By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Governance & Risk
Source: SumSub

TL;DR: Fraud in iGaming is reshaping operator growth, regulatory pressure and investor due diligence, with the SumSub-hosted panel at ICE Barcelona highlighting the tension between acquisition and prevention, unlicensed operators, Brazil’s evolving framework, and World Cup-driven fraud angles. The core issue is that fraud is no longer a side control problem; it is now a market and governance constraint.


At a glance

What this is: This is a SumSub-hosted discussion on how iGaming fraud is changing operator strategy, regulatory posture and investor scrutiny.

Why it matters: It matters because identity teams supporting gaming, payments and platform access need to govern fraud risk across players, partners and machine-driven abuse patterns, not just traditional account security.

👉 Read SumSub's discussion of iGaming fraud, regulation and AI-driven threats


Context

iGaming fraud has become a growth constraint, not just a compliance issue. When player acquisition, bonus abuse, multi-accounting and unlicensed operators all sit in the same risk surface, identity controls have to do more than verify a login or approve a payout. They have to support trust decisions across the full customer and partner lifecycle, while keeping pace with regulatory expectations in fast-moving markets.

The panel discussion also points to a broader governance shift. Fraud risk is increasingly part of financial due diligence and investment decisions, which means identity and access controls now influence not only incident rates but market confidence. For operators, the question is no longer whether fraud exists. It is how much operational friction, regulatory exposure and revenue leakage the current identity model can absorb before it starts constraining scale.


Key questions

Q: How should iGaming operators balance player acquisition with fraud prevention?

A: Operators should treat acquisition and fraud prevention as two separate trust decisions, not one onboarding step. Fast registration can support conversion, but bonus eligibility, payment release and account recovery should carry stronger checks. The goal is to reduce friction where it is low risk and add review where identity reuse, bonus abuse or payment fraud is most likely to surface.

Q: Why do multi-accounting and bonus abuse create such a governance problem in iGaming?

A: They break the assumption that one account equals one economic actor. When attackers can create several accounts with shared devices, payments or behavioural patterns, acquisition metrics become distorted and fraud losses hide inside growth data. That is why multi-accounting is not just a detection issue. It is an identity governance failure that affects revenue reporting and customer trust.

Q: When should operators prioritise stronger verification over lower onboarding friction?

A: Operators should prioritise stronger verification when the next action creates financial exposure, such as bonus release, high-value deposits or withdrawals. At those points, the cost of friction is usually lower than the cost of fraudulent scale. If the business cannot distinguish a legitimate player from repeated abuse at those stages, onboarding speed is being overvalued.

Q: What should compliance and security teams do when fraud risk affects investor due diligence?

A: They should report fraud as a business assurance metric, not only a loss-prevention metric. That means linking identity controls to bonus abuse, payout integrity, market exposure and control coverage by jurisdiction. Investors will read the quality of those controls as evidence of operational discipline, so the reporting model has to show more than incident counts.


Technical breakdown

Player acquisition versus fraud prevention

In iGaming, acquisition controls and fraud controls often compete for the same user journey. Lightweight onboarding supports conversion, but it also reduces the friction that can expose bonus abuse, multi-accounting and synthetic identities. The technical challenge is not simply authentication. It is balancing identity proofing, device signals, payment behaviour and account-linking logic so that trust decisions happen early enough to matter without making legitimate users abandon the flow. In practice, this is a risk-scoring and orchestration problem, not a single control choice.

Practical implication: map where onboarding friction is acceptable and where step-up review must trigger before bonuses, withdrawals or account linking.

Unlicensed operators and regulatory fragmentation

Unlicensed operators exploit gaps between jurisdictions, which makes identity governance harder than a single-market compliance programme. If one regulator expects stronger verification, transaction monitoring or payout controls, while another market is still evolving, operators need policies that can be tuned by jurisdiction without fragmenting core assurance. The governance issue is not only legal presence. It is whether the operator can prove consistent identity, transaction and entitlement controls across markets that do not mature at the same pace.

Practical implication: segment identity and fraud controls by jurisdiction so that weaker local rules do not become the enterprise baseline.

AI-driven fraud and bonus abuse automation

AI-driven fraud raises the speed and scale of abuse patterns in iGaming, especially when attackers automate account creation, adapt to detection thresholds and coordinate multi-account behaviour. That changes the control model from static rule enforcement to continuous behavioural detection, because the attacker can learn faster than periodic manual review. In this environment, fraud prevention and identity security converge around signal quality, correlation and response timing. The hardest problem is not just spotting one bad account, but recognising that many accounts may be acting as a coordinated fraud fabric.

Practical implication: use behavioural correlation and velocity controls that can detect coordinated abuse across accounts, devices and payment instruments.


Threat narrative

Attacker objective: The objective is to turn trust loopholes and onboarding friction into repeatable revenue extraction while reducing the chance of detection.

  1. Entry begins with low-friction player onboarding, bonus offers or market-specific gaps that make it easy to create accounts at scale.
  2. Escalation follows when fraudsters exploit multi-accounting, bonus abuse or AI-assisted automation to blend malicious activity into normal user behaviour.
  3. Impact arrives as revenue leakage, distorted acquisition economics, weaker due diligence signals and greater regulatory pressure on operators.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Fraud in iGaming is now an identity governance problem, not a narrow abuse problem. The panel makes clear that player trust, payment integrity and regulatory compliance now move together. When operators treat fraud as only a detection issue, they miss the lifecycle question: who is allowed to create value, extract value and repeat that pattern at scale? The practitioner conclusion is that fraud controls now belong in the same governance conversation as access, onboarding and account lifecycle management.

Multi-accounting is the named concept that best captures this risk shift. It is not just repeated sign-up behaviour, but the deliberate reuse of identity, device and payment signals to create artificial legitimacy. That makes it a governance failure, because normal customer acquisition processes assume each account maps to one economic actor. The practitioner conclusion is that account uniqueness has to be proven continuously, not assumed at registration.

Unlicensed operator activity exposes a wider assurance gap than market compliance alone. Once jurisdictions differ in how identity proofing, payments and payout controls are enforced, operators face a fractured baseline for trust. This is where regulatory fragmentation becomes an identity problem, because the weakest market can become the easiest route for abuse. The practitioner conclusion is that governance needs jurisdiction-aware control design, not one global minimum.

AI-driven fraud compresses the response window and raises the value of correlation over static rules. When abuse can be generated, adapted and re-tried faster than manual review cycles, traditional case handling starts to lag behind attacker behaviour. That changes the market expectation for fraud tooling and identity operations. The practitioner conclusion is that operators need detection logic that can follow coordinated behaviour across identities, devices and transactions.

Bonus abuse economics is a better way to frame the problem than isolated fraud events. Each fraudulent account may look small, but the aggregate effect distorts acquisition metrics, weakens investment decisions and skews growth reporting. That makes fraud a board-level data quality issue as much as a security one. The practitioner conclusion is that fraud loss, CAC distortion and due diligence exposure should be measured together.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot see their non-human estate clearly.
  • That visibility gap is why the NHI Lifecycle Management Guide matters for teams trying to connect entitlement sprawl, review cadence and offboarding discipline.

What this signals

Multi-accounting is a useful signal concept for practitioners. It captures the way repeated identity creation, device reuse and payment reuse combine into one abuse pattern. For operators, that means fraud tooling and identity governance should be tuned to recognise account families, not just single suspicious events, especially where acquisition incentives are strongest.

As iGaming matures, fraud controls will increasingly be judged by their effect on business quality rather than their alert volume. That shifts the programme conversation toward trust calibration, jurisdiction-specific enforcement and account-level correlation. Teams that can show consistent control coverage will be better positioned to support both regulator scrutiny and investor due diligence.

The most useful external reference point here is the NIST Cybersecurity Framework 2.0, because it reinforces that governance, detection and response should be connected rather than isolated. For iGaming teams, the practical test is whether identity signals can support a decision before value leaves the platform.


For practitioners

  • Separate acquisition trust from payout trust: Treat sign-up, bonus eligibility and withdrawal approval as distinct assurance moments. A user who can register quickly should not automatically inherit the ability to extract value without additional checks.
  • Add jurisdiction-aware policy layers: Apply market-specific rules for identity proofing, transaction review and payouts so local regulatory gaps do not define the enterprise control baseline.
  • Correlate identity and transaction signals: Link device, payment, velocity and behavioural signals across accounts to identify multi-accounting and coordinated abuse that single-event alerts will miss.
  • Track fraud as a growth KPI: Report fraud loss, bonus abuse rate and due diligence exposure alongside acquisition and retention metrics so leadership sees how trust failures affect scale.
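The "account family" correlation described in the AI-driven fraud section and the "separate acquisition trust from payout trust" item above, as an added example that is not SumSub's or NHIMG's code: accounts are linked transitively through shared device and payment signals, families are flagged on size and sign-up velocity, and a trust decision steps up review before value is released or for any flagged family. The sign-up records, thresholds and action names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ups (account_id, device_id, payment_token, iso_timestamp);
# acc-1, acc-2, acc-3 and acc-5 are chained together by a shared device or payment token.
SIGNUPS = [
    ("acc-1", "dev-A", "pay-1", "2026-05-01T10:00:00"),
    ("acc-2", "dev-A", "pay-2", "2026-05-01T10:04:00"),
    ("acc-3", "dev-B", "pay-2", "2026-05-01T10:09:00"),
    ("acc-4", "dev-C", "pay-3", "2026-05-01T11:00:00"),  # unrelated player
    ("acc-5", "dev-B", "pay-4", "2026-05-02T09:00:00"),
]
# Assurance moments where value leaves the platform and step-up review should trigger.
VALUE_ACTIONS = {"bonus_release", "withdrawal", "account_recovery"}

def _find(parent, x):
    """Disjoint-set lookup with path halving; unknown nodes become their own root."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def account_families(signups):
    """Group accounts transitively linked by a shared device or payment token."""
    parent = {}
    for acc, dev, pay, _ in signups:
        for signal in ("device:" + dev, "payment:" + pay):
            parent[_find(parent, signal)] = _find(parent, acc)  # union(signal, acc)
    families = defaultdict(list)
    for acc, *_ in signups:
        families[_find(parent, acc)].append(acc)
    return [tuple(sorted(f)) for f in families.values()]

def flag_families(signups, max_size=2, window=timedelta(minutes=30), max_burst=2):
    """Flag families exceeding size or sign-up velocity limits (thresholds illustrative)."""
    ts = {acc: datetime.fromisoformat(t) for acc, _, _, t in signups}
    flagged = {}
    for fam in account_families(signups):
        times = sorted(ts[a] for a in fam)
        burst = max(sum(1 for t in times if s <= t < s + window) for s in times)
        reasons = [r for r, hit in (("family_size", len(fam) > max_size),
                                    ("signup_velocity", burst > max_burst)) if hit]
        if reasons:
            flagged[fam] = reasons
    return flagged

def trust_decision(account, action, flagged):
    """Fast path for plain sign-up; step-up before value release or for any flagged family."""
    in_flagged_family = any(account in fam for fam in flagged)
    return "step_up" if action in VALUE_ACTIONS or in_flagged_family else "allow"
```

Running `flag_families(SIGNUPS)` flags the four-account family on both size and velocity, while the isolated acc-4 is only stepped up when it reaches a value-releasing action.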

Key takeaways

  • iGaming fraud now affects growth, compliance and capital allocation at the same time, which makes it a governance issue rather than a narrow abuse problem.
  • Multi-accounting, bonus abuse and AI-assisted fraud show that account trust cannot stop at registration, because the real risk appears when value is released.
  • Operators need jurisdiction-aware controls, cross-signal correlation and lifecycle thinking if they want fraud reporting to support both regulator scrutiny and investor confidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC-01 | Fraud now affects business outcomes, due diligence and governance.
NIST CSF 2.0 | DE.CM-01 | AI-driven abuse needs continuous behavioural monitoring across accounts.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Jurisdiction-aware access and trust decisions align with zero trust principles.

Apply least-privilege trust decisions to onboarding, payouts and account recovery by market.


Key terms

  • Multi-Accounting: Multi-accounting is the creation or control of multiple accounts by the same actor to bypass rules, amplify bonuses or hide abusive behaviour. In iGaming, it becomes an identity integrity problem because one economic actor can appear as many legitimate users across devices, payment methods and sessions.
  • Bonus Abuse: Bonus abuse is the exploitation of promotional incentives through repeated sign-ups, account farming or coordinated behaviour that drains value from the platform. It is not a single tactic but a pattern of identity misuse that distorts acquisition economics and weakens the trust model behind customer growth.
  • Jurisdiction-Aware Controls: Jurisdiction-aware controls are identity and fraud policies that change based on the regulatory environment in which a user, payment or payout is processed. They matter in iGaming because the same trust threshold will not fit every market, and a weak local baseline can become an enterprise-wide loophole.

Deepen your knowledge

iGaming fraud governance, account trust and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for high-volume, high-friction identity environments, it is worth exploring.

This post draws on content published by SumSub: a live discussion on fraud in iGaming and the widening global fraud landscape. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org