By AUJay
supply chain blockchain consulting + web3 blockchain intelligence: Detecting Fraud with Onchain Signals
Short description: Decision-makers are under pressure from DSCSA, EU Battery Regulation, and incoming Digital Product Passports. This guide shows exactly how to wire GS1 EPCIS 2.0, W3C Verifiable Credentials 2.0, and selective onchain anchoring to surface fraud signals you can act on in days—not quarters. (fda.gov)
Who this is for
- Startup COOs and enterprise VPs of Supply Chain, Quality, Compliance, or Sustainability.
- Teams evaluating blockchain not for hype, but to reduce counterfeits, speed audits, and pass regulatory checks with fewer people.
We’ll cut the fluff. Below are concrete patterns, data schemas, and signals we deploy at 7Block Labs to detect fraud across pharma, EV batteries, industrial components, and apparel.
Why this matters now: the 2025–2028 regulatory clock
- U.S. pharma (DSCSA): FDA’s “stabilization period” ended November 27, 2024; FDA then issued targeted exemptions for those who had initiated systems—manufacturers/repackagers until May 27, 2025; wholesalers until August 27, 2025; dispensers with ≥26 FTEs until November 27, 2025; “small dispensers” (≤25 pharmacist/tech FTEs) until November 27, 2026. Expect scrutiny to ramp. (fda.gov)
- EU Battery Regulation (2023/1542): Battery passports (QR-accessible electronic records) mandatory from February 18, 2027 for EV, industrial >2kWh, and LMT batteries. Annex XIII defines tiered data access. (eur-lex.europa.eu)
- Ecodesign for Sustainable Products Regulation (ESPR) and Digital Product Passports (DPP): Regulation entered into force July 18, 2024; first working plan in 2025; product-specific delegated acts land 2026+, with first requirements likely 2027/28 (textiles, steel, aluminum, etc.). Budget now for data models and resolvers. (consilium.europa.eu)
- Forced-labor enforcement (UFLPA): DHS expanded the Entity List to 144 entities by Jan 2025; CBP has reviewed 16,700+ shipments (~$3.7B) since 2022, with detentions rising through 2025, spotlighting upstream metals and components. Expect higher evidentiary standards on provenance. (dhs.gov)
The play: marry supply chain standards + verifiable identity + light onchain anchoring
The biggest wins come from combining three layers:
- Supply chain events and identifiers that your teams already use
  - GS1 EPCIS/CBV 2.0 for event streams (What, When, Where, Why, How) in JSON-LD, including sensor data; GS1 Digital Link to resolve identifiers via 2D codes. (gs1.org)
- Verifiable identity and attestations
  - W3C Verifiable Credentials 2.0 is now a W3C Recommendation (May 15, 2025). Use VCs for certs (origin, PCF, GMP), role grants, and audit trails; use Bitstring Status Lists to revoke at scale. DIDs v1.0 gives portable identifiers for orgs, locations, and devices. (w3.org)
  - Hardware trust for IoT: IETF RATS (RFC 9334) and EAT (RFC 9711) give standard formats to attest a logger’s firmware, keys, and measurement provenance before you trust its temperature trace. (ietf.org)
- Onchain intelligence—not “everything onchain,” just the immutable breadcrumbs you’ll need during disputes
  - Hash-anchored EPCIS batches; revocation registries for VCs; non-transferable identifiers to prevent “double-spend of serials” (ERC‑5192 SBTs) and optional physical-asset NFTs for device-bound items (ERC‑4519). (eips.ethereum.org)
Fraud you can actually see: the onchain signals that matter
Below are the highest-signal patterns we deploy. Each pairs an offchain data standard with a minimal onchain footprint so you can query risk in minutes.
- Duplicate-serial reuse across partners
  - How: Issue a non-transferable ERC‑721 per serialized unit using ERC‑5192; mint only when EPCIS ObjectEvent with commissioning is received and verified. Raise alerts on any attempt to mint a second token for the same GTIN+serial or when a “locked=false” state appears in a contract that should be permanently locked. (eips.ethereum.org)
- Teleportation and time-inconsistency in event logs
  - How: For each EPCIS ID, compute travel-time constraints between successive readPoints; flag if haversine distance implies >1,000 km/h for a refrigerated pallet, or if eventTime < previous eventTime. Anchor daily Merkle roots of the EPCIS stream to L2 to prevent later “time travel” edits. (gs1.org)
- “Phantom inventory” inflation
  - How: Compare onchain supply of item-tokens to the last-good EPCIS aggregation hierarchies (case→pallet→container). If supply jumps without a corresponding AggregationEvent/DisaggregationEvent proof in the anchored batch, hold fulfillment. Use PoR-style circuit breakers on token mint if reserve proofs (anchored EPCIS counts) fail. (gs1.org)
- Revoked or expired credentials at the edge
  - How: Require VC 2.0 for lab test results, site certifications, and PCF; evaluate proofs and status lists before accepting an EPCIS capture. Alert if an attestation is missing, expired, or revoked in a bitstring status list. (w3.org)
- UFLPA entity exposure in upstream attestations
  - How: Map supplier DIDs in VCs to legal entities; automatically screen against the UFLPA Entity List. If any entity or facility in a bill of materials is listed (or linked via addresses/DUNS to a listed entity), quarantine the lot and prepare rebuttal evidence. (dhs.gov)
- Battery passport inconsistencies
  - How: For EV batteries, verify that battery passport payloads include Annex XIII fields and that PCF/ESG claims line up with GBA rulebooks. Cross-check QR-resolved passports against a Catena‑X compliant endpoint to ensure role-based views and provenance VCs exist. Alert on missing field groups or mismatch in recycled content claims. (eur-lex.europa.eu)
- eBL fraud and title conflicts
  - How: As carriers move to 100% eBL by 2030 and interoperability is now proven across platforms, validate a bill’s current custody via the DCSA control registry or TradeTrust verification. Raise a dispute if two platforms claim control over the same title hash. (dcsa.org)
- “Sensor says yes, device says no”
  - How: For temperature/tilt sensors, require an EAT-signed VC from the device trust anchor. If EPCIS includes sensor readings without a matching device attestation chain (RATS/EAT), downgrade confidence or mark as unverifiable. (ietf.org)
- Resolver mismatch on DPP/QR scans
  - How: GS1 Digital Link 1.6.0 formalizes resolver behavior. If a scanned code resolves to a domain not controlled by the brand owner or a conformant resolver, or if link types don’t match your policy (e.g., “gs1:traceability” missing), treat as potential spoofing. (gs1.org)
- Package-level DSCSA gaps
  - How: For U.S. pharma, enforce package-level identifiers and interoperable exchange. If your trading partner falls under an exemption window, log that reliance explicitly and tighten suspect/illegitimate product investigations where their electronic link is missing or delayed. (fda.gov)
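The teleportation and time-inconsistency signal above, as an added example (not 7Block Labs' code): it walks EPCIS ObjectEvents in capture order and flags hops faster than 1,000 km/h or an eventTime earlier than the previous one. The read-point coordinates, event IDs and EPCs are constructed sample data, and the read-point lookup table is an assumption about how locations are geocoded.

```python
import math
from datetime import datetime

MAX_KMH = 1000.0  # speed ceiling from the signal description above

# Constructed sample data: read point id -> (lat, lon); the ids are hypothetical.
READ_POINTS = {"urn:example:rp:shenzhen": (22.54, 114.06),
               "urn:example:rp:rotterdam": (51.95, 4.14)}
A = "urn:epc:id:sgtin:0614141.107346.2017"
B = "urn:epc:id:sgtin:0614141.107346.2018"

def make_event(event_id, time, read_point, epc):
    """Minimal EPCIS 2.0 ObjectEvent with only the fields this check reads."""
    return {"type": "ObjectEvent", "eventID": event_id, "eventTime": time,
            "readPoint": {"id": read_point}, "epcList": [epc]}

SAMPLE_EVENTS = [  # constructed, in capture (arrival) order
    make_event("e1", "2025-03-01T08:00:00Z", "urn:example:rp:shenzhen", A),
    make_event("e2", "2025-03-01T17:00:00Z", "urn:example:rp:rotterdam", A),  # 9 h later
    make_event("e3", "2025-03-01T08:00:00Z", "urn:example:rp:shenzhen", B),
    make_event("e4", "2025-04-02T08:00:00Z", "urn:example:rp:rotterdam", B),  # plausible
    make_event("e5", "2025-03-20T08:00:00Z", "urn:example:rp:rotterdam", B),  # before e4
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0088 * math.asin(math.sqrt(h))

def find_anomalies(events, read_points, max_kmh=MAX_KMH):
    """Return (epc, signal, eventID) for every impossible hop or time inversion."""
    last, alerts = {}, []   # last: epc -> (eventTime, readPoint id) last accepted
    for ev in events:
        t = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        rp = ev["readPoint"]["id"]
        for epc in ev["epcList"]:
            if epc in last:
                prev_t, prev_rp = last[epc]
                hours = (t - prev_t).total_seconds() / 3600
                km = haversine_km(read_points[prev_rp], read_points[rp])
                if hours < 0:
                    alerts.append((epc, "TIME_INVERSION", ev["eventID"]))
                    continue    # keep the later timestamp as the baseline
                if km > 0 and (hours == 0 or km / hours > max_kmh):
                    alerts.append((epc, "TELEPORT", ev["eventID"]))
            last[epc] = (t, rp)
    return alerts
```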
Concrete architecture: a minimal, standards-first stack
- Identity and credentials
  - DIDs for organizations, facilities, and devices (did:web to start; upgrade later).
  - W3C VC 2.0 for: supplier onboarding, GMP/ISO certs, lab results, PCF, framework agreements (as in Catena‑X). (w3.org)
- Supply chain events
  - EPCIS 2.0 JSON-LD + CBV 2.0; use OpenEPCIS examples to bootstrap event formats.
  - Include sensorElement for temperature and shock; link GS1 Digital Link URIs to items/locations. (gs1.org)
- IoT attestation
  - Ship devices that produce EATs; verify per RATS; bind device address to an ERC‑4519 token if you need device-led signing. (ietf.org)
- Onchain anchors and registries
  - Daily Merkle root of EPCIS event batches to an EVM L2; publish a VC Status List and certificate revocation timeline onchain.
  - Use ERC‑5192 for non-transferable item tokens to prevent serial double-spend; reserve ERC‑4519 for device-tethered assets. (eips.ethereum.org)
- Interoperable trade docs
  - Accept eBLs that can be verified via DCSA interoperability or TradeTrust receipts (compliant with MLETR, UK ETDA). (dcsa.org)
- Oracles and risk guardrails
  - Where tokenization represents physical lots, use PoR-like checks to pause minting if anchored reserves or EPCIS counts don’t match. Chainlink’s PoR capability and SOC2/ISO certs make it acceptable in enterprise GRC reviews. (chain.link)
Three domain examples with step-by-step signals
1) Pharma DSCSA: stopping reintroduced saleable returns
- Data capture: Manufacturer commissions units (EPCIS ObjectEvent; eventID + SGTIN list).
- Identity: Manufacturer issues a VC 2.0 asserting GTIN-serial ranges for the lot; publishes revocation list. (gs1.org)
- Onchain: Merkle root of the day’s EPCIS events anchored to L2; ERC‑5192 tokens minted per serial. (eips.ethereum.org)
- Signal: A wholesale return appears with an eventTime older than the latest DisaggregationEvent; or a token transfer attempt is seen for a non-transferable item (should never happen). Flag as suspect and open a 582(g) investigation workflow; if the partner is operating under an FDA exemption window, require additional documentary proof-of-ownership. (fda.gov)
Result: Time to detection shrinks from days to minutes; your team has cryptographic roots for the lot history if state/federal inspectors or manufacturers request trace data.
2) EV batteries: passport truth vs. marketing claims
- Data capture: Battery passport includes PCF, recycled content, material origins; QR is tied to the pack’s unique ID. (eur-lex.europa.eu)
- Identity: Smelter, cathode maker, and pack plant each issue VC 2.0; device test stands produce EAT-backed measurements for capacity/impedance. (w3.org)
- Interop: Validate via Catena‑X-compliant DPP app and EDC; role-based data filtering enforced. (github.com)
- Signals:
  - Passport missing mandatory Annex XIII fields.
  - PCF claims not aligned with the GBA Greenhouse Gas rulebook methodology.
  - Any upstream entity matches UFLPA Entity List—quarantine the pack pending remediation. (eur-lex.europa.eu)
Outcome: You avert regulatory exposure before product launch; QR scans resolve to an authorized, conformant resolver under your control. (gs1.org)
3) Apparel DPP under ESPR: real-time counterfeit interdiction
- Context: Textiles are in the early ESPR working plan; first delegated acts expected to bite 2027/28. (hsfkramer.com)
- Data capture: EPCIS 2.0 for cut/make/trim events; GS1 Digital Link 2D codes on hangtags. (gs1.org)
- Signals:
  - Store scans resolving to a domain not on your GS1-conformant resolver allowlist.
  - Serial minted twice (SBT prevents this); or EPCIS says Shenzhen→Rotterdam in 9 hours.
- Enforcement: Auto-generate a VC 2.0 “authentication failed” presentation for the confiscated item and forward to marketplaces/logistics providers to accelerate takedowns.
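The resolver allowlist signal above, as an added example (not the authors' code): it parses a scanned GS1 Digital Link URI, checks the host against an allowlist, validates the GTIN check digit and compares the link types the resolver advertises with policy. The allowlisted host, the sample GTIN and the required link type set are assumptions, and only AI 01 (GTIN) and AI 21 (serial) are read.

```python
from urllib.parse import urlsplit, unquote

RESOLVER_ALLOWLIST = {"id.brand.example"}   # hypothetical brand-controlled resolver
REQUIRED_LINK_TYPES = {"gs1:traceability"}  # policy example from the text above

# Constructed sample scan; the GTIN is a made-up value with a valid check digit.
SAMPLE_SCAN = "https://id.brand.example/01/09506000134352/21/ABC123"

def gtin_check_digit_ok(gtin):
    """GS1 mod-10 check: weights 3,1,3,... from the digit left of the check digit."""
    if not gtin.isdigit() or len(gtin) not in (8, 12, 13, 14):
        return False
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])

def parse_digital_link(uri):
    """Return (scheme, host, gtin, serial); host comes from hostname, not netloc."""
    u = urlsplit(uri)
    parts = [unquote(p) for p in u.path.split("/") if p]
    start = parts.index("01") if "01" in parts else len(parts)  # skip any path prefix
    keys = parts[start:]
    ais = dict(zip(keys[0::2], keys[1::2]))   # AI -> value pairs
    return u.scheme, (u.hostname or "").lower(), ais.get("01"), ais.get("21")

def assess_scan(uri, link_types):
    """Return a list of findings; an empty list means the scan passed policy."""
    scheme, host, gtin, serial = parse_digital_link(uri)
    findings = []
    if scheme != "https":
        findings.append("NOT_HTTPS")
    if host not in RESOLVER_ALLOWLIST:
        findings.append("RESOLVER_NOT_ALLOWLISTED")
    if not gtin or not gtin_check_digit_ok(gtin):
        findings.append("BAD_GTIN")
    if not serial:
        findings.append("NO_SERIAL")
    missing = REQUIRED_LINK_TYPES - set(link_types)
    if missing:
        findings.append("MISSING_LINK_TYPES:" + ",".join(sorted(missing)))
    return findings
```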
Implementation blueprint: 90 days to “fraud radar”
Phase 0: Scope and controls (2 weeks)
- Pick a product family and a lane (e.g., US pharma saleable returns; EU-bound EV packs).
- Inventory identifiers: GTIN/SSCC/GLN; serialization coverage; where EPCIS 2.0 is feasible now.
- Decide DID method (did:web to start) and VC issuers (QA, Compliance, 3rd-party labs). (w3.org)
Phase 1: Data and identity (3–4 weeks)
- Stand up EPCIS 2.0 capture/queries (REST); adopt CBV 2.0 vocabularies.
- Issue first VCs: supplier onboarding, site certs, and framework agreements (Catena‑X style).
- Create a VC Status List endpoint and governance (revocation policy). (gs1.org)
Phase 2: Anchoring and tokens (2 weeks)
- Batch EPCIS events daily, hash to a Merkle root, anchor to an L2.
- Mint ERC‑5192 item SBTs for serialized products (optional ERC‑4519 for devices). (eips.ethereum.org)
Phase 3: Signals and SOC runbooks (2 weeks)
- Implement the 10 signals above as queries across: EPCIS store, VC registry, UFLPA screen, and onchain anchors.
- Wire alerting to your existing SIEM; write SOPs for DSCSA suspect product, EU passport gaps, and UFLPA escalations. (fda.gov)
Phase 4: Interoperable trade docs (parallel)
- Accept/verify eBLs and LCs via DCSA/TradeTrust flows; maintain evidence bundles for audits. (dcsa.org)
Data model specifics you can copy
- EPCIS JSON-LD context: https://ref.gs1.org/standards/epcis/2.0.0/epcis-context.jsonld; use ObjectEvent, AggregationEvent, and sensorElement with uom per UNECE Rec 20. (openepcis.io)
- GS1 Digital Link: adopt 1.6.0; configure a GS1-conformant resolver so QR scans return role-appropriate links (consumer vs. verifier vs. recycler). (gs1.org)
- Verifiable Credentials 2.0: use Data Integrity or JOSE/COSE proofs; plan status via Bitstring Status List 1.0. (w3.org)
- IoT trust: have devices emit EAT (CBOR/COSE) with boot state, firmware hash, and key material references; verify via RATS. (ietf.org)
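The status check behind the Bitstring Status List item above, as an added example (not from the original page): it decodes an encodedList and returns ok, missing, expired or revoked for one credential. Proof verification of both credentials is assumed to have happened already; the issuer URL, the index and the encode_list helper are constructed for the sample.

```python
import base64
import gzip
from datetime import datetime, timezone

MIN_BITS = 131072  # minimum list length (16 KB) in Bitstring Status List v1.0

def encode_list(revoked, size_bits=MIN_BITS):
    """Issuer side; used here only to construct the sample list."""
    bits = bytearray(size_bits // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)
    packed = base64.urlsafe_b64encode(gzip.compress(bytes(bits)))
    return "u" + packed.decode().rstrip("=")

def decode_list(encoded_list):
    """Multibase 'u' (base64url, no padding) -> gunzip -> raw bitstring."""
    if not encoded_list.startswith("u"):
        raise ValueError("expected multibase base64url prefix 'u'")
    b64 = encoded_list[1:]
    raw = gzip.decompress(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    if len(raw) * 8 < MIN_BITS:
        raise ValueError("status list shorter than the minimum length")
    return raw

def bit_is_set(bits, index):
    """Index 0 is the left-most (most significant) bit of the first byte."""
    if not 0 <= index < len(bits) * 8:
        raise ValueError("statusListIndex out of range")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))

def check_credential(vc, status_list_vc, now=None):
    """Return 'ok', 'missing', 'expired' or 'revoked'; anything unclear is not 'ok'."""
    now = now or datetime.now(timezone.utc)
    entry = vc.get("credentialStatus")
    if not entry or entry.get("type") != "BitstringStatusListEntry":
        return "missing"
    until = vc.get("validUntil")
    if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
        return "expired"
    subject = status_list_vc["credentialSubject"]
    if (entry["statusListCredential"] != status_list_vc["id"]
            or entry["statusPurpose"] != subject["statusPurpose"]):
        return "missing"    # entry points at a different list or purpose
    bits = decode_list(subject["encodedList"])
    return "revoked" if bit_is_set(bits, int(entry["statusListIndex"])) else "ok"

# Constructed sample: hypothetical issuer list with index 94567 revoked.
STATUS_LIST_VC = {"id": "https://issuer.example/status/3", "credentialSubject": {
    "statusPurpose": "revocation", "encodedList": encode_list([94567])}}
```

When the list comes from an issuer you do not control, cap the decompressed size before trusting the gzip output.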
KPIs our clients track
- Percent of serialized units with EPCIS 2.0 + VC coverage, anchored onchain (target >95%). (gs1.org)
- Mean time to detect counterfeit attempt (target <10 minutes from first suspicious scan).
- DSCSA request response time for TI/TS at package-level (target <1 hour during audits). (fda.gov)
- EV battery passport completeness score (Annex XIII coverage) and PCF methodology conformance rate. (eur-lex.europa.eu)
- UFLPA “clean” clearance rate (no holds) and cycle time to rebuttal package (target <72 hours). (dhs.gov)
Emerging practices we recommend
- Anchor less, prove more: Hash entire EPCIS days into a single Merkle root to keep gas costs low while preserving auditability.
- Separate “title” from “trace”: Use eBL or TradeTrust for document title; use EPCIS + VC for provenance. Don’t overload one system to do both. (dcsa.org)
- Treat resolvers as security controls: GS1 Digital Link resolvers are now part of your threat surface; monitor for rogue domains. (gs1.org)
- Use PoR-like circuit breakers in tokenized real-world asset flows: pause minting/redemptions if reserves (EPCIS counts, weighbridge totals) drift from policy. (chain.link)
- Prefer standards with fresh governance: VC 2.0 (2025 Rec), EPCIS 2.0, and resolver specs are living standards—build to current versions. (w3.org)
What “good” looks like in 2026
- Your DSCSA package-level TI/TS is interoperable, with initiated connections or full compliance—no paperwork snipe hunts. (fda.gov)
- EV battery passports are QR-resolved, role-based, and backed by verifiable VCs; plant leads can answer Annex XIII questions on the shop floor. (eur-lex.europa.eu)
- DPP pilots for textiles/furniture are live and resolvers hardened ahead of delegated acts. (hsfkramer.com)
- Forced-labor screening isn’t just a PDF—it’s embedded in credential checks, blocking risky lots before they leave the dock. (dhs.gov)
How 7Block Labs helps
- 4–8 week accelerator: EPCIS 2.0 capture, VC 2.0 issuers/verifiers, DID registry, GS1-resolver setup, and onchain anchoring with prebuilt “top-10 fraud signals.”
- Domain kits: DSCSA package-level, Battery Passport (Catena‑X compatible), and ESPR/DPP textile starter. (github.com)
- Interop: TradeTrust eBL verification, DCSA eBL interop checks, and UFLPA entity screening wired into your SOC. (dcsa.org)
If you want a dry run, we’ll ingest a week of your EPCIS or shipment CSVs, issue mock VCs, and show you which signals light up within 48 hours.
Appendix: real-world momentum (for your board slide)
- Volvo launched a production battery passport (EX90) with blockchain-based traceability—about $10/car to operate—well ahead of the EU’s 2027 mandate. (reuters.com)
- DCSA completed the first standards-based interoperable eBL transaction in May 2025; carriers aim for 100% eBL by 2030. (dcsa.org)
- GS1 EPCIS 2.0 (June 2022) and Implementation Guideline (Mar 2023) formalize sensor and JSON‑LD support; GS1 Digital Link 1.6.0 (Apr 2025) stabilizes resolver behavior. (gs1.org)
- W3C VC 2.0 became a W3C Recommendation in May 2025; DID Core has been a W3C Recommendation since 2022. (w3.org)
The tech and the rules are finally aligned. The next counterfeit you don’t detect will be the last one your auditors are willing to chalk up to “process gaps.”

