The Feature-Space Illusion: Exposing Practical Vulnerabilities in Blockchain GNN Fraud Detection

Graph Neural Networks form the backbone of modern blockchain fraud detection, yet their robustness against economically-motivated adversaries operating under real-world constraints remains entirely unexamined. We identify a fundamental gap: existing adversarial machine learning assumes arbitrary feature manipulation, while blockchain adversaries face an inverse feature-mapping problem—they must synthesize costly, cryptographically-valid transactions that produce desired perturbations through deterministic feature extraction. We present the first adversarial framework tailored to blockchain's problem-space constraints, leveraging GNN gradients to guide transaction synthesis while introducing a probability-weighted objective for multi-account fraud rings that naturally prioritizes evasion bottlenecks. Comprehensive evaluation across seven architectures on ETHFRAUD-30K—a new dataset of 633,244 real Ethereum transactions among 30,231 addresses—reveals critical vulnerabilities. Attention mechanisms fail catastrophically: GATv2 suffers 78.4% attack success rate with merely 2–3 transactions costing negligible amounts relative to fraud proceeds. Remarkably, GraphSAGE achieves Pareto optimality, combining superior detection (F1=0.905) with strong robustness (85.2% resistance), suggesting sampling-based aggregation produces inherently more stable decision boundaries than adaptive attention. Investigation of defenses reveals that adversarial training benefits architectures with learnable aggregation (up to 53.6% improvement) but degrades sampling-based models, while limited cross-architecture transferability suggests ensemble defenses as a promising direction. As GNN-based detection becomes critical DeFi infrastructure, our work underscores the urgent need for adversarially-resilient architectures; we release our framework to enable rigorous security evaluation of deployed systems.