Stop Bonus Farming, Referral Fraud & Multi-Account Promo Abuse
Bonus abusers run antidetect browsers behind residential proxies to claim every deposit match, signup bonus, and referral reward you fund — dozens of accounts, one device. Sentinel links those accounts back to the hardware and returns a verdict invisibly, in under 40ms.
What you're up against
Deposit-match farming with antidetect browsers
One operator runs dozens of accounts through Kameleo or Dolphin Anty profiles, each claiming your new-depositor match, placing a hedge bet, and withdrawing. Every account passes KYC because every identity is real — only the device is shared.
Referral programs paying the same person twice
Fintech and marketplace referral rewards get farmed by self-referral: new email, new phone number, new residential IP, same laptop. Uniqueness checks watch the identity layer while the device layer goes completely unwatched.
Residential proxies beat IP velocity rules
Commercial residential proxy networks hand each signup a clean home IP in your target market, so IP-based limits and geo checks see nothing wrong. Blocklists can't keep up because the exits rotate faster than any list updates.
Every account survives manual review
In isolation each abusive account looks like a legitimate new customer, so flagged cases get cleared and the payout goes through. The pattern only exists across accounts — and nothing in your stack links them together.
What Sentinel does for you
- Link every new account to the physical device behind it — across browsers, antidetect profiles, and rotating residential IPs
- Flag antidetect browsers (Kameleo, GoLogin, Dolphin Anty) at signup and again at the bonus-claim endpoint
- Classify residential proxies and VPN exits that pass IP reputation and geo checks
- Gate referral payouts on device evidence instead of email or phone uniqueness
- Return a verdict in under 40ms — no CAPTCHA, no friction for genuine players
in bonus abuse stopped in 60 days by a licensed EU sportsbook facing a coordinated ring of antidetect browsers behind residential proxies
[ Read Full Case Study ]Where the check goes
The highest-leverage call site is the bonus-claim or promo-redemption endpoint — gate the credit itself, so an account that slipped through signup still can't get paid. Add the same check at signup and referral payout, and the device claiming reward after reward is linked before any money moves. The client snippet rides in your existing pages; the server asks Sentinel for a verdict before the credit is applied.
// Gate bonus claims before crediting the deposit match
const res = await fetch('https://sntlhq.com/v1/evaluate', {
method: 'POST',
headers: {
'Authorization': 'Bearer ' + process.env.SENTINEL_KEY,
'Content-Type': 'application/json'
},
body: JSON.stringify({ token: req.body.sentinel_token })
});
const risk = await res.json();
if (risk.decision === 'block') return res.status(403).json({ error: 'Request rejected' });
if (risk.decision === 'review') flagForReview(risk.reasons);The signals that matter here
One device, many verified identities. Bonus farmers pass KYC because every identity is genuine — the fraud only becomes visible when account after account traces back to the same hardware. Sentinel keys its "times seen" counter to a cross-browser device ID, so the tenth account from one laptop links to the first nine even through fresh antidetect profiles and rotating residential IPs, and the high_activity_device reason fires before the credit lands. That per-customer device graph is what makes bonus abuse detection hold up — not tighter promo terms.
Antidetect browsers leave fingerprints of their own. Kameleo, GoLogin, Dolphin Anty, and AdsPower spoof canvas, WebGL, and font enumeration — but the spoofing itself produces measurable inconsistencies. Sentinel surfaces them as the antidetect_browser reason code plus device.tampering_score, so a claim from an antidetect browser can route straight to review regardless of how clean the rest of the session looks.
Residential doesn't mean real. A clean German home IP can be a residential proxy exit rented by the hour. Sentinel classifies the network behind the address — network.residential, network.proxy, network.vpn — and returns proxy_detected or vpn_detected as explicit reason codes, so your promo path can treat anonymized traffic differently from a genuine home connection instead of trusting the surface IP.
Signals, not verdicts alone. Every response carries the decision (allow, review, or block), a 0–100 risk_score, and the raw reasons behind it. That enables asymmetric policy: lenient at login, where a VPN is often just privacy hygiene, and strict at the bonus-claim and referral-payout endpoints, where the same signal means promo budget is about to walk out the door.
Common questions
Make bonus farming unprofitable
Free tier: 1,000 requests/hour. No card, no expiry. Detects residential proxies, antidetect browsers, and AI bots.