How Identity Graph Caught a €2.3M Multi-Account Ring
Case Studies · 5 March 2026 · 8 min read

Seven clusters, 847 linked accounts — mapped in 48 hours using behavioral graph analysis.

Serixo Research
Fraud Intelligence Team

The problem

A top-10 EU iGaming operator approached Serixo in Q4 2025 with a crisis: their bonus programme was haemorrhaging €180,000 every month to coordinated multi-account abuse. Traditional rules — IP deduplication, device fingerprint matching, payment method checks — were catching perhaps 15% of the ring. The rest slipped through because the attackers had industrialised their operation: rotating residential proxies, purpose-built Android farms, and a shared pool of aged payment accounts sourced from underground markets.

"We knew it was organised. The same bonus sequences, the same withdrawal timing, the same device resets — but every account looked clean in isolation."
— Head of Fraud, EU iGaming Operator

The fundamental limitation of point-in-time checks is that they evaluate each account in isolation. A sophisticated ring is designed specifically to defeat this: every individual account passes every individual check. The signal only becomes visible when you look at relationships across accounts over time.

How it works

Identity Graph builds a continuously updated relational model of every entity — accounts, devices, payment methods, IPs, behavioural sessions — and the weighted edges between them. Edges are created by shared attributes (same device ID, overlapping IP subnet, identical canvas fingerprint) and reinforced by behavioural proximity (login times within seconds of each other, identical bet sequences, correlated withdrawal requests).

When a new account registers or transacts, the graph engine computes its first- and second-degree neighbourhood and surfaces any clusters that exhibit ring-like topology: high internal edge density, external isolation, and behavioural synchrony. Clusters above a configurable suspicion threshold are flagged for review or automatic action.

How graph scoring works: Each node receives a composite score combining direct link strength (shared hard attributes), indirect link strength (shared soft behavioural signals), cluster density, and temporal correlation. A score above 0.82 triggers automatic escalation to the fraud queue.
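The cluster properties named in this section (high internal edge density, external isolation) can be made concrete with a small sketch. This is an added example, not Serixo's code or scoring formula: the link weights, the density-times-isolation score, the function names and the sample accounts are assumptions constructed for illustration, and behavioural and temporal signals are not modelled.

```javascript
// Added illustration, not Serixo's algorithm: weights, formula and data are assumptions.
const WEIGHTS = { deviceId: 1.0, paymentPrefix: 0.75, ipSubnet: 0.25 };
const ESCALATE = 0.82; // threshold quoted on the page; the score formula below is assumed
const ACCOUNTS = [ // constructed sample: r1-r4 form a ring, u1-u3 are unrelated players
  { id: 'r1', deviceId: 'dA', paymentPrefix: 'P1', ipSubnet: 's1' },
  { id: 'r2', deviceId: 'dA', paymentPrefix: 'P1', ipSubnet: 's2' },
  { id: 'r3', deviceId: 'dB', paymentPrefix: 'P1', ipSubnet: 's3' },
  { id: 'r4', deviceId: 'dB', paymentPrefix: 'P1', ipSubnet: 's1' },
  { id: 'u1', deviceId: 'dC', paymentPrefix: 'P2', ipSubnet: 's4' },
  { id: 'u2', deviceId: 'dD', paymentPrefix: 'P3', ipSubnet: 's4' }, // same household as u1
  { id: 'u3', deviceId: 'dE', paymentPrefix: 'P4', ipSubnet: 's2' }, // same ISP block as r2
];

// Account-to-account edges: sum the weights of shared attributes, capped at 1.
function buildEdges(accounts) {
  const byAttr = new Map(); // "type:value" -> ids of accounts holding it
  for (const acc of accounts) for (const type of Object.keys(WEIGHTS)) {
    const key = `${type}:${acc[type]}`;
    byAttr.set(key, [...(byAttr.get(key) || []), acc.id]);
  }
  const edges = new Map(); // "a|b" -> link weight
  for (const [key, ids] of byAttr) for (let i = 0; i < ids.length; i++)
    for (let j = i + 1; j < ids.length; j++) {
      const pair = [ids[i], ids[j]].sort().join('|');
      edges.set(pair, Math.min(1, (edges.get(pair) || 0) + WEIGHTS[key.split(':')[0]]));
    }
  return edges;
}

// Connected components over strong edges, each scored for density and isolation.
function findClusters(accounts, minWeight = 0.5) {
  const edges = buildEdges(accounts);
  const parent = new Map(accounts.map((a) => [a.id, a.id])); // union-find forest
  const find = (x) => { while (parent.get(x) !== x) x = parent.get(x); return x; };
  for (const [pair, w] of edges) if (w >= minWeight) parent.set(...pair.split('|').map((id) => find(id)));
  const groups = new Map();
  for (const a of accounts) groups.set(find(a.id), [...(groups.get(find(a.id)) || []), a.id]);
  return [...groups.values()].filter((m) => m.length > 1).map((members) => {
    let internal = 0, external = 0;
    for (const [pair, w] of edges) {
      const inside = pair.split('|').filter((id) => members.includes(id)).length;
      if (inside === 2) internal += w; else if (inside === 1) external += w;
    }
    const density = internal / (members.length * (members.length - 1) / 2); // 1 = fully linked
    const isolation = internal / (internal + external); // 1 = no links leaving the cluster
    const suspicion = density * isolation;
    return { members, density, isolation, suspicion, escalate: suspicion > ESCALATE };
  });
}
```

On the constructed data, `findClusters(ACCOUNTS)` returns one cluster, r1 to r4, even though no two ring accounts match on every attribute; u3 shares only an IP subnet with r2 and stays outside it, as do the two household accounts.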

Results

  • 847 linked accounts identified
  • 7 distinct clusters mapped
  • €2.3M total exposure recovered

Within 48 hours of ingesting 90 days of historical event data, Identity Graph had mapped 847 accounts into 7 distinct clusters. The largest cluster contained 312 accounts spanning four countries, sharing 14 payment method prefixes and exhibiting near-identical 72-hour bonus conversion sequences. None of these accounts had ever triggered a point-in-time alert.

All 847 accounts were suspended within 72 hours of the initial mapping. Bonus leakage dropped from €180K/month to under €6K/month — a 97% reduction — within the first billing period. Total recovered exposure, accounting for bonuses already paid and pending withdrawal holds, was calculated at €2.3M.

Integration

Identity Graph ingests events via the standard Serixo event stream — no separate integration required. The graph engine processes events asynchronously, with cluster scores updated in near-real-time (median lag: 340ms from event ingestion to score update). For platforms requiring synchronous graph lookups at transaction time, a low-latency edge API is available:

    // Query graph neighbourhood at transaction time
    const graphScore = await serixo.identityGraph.score({
      accountId: 'usr_8f3k2m',
      signals: {
        deviceId: req.deviceId,
        ipAddress: req.ip,
        paymentMethodHash: req.pmHash,
      },
      depth: 2, // first + second degree neighbours
      threshold: 0.75, // return clusters above this score
    });

    if (graphScore.clusterSuspicion > 0.82) {
      return { action: 'review', reason: 'graph-cluster' };
    }

Takeaways

  • Multi-account rings are designed to defeat point-in-time checks — graph analysis is the only reliable countermeasure.
  • Identity Graph mapped 847 accounts into 7 clusters in under 48 hours from historical data ingestion.
  • Bonus leakage dropped 97%, from €180K/month to under €6K/month, within the first billing period.
  • No additional integration is required — the graph engine runs on your existing Serixo event stream.
  • Synchronous graph scoring at transaction time adds a median 12ms to evaluation latency.

Tags: iGaming, Multi-accounting, Identity Graph, Bonus Abuse, Fraud Detection
