By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: SumSub

TL;DR: Fraud in iGaming is shifting from document checks to behaviour, with Sumsub's Defenders of Trust 2026 report arguing that device intelligence, transaction monitoring, and reusable identity signals are now central to prevention. The useful takeaway is structural: static verification alone cannot keep pace with fraud farms, collusion, and bonus abuse.


At a glance

What this is: Sumsub's Defenders of Trust 2026 report on iGaming fraud, identity, and AML. Its key finding is that behaviour now matters more than document checks.

Why it matters: iGaming teams have to govern human identity, device signals, and abuse patterns as one trust problem, not as separate compliance tasks.



Context

iGaming fraud is no longer a document-only problem. Attackers and abuse networks now exploit behavioural patterns, device reuse, and transaction context, which means identity controls have to look beyond KYC checkpoints and into continuous signal-based verification.

In regulated betting and gaming environments, the practical question is how to decide whether an identity event is genuine, coerced, duplicated, or coordinated. Sumsub's report frames this as a move from compliance-led identity checks to ongoing trust assessment, which is typical for high-fraud, high-incentive markets.


Key questions

Q: How should iGaming operators detect fraud when identity checks are only a first step?

A: They should combine onboarding verification with continuous behavioural analysis. The best signal set includes device intelligence, payment telemetry, velocity patterns, and linked-account correlation. That combination helps teams detect collusion, bonus abuse, and reused identities after the initial check has passed, when most abuse becomes visible.

Q: Why do traditional KYC controls miss modern iGaming fraud?

A: Traditional KYC is designed to validate identity at a point in time, but modern fraud is adaptive and post-onboarding. Fraud farms, collusion networks, and recycled accounts can all pass the initial check while still behaving suspiciously later. The failure is not the absence of KYC, but its limited scope.

Q: What do security teams get wrong about bonus abuse and account farming?

A: They often treat bonus abuse as a promotions problem instead of an identity correlation problem. In practice, the same actor may reuse devices, payment methods, and behavioural patterns across many accounts. Without cross-account linkage, teams see isolated events instead of a coordinated abuse pattern.

Q: How can regulated gaming teams balance fraud prevention with conversion?

A: They should use continuous risk scoring to separate low-risk legitimate users from accounts that show shared infrastructure or repeated abuse. That approach reduces unnecessary friction for genuine players while tightening controls where the evidence suggests coordinated fraud. The goal is selective scrutiny, not blanket blocking.


Technical breakdown

Behaviour-driven fraud detection in iGaming

Behaviour-driven fraud detection looks at how a user acts across sessions, devices, and transactions rather than relying only on document submission. In iGaming, this matters because fraud farms and collusion networks can pass one-time verification while still exhibiting shared devices, scripted timing, or repeated payment patterns. Device intelligence, velocity signals, and transaction monitoring create a richer trust picture than static onboarding alone. The core architecture is continuous correlation, not a single pass or fail gate.

Practical implication: treat onboarding as the start of identity assurance and monitor for behavioural drift throughout the player lifecycle.

Reusable identity and bonus abuse signals

Reusable identity in this context means the same person, device, or credential pattern being recycled across multiple accounts to exploit promotions, evade controls, or launder access. Bonus abuse often depends on this reuse because the fraud pattern only becomes visible when multiple registrations, payment instruments, and devices are linked together. Identity matching, device fingerprints, and payment telemetry work together here. The control challenge is not just proving who a user is, but proving whether the same actor is returning under a different account wrapper.

Practical implication: correlate registration, device, and payment data to find repeated identity patterns before promotions are exhausted.
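The linkage described above, as an added example that is not code from the Sumsub report or from this page's authors. It clusters accounts that share a device fingerprint or payment instrument, including transitively, and flags clusters with several bonus claims. The field names, sample records, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample registrations (hypothetical fields, not real data).
ACCOUNTS = [
    {"id": "a1", "device": "dev-A", "card": "card-1", "bonus": True},
    {"id": "a2", "device": "dev-A", "card": "card-2", "bonus": True},
    {"id": "a3", "device": "dev-B", "card": "card-2", "bonus": True},
    {"id": "a4", "device": "dev-C", "card": "card-3", "bonus": True},
    {"id": "a5", "device": "dev-D", "card": "card-4", "bonus": True},
    {"id": "a6", "device": "dev-D", "card": "card-5", "bonus": False},
]


def link_accounts(accounts, keys=("device", "card")):
    """Group accounts that share any signal value, directly or transitively."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (signal name, value) -> first account that used it
    for a in accounts:
        for k in keys:
            sig = (k, a.get(k))
            if sig[1] is None:
                continue  # a missing signal must never link accounts
            if sig in first_seen:
                parent[find(a["id"])] = find(first_seen[sig])
            else:
                first_seen[sig] = a["id"]

    clusters = defaultdict(list)
    for a in accounts:
        clusters[find(a["id"])].append(a)
    return list(clusters.values())


def flag_clusters(accounts, min_size=3, min_bonus_claims=2):
    """Return sorted account-id lists for clusters worth analyst review."""
    flagged = []
    for cluster in link_accounts(accounts):
        claims = sum(1 for a in cluster if a["bonus"])
        # Assumed thresholds: a shared household device (size 2) is not flagged.
        if len(cluster) >= min_size and claims >= min_bonus_claims:
            flagged.append(sorted(a["id"] for a in cluster))
    return sorted(flagged)
```

In the sample, a1 and a3 share no signal directly; they are linked only through a2, which is the relationship a per-account check cannot see.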

Why static KYC is not enough for regulated gaming

Static KYC checks answer a limited question at a limited point in time: did this person present acceptable evidence during onboarding? That model breaks down when fraud evolves after account creation, because document legitimacy does not prevent collusion, account farming, or synthetic behaviour. The report's emphasis on continuous, signal-driven identity reflects a wider shift in regulated markets toward dynamic risk assessment. In practice, the control boundary moves from verification to ongoing assurance.

Practical implication: pair KYC with continuous risk scoring, transaction monitoring, and device intelligence rather than treating verification as a one-time control.




NHI Mgmt Group analysis

Behaviour is now the primary trust signal in iGaming. Static identity proof was built for onboarding, but the fraud problem has moved to the post-verification phase where collusion, scripted behaviour, and account reuse emerge. That means the industry is no longer managing a document problem, it is managing a trust inference problem. Practitioners should treat this as a shift in the unit of control from identity evidence to behavioural evidence.

Reusable identity is the named concept that explains modern bonus abuse. The same person, device, or payment pattern can be recycled across multiple accounts until the programme sees the relationship, not just the registration. That is why device intelligence and transaction monitoring matter together. The lesson for regulated gaming teams is that account uniqueness is a weak guarantee unless it is continuously tested against cross-session signals.

Fraud farms and collusion networks expose the limits of compliance-only thinking. Compliance confirms that minimum checks were performed, but it does not reveal whether the actor is coordinated, adaptive, or operating at scale. In iGaming, the governance question is not whether verification happened, but whether the risk model can detect shared infrastructure and repeat behaviour. Practitioners should reframe identity assurance as an operational defence, not a filing obligation.

Trust as a product is becoming a market differentiator in regulated digital commerce. When fraud pressure is high, operators compete on how much false activity they can suppress without breaking legitimate conversion. That pushes identity, fraud, and AML closer together as one control plane. The implication for practitioners is that identity governance must be designed for revenue protection as well as compliance.

Continuous signal analysis is the only durable response to behaviour-led fraud. Reports and one-time checks can support decision-making, but they cannot keep pace with adaptive abuse patterns that change faster than review cycles. The industry is moving toward ongoing trust scoring because fraud now evolves in motion. Practitioners should expect identity programmes to become more event-driven and less checkpoint-driven.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly trust models fail when identity telemetry is incomplete.
  • For a broader baseline on service accounts, keys, and lifecycle control, see Top 10 NHI Issues.

What this signals

Reusable identity: iGaming teams should treat device and account reuse as the central abuse pattern, because repeated infrastructure often reveals fraud before a policy threshold does. That makes correlation between identity, device, and payment data more valuable than isolated verification outcomes.

With 79% of organisations reporting secrets leaks and 77% of those incidents causing tangible damage, per the Ultimate Guide to NHIs, identity assurance cannot rely on a single checkpoint. For regulated gaming, continuous trust scoring is becoming the default operating model rather than an advanced option.


For practitioners

  • Extend identity checks beyond onboarding: Link KYC results to device intelligence, transaction monitoring, and session-level risk signals so account legitimacy can be re-evaluated after creation. This is the only way to catch collusion, account farming, and repeated abuse that static review misses.
  • Correlate registration and payment telemetry: Compare repeated devices, payment instruments, IP patterns, and account creation bursts to identify reusable identity patterns. Alert when the same behavioural fingerprint appears across multiple accounts, especially around promotions and bonus claims.
  • Treat bonus abuse as an identity signal problem: Use promotion workflows to expose coordinated abuse by measuring abnormal velocity, shared infrastructure, and linked account clusters. If the same actor can cheaply recycle identity context, the promotion design is too easy to exploit.
  • Separate compliance evidence from trust evidence: Keep regulatory KYC records, but do not confuse them with ongoing trust assessment. Build operational review paths that can act on behavioural risk without waiting for a compliance threshold to be crossed.

Key takeaways

  • iGaming fraud now lives in behaviour, not just documents, so identity controls have to move beyond onboarding checks.
  • The practical scale problem is reusable identity, where one actor can recycle devices, payments, and patterns across many accounts.
  • Operators that correlate identity and transaction signals continuously will be better placed to reduce abuse without over-frictioning legitimate players.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions are central to fraud-resistant gaming flows.
NIST Zero Trust (SP 800-207) | N/A | Continuous verification fits the report's shift from checkpoints to ongoing trust.
NIST SP 800-63 | | Digital identity assurance underpins regulated user verification and account recovery.

Apply assurance and authentication rigor where onboarding evidence must support later trust decisions.


Key terms

  • Behaviour-driven fraud: Fraud that is detected through patterns of use rather than only through document checks. It looks at how accounts, devices, payments, and sessions behave over time, which is essential in high-incentive environments where one-time identity proofing is easy to bypass or reuse.
  • Reusable identity: A repeated identity pattern that can be used across multiple accounts, devices, or payment methods to evade controls. In practice, this is the signal that the same actor is cycling through new wrappers while keeping enough shared context to remain linkable.
  • Continuous trust assessment: An operating model that evaluates trust throughout the customer lifecycle rather than at onboarding alone. It combines identity, device, and transaction signals so teams can respond to changing risk as activity unfolds, not after abuse has already completed.


This post draws on content published by SumSub: Defenders of Trust 2026 report on iGaming fraud, identity, and AML. Read the original.
