Case StudiesDocsBlogContact
Log InGet started
Stop Bonus Abuse

Stop Bonus Farming, Referral Fraud & Multi-Account Promo Abuse

Bonus abusers run antidetect browsers behind residential proxies to claim every deposit match, signup bonus, and referral reward you fund — dozens of accounts, one device. Sentinel links those accounts back to the hardware and returns a verdict invisibly, in under 40ms.

< 40msResponse time globally
Free1,000 requests/hour — no card, no expiry
0CAPTCHAs required
400+Device signals per session

What you're up against

Deposit-match farming with antidetect browsers

One operator runs dozens of accounts through Kameleo or Dolphin Anty profiles, each claiming your new-depositor match, placing a hedge bet, and withdrawing. Every account passes KYC because every identity is real — only the device is shared.

Referral programs paying the same person twice

Fintech and marketplace referral rewards get farmed by self-referral: new email, new phone number, new residential IP, same laptop. Uniqueness checks watch the identity layer while the device layer goes completely unwatched.

Residential proxies beat IP velocity rules

Commercial residential proxy networks hand each signup a clean home IP in your target market, so IP-based limits and geo checks see nothing wrong. Blocklists can't keep up because the exits rotate faster than any list updates.

Every account survives manual review

In isolation each abusive account looks like a legitimate new customer, so flagged cases get cleared and the payout goes through. The pattern only exists across accounts — and nothing in your stack links them together.

What Sentinel does for you

  • Link every new account to the physical device behind it — across browsers, antidetect profiles, and rotating residential IPs
  • Flag antidetect browsers (Kameleo, GoLogin, Dolphin Anty) at signup and again at the bonus-claim endpoint
  • Classify residential proxies and VPN exits that pass IP reputation and geo checks
  • Gate referral payouts on device evidence instead of email or phone uniqueness
  • Return a verdict in under 40ms — no CAPTCHA, no friction for genuine players
€87K

in bonus abuse stopped in 60 days by a licensed EU sportsbook facing a coordinated ring of antidetect browsers behind residential proxies

[ Read Full Case Study ]

Where the check goes

The highest-leverage call site is the bonus-claim or promo-redemption endpoint — gate the credit itself, so an account that slipped through signup still can't get paid. Add the same check at signup and referral payout, and the device claiming reward after reward is linked before any money moves. The client snippet rides in your existing pages; the server asks Sentinel for a verdict before the credit is applied.

// Gate bonus claims before crediting the deposit match
const res = await fetch('https://sntlhq.com/v1/evaluate', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + process.env.SENTINEL_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ token: req.body.sentinel_token })
});
const risk = await res.json();
if (risk.decision === 'block') return res.status(403).json({ error: 'Request rejected' });
if (risk.decision === 'review') flagForReview(risk.reasons);

The signals that matter here

One device, many verified identities. Bonus farmers pass KYC because every identity is genuine — the fraud only becomes visible when account after account traces back to the same hardware. Sentinel keys its "times seen" counter to a cross-browser device ID, so the tenth account from one laptop links to the first nine even through fresh antidetect profiles and rotating residential IPs, and the high_activity_device reason fires before the credit lands. That per-customer device graph is what makes bonus abuse detection hold up — not tighter promo terms.

Antidetect browsers leave fingerprints of their own. Kameleo, GoLogin, Dolphin Anty, and AdsPower spoof canvas, WebGL, and font enumeration — but the spoofing itself produces measurable inconsistencies. Sentinel surfaces them as the antidetect_browser reason code plus device.tampering_score, so a claim from an antidetect browser can route straight to review regardless of how clean the rest of the session looks.

Residential doesn't mean real. A clean German home IP can be a residential proxy exit rented by the hour. Sentinel classifies the network behind the address — network.residential, network.proxy, network.vpn — and returns proxy_detected or vpn_detected as explicit reason codes, so your promo path can treat anonymized traffic differently from a genuine home connection instead of trusting the surface IP.

Signals, not verdicts alone. Every response carries the decision (allow, review, or block), a 0–100 risk_score, and the raw reasons behind it. That enables asymmetric policy: lenient at login, where a VPN is often just privacy hygiene, and strict at the bonus-claim and referral-payout endpoints, where the same signal means promo budget is about to walk out the door.

Common questions

How does Sentinel link bonus-farming accounts that all use different IPs and emails?
Every evaluation returns a cross-browser device identifier and a "times seen" counter for that hardware across your accounts. When account twelve arrives from a fresh browser profile and a new residential IP but the same physical machine, the counter says so. Linking is per-customer and hash-based — devices are never correlated across Sentinel customers.
Can it detect antidetect browsers like Dolphin Anty, Kameleo, or GoLogin?
Yes. Spoofing canvas, WebGL, and font surfaces leaves measurable artifacts of its own, which Sentinel reports as the antidetect_browser reason code alongside a device tampering score. No detector catches every configuration of every tool, which is why the verdict combines device, network, and behavioral signals rather than relying on any single flag.
Will genuine players who use a VPN get blocked?
Only if you choose to block them. Sentinel returns the decision plus the raw signals behind it (vpn_detected, network.residential, and so on), so most operators allow VPN-only traffic at login and tighten policy at the bonus-claim endpoint, where anonymized networks correlate much more strongly with abuse.
Does this apply to referral rewards and marketplace coupons, not just casino bonuses?
Yes — the mechanics are identical. Whether the incentive is a deposit match, a referral payout, or a first-order coupon, the abuse pattern is one device operating many accounts, and the same device-linking check gates all of them. Only the endpoint you protect changes.
Is Sentinel ready for a regulated iGaming operator?
Sentinel is in open beta, so evaluate it against your own traffic rather than our claims: the free tier is 1,000 requests per hour with no credit card, which covers a realistic shadow-mode trial on your promo endpoints. We recommend integrating fail-open — if the API is unreachable, your flow proceeds — so the check can never take your bonus pipeline down.

Make bonus farming unprofitable

Free tier: 1,000 requests/hour. No card, no expiry. Detects residential proxies, antidetect browsers, and AI bots.

Fraud BriefOnce a month · no spam · unsubscribe anytime
Get the new VPN, proxy & bot patterns we see each month
Short, technical breakdowns of what fraudsters changed last month — written for engineers, not marketers.
Stop fraud before it hides — try Sentinel free. Free tier: 1,000 requests/hour. No card, no expiry.