
Why do multi-accounting and bonus abuse create such a governance problem in iGaming?

By NHI Mgmt Group Editorial Team Updated June 10, 2026 Domain: Governance, Ownership & Risk

They break the assumption that one account equals one economic actor. When attackers can create several accounts with shared devices, payments or behavioural patterns, acquisition metrics become distorted and fraud losses hide inside growth data. That is why multi-accounting is not just a detection issue. It is an identity governance failure that affects revenue reporting and customer trust.

Why This Matters for Security Teams

Multi-accounting and bonus abuse are governance problems because they undermine the basic control assumption that a registered player account maps to a distinct economic actor. Once that assumption fails, fraud teams lose signal quality, acquisition teams inherit distorted conversion data, and risk decisions are made against polluted identity records. NHI Management Group’s Top 10 NHI Issues highlights how identity sprawl creates blind spots when entities can be created faster than they can be governed.

This is not only a detection challenge. It is a lifecycle and assurance problem that spans account creation, device intelligence, payment linkage, behavioural correlation, and payout controls. The broader governance lesson aligns with the NIST Cybersecurity Framework 2.0, which treats identity, monitoring, and resilience as connected outcomes rather than isolated tools. In iGaming, weak linkage logic lets abusive actors recycle devices, payment methods, and referral incentives across many accounts while appearing like normal growth.

Security teams often notice the impact only after welcome offers have been drained, chargebacks rise, or affiliate performance becomes impossible to trust, rather than catching it through deliberate identity governance design.

How It Works in Practice

In iGaming, multi-accounting typically uses small variations that evade simple duplicate checks: new email addresses, disposable phone numbers, shared IP ranges, recycled devices, or overlapping payment instruments. Bonus abuse then exploits promotional logic by creating many accounts that each qualify for the same incentive. The governance issue is that each account may look valid in isolation, while the aggregate pattern reveals one actor extracting repeated value.

Practitioners usually need layered controls rather than a single block rule. The most effective programs combine identity proofing, device fingerprinting, behavioural analytics, payment graph analysis, and policy-based approval workflows. NHI lifecycle thinking from Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same principle applies: creation, use, change, suspension, and retirement all need governed states.

  • Require risk-based account opening checks when a device, payout method, or referral source has prior abuse history.
  • Link accounts through shared identifiers, but keep false-positive thresholds tuned to avoid penalising legitimate households or shared networks.
  • Apply bonus eligibility rules at the household, device, and payment-graph level, not only at the single-account level.
  • Review payout timing, withdrawal velocity, and bonus conversion patterns for coordinated behaviour.

For governance teams, the important question is not whether a single account is “real,” but whether the cluster of accounts represents one or many economically distinct users. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant because auditability matters: operators should be able to explain why an account was linked, restricted, or rewarded. These controls tend to break down when fast onboarding, aggressive promotions, and fragmented data stacks prevent reliable cross-account correlation.

Common Variations and Edge Cases

Tighter bonus and account-linking controls often reduce fraud, but they also increase friction for legitimate customers, so operators must balance abuse prevention against conversion and retention. Best practice is evolving here, and there is no universal standard for how aggressively to treat shared attributes like devices, networks, or payment providers.

Some edge cases deserve special handling. Families, roommates, esports teams, internet cafés, and mobile networks can create genuine overlap without malicious intent. Similarly, affiliate traffic can look clustered even when the source is legitimate. That is why current guidance suggests using risk scoring and human review for borderline cases instead of hard-blocking every shared signal. The strongest programs document why a cluster was flagged and preserve evidence for disputes and regulator review.

The NIST Cybersecurity Framework 2.0 is helpful as a governance model because it reinforces measured risk treatment, not just automated denial. In practice, operators that rely only on static rules struggle when fraud rings adapt their enrolment patterns faster than the control logic can be updated.
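The layered linkage and bonus-eligibility controls listed above, and the household edge case from this section, as an added example (not code from NHI Mgmt Group or any operator): accounts are linked by union-find over shared identifiers, each link is scored by signal weight rather than hard-blocked, and every decision carries the evidence an auditor or dispute reviewer would ask for. The field names, weights, thresholds and sample accounts are assumptions constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Evidence weight per shared signal. Values are assumptions for this example:
# a shared IP is household-grade evidence, a shared payment instrument is strong.
WEIGHTS = {"device_id": 0.6, "payment_token": 0.8, "ip": 0.25, "referral_code": 0.3}
REVIEW_AT, RESTRICT_AT = 0.5, 1.0   # assumed thresholds: human-review band, then restrict

# Constructed sample registrations: A1/A2 are one actor, A3 is a roommate on the same network.
ACCOUNTS = [
    {"id": "A1", "device_id": "dev-7", "payment_token": "card-11", "ip": "10.0.0.5", "referral_code": "R1"},
    {"id": "A2", "device_id": "dev-7", "payment_token": "card-11", "ip": "10.0.0.5", "referral_code": "R1"},
    {"id": "A3", "device_id": "dev-9", "payment_token": "card-12", "ip": "10.0.0.5", "referral_code": None},
    {"id": "A4", "device_id": "dev-3", "payment_token": "card-20", "ip": "10.0.9.1", "referral_code": None},
]

def link_accounts(accounts, weights=WEIGHTS):
    """Union-find over shared identifiers. Returns clusters and the per-pair evidence."""
    parent = {a["id"]: a["id"] for a in accounts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    index = defaultdict(list)          # (signal, value) -> account ids carrying it
    for a in accounts:
        for signal in weights:
            if a.get(signal):
                index[(signal, a[signal])].append(a["id"])
    evidence = defaultdict(list)       # (id_a, id_b) -> [(signal, value, weight)]
    for (signal, value), ids in index.items():
        for x, y in combinations(sorted(ids), 2):
            evidence[(x, y)].append((signal, value, weights[signal]))
            parent[find(x)] = find(y)
    clusters = defaultdict(set)
    for a in accounts:
        clusters[find(a["id"])].add(a["id"])
    return list(clusters.values()), evidence

def bonus_decisions(accounts, weights=WEIGHTS):
    """Per-account eligibility with audit reasons. An account's score is its strongest link
    to any other account, so a household member sharing only an IP is not penalised."""
    clusters, evidence = link_accounts(accounts, weights)
    decisions = {}
    for a in accounts:
        best, reasons = 0.0, []
        for (x, y), signals in evidence.items():
            if a["id"] in (x, y):
                best = max(best, round(sum(w for _, _, w in signals), 2))
                reasons += [f"{x}~{y} share {s}={v} (+{w})" for s, v, w in signals]
        state = "restrict" if best >= RESTRICT_AT else "review" if best >= REVIEW_AT else "eligible"
        cluster = next(c for c in clusters if a["id"] in c)
        decisions[a["id"]] = {"state": state, "score": best, "cluster": sorted(cluster), "reasons": reasons}
    return decisions
```

Running `bonus_decisions(ACCOUNTS)` restricts A1 and A2 (shared device, card and referral code), leaves the roommate A3 eligible with its single weak IP link recorded as evidence, and keeps the three in one reviewable cluster.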

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Multi-accounting exploits weak identity lifecycle and duplicate identity controls.
NIST CSF 2.0 | PR.AC-4 | Access and identity governance must support risk-based account eligibility decisions.
CSA MAESTRO | GOV-02 | Governance is needed for cluster-based abuse detection and dispute-ready audit trails.

Enforce unique identity linkage and govern account lifecycle states to stop duplicate economic actors.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.