systems do not check whether a login attempt aligns with the user’s typical location, device identity, or network behavior. The research underscores that this blind spot is one reason account-takeover incidents are increasing across banking, fintech, and e-commerce sectors.
The paper’s literature review shows that while past solutions have attempted to improve OTP security using biometrics, enhanced token generators, or stronger cryptographic schemes, they still rely on centralized identity management and do not incorporate real-time fraud intelligence. They also fail to address the privacy and scalability challenges essential for telecom-grade deployment across borders and operators.
Blockchain identity layer and AI fraud engine form the core of the new architecture
The authors present a full-stack authentication framework that replaces the conventional OTP pipeline with a decentralized, verifiable, and context-aware model. The backbone of the system is a private Hyperledger Fabric blockchain responsible for storing tamper-evident mobile identity anchors. Only hashed references of subscriber data are stored, keeping sensitive attributes off-chain. Fabric’s permissioned model allows participating mobile network operators to maintain distributed governance without exposing personal information.
The blockchain layer organizes data using hashed mobile numbers, profile references, and operator identifiers. Smart contracts support user registration, identity updates, device revocation, and fraud remediation workflows. The design emphasizes minimal on-chain data, frequent salt rotation, and strict access controls to avoid correlation attacks and unauthorized identity mapping across networks.
Alongside the blockchain ledger, the system includes a machine learning-based SIM-swap and anomaly detection engine. This risk module analyzes behavioral and network features such as SIM lifecycle events, device changes, location patterns, and access anomalies. During evaluation, Gradient Boosted Trees achieved an F1-score of 0.88, significantly outperforming the rule-based baseline. The AI model demonstrated strong precision and recall while maintaining negligible latency, ensuring that fraud detection does not delay OTP issuance.
The geographical component uses GeoHash-based contextual scoring to verify whether an OTP request originates from a legitimate or expected user region. The system compares a device’s location with known behavior profiles and applies tolerance thresholds to reduce false positives. If a request violates location expectations, the policy engine blocks or escalates it.
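The location check described above can be sketched as follows. This is an added example, not code from the paper or its authors: the function names, the 25 km and 300 km thresholds, and the sample coordinates are assumptions. It goes slightly beyond plain GeoHash prefix matching by measuring distance between cell centres, because two neighbouring cells can share no prefix at all and a prefix-only policy would flag a legitimate user standing on a cell boundary.

```python
import math

_B32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # geohash alphabet (no a, i, l, o)

def geohash_encode(lat, lon, precision=6):
    """Standard geohash: interleave longitude/latitude bisection bits."""
    rngs = {True: [-180.0, 180.0], False: [-90.0, 90.0]}  # True = longitude
    out, ch, nbits, is_lon = [], 0, 0, True
    while len(out) < precision:
        rng, val = rngs[is_lon], (lon if is_lon else lat)
        mid = (rng[0] + rng[1]) / 2
        bit = val >= mid
        rng[0 if bit else 1] = mid          # keep the half containing val
        ch, nbits, is_lon = (ch << 1) | bit, nbits + 1, not is_lon
        if nbits == 5:                      # 5 bits per base-32 character
            out.append(_B32[ch])
            ch, nbits = 0, 0
    return "".join(out)

def geohash_center(gh):
    """Decode a geohash to the (lat, lon) centre of its cell."""
    rngs = {True: [-180.0, 180.0], False: [-90.0, 90.0]}
    is_lon = True
    for c in gh:
        v = _B32.index(c)
        for shift in range(4, -1, -1):
            rng = rngs[is_lon]
            rng[0 if (v >> shift) & 1 else 1] = (rng[0] + rng[1]) / 2
            is_lon = not is_lon
    return sum(rngs[False]) / 2, sum(rngs[True]) / 2

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    (la1, lo1), (la2, lo2) = [tuple(map(math.radians, p)) for p in (a, b)]
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def shared_prefix(a, b):
    """Length of the common geohash prefix (the naive similarity measure)."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def location_decision(request_gh, profile_ghs, allow_km=25.0, escalate_km=300.0):
    """allow / escalate / block by distance to the nearest profile cell.
    Thresholds are illustrative assumptions, not values from the paper."""
    here = geohash_center(request_gh)
    nearest = min(haversine_km(here, geohash_center(p)) for p in profile_ghs)
    if nearest <= allow_km:
        return "allow"
    return "escalate" if nearest <= escalate_km else "block"

# Constructed sample profile: one usual cell for a subscriber.
PROFILE = [geohash_encode(57.64911, 10.40744)]
```

Only geohash cells are compared here, so raw coordinates never need to reach the policy engine; coarser precision trades location privacy against how tight the tolerance can be.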
Another innovation is the integration of Zero-Knowledge Proofs (zk-SNARKs). This cryptographic layer allows the system to prove identity consistency, location validity, and acceptable fraud-risk scores without revealing any underlying personal data. The proof bundle is verified by blockchain chaincode, producing an auditable result stored as a hash. This ensures privacy compliance while delivering a verifiable, tamper-resistant record of the authentication decision.
The full process is delivered through a microservices architecture using modular components for risk scoring, identity lookup, location verification, proof generation, and blockchain recording. Northbound APIs are used by banks and fintech platforms, while southbound integrations link to mobile network operators’ identity systems. All communication is encrypted and authenticated using mTLS, OAuth2, and HSM-backed key management.
Real-time performance, global scalability, and privacy protection drive deployment readiness
The authors conducted a multi-layer evaluation covering blockchain throughput, authentication latency, and anomaly detection accuracy. The combined system achieved total verification latency under 0.5 seconds, even with ZKP overhead. This meets the performance requirements of telecom providers, financial institutions, and digital platforms that depend on near-instant transactions.
Under an optimized endorsement policy, Hyperledger Fabric processed roughly 850 transactions per second, with around 220 ms commit latency. A stricter endorsement model reduced throughput, illustrating the trade-off between consensus strength and speed, but the system remained within acceptable performance limits. Off-chain storage for large data and a focus on minimal on-chain records helped reduce blockchain state growth and speed up validation.
The introduction of ZKPs added approximately 160–190 ms of overhead, but the researchers emphasize that the added privacy protection justifies this cost. The proofs successfully hide KYC attributes, device details, risk feature vectors, and location information, leaving only the verification results visible to the relying party. The authors describe this feature as essential for compliance with modern privacy regulations.
Security analysis shows that the framework meets critical objectives, including binding each OTP to a verified identity and device, detecting SIM and network anomalies ahead of OTP issuance, ensuring tamper-resistant auditability, and enforcing strict data minimization. The layered architecture also provides resilience against spoofing, replay attacks, session manipulation, contextual misrepresentation, insider misuse, and log tampering.
The model offers a standardized, interoperable approach for identity verification across borders while reducing centralized vulnerabilities. The authors highlight that the framework supports cross-operator identity discovery, number portability compliance, and consortium governance.
Future work, as the authors note, will explore transparent proof systems, post-quantum ZKPs, and evaluation across distributed multi-region network environments to confirm performance under real-world telecom conditions. Despite the need for further refinement, the authors argue that the unified approach provides a viable path for building secure, scalable, and privacy-preserving authentication systems capable of meeting next-generation security demands.
First published in: Devdiscourse

