How Platforms Detect Linked Accounts

How Platforms Detect Linked Accounts

Modern Detection Methods

Today multiaccounting is considered one of the biggest challenges for platforms where users can gain an 🔝 unfair advantage by creating multiple accounts, including advertising platforms, marketplaces, crypto exchanges, sportsbooks, online casinos, social networks and many others.

There are many reasons why people create multiple accounts. They may use them to bypass bans, claim bonuses multiple times, run advertising campaigns, manipulate ratings and reviews or perform other activities. That said, multiaccounting is not always prohibited. Some platforms, such as Reddit, allow users to have multiple accounts as long as they are not used to vote on posts or comments.

Reddit Rules Dolphin Anty

However, in most cases, it is abuse that drives the rapid development of antifraud systems. The scale of the commercial antifraud market itself shows just how seriously businesses take this issue. According to various estimates, the market is already worth tens of billions of dollars, while analysts at Grand View Research forecast 📈 continued steady growth.

Antifraud market Dolphin Anty
Forecast by Grand View Research, one of the leading market research firms.

At the same time, Meta, Google and other platforms reveal very little about how their detection systems work. And for good reason: disclosing these internal mechanisms would make it much easier for bad actors to find ways around them.

As a result, it is impossible to know with certainty which specific signals are used when deciding whether to suspend a particular account or how much weight each one carries. Everything we know today about modern detection systems comes from publicly available research, patents, technical documentation, real-world observations by industry experts and materials published by companies developing commercial antifraud solutions.

For the purposes of this article the last source is the most relevant. Today, an entire industry exists to help banks, fintech companies, marketplaces, advertising platforms and iGaming businesses 🔎 detect multiaccounting and other types of fraud.

For example, SEON analyzes not only browser fingerprints but also user behavior patterns, payment data, cookies, IP addresses and activity history to identify linked accounts. Sumsub also evaluates behavioral patterns and offers its own risk scoring system. SHIELD focuses on behavioral biometrics, continuous session monitoring and device cluster analysis, while CrossClassify links devices and accounts using graph analysis and machine learning models.

Despite differences in implementation, all of these solutions share ☝️ one core principle: modern detection has long moved beyond checking Canvas, WebGL or other individual fingerprint parameters. Instead, it relies on comprehensive analysis to estimate the likelihood that multiple accounts are being operated by the same user. 

What “Linked Accounts” Actually Mean

Before discussing detection methods, it’s important to understand what modern antifraud systems are actually looking for. Imagine two accounts registered on the same platform. The system is not trying to answer questions like, “Do they have the same Canvas fingerprint or User-Agent?” What really matters to antifraud systems is this:

🤔 How likely is it that these two accounts are operated by the same person?

To answer that question, the system gradually collects what may seem like unrelated data. Is the same device being used? Are the accounts connected through the same network? Do their browser characteristics match? Do they interact with the interface in similar ways? Are the same payment details being used? Do the registration, login and activity patterns follow the same sequence? Are their activity times closely aligned? Are there indirect signals suggesting that different accounts are part of the same overall pattern?

A single matching signal is rarely enough to trigger a suspension on its own. But when several of these signals start to overlap, the likelihood that the accounts are linked increases significantly.

This is why the idea that an account’s safety depends solely on the quality of its browser fingerprint no longer reflects reality. While browser fingerprinting remains an important part of modern antifraud systems, it is only one of several layers used in risk assessment.

In this article we’ll discover 🤓 the modern methods used to detect linked accounts and group them into four distinct layers. This will help you better understand how today’s antfraud systems work and why getting a green result in a fingerprint checker doesn’t necessarily mean your profile won’t raise suspicion.

Layer 1: Static Fingerprint

The detection of multiaccounting begins with the 👣 browser digital fingerprint, which has long been considered the primary method of device identification. It is built from the parameters that the browser and operating system automatically expose to websites:

  • Canvas;
  • WebGL;
  • AudioContext;
  • User-Agent;
  • Installed fonts;
  • Screen resolution;
  • Language and time zone;
  • Hardware specifications;
  • Browser and operating system settings.

The combination of these characteristics and, more importantly, their consistency with one another, allows platforms to build a fairly unique user profile and detect attempts to spoof the entire fingerprint.

