The Anatomy of a Multi-Accounting Attack: Case Study on an iGaming Platform
One operator, 217 accounts, $84,000 in bonus abuse. How professional multi-accounting is actually built — and the 11 correlated signals that collapsed the whole cluster back into a single fraudster.
Multi-accounting in iGaming is not a bunch of people opening extra accounts. It's professional operations running hundreds of synthetic identities against a single platform, extracting welcome bonuses, cashback, and promotional payouts.
The economics work because the marginal cost of a new account is near zero — email, throwaway phone number, stolen or synthesized identity documents — and the marginal payout per account is real money. At $50–200 per account in extracted value, 200 accounts against one operator is a full-time income.
This is a breakdown of a real attack pattern seen against European iGaming operators in 2025. Names and specifics are anonymized. Techniques are current.
The setup: infrastructure the fraudster invests in
A serious multi-accounter operates a small infrastructure:
-
A residential proxy subscription — typically 911.re, IPRoyal, or Smartproxy — providing rotating IPs across dozens of countries. Cost: $50–200 per month.
-
An antidetect browser — Multilogin, Dolphin Anty, GoLogin, Kameleo, or AdsPower. Each of these tools runs isolated browser profiles with independently configured fingerprints. Cost: $50–150 per month.
-
A supply of aged identities — either purchased on forums (verified email + phone + document scan bundles) or generated. Cost: $5–30 per identity.
-
Payment infrastructure — prepaid cards, cryptocurrency wallets, or money mules to receive winnings without unified account trails.
Total monthly overhead: $200–500. At $84,000 in extracted value over 6 months, the ROI is 20–30x.
The lifecycle of a single fraudulent account
Every synthetic account follows a similar pattern:
1. Antidetect browser profile is spun up with fresh fingerprint (canvas, WebGL, timezone, language, screen resolution).
2. Residential proxy is assigned — typically from a country matching the identity documents.
3. Registration completed with an aged identity: email, phone verification via SMS-forwarding service, ID upload of a stolen or generated document.
4. KYC passes — because the identity documents are real (stolen) or professionally forged.
5. Small deposit made — often $10–30 — to activate the welcome bonus.
6. Bonus is played through under specific game selections that maximize expected value against the wagering requirement.
7. Winnings withdrawn to the payment method attached to the identity.
8. Account is abandoned or sold.
The whole cycle takes 2–7 days. A professional operator runs 20–40 accounts simultaneously in different states of this pipeline.
What the operator was seeing
The iGaming platform's fraud team noticed anomalies in Q2:
-
Bonus payout ratio on new accounts rose from 47% to 63% quarter-over-quarter.
-
Chargebacks stayed low — meaning it wasn't stolen cards. The fraud was structural, not transactional.
-
Support tickets from returning players who couldn't recognize their own account history increased.
The team suspected multi-accounting but didn't have the tooling to prove it at scale. Each account, viewed in isolation, looked legitimate. Different names, different IPs, different fingerprints, different documents.
What the signals actually showed
When device intelligence signals were retroactively applied to the account population, 217 accounts collapsed into a single operator. Here's what tied them together.
Signal 1. TLS fingerprint reuse
Despite different IPs and different browser fingerprints, 217 accounts shared just 3 unique JA4 hashes. TLS fingerprint is generated by the client library — and while the antidetect browser could spoof canvas and WebGL, it used a single underlying Chromium build for TLS handshakes. Three JA4 hashes corresponded to three versions of the antidetect browser the operator upgraded through.
Signal 2. Behavioral timing across sessions
The 217 accounts had registration times clustered in narrow windows: mostly 09:00–11:00 UTC on weekdays. Real players register across the full 24-hour cycle. Human working hours in a single timezone gave the operator away regardless of what timezone each fake profile claimed.
Signal 3. Bonus play patterns
The wagering strategy across the accounts was almost identical: same game selection (specific low-variance slots), same bet size relative to bonus, same session duration before withdrawal request. Real players have wildly varied preferences. Statistical uniformity across accounts is only possible with a script or a playbook.
Signal 4. Mouse movement micro-patterns
Antidetect browsers spoof visual fingerprints but don't spoof how a human moves through a session. The mouse traces across the 217 accounts had shared characteristics — Bezier curves with consistent acceleration profiles, specific patterns of returning to the same coordinates before clicks. All produced by the operator's automation.
Signal 5. Payment endpoint clustering
Despite different names on the accounts, withdrawals routed through 8 unique cryptocurrency wallets. Wallet reuse across unrelated accounts is one of the strongest signals available and doesn't require any device-level detection.
Signal 6. Font enumeration inconsistencies
The antidetect browser spoofs font lists, but only from a preset library. All 217 accounts reported font enumerations from a limited pool of 5 templates. Real users have unique combinations of installed fonts. The templates were caught because their diversity was too low.
Signal 7. WebGL renderer clustering
The antidetect browser rotates GPU strings, but from a fixed set — typically the 20–30 most common consumer GPUs. Across 217 accounts, GPU strings appeared with an implausible distribution: heavy overrepresentation of specific Intel and NVIDIA models, with no representation of AMD hardware. Real user populations have broader GPU distribution.
Signal 8. Screen resolution non-standardization
Antidetect browsers generate screen dimensions, but often with non-standard resolutions to appear unique. Real screens are 1366×768, 1920×1080, 2560×1440, 3840×2160, or a handful of laptop sizes. The 217 accounts included dimensions like 1892×1063 that no real display uses.
Signal 9. Cross-account session overlap
Two accounts logged in from the same IP within milliseconds of each other, but from different antidetect profiles. Session logs revealed that when one account logged out, another logged in within seconds — from a different IP but with detectable connection characteristics tying them together. The proxy pool was rotating but the operator's actions weren't.
Signal 10. Deposit source correlation
Cryptocurrency deposits to the accounts came from 12 source wallets. Blockchain analysis showed these 12 wallets received funding from a single upstream exchange account. Follow-the-money analysis linked the whole cluster.
Signal 11. Support ticket linguistic patterns
Some of the accounts opened support tickets over the 6 months. The language patterns — specific phrasings, grammatical quirks, misspellings of the same words — were shared across accounts registered to different countries and language settings.
Why single signals fail
Any one of these signals could be a coincidence. Two accounts with the same TLS fingerprint could be two users on the same version of Chrome. Two accounts with similar mouse traces could be two players who click similarly. Two withdrawals to the same wallet could be a shared family wallet.
The strength is in combination. When 217 accounts share TLS fingerprints, wallet endpoints, font templates, screen resolutions, mouse patterns, and behavioral timing — the probability of independence collapses to zero.
What the platform did
After the retroactive analysis, the platform implemented real-time scoring on account creation. Each new account received a similarity score against existing accounts based on the 11 signals plus 40 more. Above threshold, accounts were flagged for manual review before bonus eligibility. Below threshold, accounts proceeded normally.
Within 60 days, bonus abuse ratio returned to baseline. The operator either moved to another platform or invested significantly more in their infrastructure — either outcome was a win.
The pattern generalizes
The specific tooling changes. The signals evolve. But the underlying dynamic — professional fraud operators building infrastructure to extract value from generous acquisition programs — is stable across iGaming, crypto exchanges, promo-heavy fintech, and any platform that pays for user acquisition.
The only defense that works is signal correlation at the platform level. Perimeter defenses (IP blocks, device blocks, single-account rules) fail because the operators optimize around them. Signal correlation succeeds because operators cannot cheaply randomize everything — the cost of true independence per account exceeds the payout per account.
That gap is what makes multi-accounting detection economically feasible. It's also what makes it a game the defender can win.