By AUJay
supply chain blockchain consulting + web3 blockchain intelligence: Detecting Fraud with Onchain Signals
Who this is for
- Startup COOs and enterprise VPs focused on Supply Chain, Quality, Compliance, or Sustainability.
- Teams looking at blockchain not just because it’s trendy, but to really tackle counterfeiting, streamline audits, and get through regulatory checks with a leaner crew.
Let’s get straight to the point. Here’s a look at the specific patterns, data schemas, and signals we use at 7Block Labs to spot fraud in sectors like pharma, EV batteries, industrial components, and apparel.
Why this matters now: the 2025-2028 regulatory clock
- U.S. pharma (DSCSA): The FDA's "stabilization period" wrapped up on November 27, 2024. After that, they rolled out some targeted exemptions for those who had started their systems--manufacturers and repackagers have until May 27, 2025; wholesalers until August 27, 2025; and dispensers with 26 or more full-time employees (FTEs) until November 27, 2025. Smaller dispensers with 25 or fewer pharmacists/tech FTEs get a bit more time, extending to November 27, 2026. So, expect a closer look at compliance as we move forward. (fda.gov)
- EU Battery Regulation (2023/1542): Starting February 18, 2027, battery passports (think QR-accessible electronic records) will be a must for electric vehicle batteries, industrial batteries over 2kWh, and light metal technology (LMT) batteries. Check out Annex XIII for info on the different tiers of data access. (eur-lex.europa.eu)
- Ecodesign for Sustainable Products Regulation (ESPR) and Digital Product Passports (DPP): This regulation kicked in on July 18, 2024, with the first working plan set for 2025. We can expect product-specific delegated acts to start coming down the pipeline in 2026 and beyond, with the first requirements likely hitting us in 2027/28 for things like textiles, steel, and aluminum. It might be a good idea to start budgeting for data models and resolvers now. (consilium.europa.eu)
- Forced-labor enforcement (UFLPA): The Department of Homeland Security (DHS) is expanding the Entity List to include 144 entities by January 2025. Customs and Border Protection (CBP) has already reviewed over 16,700 shipments (worth around $3.7 billion) since 2022, and detentions are expected to rise into 2025. There's a particular spotlight on upstream metals and components, so be prepared for tougher standards when it comes to proving the provenance of your materials. (dhs.gov)
The play: marry supply chain standards + verifiable identity + light onchain anchoring
The biggest wins really happen when you mix together these three layers:
1) Supply chain events and identifiers your teams are already using
- GS1 EPCIS/CBV 2.0 for event streams (What, When, Where, Why, How) in JSON-LD, including sensor data; plus, GS1 Digital Link for resolving identifiers with 2D codes. (gs1.org)
2) Verifiable Identity and Attestations
- The W3C has officially rolled out Verifiable Credentials 2.0 as a Recommendation as of May 15, 2025. You'll want to use VCs for things like certificates (origin, PCF, GMP), role grants, and keeping track of audit trails. And don't forget about Bitstring Status Lists--they're super handy for revoking credentials on a large scale. Plus, with DIDs v1.0, you can have portable identifiers for organizations, locations, and devices. (w3.org)
- Hardware trust for IoT: The IETF RATS (RFC 9334) and EAT (RFC 9711) provide standard formats to verify a logger's firmware, keys, and measurement history before you can rely on its temperature readings. (ietf.org)
3) Onchain intelligence--not just “everything onchain,” but the solid, immutable breadcrumbs you'll want during disputes
- We’re talking about hash-anchored EPCIS batches, revocation registries for VCs, and non-transferable identifiers to stop that pesky “double-spend of serials” (check out ERC‑5192 SBTs). Plus, there’s the option for physical-asset NFTs for items tied to devices (that’s ERC‑4519). (eips.ethereum.org)
Fraud you can actually see: the onchain signals that matter
Here are the top signal patterns we use. Each one combines an offchain data standard with a lightweight onchain footprint, allowing you to assess risk in just minutes.
1) Duplicate-serial reuse among partners
- How: Issue a non-transferable ERC‑721 for each serialized unit using ERC‑5192. Only mint it when the EPCIS ObjectEvent with commissioning is received and verified. Set up alerts for any attempts to mint a second token for the same GTIN+serial. Also, keep an eye out for when a “locked=false” state shows up in a contract that should definitely be locked for good. (eips.ethereum.org)
2) Teleportation and Time-Inconsistency in Event Logs
- How: For every EPCIS ID, we need to check the travel-time limitations between the readPoints. If the haversine distance suggests a speed of over 1,000 km/h for a refrigerated pallet, or if the eventTime is earlier than the previous eventTime, we’ll flag those issues. Additionally, to stop any "time travel" edits down the line, let's anchor the daily Merkle roots of the EPCIS stream to L2. You can read more about this at gs1.org.
3) “Phantom inventory” inflation
- How: Check the on-chain supply of your item-tokens against the most recent EPCIS aggregation hierarchies (think case → pallet → container). If you see a spike in supply that doesn’t match up with any AggregationEvent/DisaggregationEvent proofs in the anchored batch, it's a good idea to pause fulfillment. Use PoR-style circuit breakers for token minting if the reserve proofs (anchored EPCIS counts) don’t check out. You can find more about this on gs1.org.
4) Revoked or Expired Credentials at the Edge
- How: Make it a point to use VC 2.0 for things like lab test results, site certifications, and PCF. Before you accept an EPCIS capture, be sure to check the proofs and status lists. If something's missing, expired, or revoked, you should get an alert from the bitstring status list. You can learn more about this here.
5) UFLPA Entity Exposure in Upstream Attestations
- How: Start by mapping supplier DIDs in VCs to their respective legal entities. Then, run an automatic check against the UFLPA Entity List. If you find any entity or facility in a bill of materials that’s listed (or connected through addresses/DUNS to a listed entity), put that lot on hold and gather some rebuttal evidence. For more details, check out the DHS website.
6) Battery Passport Inconsistencies
- How: When it comes to EV batteries, make sure the battery passport payloads cover the Annex XIII fields, and double-check that the PCF/ESG claims match up with the GBA rulebooks. Don't forget to cross-check the QR-resolved passports with a Catena-X compliant endpoint to confirm that role-based views and provenance VCs are in place. If you spot any missing field groups or discrepancies in recycled content claims, raise the alarm! (eur-lex.europa.eu)
7) eBL Fraud and Title Conflicts
- How: As carriers gear up for 100% eBL by 2030, and with interoperability now a reality across different platforms, it's super important to confirm the current custody of a bill. You can do this through the DCSA control registry or TradeTrust verification. If you find that two platforms are laying claim to the same title hash, don’t hesitate to raise a dispute. (dcsa.org)
8) “Sensor says yes, device says no”
- How: When it comes to temperature or tilt sensors, you need an EAT-signed VC from the device's trust anchor. If the EPCIS has sensor readings but lacks a corresponding device attestation chain (RATS/EAT), lower the confidence level or label it as unverifiable. (ietf.org)
9) Resolver Mismatch on DPP/QR Scans
- How: GS1 Digital Link 1.6.0 lays out the rules for how resolvers should act. If you scan a code and it points to a domain that the brand owner doesn't control--or it's not from a trusted resolver--or if the link types don’t line up with your policy (like if “gs1:traceability” is absent), you should flag that as a possible spoofing attempt. Check out more details on this at gs1.org.
10) Package-level DSCSA gaps
- How: For pharmaceutical companies in the U.S., it's crucial to enforce package-level identifiers and ensure you can exchange data seamlessly. If one of your trading partners is operating under an exemption, make sure to document that clearly and ramp up your investigations for any suspect or illegitimate products, especially in cases where their electronic link is either missing or lagging behind. You can find more details on this here.
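The teleportation and time-inconsistency check from signal 2, written out as an added example (this is not 7Block Labs' own code): it walks EPCIS 2.0 ObjectEvents per EPC in capture order, computes the haversine distance between consecutive readPoints, and flags an implied speed above 1,000 km/h or an eventTime earlier than the previous one. The SGLN-to-coordinate table and the three events are constructed for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0  # policy threshold for a refrigerated pallet (signal 2)

# Constructed readPoint (SGLN) -> (lat, lon) table; in production this comes
# from your GLN location master data. The GLNs and coordinates are made up.
READPOINTS = {
    "urn:epc:id:sgln:0614141.00001.0": (22.54, 114.06),  # Shenzhen DC
    "urn:epc:id:sgln:0614141.00002.0": (51.92, 4.48),    # Rotterdam port
    "urn:epc:id:sgln:0614141.00003.0": (52.37, 4.90),    # Amsterdam DC
}

EPC = "urn:epc:id:sgtin:0614141.107346.2017"  # constructed serialized unit

# Constructed EPCIS 2.0 ObjectEvents, trimmed to the fields the check uses,
# in capture (recordTime) order: a 6-hour Shenzhen->Rotterdam hop, then an
# event whose eventTime lies before the previous one.
EVENTS = [
    {"type": "ObjectEvent", "eventTime": "2025-06-01T08:00:00Z",
     "epcList": [EPC], "readPoint": {"id": "urn:epc:id:sgln:0614141.00001.0"}},
    {"type": "ObjectEvent", "eventTime": "2025-06-01T14:00:00Z",
     "epcList": [EPC], "readPoint": {"id": "urn:epc:id:sgln:0614141.00002.0"}},
    {"type": "ObjectEvent", "eventTime": "2025-06-01T13:00:00Z",
     "epcList": [EPC], "readPoint": {"id": "urn:epc:id:sgln:0614141.00003.0"}},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_anomalies(events, readpoints=READPOINTS, max_kmh=MAX_SPEED_KMH):
    """Return (epc, reason, detail) tuples. Events are walked in capture
    order, not sorted by eventTime, because a backdated eventTime is itself
    the signal we want to surface."""
    last = {}    # epc -> (eventTime, readPoint id) from the previous event
    flags = []
    for ev in events:
        t = _parse_time(ev["eventTime"])
        rp = ev["readPoint"]["id"]
        for epc in ev.get("epcList", []):
            prev = last.get(epc)
            if prev is not None:
                pt, prp = prev
                if t < pt:
                    flags.append((epc, "time_reversal",
                                  f"{ev['eventTime']} precedes {pt.isoformat()}"))
                elif t > pt and prp in readpoints and rp in readpoints:
                    km = haversine_km(readpoints[prp], readpoints[rp])
                    kmh = km / ((t - pt).total_seconds() / 3600.0)
                    if kmh > max_kmh:
                        flags.append((epc, "teleportation",
                                      f"{kmh:.0f} km/h over {km:.0f} km"))
            last[epc] = (t, rp)
    return flags


if __name__ == "__main__":
    for flag in detect_anomalies(EVENTS):
        print(flag)
```

Unknown readPoints are skipped rather than flagged, so keep the location table complete or the speed check silently degrades to the time-ordering check alone.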
Concrete architecture: a minimal, standards-first stack
- Identity and Credentials
- We're kicking things off with DIDs for organizations, facilities, and devices, starting with did:web and planning to upgrade down the line.
- We’re using W3C VC 2.0 for all sorts of things like supplier onboarding, GMP/ISO certifications, lab results, PCF, and framework agreements (think Catena‑X). (w3.org)
- Supply chain events
- We’re looking at EPCIS 2.0 JSON-LD along with CBV 2.0; using OpenEPCIS examples is a great way to kickstart our event formats.
- Don’t forget to add sensorElement for both temperature and shock; plus, make sure to link GS1 Digital Link URIs to items and locations. (gs1.org)
- IoT Attestation
- Send out devices that generate EATs; check them against RATS; if you want device-led signing, link the device address to an ERC‑4519 token. (ietf.org)
- Onchain anchors and registries
- Every day, the Merkle root for batches of EPCIS events gets sent to an EVM Layer 2. Plus, we’ll publish a VC Status List and a timeline for certificate revocation right on the chain.
- We’ll use ERC‑5192 for non-transferable item tokens to stop serial double-spending in its tracks, while keeping ERC‑4519 reserved for assets connected to devices. (eips.ethereum.org)
- Interoperable trade docs
- We’re on board with eBLs that can be checked through DCSA interoperability or TradeTrust receipts, all while following MLETR and UK ETDA standards. (dcsa.org)
- Oracles and Risk Guardrails
- When you're tokenizing physical lots, it’s smart to implement PoR-like checks. This way, if the anchored reserves or EPCIS counts don’t line up, you can pause minting. Chainlink’s PoR capabilities, along with its SOC2 and ISO certifications, really make it a solid choice for enterprise GRC reviews. Check it out here: (chain.link)
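An offchain model of the minting gate that signals 1 and 3 and the PoR-style guardrail above describe, added here as an example (not the project's contract code): one locked, non-transferable token per SGTIN, minted only for serials seen in a verified commissioning ObjectEvent, refusing duplicate serials and any transfer, and pausing minting when the minted supply for a GTIN would exceed the count proven by the anchored EPCIS batch. The SGTINs, reserve count and alert names are constructed.

```python
class MintRefused(Exception):
    """Raised when the gate declines a mint or transfer; the alert list
    carries the signal name a SOC runbook would key on."""


def commissioned_serials(events):
    """SGTINs asserted by verified EPCIS commissioning ObjectEvents (action ADD)."""
    return {epc for ev in events
            if ev.get("type") == "ObjectEvent" and ev.get("action") == "ADD"
            and str(ev.get("bizStep", "")).endswith("commissioning")
            for epc in ev.get("epcList", [])}


def gtin_of(sgtin):
    """urn:epc:id:sgtin:<companyPrefix>.<itemRef>.<serial> -> '<companyPrefix>.<itemRef>'."""
    return ".".join(sgtin.rsplit(":", 1)[1].split(".")[:2])


class ItemTokenGuard:
    """Offchain model of a locked (ERC-5192 style) item-token registry:
    one token per SGTIN, never transferable, with a PoR-style breaker."""

    def __init__(self, commissioned, reserve_by_gtin):
        self.commissioned = set(commissioned)   # from verified EPCIS capture
        self.reserve = dict(reserve_by_gtin)     # GTIN -> anchored EPCIS count
        self.minted = {}                         # sgtin -> owner DID
        self.paused = False
        self.alerts = []                         # (signal, subject) pairs

    def supply(self, gtin):
        return sum(1 for s in self.minted if gtin_of(s) == gtin)

    def mint(self, sgtin, owner):
        if self.paused:
            raise MintRefused("minting paused by reserve breaker")
        if sgtin not in self.commissioned:
            self.alerts.append(("unverified_commissioning", sgtin))
            raise MintRefused("no verified commissioning event for serial")
        if sgtin in self.minted:                              # signal 1
            self.alerts.append(("duplicate_serial", sgtin))
            raise MintRefused("SGTIN already minted")
        gtin = gtin_of(sgtin)
        if self.supply(gtin) + 1 > self.reserve.get(gtin, 0):  # signal 3 / PoR
            self.paused = True
            self.alerts.append(("reserve_breaker", gtin))
            raise MintRefused("minted supply would exceed anchored reserve")
        self.minted[sgtin] = owner
        return True

    def locked(self, sgtin):
        """ERC-5192 locked(): True for every minted token; it never flips."""
        return sgtin in self.minted

    def transfer(self, sgtin, to):
        """Any transfer attempt on a locked token is itself worth an alert."""
        self.alerts.append(("transfer_attempt", sgtin))
        raise MintRefused("token is locked; transfers are not allowed")


# Constructed inputs: three serials pass capture verification, but the
# anchored batch only proves a reserve of two units for that GTIN.
CAPTURE = [{"type": "ObjectEvent", "action": "ADD", "bizStep": "commissioning",
            "epcList": [f"urn:epc:id:sgtin:0614141.107346.{n}" for n in (2017, 2018, 2019)]}]
RESERVE = {"0614141.107346": 2}
```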
Three domain examples with step-by-step signals
1) Pharma DSCSA: stopping reintroduced saleable returns
- Data capture: The manufacturer kicks off the process by commissioning units. This involves creating an EPCIS ObjectEvent, which includes the eventID and a list of SGTINs.
- Identity: The manufacturer then issues a VC 2.0 that asserts the GTIN-serial ranges for the lot and also puts out a revocation list. You can check out more details on this over at gs1.org.
- Onchain: The Merkle root of that day’s EPCIS events is anchored to Layer 2, and ERC‑5192 tokens are minted for each serial number. For the techies out there, you can read more about this at eips.ethereum.org.
- Signal: If a wholesale return pops up with an eventTime that’s older than the latest DisaggregationEvent, or if there’s a token transfer attempt for something that shouldn’t be transferred (which is a big no-no), it’s time to raise the flags. You'll want to open a 582(g) investigation workflow. And if your partner is working under an FDA exemption window, you’ll need them to provide some extra doc proof of ownership. More info on this can be found at fda.gov.
Result: The time it takes to detect issues has dropped to just minutes. Plus, your team has the cryptographic roots for the lot history, so if state or federal inspectors or manufacturers need trace data, you’re all set.
2) EV batteries: passport truth vs. marketing claims
- Data capture: The battery passport showcases the Product Carbon Footprint (PCF), recycled materials, and where the materials come from. Plus, there’s a QR code linked to the pack’s unique ID. (eur-lex.europa.eu)
- Identity: The smelter, cathode manufacturer, and pack plant all issue Verifiable Credentials 2.0. Meanwhile, device test stands provide measurements backed by EAT, focusing on capacity and impedance. (w3.org)
- Interop: You can validate everything through a Catena-X-compliant Digital Product Passport (DPP) app and EDC, with role-based data filtering in place for added security. (github.com)
- Signals:
- Looks like the passport is missing some key Annex XIII fields.
- The PCF claims don't quite match up with the GBA Greenhouse Gas rulebook's methodology.
- If any upstream entity shows up on the UFLPA Entity List, the pack needs to be quarantined until everything checks out. (eur-lex.europa.eu)
Outcome: You dodge any regulatory headaches before your product hits the market; QR scans seamlessly link to an authorized resolver that you have control over. (gs1.org)
3) Apparel DPP under ESPR: real-time counterfeit interdiction
- Context: The textiles sector is just starting to get some attention in the early ESPR working plan, with the first delegated acts likely rolling out around 2027/28. Check out more about it here.
- Data Capture: We’re looking at EPCIS 2.0 for cut/make/trim events, plus GS1 Digital Link 2D codes on hangtags to keep things organized. You can dive into the details here.
- Signals:
- If you spot store scans that resolve to a domain not on your GS1-conformant resolver allowlist, that’s a red flag.
- If you see a serial number minted twice (this is where SBT comes to the rescue), or if EPCIS shows a lightning-fast journey from Shenzhen to Rotterdam in just 9 hours, that’s suspicious.
- Enforcement: Let’s streamline things by auto-generating a VC 2.0 “authentication failed” presentation for any confiscated items and sending it over to marketplaces and logistics providers to speed up those takedowns.
Implementation blueprint: 90 days to “fraud radar”
Phase 0: Scope and Controls (2 weeks)
- Choose a product family and a lane (like US pharma saleable returns or EU-bound EV packs).
- Gather your inventory identifiers: GTIN, SSCC, GLN; check serialization coverage; identify where EPCIS 2.0 is currently doable.
- Figure out your DID method (let's kick things off with did:web) and pick your VC issuers (think QA, Compliance, and 3rd-party labs). (w3.org)
Phase 1: Data and Identity (3-4 weeks)
- Set up EPCIS 2.0 for capturing data and handling queries via REST; and get on board with CBV 2.0 vocabularies.
- Roll out the first VCs for supplier onboarding, site certifications, and framework agreements--think Catena‑X style.
- Develop a VC Status List endpoint along with some governance around it (including a revocation policy). Check it out here: gs1.org
Phase 2: Anchoring and Tokens (2 weeks)
- Each day, we'll batch EPCIS events, hash them to create a Merkle root, and then anchor everything to an L2.
- Mint ERC‑5192 item SBTs for serialized products. (We could also consider ERC‑4519 for devices if we want.) Check it out here: (eips.ethereum.org)
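The daily batch-and-anchor step, as an added example that is not the project's code: canonicalise each EPCIS event to a leaf hash, fold the day's leaves into one Merkle root (the 32-byte value you would post to the L2), and later verify a single event's inclusion from nothing but the root and a sibling path. The canonical-JSON leaf rule, domain-separated hashing and odd-leaf duplication are this example's assumptions, not a GS1 or 7Block Labs specification.

```python
import hashlib
import json


def leaf_hash(event):
    """Leaf = SHA-256 over 0x00 || canonical JSON (sorted keys, no whitespace).
    Assumption: capture side and verifier agree on this canonicalisation; for
    full JSON-LD you would canonicalise the RDF graph (URDNA2015) instead."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + canon).digest()


def node_hash(left, right):
    """Interior node = SHA-256 over 0x01 || left || right; the prefix keeps a
    leaf from ever being mistaken for an interior node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level):
    # Odd level: duplicate the last node so every node has a sibling (assumption).
    return level + [level[-1]] if len(level) % 2 else level


def _next_level(level):
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    """Root over the day's leaf hashes: the value that gets anchored."""
    if not leaves:
        raise ValueError("empty batch: nothing to anchor")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves, index):
    """Sibling path for leaf `index` as (sibling_hash, sibling_is_right) pairs."""
    level, path = list(leaves), []
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        path.append((level[sib], sib > index))
        level, index = _next_level(level), index // 2
    return path


def verify_inclusion(event, path, root):
    """Recompute the root from one event plus its path; no other event from
    the batch is needed, so a dispute is settled from the anchored root alone."""
    h = leaf_hash(event)
    for sibling, sibling_is_right in path:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def daily_anchor(batch):
    """Hex root to submit to the L2 anchor transaction (constructed call shape)."""
    return merkle_root([leaf_hash(e) for e in batch]).hex()


# Constructed day's batch of EPCIS 2.0 commissioning events (trimmed).
BATCH = [{"type": "ObjectEvent", "action": "ADD", "bizStep": "commissioning",
          "eventTime": "2025-06-01T08:00:00Z",
          "epcList": [f"urn:epc:id:sgtin:0614141.107346.{n}"]} for n in (2017, 2018, 2019)]
```

Store each event's leaf index alongside the event in the EPCIS store, so a proof can be regenerated for any event from that day's batch without re-reading the chain.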
Phase 3: Signals and SOC Runbooks (2 Weeks)
- Get those 10 signals running as queries on the EPCIS store, VC registry, UFLPA screen, and on-chain anchors.
- Connect alerting to your current SIEM and draft some SOPs for handling DSCSA suspect products, EU passport gaps, and UFLPA escalations. Check out the details on the FDA website.
Phase 4: Interoperable Trade Docs (Parallel)
- Accept and verify eBLs and LCs using DCSA/TradeTrust flows; keep evidence bundles ready for audits. (dcsa.org)
Data model specifics you can copy
- EPCIS JSON-LD Context: Check out the EPCIS context. You'll want to use ObjectEvent, AggregationEvent, and sensorElement along with uom, as suggested by UNECE Rec 20. For more details, visit openepcis.io.
- GS1 Digital Link: Make sure to adopt version 1.6.0. Set up a GS1-compliant resolver so that when users scan a QR code, they get the right links based on their role--whether they're a consumer, verifier, or recycler. For more info, head over to gs1.org.
- Verifiable Credentials 2.0: You should utilize Data Integrity or JOSE/COSE proofs. It's also a good idea to manage status through the Bitstring Status List 1.0. For more on this, check out w3.org.
- IoT Trust: Make sure your devices output EAT (CBOR/COSE) including the boot state, firmware hash, and references to key materials. Verify this info using RATS. For more details, see the ietf.org.
KPIs our clients track
- The percentage of serialized units with EPCIS 2.0 + VC coverage that are anchored onchain, aiming for over 95%. (gs1.org)
- Average time it takes to spot a counterfeit attempt (goal is less than 10 minutes from the first suspicious scan).
- Response time for DSCSA requests regarding TI/TS at the package level (we’re shooting for under 1 hour during audits). (fda.gov)
- Completeness score for the EV battery passport (in line with Annex XIII coverage) along with the conformance rate for the PCF methodology. (eur-lex.europa.eu)
- UFLPA “clean” clearance rate (no holds) and the cycle time to get a rebuttal package (target is under 72 hours). (dhs.gov)
Emerging practices we recommend
- Anchor less, prove more: Instead of spreading a day’s EPCIS events across multiple anchors, hash them all into one Merkle root and anchor only that. This keeps your gas costs down while still leaving every event provable against the anchored root.
- Separate “title” from “trace”: It’s best to use eBL or TradeTrust for document titles while relying on EPCIS + VC for provenance. This way, you’re not putting too much pressure on one system to handle everything. (dcsa.org)
- Treat resolvers as security controls: Keep in mind that GS1 Digital Link resolvers are now part of your security landscape, so make sure to keep an eye out for any sketchy domains. (gs1.org)
- Use PoR-like circuit breakers in tokenized real-world asset flows: If you notice that your reserves (like EPCIS counts or weighbridge totals) start to drift from your set policies, hit pause on minting/redemptions. It’s a smart move to keep things in check. (chain.link)
- Prefer standards with fresh governance: Go for the latest versions of standards like VC 2.0 (2025 Rec), EPCIS 2.0, and resolver specs. These are living standards, so it's always a good idea to build on what’s current. (w3.org)
What “good” looks like in 2026
- Your DSCSA package-level TI/TS is good to go--interoperable, whether you're connected or fully compliant--no need to get lost in a mountain of paperwork. (fda.gov)
- EV battery passports are all about ease: they’re QR-resolved, role-based, and come with verifiable VCs. Plus, plant leads are ready to tackle those Annex XIII questions right on the shop floor. (eur-lex.europa.eu)
- DPP pilots for textiles and furniture are up and running, with resolvers locked in ahead of upcoming delegated acts. (hsfkramer.com)
- Forget those old-school PDFs for forced-labor screening! It's now woven into credential checks, so you can stop risky lots from leaving the dock before they even get a chance. (dhs.gov)
How 7Block Labs helps
- 4-8 week accelerator: We're diving into EPCIS 2.0 capture, setting up VC 2.0 issuers and verifiers, rolling out the DID registry, and getting the GS1-resolver up and running. Plus, we’re including on-chain anchoring with some handy prebuilt “top-10 fraud signals.”
- Domain kits: Check out our packages for DSCSA at the package level, a Battery Passport that's all set for Catena‑X compatibility, and a starter kit for ESPR/DPP textiles. You can find the details here.
- Interop: We’re all about that TradeTrust eBL verification, doing our DCSA eBL interop checks, and wiring UFLPA entity screening straight into your SOC. Find out more here.
If you're interested in a dry run, we can take a week’s worth of your EPCIS or shipment CSVs, generate some mock VCs, and show you the signals that come alive within 48 hours.
Appendix: real-world momentum (for your board slide)
- Volvo is making waves with the launch of their production battery passport for the EX90, which features blockchain-based traceability. It’s pretty cost-effective too--around $10 per car to keep things running smoothly--way ahead of the EU's 2027 deadline. (reuters.com)
- In May 2025, DCSA hit a significant milestone by completing its first standards-based interoperable electronic Bill of Lading (eBL) transaction. The goal is for carriers to fully adopt eBL by 2030. (dcsa.org)
- GS1 has introduced EPCIS 2.0 (June 2022) and the Implementation Guideline (March 2023), which add support for sensors and JSON-LD. Plus, with GS1 Digital Link 1.6.0 set to roll out in April 2025, they’re working on stabilizing resolver behavior. (gs1.org)
- W3C’s Verifiable Credentials (VC) 2.0 received the green light as a W3C Recommendation in May 2025, while DID Core has been recognized as a recommendation since 2022. (w3.org)
The tech and the rules are finally on the same page. The next counterfeit you miss could very well be the final one your auditors will brush off as just “process gaps.”