Platforms also verify whether the reported device characteristics match its actual capabilities. For example, a browser may claim that the user has a modern graphics card, while Canvas or WebGL rendering performance is more consistent with an integrated GPU.

Such inconsistencies can result from the use of virtual machines, emulators, fingerprint spoofing tools or improperly configured browsers. For this reason, modern antifraud systems evaluate not only the device characteristics being reported but also whether they align with the device’s actual behavior. 

It is also still common to hear that if a checker such as BrowserLeaks or BrowserScan shows a good result, the profile is completely safe. In reality that is far from the case.

BrowserScan Dolphin Anty
10% of the score was deducted due to a time zone mismatch.

A good example at this layer is the Chrome M134 update. In 2025 the browser began automatically adding four new HTTP headers to requests sent to Google services: X-Browser-Channel, X-Browser-Year, X-Browser-Copyright and X-Browser-Validation.

The first three contain information about the browser’s release channel and build version. The most interesting one, however, is 💡 X-Browser-Validation. It is a cryptographic signature generated internally by Chrome using a built-in API key and the User-Agent string. Different keys are used for Windows, macOS and Linux.

X-Browser-Validation Header Dolphin Anty

Some time ago it was often enough to spoof the User-Agent and pretend to be Chrome running on Windows. That is no longer the case. If a browser claims to be running in one environment but its signature does not match that of a genuine Chrome installation on that platform, Google’s servers can immediately detect the inconsistency. In effect, the company has introduced another way to verify whether the client is actually Chrome or simply trying to impersonate it.

This mechanism is not designed to detect multiaccounting on its own. Its purpose is to verify that the client is not spoofing its environment. However, checks like this are exactly what contribute to the overall user profile.

But even if a browser successfully passes these checks, it does not mean the profile is safe. The static fingerprint is only the first layer of analysis. After that, the platform begins evaluating much more complex signals, including user behavior, device history, account relationships, network reputation and more.

Layer 2: User Behavior Analysis

Even a perfectly consistent browser fingerprint does not guarantee that an account will appear legitimate to the platform. Once the initial device verification is complete, modern antifraud systems move on to analyzing how the user interacts with the website or application.

This approach is known as behavioral fingerprinting. Instead of relying on static device characteristics, the system evaluates how a person actually uses the platform. These behavioral patterns are extremely difficult to fake.

Mouse Movements and Interface Interaction

Human behavior is rarely predictable. Users move the cursor at varying speeds, make small adjustments to its path, pause over interface elements, occasionally miss buttons or scroll through pages in irregular bursts.

⚙️ Automation tools, on the other hand, often behave too perfectly. The cursor moves in straight lines, clicks occur at precisely defined coordinates and page scrolling follows identical increments every time. Statistically, these actions differ significantly from the behavior of real users.

Mouse movement Dolphin Anty
When creating automation scripts in modern antidetect browsers, mouse movement paths can be customized by specifying different coordinates, making each cursor trajectory appear unique.

For this reason, modern antifraud systems analyze not individual clicks but the entire 🖼 interaction pattern. They evaluate not only the sequence of actions but also how those actions are performed and whether they appear natural.

Timing Between Actions

🕓 The time intervals between user actions also play an important role in behavioral analysis. Real users do not fill out forms at a perfectly consistent speed, open pages at fixed intervals or click buttons with millisecond precision. Their behavior is influenced by reading speed, personal habits, distractions and even random pauses.

With automation the intervals between actions are often too short or suspiciously consistent. That is why modern detection systems analyze not only the events themselves but also their timing patterns.

Modern antidetect browsers also allow these timing characteristics to be customized.

Even if each individual action appears legitimate on its own, timing patterns can still reveal the use of scripts, bots or other automation tools.

Activity History

A behavioral profile is built over time from every interaction with the platform. It may take into account when a user typically logs in, how consistently they use the service, how long their sessions usually last and how their activity changes over time.

For example, if an account has been used from the same country every evening for several months and then suddenly starts operating around the clock with short ten-minute sessions, this represents a significant change in behavior. While such a change does not necessarily indicate fraud on its own, it may draw additional scrutiny from the platform.

