How to detect multi account farms using user_id linkage and IP graph heuristics
How to detect multi account farms with user_id linkage and IP graph heuristics
Multi account farms drive promotion abuse, bonus abuse, and payout fraud. Rule based checks on single events miss networked behavior. Graph linkage adds the missing view.
Graph design
- Nodes: user_id, IP, ASN, device fingerprint, payment token.
- Edges: observed relations in time windows.
- Weights: recency, frequency, risk quality, action criticality.
High value heuristics
- One IP linked to many new accounts in short time.
- Repeated ASN switches across connected accounts.
- Shared payment instrument with rotating geo footprint.
- Synchronized behavioral sequences across multiple accounts.
SQL seed heuristic
SELECT ip, COUNT(DISTINCT user_id) AS users
FROM events
WHERE created_at > NOW() - INTERVAL 1 DAY
GROUP BY ip
HAVING users > 20;Case study: bonus abuse campaign
A gaming platform found clusters of accounts that shared ASN + device overlap and exhibited identical action order after signup. Graph score exceeded threshold and promotions were throttled. Abuse dropped with limited impact on legitimate users.
Response playbook
- Tag suspicious cluster and restrict high risk actions first.
- Escalate from soft friction to hard block based on repeated evidence.
- Feed review outcomes into edge weighting model.
SEO and buyer intent
Queries like multi account fraud detection, IP graph heuristics, and user linkage antifraud are common in commercial abuse prevention research.
Use GeoIP.space for graph enrichment
GeoIP.space adds reliable geo and ASN signals to every event, improving graph precision and investigation speed. Create account and test on one week of logs.