Fraud & Risk Investigator · P2P Payments

Lincoln Jairran

I turn scattered fraud signals into rules, playbooks and product fixes.

3+ years investigating social-engineering scams and payment fraud across LATAM and global P2P marketplaces at Binance. I specialize in finding the pattern hiding inside cases that look isolated on their own — then turning it into something a team can act on.

Bogotá, Colombia · Open to remote & relocation

01

About

I started in customer support at Binance, handling account issues and P2P trade disputes — the kind of frontline work where you see fraud land on real people in real time before anyone calls it fraud. That vantage point is where I learned to read a case for what it actually was, not just what the ticket said.

In 2022 I moved into a small taskforce dedicated to deep-dive scam investigations: cases too ambiguous or too well-disguised for a standard dispute review. Since then I've split my time between individual casework (link analysis, on-chain tracing, KYC verification) and self-initiated projects — mapping an organized scam ring across LATAM, flagging a payment-method vulnerability being actively exploited, and feeding a steady stream of process and tooling fixes back to Risk and Product.

What I'm good at: staying composed with someone mid-scam on the other end of a chat, spotting the one detail that reframes a whole case, and writing up findings so that someone who wasn't there can still act on them.

02

Impact, in numbers

First half of 2023, taskforce casework only

~3,000

Fraud cases reviewed in 6 months

~85%

Conclusively resolved (confirmed scam or confirmed legitimate)

5

Cross-functional teams partnered with (Risk, Security, Compliance/KYC, Earn, Product)

2

Internal training sessions designed and delivered on scam typologies

03

Experience

  1. Apr 2024 — Present

    P2P Dispute Analyst

    Binance

  2. Sep 2022 — Mar 2024

    Scam Analytics — P2P Investigator (Taskforce)

    Binance

  3. May 2022 — Aug 2022

    Customer Support — P2P Dispute Analyst

    Binance

  4. Nov 2021 — Apr 2022

    Customer Support — Account Function

    Binance

  5. Mar 2021 — Jul 2021

    Floor Support

    CINCH Home Services (Accedo SAS)

  6. Sep 2020 — Feb 2021

    Customer Service Agent

    CINCH Home Services (Accedo SAS)

04

Case Studies

Selected investigations and projects, described at a level that protects case-level and company-confidential detail.

Details below are generalized on purpose: user IDs, order IDs, bank accounts, wallet addresses, internal tool names and colleagues' names have been removed or replaced with descriptions of the pattern. Nothing here reveals exploitable technical detail about any live system.

Self-initiated investigation · Network analysis · Policy proposal

Mapping an organized "Man-in-the-Middle" scam ring in P2P markets

Traced a repeat-offender network hiding behind isolated-looking cases, then proposed the risk rules to shut the pattern down.

Read full investigation

Context

Frontline teams kept seeing sellers lose funds on peer-to-peer trades, but enforcement was rare: each case looked like an isolated user mistake rather than organized fraud, and the evidence on any single order was thin.

My role

I opened a self-directed investigation to find the pattern buried in the noise, working from raw order and dispute data rather than waiting for a case to be escalated to me.

What I did

  • Tracked every confirmed or suspected case in a working file and tagged accounts that recurred across more than one incident.
  • Flagged accounts that reused the same destination bank account across multiple, seemingly unrelated orders — including after a prior dispute had already been raised on one of them.
  • Cross-referenced shared devices to link accounts that looked unrelated on the surface.
  • Partnered with risk leads to validate each finding and get enforcement sign-off before any account action, to avoid penalizing genuine victims caught in the middle.
  • Reviewed messaging with a sample of affected sellers to validate the social-engineering script end-to-end — first contact, the pitch, and the justification used for the fraudulent payment details.

Findings

A recurring group of accounts was responsible for a disproportionate share of confirmed cases. Several had already adapted their behavior after a first warning — spacing out their activity and varying their approach specifically to stay under the threshold that would trigger a suspension. I documented the full attacker playbook end-to-end, from first outside contact to the final dispute.

Proposed risk rules

  • Restrict accounts from paying into third-party bank accounts flagged mid-trade; repeat offenses trigger a graduated suspension of trading privileges (temporary, escalating to extended).
  • Real-time in-chat detection for messages containing long numeric strings that resemble bank account numbers, prompting both parties with a warning and a direct escalation path before payment — rather than letting the trade proceed silently.
  • Require accounts to pre-register and verify any third-party account they intend to use, closing the loophole that let the ring rotate through "clean" accounts.

