Sofia Kung
Trust & Safety AI Products Data Analytics Design

Why and how I built a living, LLM-maintained knowledge base for the fraud landscape — with a Telegram approval loop and a strict mechanism-over-buzz quality bar.

The fraud landscape moves faster than anyone can actually read. Every week brings a new deepfake KYC bypass, a new pig-butchering variant, a new regulator action, and a new vendor claiming to detect all of it. I’d been drowning in tabs, half-finished notes, and a Notion that had quietly become a graveyard.

I didn’t want better notes. What I wanted was a self-updating, actually-useful knowledge base — current modus operandi on one side, the controls and regulations chasing them on the other, both refreshing as the world changed, both queryable the moment I sat down to write or design solutions.

So I built one. The LLM does most of the maintenance. I design the system.

The shape of it

The architecture is borrowed from a Karpathy sketch: an LLM-wiki has three layers.

  1. Raw — immutable source documents. Articles, papers, regulator filings. The LLM reads them; it never edits them.
  2. Wiki — the synthesis layer. Pages the LLM owns, written from the raw sources, cross-linked into a graph. This is the layer I actually read.
  3. Schema — one config file plus page templates. This is the part that, in practice, decides whether the wiki holds together. Without it, the system tends to drift into a transcript of whatever was ingested last.

What lives in the wiki

The wiki is MO-centric. There are two page types:

Every MO is tagged with a risk domain. The current set: identity onboarding, impersonation/social, account takeover, payment systems, laundering, and autonomous AI. The list grows whenever a new attack pattern doesn’t fit any of them.

The result is a graph — rendered in Obsidian via wikilinks between pages. Open the deepfake KYC bypass page and you see the prevention controls that target it. Open behavioral telemetry and you see every MO it helps catch.

The pipeline that feeds it

Here’s where it gets challenging.

A discovery agent runs three mornings a week at 07:30 SGT. It searches a curated list of queries, scores each result against a rubric, deduplicates against what’s already in the wiki, and sends each surviving item to my Telegram with two buttons: ✅ Approve / ❌ Skip.

I tap buttons on my phone over coffee. On approve, the bot fetches the full article, saves it to the raw layer, and triggers an ingest — the LLM decides whether the source is a new MO, a variant of an existing one, a notable case, or a new prevention building block. It writes the pages, cross-links them, and updates the index.

The hard part: knowledge vs. buzz

The most important rule in the schema is the content-quality bar:

Stats and incidents cap at score 5. Commentary caps at 3. Only mechanism, tooling, and regulation get the full score.

In other words: a breathless “AI fraud losses hit $X billion this year” article doesn’t belong in the wiki. A writeup that explains how a particular synthetic-identity ring beat liveness detection does. The wiki is for knowledge, not news.
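A sketch of the scoring and dedup step described above, as an added example rather than the code behind the wiki. The caps of 5 and 3 come from the rule above; the 10-point full score, the send threshold of 6, the URL canonicalisation, and every name and sample item are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

FULL_SCORE = 10      # assumption: the post does not state the top of the scale
SEND_THRESHOLD = 6   # assumption: set above the stats/incident cap
# Caps per content type; 5 and 3 are the values stated in the post.
CAPS = {"stats": 5, "incident": 5, "commentary": 3,
        "mechanism": FULL_SCORE, "tooling": FULL_SCORE, "regulation": FULL_SCORE}

@dataclass
class Candidate:
    url: str
    title: str
    kind: str        # content type assigned by the rubric
    raw_score: int   # relevance score before the cap is applied

def canonical(url: str) -> str:
    """Dedup key: lowercased host without 'www.', path without trailing slash.
    Query strings (tracking parameters) and fragments are ignored."""
    parts = urlsplit(url.strip())
    return parts.netloc.lower().removeprefix("www.") + parts.path.rstrip("/")

def capped_score(c: Candidate) -> int:
    # An unrecognised content type gets the strictest cap, not the full score.
    cap = CAPS.get(c.kind, min(CAPS.values()))
    return max(0, min(c.raw_score, cap))

def triage(candidates, known_urls):
    """Return (score, title) pairs worth sending for approval, best first."""
    seen = {canonical(u) for u in known_urls}
    queue = []
    for c in candidates:
        key = canonical(c.url)
        if key in seen:          # already in the wiki or earlier in this batch
            continue
        seen.add(key)
        score = capped_score(c)
        if score >= SEND_THRESHOLD:
            queue.append((score, c.title))
    return sorted(queue, key=lambda item: -item[0])

# Constructed sample data, not real search results.
KNOWN = ["https://example.org/known-mo"]
SAMPLE = [
    Candidate("https://example.com/losses?utm_source=x", "AI fraud losses hit $X billion", "stats", 9),
    Candidate("https://example.org/new-rule", "Regulator guidance on liveness checks", "regulation", 7),
    Candidate("https://WWW.example.org/known-mo/", "Writeup already ingested", "mechanism", 10),
    Candidate("https://www.example.net/opinion/", "Why fraud is getting worse", "commentary", 8),
    Candidate("https://example.org/liveness-bypass", "How a synthetic-identity ring beat liveness detection", "mechanism", 9),
]

if __name__ == "__main__":
    for score, title in triage(SAMPLE, KNOWN):
        print(score, title)
```

With the threshold above the stats cap, a high-relevance headline-number article can never reach the approval queue, which is the effect the quality bar is after.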

What I actually get out of it

Three things, in roughly the order I lean on them:

  1. A current map. When someone asks me what’s happening in APP fraud or autonomous AI agents, I open the MO page and read what the wiki has stitched together from the last several months of sources. It’s been more reliable than my memory and faster than searching from scratch.
  2. A drafting substrate. The wiki feeds my content — so far that’s this post, with a newsletter and longer essays still to come. I don’t write from a blank page; I write from a graph that’s already done the cross-linking. The LLM helps me draft.
  3. A queryable second brain. “What prevention controls have we seen for biometric session hijack?” “What detection techniques actually work against deepfakes?”

Where it goes next

The wiki is around 15 MOs and 38 prevention pages, and it’s been growing roughly weekly. The two next outputs I’m thinking about: a newsletter that turns each week’s ingests into something readable, and deep-dive research pieces that pull across risk domains — for example, “everything we know about email fraud,” stitched from BEC, phishing-training prevention, the LLM-vs-humans paper, and the rest.