Layer 3: Device Graph and Account Linking

At the first two layers, the system collects information about each account and user individually. At the third layer it begins ⚖️ comparing this data across all registered accounts to identify signals suggesting that some of them are controlled by the same person.

To do this, platforms build a Device Graph – a network of relationships between devices, accounts and users. It can be thought of as a map where each account, device, IP address or payment method becomes a node, while detected connections between them become links. The more of these connections the system identifies, the higher the probability that multiple accounts are being operated by the same user.

Graph Dolphin Anty

If two accounts use the same IP address, that alone does not mean they belong to the same user. Likewise, sharing the same User-Agent or time zone proves nothing by itself.

However, when multiple signals begin to match simultaneously and not just at the fingerprint level, the probability of a coincidence drops dramatically.

For example, two accounts may:

  • Regularly log in from the same IP range;
  • Use similar devices and browsers;
  • Share the same cookies or local storage identifiers;
  • Use the same payment details;
  • Follow identical registration and login patterns;
  • Exhibit similar behavioral patterns.

As a result, a Device Graph may include:

  • Devices and their browser fingerprints;
  • User accounts;
  • IP addresses, ASNs and proxies;
  • Cookies and browser-local identifiers;
  • Payment methods and bank cards;
  • Email addresses and phone numbers;
  • Sequences of actions performed on the platform;
  • Login history and user activity.

All of this data is then 🔗 linked together, allowing the antifraud system to evaluate an account’s position within the overall network of relationships.

It is also important to note that using different devices does not necessarily prevent accounts from being linked. If they operate through the same network, regularly connect at similar times, use the same browsers, follow similar behavioral patterns and interact with the same services, the antifraud system may gradually begin treating them as part of the same behavioral model.

Another technique commonly used alongside a Device Graph is known as 🚀 velocity rules. It helps answer the question: “How quickly are actions being performed across different accounts?”

For example, the system may flag situations where:

  • A large number of accounts are created from the same device within a short period;
  • The same browser fingerprint is repeatedly used for registrations;
  • Multiple accounts perform identical actions almost simultaneously;
  • The same bank card appears across several newly created accounts;
  • Dozens of registrations originate from the same IP range within just a few minutes.

Ultimately, antifraud systems are not only interested in the device but also in the user behind it. If multiple independent signals point to multiaccounting, the platform may link accounts even when they are operated from different devices.

Layer 4: Network Scoring and Reputation

The final layer of detection focuses on the network infrastructure through which an account connects to the platform. Many people assume that finding an IP address considered “clean” by various checkers (and not listed on any blacklist) is enough. In reality, modern antifraud systems evaluate far more than the IP address itself. They also consider its history, surrounding network environment and the overall reputation of the network from which the traffic originates.

This is why 💯 Network Scoring has become an increasingly important concept today — a comprehensive assessment of the trustworthiness of a user’s network environment.

Fraud score Dolphin Anty
One of the free IP fraud checkers. Most professional solutions are paid.

Every IP address builds its own history over time. A platform may consider how long it has been in use, how many accounts have operated through it, whether any of those accounts were suspended, how frequently the IP changes and whether it has been associated with suspicious activity.

Even if a particular IP address is not listed in public blacklists, that does not mean the platform lacks its own historical data about its previous use.

In addition to the IP address itself, platforms also analyze the ASN (Autonomous System Number) — the network operator or internet service provider through which the user connects to the internet. For example, an account that consistently connects from a residential network appears more natural than one that constantly relies on datacenter proxies, VPN services or cloud infrastructure. As a result, network reputation is evaluated at multiple levels: the individual IP address, the subnet and the ASN.

Platforms also assess whether the network environment is consistent with the rest of the profile. For example, a mobile device would normally connect through a mobile carrier or a residential internet connection. If that same profile consistently operates through a datacenter IP, it creates an obvious mismatch between the claimed device and its actual network environment.

A similar situation occurs when:

  • A residential computer regularly connects from different countries;
  • The same profile appears under different ASNs within a short period;
  • The connection type does not match the device’s typical usage pattern.

Each of these inconsistencies increases the overall risk score.

