Why adversarial robustness in financial AI is not an engineering problem — it is a geometric property.
In February 2024, an employee at the engineering firm Arup joined what appeared to be a routine video call with the company’s CFO and several colleagues. Every face was familiar. Every voice was correct. The employee executed fifteen bank transfers totalling HK$200 million — roughly USD 25 million — before discovering that none of the people on the call existed. All of them were AI-generated deepfakes of real Arup staff, produced with off-the-shelf tools tuned against public video content. Hong Kong Police confirmed the loss. Arup confirmed its identity as the victim three months later.
The Arup case made headlines because the attack vector was dramatic. The less visible adversarial techniques, those aimed at the statistical ML models that now underpin credit decisions, anomaly detection, fraud screening, and algorithmic execution, represent a more structural risk. Published red-team research (Fursov et al. 2021 is the financial reference point) has repeatedly shown such models reversing their output when input features are perturbed at the fourth decimal place, with the model fully confident in the manipulated outcome and no anomaly detector firing, because the perturbation sits well inside ordinary estimation noise.
This is what an adversarial attack looks like in finance. It does not break the model. It convinces the model to agree with the attacker — quietly, confidently, within the bounds of what the model was trained to recognize.
As asset managers deploy machine learning for regime detection, anomaly screening, and risk classification, a question that was once academic is becoming operational: can your risk model be manipulated, and if so, would you know?
The honest answer for most production ML systems is: yes, and no.
There is, however, a class of models where the answer changes.
What attackers actually do
Adversarial attacks on ML systems fall into three families, each well-documented in the literature and increasingly observed in production.
Evasion attacks. The attacker crafts an input designed to be misclassified at inference time. The canonical method, the Fast Gradient Sign Method (FGSM, Goodfellow et al. 2014), computes the gradient of the model’s loss with respect to the input and moves every input coordinate by a fixed step ε in the sign of that gradient, the direction that increases the loss fastest, with ε small enough to remain imperceptible. Its iterative refinement, Projected Gradient Descent (PGD, Madry et al. 2017), repeats the step and projects the result back into the ε-ball around the original input after each iteration; it is today the reference benchmark for robustness. In a financial context, an evasion attack means a regime classifier induced to output “stable” when presented with manipulated correlation data, even when the underlying market structure has already deteriorated. The attacker does not need to move prices. A handful of basis points on the entries of a covariance matrix is sufficient.
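As an added example (not code from the article or from URF-4), the FGSM and PGD steps described above applied to a toy logistic-regression regime classifier over the 45 pairwise correlations of a 10-asset universe. The weights, bias, observed correlations, the ε budget and the 250-day window are constructed for the illustration. The last line of the result compares the attacker's budget with the ordinary sampling error of a correlation estimate, which is the threshold an anomaly detector keyed to estimation noise would be watching.

```python
import numpy as np

# Toy "regime classifier": logistic regression over the 45 upper-triangle
# entries of a 10x10 correlation matrix. Weights, bias and input are
# constructed for this example; they do not come from any real model.
N_FEATURES = 45
W = np.where(np.arange(N_FEATURES) % 2 == 0, 20.0, -20.0)  # alternating +/-20
B = -4.0
X_OBSERVED = np.full(N_FEATURES, 0.3)  # every pairwise correlation = 0.30
Y_TRUE = 1.0                            # 1 = "stressed", 0 = "stable"


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def logit(x, w=W, b=B):
    return float(w @ x + b)


def predict_proba(x, w=W, b=B):
    """P(regime = stressed | x)."""
    return float(sigmoid(logit(x, w, b)))


def grad_loss_wrt_input(x, y, w=W, b=B):
    """Gradient of binary cross-entropy with respect to the INPUT (not the
    weights). For logistic regression this is (p - y) * w."""
    return (predict_proba(x, w, b) - y) * w


def fgsm(x, y, eps):
    """Fast Gradient Sign Method: one step of size eps along sign(grad),
    which pushes the loss on the true label y upward."""
    return x + eps * np.sign(grad_loss_wrt_input(x, y))


def pgd(x, y, eps, alpha, steps):
    """Projected Gradient Descent: repeated signed steps of size alpha, each
    followed by projection onto the L-inf ball of radius eps around x and onto
    the valid correlation range [-1, 1]."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(grad_loss_wrt_input(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)  # stay inside the budget
        x_adv = np.clip(x_adv, -1.0, 1.0)         # stay a plausible correlation
    return x_adv


def correlation_std_error(rho, t_obs):
    """Large-sample standard error of a sample correlation, (1 - rho^2)/sqrt(T-1).
    Used to judge whether eps is inside ordinary estimation noise."""
    return (1.0 - rho ** 2) / np.sqrt(t_obs - 1)


def run_attack(eps=0.005, alpha=0.001, steps=10, t_obs=250):
    """Attack the observed input and report probabilities, budgets and the
    estimation-noise floor. eps = 0.005 is half a correlation point."""
    x_fgsm = fgsm(X_OBSERVED, Y_TRUE, eps)
    x_pgd = pgd(X_OBSERVED, Y_TRUE, eps, alpha, steps)
    return {
        "p_before": predict_proba(X_OBSERVED),
        "p_fgsm": predict_proba(x_fgsm),
        "p_pgd": predict_proba(x_pgd),
        "linf_fgsm": float(np.max(np.abs(x_fgsm - X_OBSERVED))),
        "linf_pgd": float(np.max(np.abs(x_pgd - X_OBSERVED))),
        "noise_floor": float(correlation_std_error(0.3, t_obs)),
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key:>12}: {value:.4f}")
```

For a linear model the PGD iteration saturates at the FGSM point, because the gradient sign never changes; the iteration earns its keep against non-linear models, where the loss surface turns along the way. The noise floor of roughly 0.058 is more than ten times the 0.005 budget that flips the classifier from "stressed" at 88% to "stable" at 92%, which is the sense in which the attack stays inside what the model was trained to recognize.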
Data poisoning. The attacker corrupts the training data to implant a backdoor. At deployment, a specific trigger pattern causes the model to misbehave in a targeted way. In finance: inject a specific combination of alternative-data features into public feeds, wait for them to appear in training sets, exploit the implanted behavior months later.
Model extraction. The attacker queries the model repeatedly to reconstruct an approximation of its internals — enough to then craft adversarial inputs offline against the surrogate. For APIs exposing ML-driven signals, this is a commercial threat, not a theoretical one.
Each of these vectors has a growing catalogue of defensive countermeasures: adversarial training, certified robustness, randomized smoothing, differential privacy. None of them closes the attack surface. They raise the cost. They do not eliminate it.
The reason is structural — and understanding it is the prerequisite to seeing why geometry changes the game.
What this has already cost the industry
Public disclosures in financial services remain rare — institutions do not advertise AI-enabled incidents that reach their systems — but the combination of confirmed cases, regulatory filings, and industry projections gives a shape to the exposure.
Confirmed incidents.
- Arup, February 2024 — USD 25 million. Fifteen transfers executed across a single deepfake video conference. Confirmed by Hong Kong Police and by Arup’s own disclosure in May 2024.
- UK energy sector, 2019 — USD 243 000. Voice-clone phone call imitating the parent-company CEO triggered a fraudulent transfer. The first widely documented AI voice-fraud case in corporate finance.
- Synthetic-identity account fraud, United States, 2023–2026. The Federal Reserve, FinCEN, and industry trackers have repeatedly flagged generative-AI-assisted synthetic identities as the leading growth vector in account-opening fraud. A March 2026 industry review classifies it as the fastest-growing category of financial fraud in 2026 (Fintech Global, Synthetic Identity Fraud — The Growing Threat in 2026). Individual institutions have disclosed remediation costs in the tens of millions; aggregate industry exposure is estimated in the low tens of billions per year.
Industry projections.
The FBI’s Internet Crime Complaint Center reported approximately USD 12.5 billion in cyber-enabled financial losses in 2023 — a figure that captures only incidents formally reported in the United States. Deloitte’s Center for Financial Services (Deepfake Banking Fraud Risk on the Rise, 2024) projects generative-AI-enabled fraud losses in banking and payments reaching USD 40 billion by 2027. The Bank for International Settlements’ Financial Stability Institute, in its Occasional Paper 24 (2024) on managing AI explainability, reframes adversarial manipulation of ML-based credit, trading, and compliance systems as a systemic concern rather than a tail risk — and argues that explainability alone is insufficient without demonstrable resilience to manipulation.
What remains invisible.
The academic literature on adversarial ML in production financial systems is dominated by theoretical demonstrations and controlled red-team exercises (Fursov et al. 2021 on transaction-record models; a growing body of 2022–2025 work on limit-order-book robustness). Confirmed production incidents are rarely disclosed — not because they do not happen, but because disclosure conflicts with regulatory, reputational, and legal interests.
The observed data is the lower bound of the exposure, not its measure.
The question for institutional investors is not whether their ML systems will face adversarial pressure. It is whether, when pressure is applied, the system will report it.
Why statistical models are structurally vulnerable
Adversarial examples are not a bug in specific ML architectures. They are a generic consequence of learning decision boundaries in high-dimensional flat spaces.
A neural network partitions its input space — which is, for all practical financial applications, ℝⁿ with n large — into regions labeled by its output classes. In high dimensions, this partition has a counter-intuitive property: almost any input sits close to a decision boundary. A perturbation of magnitude ε in the right direction is enough to cross from one class to another.
The intuition is that in d dimensions, the volume of a thin shell near the surface of a ball dominates the total volume as d grows: the fraction of a unit d-ball lying within ε of its surface is 1 − (1 − ε)^d, which tends to 1 for any fixed ε. Nearly every point is “near the edge” of something. The adversary’s task is to find the right direction and push.
Goodfellow’s 2014 paper framed this structurally: adversarial examples arise from the linear behavior of neural networks in high-dimensional spaces. A decade of follow-up research has produced many defenses, and none of them closes the gap, because the gap is not in the model. It is in the space.
ℝⁿ is permissive: any point can be moved in any direction, by any amount, for free. The space imposes no constraint on the attacker.
This is where geometry changes the game.
Geometry is not permissive
URF-4 does not operate on raw price vectors in ℝⁿ. It operates on correlation matrices — mathematically, symmetric positive definite matrices, elements of a set denoted SPD(n).
SPD(n) is not a flat space. It is a Riemannian manifold: a curved geometric object with its own intrinsic notion of distance, tangent vectors, and geodesics. The natural distance on SPD(n) — what URF-4 uses under the name Papadopoulos Distance (Dp) — is not Euclidean. It is the length of the shortest path between two points that stays on the manifold.
This one change of setting has two consequences for adversarial robustness.
1. Not every perturbation is admissible
If an attacker wants to move a correlation matrix to change URF-4’s output, the perturbation must preserve symmetry, the unit diagonal, and positive-definiteness. Most directions in the ambient space ℝ^(n×n) fail this test outright: an asymmetric perturbation, or one that touches the diagonal, does not yield a correlation matrix at all, which removes more than half of the ambient degrees of freedom before positive-definiteness is even considered. Along the remaining symmetric, zero-diagonal directions the attacker’s budget is bounded: the step must keep every eigenvalue positive, so the closer the matrix sits to the boundary of SPD(n) (the smaller its least eigenvalue), the less room there is to move. Any valid perturbation lives in the tangent space of the manifold at the current point, a constrained subspace governed by the manifold’s geometry.
This is not a matter of defensive engineering. The space itself refuses most perturbations.
2. Geodesic distance is globally aware
Euclidean distance between two points ignores what lies between them. Geodesic distance on SPD(n) is determined by the entire path, and paths on curved manifolds bend. The standard (affine-invariant) Riemannian distance on SPD(n) is measured through the logarithms of eigenvalue ratios, so a small ambient perturbation can correspond to a large geodesic perturbation, most sharply when the matrix sits close to the boundary of the manifold, where its smallest eigenvalues are near zero. An adversary attempting to move the correlation matrix by an imperceptible Euclidean ε may produce a Dp signal that is anything but imperceptible.
The statistical intuition of “small perturbation implies small change” is a property of flat space. It does not survive contact with curvature.
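As an added example (not the article's or URF-4's code, and not an implementation of the Papadopoulos Distance, which the page does not define), the two consequences above checked numerically on 5×5 equicorrelation matrices. The standard affine-invariant geodesic distance on SPD(n) stands in for Dp; the matrices, perturbation sizes, trial counts and seed are constructed for the illustration.

```python
import numpy as np


def equicorrelation(n, rho):
    """n x n correlation matrix with every off-diagonal entry equal to rho.
    Eigenvalues are 1 + (n-1)*rho (once) and 1 - rho (n-1 times), so rho -> 1
    drives the matrix toward the boundary of SPD(n)."""
    return (1.0 - rho) * np.eye(n) + rho * np.ones((n, n))


def is_valid_correlation(c, tol=1e-12):
    """Admissibility check: square, symmetric, unit diagonal, positive definite."""
    if c.ndim != 2 or c.shape[0] != c.shape[1]:
        return False
    if not np.allclose(c, c.T, atol=tol):
        return False
    if not np.allclose(np.diag(c), 1.0, atol=tol):
        return False
    return bool(np.linalg.eigvalsh(c).min() > tol)


def affine_invariant_distance(a, b):
    """Geodesic distance on SPD(n) under the affine-invariant metric:
    || log(A^{-1/2} B A^{-1/2}) ||_F. Assumption: this standard Riemannian
    distance stands in for the article's Dp, which is not specified here."""
    vals, vecs = np.linalg.eigh(a)
    a_inv_sqrt = vecs @ np.diag(1.0 / np.sqrt(vals)) @ vecs.T
    m = a_inv_sqrt @ b @ a_inv_sqrt
    m = (m + m.T) / 2.0                       # remove round-off asymmetry
    log_eig = np.log(np.linalg.eigvalsh(m))   # positive eigenvalues when b is SPD
    return float(np.sqrt(np.sum(log_eig ** 2)))


def frobenius_distance(a, b):
    """Flat (Euclidean) distance between the same two matrices."""
    return float(np.linalg.norm(a - b))


def admissible_fraction(c, eps, trials=200, seed=0, tangent_only=False):
    """Fraction of random perturbations with entries in [-eps, eps] that leave c
    a valid correlation matrix. tangent_only=True restricts the draw to the
    symmetric, zero-diagonal directions, the only ones that can ever be valid."""
    rng = np.random.default_rng(seed)
    n = c.shape[0]
    ok = 0
    for _ in range(trials):
        p = rng.uniform(-eps, eps, size=(n, n))
        if tangent_only:
            p = np.triu(p, 1)
            p = p + p.T                       # symmetric, zero diagonal
        ok += is_valid_correlation(c + p)
    return ok / trials


def geodesic_vs_euclidean(n, rho, delta):
    """Lower every off-diagonal correlation by delta and return the Euclidean
    and geodesic lengths of that move. The Euclidean length is the same for
    any rho; the geodesic length is not."""
    a = equicorrelation(n, rho)
    b = equicorrelation(n, rho - delta)
    return frobenius_distance(a, b), affine_invariant_distance(a, b)


if __name__ == "__main__":
    well = equicorrelation(5, 0.30)   # least eigenvalue 0.70: interior
    edge = equicorrelation(5, 0.99)   # least eigenvalue 0.01: near the boundary
    print("raw ambient perturbations admitted:      ", admissible_fraction(well, 0.02))
    print("tangent perturbations admitted, rho=0.30:", admissible_fraction(well, 0.02, tangent_only=True))
    print("tangent perturbations admitted, rho=0.99:", admissible_fraction(edge, 0.02, tangent_only=True))
    for rho in (0.30, 0.99):
        euc, geo = geodesic_vs_euclidean(5, rho, 0.005)
        print(f"rho={rho:.2f}: euclidean={euc:.4f} geodesic={geo:.4f} ratio={geo / euc:.1f}")
```

Two things to read off the output. Raw ambient perturbations are never admitted, and tangent-space perturbations that are always admitted at ρ = 0.30 are almost always rejected at ρ = 0.99, which is the bounded-budget point. The same half-point move of every correlation has the same Euclidean length (√20 × 0.005 ≈ 0.0224) in both settings, but its geodesic length grows from about 0.017 in the interior to about 0.81 near the boundary, roughly 48 times larger for an identical flat-space ε. The caveat runs the other way too: in the interior, geodesic and Euclidean lengths are of the same order, so the amplification is a property of where the market sits on the manifold, not a blanket guarantee.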
Ricci curvature as a differential invariant
URF-4’s second geometric signal is Ricci curvature — a pointwise measure of how the manifold warps around a given configuration. Ricci curvature is a second-order differential invariant: it depends on the second derivatives of the metric tensor.
The consequence for robustness is strong.
Because the curvature estimate draws on the surrounding configuration of observations rather than on one input, and because it depends on second derivatives of the metric, an isolated perturbation, the kind an adversarial attack introduces by design, is one sample among many and does not shift it. To move the Ricci signal, an attacker must introduce a coherent, large-scale deformation of the covariance structure. But coherent large-scale deformation of a market’s correlation manifold is precisely what URF-4 is designed to detect as a regime change.
Put differently: to fool URF-4’s Ricci signal, the attacker must simulate a crisis. At which point, the system correctly reports a crisis.
The detector cannot be defeated without triggering itself.
This is the sense in which URF-4’s adversarial robustness is not engineered. It is a consequence of where the system lives. The mathematics does the security work, and it does it passively, without tuning, without patching.
What this means for asset managers and regulators
The distinction between statistical and structural robustness is rapidly moving from academic discourse to regulatory reality.
The EU AI Act (Regulation 2024/1689), the SEC’s 2023 proposed rule on predictive data analytics, MiFID II’s validation requirements, and Solvency II’s internal-model approval framework are all converging on a single operational question: can you demonstrate, under scrutiny, that your AI-driven risk model cannot be manipulated in ways you cannot detect?
For a statistical ML model, the answer is structurally negative. You can raise the cost of attack, monitor for known attack signatures, retrain on hardened data. You cannot prove the absence of a successful adversarial example, because the attack surface — flat high-dimensional space — does not close.
For a geometric model, the answer is different. The auditable trail is the manifold itself. Every signal corresponds to an identifiable geodesic deformation. Every deformation must respect the manifold’s structural constraints. There is no “silent” adversarial input — inputs that violate the manifold fail at the boundary, and inputs that respect it produce signals that are, by construction, faithful to genuine structural change.
For a chief risk officer, this translates into three operational properties:
- Auditability — every URF-4 signal decomposes into a geodesic deformation with a known geometric provenance.
- Non-repudiation — every signal is reproducible from the recorded manifold state, so the model cannot emit a signal that the observed state does not support.
- Detectability of manipulation — any coherent attempt to bias the signals registers as a regime change, which is already the system’s job.
These are not properties one achieves through defensive engineering. They are properties one inherits by choosing the correct mathematical setting.
A note on humility
This article does not claim that URF-4 is unconditionally secure, nor that geometric methods are immune to all forms of attack. Targeted adversarial attacks on SPD(n) and its associated distance metrics are an active research frontier. New attack vectors — possibly specific to Riemannian models — may emerge.
The claim is narrower and defensible: the attack surface of statistical ML in high-dimensional flat space is structurally open, and a decade of mitigation research has not closed it. The attack surface of geometric models on constrained manifolds is structurally narrower, and what narrowness remains is mathematically characterizable rather than empirically estimated.
In risk management, that distinction is not cosmetic. It is the difference between monitoring for unknowns and bounding them.
The Econosysmograph position
URF-4 was not designed as a cyber-defense system. It was designed to read the causal geometry of market risk: to detect structural instability in correlation manifolds before it appears in prices. SPD(n), the Papadopoulos Distance, and Ricci curvature are mathematical choices made to capture how markets change their state, not how to resist adversarial inputs.
The adversarial robustness emerged as a downstream consequence. Models that operate on constrained geometric objects inherit constraints on what can be done to them. In a world of increasingly adversarial AI, this inheritance is turning from a mathematical curiosity into an operational asset.
Validation across four major crises — the dot-com bubble (2000), the global financial crisis (2008), the COVID shock (2020), the 2026 trade-war regime — shows an average lead time of 332 days, zero false positives over 26 years of out-of-sample testing, and full geometric traceability of every signal. These numbers describe the system’s primary function. The cyber-robustness is the quiet benefit beneath them.
You don’t need to defend against adversaries in a space they must first deform to enter.
References and further reading
Academic — adversarial ML foundations
- Goodfellow, I., Shlens, J., Szegedy, C. (2014). Explaining and Harnessing Adversarial Examples. arXiv:1412.6572
- Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A. (2017). Towards Deep Learning Models Resistant to Adversarial Attacks. arXiv:1706.06083
- Carlini, N., Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks. IEEE Symposium on Security and Privacy.
- Fursov, I. et al. (2021). Adversarial Attacks on Deep Models for Financial Transaction Records. KDD 2021.
Industry & regulatory
- FBI Internet Crime Complaint Center (2024). 2023 Internet Crime Report.
- Deloitte Center for Financial Services (2024). Deepfake Banking Fraud Risk on the Rise. deloitte.com
- Fintech Global (2026). Synthetic Identity Fraud — The Growing Threat in 2026, March 2026. fintech.global
- Bank for International Settlements, Financial Stability Institute (2024). Occasional Paper No 24 — Managing explanations: how regulators can address AI explainability. bis.org/fsi/fsipapers24.pdf
- European Union (2024). Artificial Intelligence Act, Regulation 2024/1689.
- U.S. Securities and Exchange Commission (2023). Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers, Proposed Rule.
URF-4 methodology
- Papadopoulos, E. (2024–2026). Universe Risk Framework — Papers 1–4. SSRN.
For the full URF-4 methodology and backtesting protocols, see our Research page or the author’s SSRN listings.
For institutional access or POC discussion: contact@econosysmographe.eu
Econosysmographe™ · SmartGreenInvest Ltd · Reg. England & Wales No. 14636473 · Confidential.
Educational purpose only. Not financial advice.