Outcome

Findings and proposed rules were shared with Risk and Product leadership; several accounts were suspended on the strength of the evidence trail, and the in-chat detection proposal directly informed a Risk-team initiative to flag bank-account-like strings during a live trade. I also authored the internal training material later used to onboard teammates on the scheme.

Vulnerability discovery · Fraud pattern detection · Escalation

Catching a live exploit in a regional instant-payment method

Spotted a payment-settlement anomaly being actively abused, escalated it past its playbook classification, and got the method pulled for remediation.

Read full investigation

Context

While reviewing unrelated disputes tied to a regional instant bank-transfer payment method, I noticed a recurring anomaly: a single proof of payment appeared to settle several separate trades against the same counterpart — same payment method, same amount, same parties — rather than one payment matching one trade.

My role

I isolated the pattern to confirm it wasn't a one-off input error, built a small evidence set across independent orders to show it was reproducible, and escalated it as a system-level issue rather than logging it as routine disputes.

What I did

  • Compared timestamps, amounts and counterparties across the affected orders to rule out coincidence or user error.
  • Packaged the evidence — affected order pairs, payment method, and the settlement pattern — for engineering and risk to reproduce independently.
  • Argued for classifying the exploiting accounts as confirmed fraud rather than merely "suspicious," since the behavior pattern (repeated exploitation, funds withdrawn to the same destination) met the bar on its merits even though the scenario wasn't explicitly named in the existing playbook.
  • Followed up over several weeks with the responsible team until the payment method was temporarily disabled pending a fix.

Outcome

The payment method was suspended for remediation while engineering investigated the root cause, the exploiting accounts were escalated for enforcement, and the case fed into a broader conversation about judging edge-case fraud on behavior rather than strict precedent.

The exact settlement mechanics are intentionally omitted here — this is described at the level needed to show the detection and escalation process, not to document a reproducible exploit.

Process improvement · Product feedback · Ops efficiency

Turning recurring support friction into scoped product requests

Kept a running log of tooling and process gaps hit during casework and packaged them as concrete, scoped requests instead of just working around them.

Read full investigation

Context

Alongside individual casework, I tracked friction that cost time or created inconsistent outcomes without adding any real safety — and wrote each one up as a specific, actionable request rather than a general complaint.

My role

Self-initiated reporting, usually raised directly with team leads and, where relevant, escalated to Product/Engineering.

What I did

  • Payment-method configuration gap: flagged that a widely-used instant payment method was being set up under the wrong transfer type by users, creating confusion and false dispute flags — proposed either listing it as its own method or issuing clear setup guidance.
  • Bulk-action bug: reported that a bulk "close all listings" action silently failed to close every listing, forcing manual, repeated clean-up — requested a reliable bulk action and a fix for the underlying failure.
  • Support tooling gap: proposed a way to re-enable a single restricted function (e.g. chat access) for an account without lifting every other restriction, so agents aren't forced to choose between a full unblock and no fix at all.
  • Completion-rate transparency: when traders disputed a drop in their trade completion rate, agents had no way to trace which specific past order caused it — proposed a lookup tool to identify the order and give the trader a direct path to appeal it.

Outcome

Several of these were validated and escalated by team leads, and some were later incorporated into tooling updates; others are still pending prioritization. Not every idea has shipped — but surfacing friction as a specific, scoped fix rather than absorbing it quietly is a habit I've kept consistently.

05

Skills

Fraud & risk

  • P2P & social-engineering scam typologies (man-in-the-middle, triangulation, third-party payment abuse)
  • Link / network analysis across accounts, devices and destination accounts
  • On-chain transaction tracing & source-of-funds review
  • Dispute and appeal adjudication under policy & SOP

Operations & collaboration

  • Cross-functional partnering with Risk, Security, Compliance/KYC and Product/Engineering
  • Investigation write-ups & internal training design
  • Mentoring and onboarding new investigators
  • Process and tooling gap analysis, written up as product feedback

Professional

  • Assertive, clear communication under pressure
  • Attention to detail and pattern recognition
  • Structured problem solving
  • Spreadsheet-based data analysis and case correlation

06

Let's talk

Open to fraud, risk, trust & safety, and technical support/solutions roles — especially where investigation meets product.