For antifraud systems the overall consistency and credibility of the user’s network environment matters most. IP history, ASN reputation, connection type, connection geography and how well these factors align with the device are all evaluated together to determine the account’s overall trust score.

What This Looks Like in Practice

🛠 Antifraud systems evaluate all of these layers simultaneously. To illustrate, imagine a media buyer creating two advertising accounts. Each account uses a separate antidetect browser profile, a different proxy and a different browser fingerprint. Every popular fingerprint checker reports that both profiles appear legitimate.

At first glance, there seems to be no connection between the accounts.

ParameterAccount AAccount B
Browser fingerprintDifferentDifferent
IP addressDifferentDifferent
Antidetect browser profileSeparateSeparate
First login time09:0209:04
Working hours09:00–18:0009:00–18:00
Connected to the same home Wi-Fi the previous dayYesYes
Bank card BINSameSame
Business ManagerLinkedLinked
Advertising domainSameSame
CreativesSame imagesSame images
UTM parametersMatchMatch
Ad copyNearly identicalNearly identical
Sequence of actionsIdenticalIdentical

Individually none of these factors proves that the accounts are controlled by the same person. The same bank card BIN may be shared by customers of the same bank. A single domain can be used across multiple advertising campaigns. Even matching working hours cannot be considered evidence of abuse.

What modern antifraud systems evaluate instead is the likelihood that all of these similarities occurred by chance. As the number of independent matching signals reaches a critical threshold, the probability of coincidence drops and the system no longer sees two independent accounts — it sees two entities following the same behavioral pattern.

This is why a profile can appear flawless from a browser fingerprint perspective while still receive a high risk score due to the combination of other signals. That is also why creating a good browser fingerprint alone is not enough as it must also be used correctly.

Practical Takeaways

Modern antifraud systems evaluate a combination of independent signals rather than individual browser parameters. As a result, there is no universal way to completely eliminate the risk of accounts being linked. The only effective approach is comprehensive protection.

Safe multiaccount management starts with proper profile isolation. Each profile should have its own browser fingerprint, independent storage, separate cookies and a unique yet internally consistent and realistic fingerprint configuration. This is exactly what antidetect browsers are designed to provide.

For example, 📌 Dolphin Anty allows you to create an unlimited number of profiles with consistent browser fingerprints, individual proxies (which automatically adjust language, geolocation and time zone) and even the correct X-Browser-Validation header.

Interface Dolphin Anty

However, protection does not end there. Even a perfectly configured browser fingerprint will not help if every account follows the same behavioral pattern.

To make profile behavior more diverse, Dolphin Anty includes a built-in 📹 Scenario Builder that allows users to automate actions while simulating more natural interaction patterns across accounts.

Dolphin Anty’s Scenario Builder is designed as an interactive workflow map.

Each scenario block represents a configurable step in an automation sequence. For example, you can define custom coordinates for mouse movements or adjust the scrolling speed. More advanced users can also work with CSS selectors.

However, it’s important to understand that even the most advanced automation tools cannot fully replicate human behavior. If account activity remains predictable and repetitive, those accounts are likely to be linked sooner or later.

Conclusion

Just a few years ago multiaccount detection was largely based on browser fingerprints when Canvas, WebGL, User-Agent time zone and other parameters could be verified using various fingerprint checkers. Today that is no longer enough.

Modern antifraud systems analyze users across multiple layers, including device characteristics, behavioral patterns, account relationships, network environment, IP reputation and many other signals. Individually, these factors rarely result in an account suspension. But when evaluated together, they allow platforms to determine with a high degree of confidence whether multiple accounts are being operated by the same person.

As a result, modern platforms are no longer trying to identify the device as they are trying to identify the person behind multiple accounts. And solving that challenge is exactly where they invest billions of dollars.

Make the most of your browser's anti-detection capabilities

Sign up and get 5 profiles for free

Get free profiles

Мы используем файлы cookie для сбора информации об аутентификации, вашем устройстве, действиях при просмотре и шаблонах.
Чтобы узнать больше, ознакомьтесь с нашей Политикой конфиденциальности и Условия использования .
Нажимая «Я принимаю» или используя наш веб-сайт, вы соглашаетесь на использование нами файлов cookie.

Accept