By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SiftPublished July 10, 2026

TL;DR: Multi-accounting fraud on marketplaces and iGaming platforms evades rules-based detection by using multiple identities, device farms, residential proxies, and behavioral reuse to claim bonuses, bypass enforcement, and manipulate platform economics, according to Sift. Network-level analysis is now the practical divide between suppressing abuse and repeatedly paying for it.


At a glance

What this is: Multi-accounting fraud uses multiple accounts, shared infrastructure, and behavioural reuse to exploit bonuses, evade enforcement, and distort platform economics.

Why it matters: It matters to identity and fraud practitioners because single-account controls miss coordinated abuse patterns that only appear when accounts, devices, and behaviours are analysed together.

By the numbers:

👉 Read Sift's analysis of multi-accounting fraud in marketplaces and iGaming


Context

Multi-accounting fraud is the deliberate use of several accounts by one person or a coordinated ring to extract promotional value or bypass platform controls. The governance gap is that many fraud programmes still treat each account as an isolated identity, even though the abuse pattern is relational and networked.

For marketplaces and iGaming platforms, the identity problem is not simply whether an account looks real at registration. It is whether the same person, device cluster, payment pattern, or behavioural fingerprint keeps reappearing under different profiles. That makes this a trust and identity verification issue as much as a fraud detection problem.


Key questions

Q: What breaks when multi-accounting fraud is evaluated one account at a time?

A: Single-account evaluation misses the relationship pattern that defines multi-accounting. A fraudster can vary emails, phone numbers, payment methods, and timing so each profile looks plausible on its own. The failure is not in the account record, but in the absence of linkage analysis across devices, behaviours, and infrastructure.

Q: Why do multi-accounting rings bypass many registration controls?

A: They exploit the fact that registration controls often verify attributes rather than relationships. Separate contact details, proxy networks, and device variation can satisfy the front door while the same operator remains behind the scenes. That is why fraud programmes need continuous correlation, not just onboarding checks.

Q: How do teams know if multi-accounting detection is actually working?

A: Look for fewer successful bonus claims from newly created clusters, faster linking of suspicious accounts, and higher investigator confidence in clustered cases. If alerts remain tied to single accounts with no network context, detection is probably still too shallow to catch coordinated abuse.

Q: Who is accountable when multi-accounting bypasses responsible gambling or seller enforcement?

A: Accountability sits with the platform owner because the platform chose the identity and enforcement model. In regulated iGaming, failure to enforce exclusions can create compliance exposure; in marketplaces, weak re-entry controls undermine trust and seller governance. The control gap is usually persistence, not policy wording.


Technical breakdown

How fraudsters make multiple accounts look independent

Multi-accounting works because attackers invest in making each registration look discrete. Separate email addresses, phone numbers, and payment methods reduce simple duplicate checks, while residential proxies and timing variation defeat IP-based rules. Device farms and emulators further obscure repetition by changing the apparent device context. The result is a set of accounts that look unrelated if the detector only inspects one record at a time. The real technical challenge is that independence is simulated at the surface while correlation remains underneath.

Practical implication: build detection that correlates devices, payment instruments, and timing patterns across accounts rather than validating each registration in isolation.

Why graph analysis outperforms per-account scoring

Graph analysis treats accounts as nodes connected by shared signals such as IP infrastructure, payment metadata, device fingerprints, and sequence similarity. That matters because the fraud ring’s identity is distributed across many profiles, not concentrated in one obvious bad actor. Per-account scoring can miss weak signals that become decisive once linked, while graph methods expose clusters that would otherwise remain hidden. In practice, the strongest evidence often comes from repeated edges between accounts rather than a single high-risk indicator.

Practical implication: score relationship clusters and connected behaviours, not just individual account risk, before triggering enforcement or bonus denial.

How behavioural biometrics reveal coordinated account reuse

Behavioural biometrics look for stable human patterns such as typing cadence, navigation rhythm, session pacing, and first-session flows. Even when fraudsters change profile details, the way they interact with the platform often remains consistent across accounts. That consistency becomes more visible when analysts compare behaviour across many accounts rather than within one session. This is especially useful for spotting rapid bonus activation, coordinated referral abuse, and repeated seller re-entry after enforcement action. Behavioural signals do not replace identity proofing, but they add a powerful relational layer.

Practical implication: combine behavioural biometrics with identity and device linkage to surface repeated operator behaviour across supposedly separate accounts.


Threat narrative

Attacker objective: The attacker wants to monetise platform incentives or bypass enforcement while appearing like many independent users.

  1. Entry begins when a fraudster creates multiple accounts using fabricated identities, separate contact details, and proxy-backed sessions to avoid basic duplicate checks.
  2. Escalation occurs when those accounts reuse the same devices, payment methods, or behavioural patterns, allowing the ring to accumulate bonus value or evade platform enforcement.
  3. Impact follows when promotions are drained, seller trust is manipulated, or responsible gambling controls are bypassed at scale.

NHI Mgmt Group analysis

Multi-accounting is a trust graph problem, not a registration problem. The article shows that the decisive evidence emerges only when teams connect devices, payment methods, and behaviour across accounts. That shifts the governance model from single-identity screening to relational identity assurance, which is closer to how coordinated fraud actually operates. Practitioners should design controls around linked identities, not isolated sign-ups.

