HomeAPI DocsBlogContact
Log InGet Started

These are illustrative scenarios — company names, figures, and outcomes are fictional examples of what Sentinel can enable.

Home / Case Studies / iGaming Bonus Abuse
Back to Case Studies
iGaming · Illustrative scenario
Illustrative scenario. The figures and quotes on this page are a representative composite based on attack patterns Sentinel detects in production, not a single named customer engagement. Real named customer references are available on request — contact us.

€1.8M in Bonus Abuse Stopped in 60 Days

A licensed EU sportsbook was hemorrhaging bonus credits to a coordinated ring of bonus abusers using antidetect browsers and residential proxies. Every account looked like a legitimate new depositor. Sentinel changed that in a weekend.

€1.8M
Bonus credits fraudulently claimed per quarter before Sentinel
97%
Drop in multi-accounting abuse after integration
<200ms
API response latency in production
48h
Time from API key to full production deployment

The Problem

The sportsbook was running a standard new-depositor promotion: a 100% deposit match up to €200 for first-time accounts. On paper, it was a customer acquisition play. In practice, a coordinated ring had turned it into a systematic extraction operation.

The pattern was straightforward but hard to see: hundreds of accounts per day were being created using antidetect browsers and residential proxies, each depositing between €10 and €50, claiming the matched bonus, placing a low-risk hedge bet, then withdrawing. Each account appeared to be a legitimate new European bettor — different IPs, different browser fingerprints, different devices, different deposit amounts.

Within a single quarter, the ring had claimed over €1.8M in bonus credits. The sportsbook's risk team suspected coordinated abuse but couldn't prove it, and every manual flag they raised led to a legitimate-looking account history that passed review.

Why Standard Defenses Failed

The operator had invested heavily in standard compliance infrastructure. None of it touched this attack vector.

  • UKGC-compliant KYC verified government-issued IDs — but document verification says nothing about whether a device or IP is shared across dozens of identities
  • IP blocklists were ineffective against residential proxy networks from Bright Data and Oxylabs — every request came from a different clean residential IP in Germany, Netherlands, or France
  • CAPTCHA was in place but was solved by third-party CAPTCHA farms at less than $1 per thousand solves — negligible cost against a €200 bonus per account
  • The fraud team's velocity rules flagged accounts that registered within minutes of each other, but the ring spaced registrations to stay under threshold

The fundamental problem: all existing defenses operated at the identity layer (KYC) or the network surface (IP blocklists). Neither layer could see the device and environment signals that exposed the coordinated nature of the attack.

What Sentinel Detected

Sentinel's evaluation runs at the device and network environment layer — the signals that exist below KYC and above raw IP reputation. For this ring, several compound signals converged:

  • Antidetect browser fingerprints — Dolphin Anty and Kameleo both leave detectable artifacts in canvas rendering, WebGL behaviour, and font enumeration that persist even when their spoofing features are active
  • Residential proxy routing — ASN-level classification identified Bright Data and Oxylabs exit nodes even when the surface IP appeared clean and residential
  • Burst timing patterns — account creation events clustered heavily between 02:00 and 04:00 UTC, consistent with automated tooling operating on a schedule rather than organic user behaviour
  • Device fingerprint clustering — despite different surface fingerprints across accounts, underlying hardware characteristics grouped dozens of accounts to the same physical machines running antidetect profiles

No single signal was sufficient to block an account. Together, they created a compound risk score that separated this ring from genuine new depositors with high precision.

The Integration

The sportsbook's backend ran on Node.js. Integration was a 3-line server-side check inserted before the bonus claim endpoint — the monocle client token, collected at page load via the Sentinel JavaScript snippet, was evaluated against the full signal stack before a bonus was activated.

Their routing logic after integration:

  • Score 0–49: Bonus activated immediately — no friction added for genuine bettors
  • Score 50–74: Bonus held pending a manual risk review with 24-hour SLA
  • Score 75+: Bonus request silently rejected; account flagged for investigation
// Bonus claim endpoint — Node.js / Express app.post('/api/bonus/claim', async (req, res) => { const response = await fetch('https://api.sntlhq.com/v1/evaluate', { method: 'POST', headers: { 'Authorization': 'Bearer sk_live_...', 'Content-Type': 'application/json' }, body: JSON.stringify({ token: req.body.monocleToken }) }); const { score, proxied, vpn, datacenter, anon, antidetect } = await response.json(); if (score >= 75 || antidetect) { // Silently reject — do not reveal detection to the abuser return res.status(200).json({ status: 'pending', message: 'Bonus under review' }); } if (score >= 50 || proxied) { await flagForManualReview(req.user.id, { score, proxied, vpn }); return res.status(200).json({ status: 'pending', message: 'Bonus under review' }); } // Legitimate bettor — activate immediately await activateBonus(req.user.id); res.json({ status: 'active' }); });

The antidetect flag in the response is a boolean that fires specifically when Dolphin Anty, Kameleo, Multilogin, or similar antidetect browser environments are detected. The sportsbook configured this flag as an automatic hold trigger regardless of the numeric risk score — since no genuine bettor has a reason to run an antidetect browser.

"We'd seen bonus abuse before, but nothing like this. Sentinel flagged the antidetect browsers our own KYC team had manually approved. The fingerprinting layer caught what document verification can't."

— Head of Risk, EU Sportsbook

Results — 60 Days Post-Deployment

€1.8M
In bonus abuse blocked in 60 days
97%
Reduction in multi-account signups reaching bonus activation
0.02%
False positive rate — legitimate players unaffected
48 hrs
From API key to full production deployment

Why KYC Alone Cannot Stop Bonus Abuse

KYC is designed to verify that a person is who they claim to be. It was never designed to detect that the same person — or the same device — is operating fifty accounts with fifty verified identities. The identity verification layer and the device/environment layer are orthogonal problems, and conflating them is what leaves iGaming operators exposed.

Antidetect browsers specifically exist to defeat device-layer detection. They're commercially available, actively maintained, and marketed openly to multi-accounting communities. A €200 signup bonus more than covers a monthly Dolphin Anty subscription. Until an operator deploys detection that works at the environment layer — not the identity layer — bonus abuse economics remain in the attacker's favour.

Sentinel closes that gap. The detection doesn't rely on knowing who someone is. It relies on detecting how their browser and network environment behaves — signals that no antidetect browser can fully suppress without also suppressing the normal behaviour that makes a browser usable.

Stop bonus abuse on your sportsbook

Detect antidetect browsers and residential proxies before they reach your bonus endpoints. No CAPTCHA required.

[ Get Free API Key ] View Documentation
Time to value Live in under 48 hours

Stop bonus abuse on your iGaming platform.

Detect residential proxies, antidetect browsers, and multi-accounting in real time. Free to start.

[ Get Started Free ]
More Case Studies
E-Commerce
$340K
E-Commerce Brand Stopped $340K in Chargebacks
Read case study →
Fintech
97%
Fintech Startup Cut Fake Account Fraud by 97%
Read case study →
SaaS
$2.1M
B2B SaaS Recovered $2.1M Blocking Trial Abuse
Read case study →