Creator platforms are prime targets for "carding" — the process where fraudsters test thousands of stolen credit card numbers using low-dollar transactions.

Before Sentinel, this platform faced a massive spike in $1 bot pledges. These pledges inflated creator follower numbers temporarily, only to result in thousands of chargebacks weeks later, penalizing both the creators and the platform with Stripe risk flags.

The Integration

The platform integrated Sentinel's API natively into their checkout flow in a single afternoon. By evaluating the encrypted Sentinel Edge token alongside the payment intent, Sentinel successfully identified automated carding scripts disguised as legitimate fan accounts.

Results

Within 48 hours of deployment, fraudulent pledge rates dropped by 94%. More importantly, the platform disabled their legacy friction measures, resulting in a 12% increase in legitimate, successful creator pledges.

The Attack Pattern in Detail

The fraud operation worked in three stages. First, it harvested stolen card numbers from underground markets (typically $0.30-$2 per card depending on freshness). Second, it automated $1 pledges across dozens of creators to test which cards still authorized. Third, it ran larger transactions elsewhere on the web using the validated cards. The creator platform was effectively a free card-validation service for the attackers.

The platform's existing fraud stack — Stripe Radar plus a basic IP reputation check — caught maybe 20% of these. The other 80% looked like ordinary low-dollar fan engagement. Stripe doesn't flag $1 charges aggressively because legitimate creator pledges are often that low.

The Integration: One Afternoon, 47 Lines of Code

The platform added the Sentinel SDK to their checkout page (one script tag) and added a single backend call to /v1/evaluate alongside the existing Stripe payment intent creation. They returned a 402 with a "verify your email first" message when Sentinel's risk score exceeded 0.85.

No CAPTCHA was added. No new step appeared for legitimate users — only flagged sessions saw the extra verification. The total deployment from PR-open to production was 4 hours including their CI gate.

The Cluster Detection That Made the Difference

What broke the attack wasn't IP-based blocking — the attackers used a residential proxy pool with thousands of clean IPs. It was Sentinel's device-cluster signature: across the "thousands of distinct fan accounts," the underlying GPU renderer strings, audio context fingerprints, and TLS JA4 hashes collapsed into 7 distinct device signatures. Seven physical machines were running the entire fraud operation. Once those clusters were tagged, every subsequent attempt from any of them was rejected without needing per-IP rules.
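The grouping idea described above, as an added illustration (not Sentinel's code or API): pledges are keyed on the three device signals the case study names, ignoring IP, and any signature shared by many distinct accounts is flagged. The field names, the `min_accounts` threshold and all sample values are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Pledge(NamedTuple):          # hypothetical record shape
    account: str
    ip: str
    gpu_renderer: str              # GPU renderer string
    audio_fp: str                  # audio context fingerprint
    ja4: str                       # TLS JA4 hash

def signature(p: Pledge) -> tuple:
    """Device signature built from the three signals; IP is deliberately excluded."""
    return (p.gpu_renderer, p.audio_fp, p.ja4)

def find_clusters(pledges, min_accounts=5):
    """Map each signature shared by >= min_accounts distinct accounts to those accounts."""
    accounts = defaultdict(set)
    for p in pledges:
        accounts[signature(p)].add(p.account)
    return {sig: accts for sig, accts in accounts.items() if len(accts) >= min_accounts}

def is_flagged(p: Pledge, clusters) -> bool:
    """True when a new pledge comes from an already-tagged device cluster."""
    return signature(p) in clusters

def sample_pledges():
    """Constructed data: 2 bot machines x 30 accounts, one proxy IP per account, plus fans."""
    rows = []
    for m in ("A", "B"):
        for i in range(30):
            rows.append(Pledge(f"bot-{m}-{i}", f"198.51.100.{len(rows) + 1}",
                               f"gpu-{m}", f"audio-{m}", f"ja4-{m}"))
    for i in range(10):            # ordinary fans: one device each
        rows.append(Pledge(f"fan-{i}", f"203.0.113.{i + 1}",
                           f"gpu-f{i}", f"audio-f{i}", f"ja4-f{i}"))
    # two accounts sharing one household device stay below the threshold
    rows += [Pledge(f"home-{i}", "203.0.113.50", "gpu-h", "audio-h", "ja4-h") for i in range(2)]
    return rows

if __name__ == "__main__":
    pledges = sample_pledges()
    clusters = find_clusters(pledges)
    bot_ips = {p.ip for p in pledges if p.account.startswith("bot-")}
    print(len(bot_ips), "bot IPs collapse into", len(clusters), "device clusters")
    retry = Pledge("bot-A-new", "192.0.2.77", "gpu-A", "audio-A", "ja4-A")
    print("new IP, known device flagged:", is_flagged(retry, clusters))
```

Identical commodity devices can legitimately share a signature, so the threshold needs tuning against real traffic before it drives rejections.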

Numbers

  • Fraud pledges per day pre-Sentinel: 3,400 average
  • Fraud pledges per day post-Sentinel (week 2): 184 (94% reduction)
  • Legitimate pledges per day pre-Sentinel: 12,200 (with friction step at $5+)
  • Legitimate pledges per day post-Sentinel (friction removed): 13,664 (12% lift)
  • Stripe risk-flag status pre-Sentinel: elevated, payout delays applied
  • Stripe risk-flag status post-Sentinel (45 days): cleared