Identity verification alone does not stop economically motivated fraud rings. Fraudsters can satisfy individual registration checks and still operate as a coordinated network. The real failure mode is assuming that a verified account is a trustworthy actor for the rest of its lifecycle. Practitioners need ongoing verification and linkage controls, not just onboarding checks.

Multi-accounting exposes the boundary between fraud operations and identity governance. In marketplace and iGaming environments, the same signals that support fraud detection also inform trust frameworks, access policy, and account lifecycle governance. When enforcement actions are not tied to persistent identity relationships, banned actors simply re-enter through new profiles. Practitioners should treat repeat identity formation as a governance event, not just a fraud alert.

Behavioural reuse is the named concept that matters here. The article makes clear that recurring typing rhythms, navigation sequences, and session pacing create a durable signature even when profile attributes change. That is a better mental model than device-only or IP-only detection, because it captures the operator behind the accounts rather than the accounts themselves. Practitioners should use behavioural reuse as a control concept in their fraud architecture.

Responsible gambling and marketplace enforcement both depend on durable identity linkage. Where platforms must enforce exclusions, seller bans, or promotional limits, multi-accounting defeats policy if the underlying actor can reconstitute identity cheaply. This is a governance failure as much as a detection failure. Practitioners should align identity proofing, ongoing monitoring, and enforcement persistence so the same actor cannot repeatedly reset their risk state.

What this signals

Behavioural reuse is becoming a core fraud signal because the actor is more stable than the account. As fraudsters rotate surface identifiers, programmes that depend on static registration checks will keep missing the same operator in different clothing. Teams should expect graph linkage and behavioural comparison to become the primary differentiators in marketplace and iGaming fraud operations.

The governance lesson is that identity proofing has to extend into account lifecycle enforcement, not stop at onboarding. Where the platform allows repeated identity formation, bans and exclusions lose force, and the fraud model becomes self-defeating.

For identity-led fraud programmes, the priority is to connect trust decisions to durable entity relationships. That is where platform policy, verification assurance, and ongoing risk monitoring intersect most directly.


For practitioners

  • Correlate accounts into identity clusters Link registrations by device fingerprint, payment metadata, subnet history, and behavioural cadence so the fraud team investigates clusters instead of isolated accounts.
  • Use graph-based review queues Prioritise clusters with shared infrastructure or repeated behavioural edges, then route them into investigation workflows that can explain why the accounts are connected.
  • Add behavioural reuse signals to enforcement logic Track typing cadence, navigation sequence, and first-session flow similarity so repeated operator behaviour is visible even when identifiers change.
  • Tie exclusions to persistent identity relationships When a seller is banned or a player is excluded, record durable linkage evidence so re-entry attempts trigger higher assurance instead of a clean slate.
  • Apply selective friction to suspicious sign-ups Use risk-based verification only on clustered or high-velocity registrations to limit abuse without degrading the experience for low-risk users.

Key takeaways

  • Multi-accounting fraud is fundamentally relational, which makes single-account rules too narrow to stop it reliably.
  • The article shows that shared devices, payment methods, and behaviour can reveal the same operator even when each account looks separate.
  • Fraud teams need clustered identity review, persistent enforcement, and selective friction to reduce abuse without penalising legitimate users.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AAccount proofing is central to fake and duplicate registration abuse.
NIST CSF 2.0PR.AC-1Access and identity management must account for repeated actor re-entry.
GDPRArt.5Fraud programmes often process personal data and must limit misuse and over-collection.
ISO/IEC 27001:2022A.5.15Access control policy should cover account creation, exclusion, and re-entry governance.

Strengthen identity proofing and re-proofing for high-risk registrations and repeat identity formation.


Key terms

  • Multi-accounting: Multi-accounting is the practice of one actor creating or controlling multiple identities to evade limits, gain incentives, or hide coordinated behaviour. In betting and fraud environments, it matters because the platform may see each account as separate unless identity signals are correlated across devices, payments, and sessions.
  • Graph-Based Link Analysis: Graph-based link analysis is a method for finding hidden relationships between accounts by modelling them as connected nodes. It helps fraud teams identify shared devices, infrastructure, payment methods, and behavioural patterns that are invisible when each account is scored in isolation.
  • Behavioral Biometrics: Behavioral biometrics uses patterns such as typing rhythm, swipe style, device handling, and session timing to infer whether the same user is still present. In practice, it supports continuous verification, but it also demands careful tuning because legitimate behavior can change with context.
  • Selective Friction: Selective friction is a control strategy that adds verification or delay only where risk signals justify it. In returns, it preserves a smooth experience for low-risk customers while using tighter checks, evidence demands, or manual review for claims with stronger abuse indicators.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • How Sift models thousands of signals across registration, login, and transaction journeys
  • How dynamic friction is applied selectively to high-risk registrations and sessions
  • How workflow rules can be tuned without engineering involvement as fraud patterns change
  • How cross-platform network intelligence helps flag known abuse infrastructure

👉 The full Sift article covers detection signals, platform economics, and enforcement detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It gives security practitioners a practical foundation for connecting identity controls to real-world abuse patterns across programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org