97% reduction in fake account fraud
An EU-based fintech offering instant IBAN accounts was targeted within 72 hours of a €20 signup bonus launch — 4,200 fake accounts, €84,000 in bonus exposure, and a growing KYC backlog. Sentinel stopped it before it became a regulatory incident.
The Company
An EU-based fintech offering instant IBAN account opening — regulated under PSD2 and operating in 12 countries. Fast-growing, with a strong consumer acquisition strategy built around referral bonuses and promotional campaigns.
The Problem
During a growth campaign offering a €20 signup bonus for new account creation, the platform was hit immediately. Within 72 hours of campaign launch, 4,200 suspicious signups had been created — representing €84,000 in bonus exposure that would need to be paid out or clawed back.
72 hours. 4,200 fake accounts. €84,000 in exposure. The KYC team went from a 4-hour processing backlog to a 6-day queue. Regulators flagged unusual account velocity.
What made this attack sophisticated was the technique. Fraudsters were using:
- VPN networks to simulate account openings from bonus-eligible countries
- Antidetect browsers (Kameleo, GoLogin) to generate unique device fingerprints per registration
- Disposable email addresses with realistic names and formatting
- Scripted signups that passed standard email verification steps
The attack was invisible to their existing tooling because each signup had a unique IP, unique device fingerprint, and a real-looking email address. Traditional bot detection had no signal to act on.
The Solution
Sentinel was deployed at the registration form — evaluated before email verification was even sent. Every signup is assessed against VPN and proxy use, antidetect browser signatures, headless browser indicators, and datacenter IP origin.
The risk routing logic was straightforward:
- Score >70: Rejected at form submission with a generic error
- Score 50–70: Allowed through, but silently escalated to enhanced KYC review
- Score <50: Normal signup flow — no friction added
Legitimate users from VPN-using countries — often privacy-conscious users, not fraudsters — are given the option to request a manual review flag rather than being outright rejected. This preserved conversion for genuine cross-border signups.
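The routing rules above can be written as a small gate that runs before the verification email is sent. This is an added example, not Sentinel's code or API: the `Assessment` fields, the message strings, and the rule that a high score caused by VPN use alone gets the manual review option are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REJECT = "reject"
    OFFER_MANUAL_REVIEW = "offer_manual_review"
    ENHANCED_KYC = "enhanced_kyc"
    ALLOW = "allow"


@dataclass(frozen=True)
class Assessment:
    """Hypothetical assessment shape, not Sentinel's API response format."""
    score: int
    vpn: bool = False
    antidetect: bool = False
    headless: bool = False
    datacenter_ip: bool = False


@dataclass(frozen=True)
class Decision:
    action: Action
    send_verification_email: bool  # the gate runs before any email goes out
    user_message: str              # what the applicant sees
    audit_reason: str              # internal only, for the KYC team


GENERIC_ERROR = "We could not complete your registration."
CONTINUE = "Check your inbox to verify your email address."


def route_signup(a: Assessment) -> Decision:
    signals = [n for n in ("vpn", "antidetect", "headless", "datacenter_ip")
               if getattr(a, n)]
    reason = f"score={a.score} signals={','.join(signals) or 'none'}"
    if a.score > 70:
        # Assumption: a high score driven by VPN use alone gets the manual
        # review option; any automation or spoofing signal is rejected.
        if signals == ["vpn"]:
            return Decision(Action.OFFER_MANUAL_REVIEW, False,
                            "You can request a manual review.", reason)
        return Decision(Action.REJECT, False, GENERIC_ERROR, reason)
    if a.score >= 50:
        # Same message as the normal flow, so the escalation stays silent.
        return Decision(Action.ENHANCED_KYC, True, CONTINUE, reason)
    return Decision(Action.ALLOW, True, CONTINUE, reason)
```

The rejection message carries no detection detail, while `audit_reason` keeps the triggering signals for reviewers.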
"The antidetect browser detection was the key differentiator. Our previous solution couldn't see through Kameleo and GoLogin — Sentinel flags them in under 30ms."
— CTO
Results
Why Antidetect Browsers Are the New Threat
Antidetect browsers like Kameleo, GoLogin, and Multilogin are commercially available tools designed to spoof browser fingerprints. They randomize or mask the signals that device fingerprinting tools use to identify returning users — canvas fingerprint, WebGL, fonts, screen resolution, and dozens of other attributes.
For fintech platforms that rely on device fingerprinting to detect multiple accounts from the same device, antidetect browsers represent a serious blind spot. Sentinel identifies these tools through behavioral and environmental signals that persist even when standard fingerprint attributes are spoofed.
This detection layer — combined with VPN and residential proxy identification — creates a compound signal that is extremely difficult to evade without legitimate user behavior patterns.
Regulatory Context
For a PSD2-regulated fintech, fake account creation isn't just a financial loss — it's a compliance risk. Regulators flagged unusual account velocity during the attack window. Post-Sentinel deployment, account creation velocity normalized within the patterns the platform had filed in their AML monitoring procedures, and no further regulatory escalations occurred.