How BastionPlay Shut Down an €89K Bonus Fraud Ring in 25 Minutes
BastionPlay is an MGA-licensed multi-vertical operator headquartered in Malta, running casino, sportsbook, and poker products for roughly twenty-five thousand monthly active players across European and UK markets. The platform generates approximately €8 million per week in gross gaming revenue, priced in EUR and GBP, and operates under the scrutiny that comes with a full MGA licence — meaning every compliance failure carries regulatory weight, not just a financial cost.
Products used: Fraud Detection, Device Fingerprint Analysis, Bonus Abuse Prevention
25 minutes | from first anomaly flag to account suspension plan
47 fraudulent accounts identified across a coordinated ring
€89K in bonus abuse blocked before cashout
Challenge
Elena Vasquez has seen bonus abuse before. Every European operator has. A lone player, or a small family cluster, figures out how to create two accounts, collect the welcome bonus twice, and withdraw before the wagering requirements bite. Compliance teams catch these cases during routine KYC or AML reviews. They're a nuisance, not a crisis.
What hit BastionPlay on a Wednesday morning in early March was something different in scale, structure, and sophistication. Gaming Mind's anomaly detection surface flagged an unusual velocity spike in welcome bonus redemptions — forty-seven accounts had triggered the bonus in a compressed six-hour window overnight, all following a nearly identical behavioural pattern: deposit minimum qualifying amount, collect bonus, place low-RTP bets at the lowest allowable stake until the wagering requirement was technically met, then withdraw the maximum cashout amount. Rinse, repeat. The accounts had been created across a four-day period, carefully paced to avoid triggering standard velocity thresholds.
"The accounts were designed to look organic. Different email providers, different first deposit amounts — all just slightly varied to avoid our automated flags. If Gaming Mind hadn't been running fingerprint correlation in the background, we might have processed some of those withdrawals before we even opened a review."
— Elena Vasquez, Head of Risk & Compliance, BastionPlay
The manual process Elena had relied on before Gaming Mind was built for individual fraud cases, not coordinated rings. Pulling device logs, cross-referencing IP addresses against registration data, and mapping the financial flow across forty-seven accounts manually would have taken her team two full working days — time during which some of the ring's accounts could have successfully withdrawn. The ring had already accumulated €89K in bonus funds across active accounts. At least a third of those were approaching the minimum wagering threshold required for cashout.
Solution
Elena opened Gaming Mind at 8:47 AM when the overnight anomaly alert landed in her inbox. What followed was a twenty-five-minute investigation that built a complete forensic picture of the ring, mapped every account's position in the fraud lifecycle, and produced a prioritised suspension list her team could action immediately.
Here's exactly how the conversation unfolded:
Elena: "Show me the bonus anomaly flagged overnight — what's the pattern?"
| Metric | Flagged Ring (47 accounts) | Legitimate FTD Cohort (same week) |
|---|---|---|
| Accounts | 47 | ~420 (rest of FTD week) |
| Registration window | March 27–30 (4 days) | Spread across full week |
| Bonus claimed | €200 welcome bonus | €200 welcome bonus |
| Avg session length | 11 minutes | 38 minutes |
| Avg wager per session | €2.10 | €14.60 |
| Wagering requirement met? | Yes (minimum stake) | Yes (natural play) |
| Post-wager action | Withdraw maximum cashout | Mixed — play continues |
| Behavioural pattern | Near-identical across all 47 | Natural variance |
⚠️ Gaming Mind flags: Coordinated pattern confirmed — not independent low-value players. All 47 accounts follow an identical deposit-wager-withdraw lifecycle: collect €200 bonus, place minimum-stake bets to meet the 25× wagering requirement (median 11-minute session, €2.10 avg wager), then withdraw. Average session length is 71% shorter than the legitimate FTD cohort; average wager is 86% lower. Velocity spike compressed into a 6-hour overnight window.
Gaming Mind surfaces the full shape of the anomaly before Elena has to ask a follow-up question. Forty-seven accounts opened between March 27th and March 30th all claimed the €200 welcome bonus, then executed betting sessions with a median session length of eleven minutes — just long enough to meet the platform's twenty-five-times wagering requirement at minimum stake. Average wager per session was €2.10, nearly identical across all forty-seven accounts. The deviation from normal new-player behaviour was stark: legitimate FTD cohorts from the same week averaged thirty-eight minutes of session time and €14.60 in average wager. Gaming Mind flags this as a coordinated pattern, not independent low-value players.
Elena: "Are these accounts linked by device or network?"
| Device Cluster | Accounts in Cluster | Fingerprint Match Type | Confidence | Priority |
|---|---|---|---|---|
| Cluster A | 7 | Exact same device fingerprint (no spoofing) | 🔴 Highest | Immediate suspension |
| Cluster B | 6 | Browser profile rotation — minor font/resolution variance | 🟡 High | Suspend + review |
| Cluster C | 6 | Browser profile rotation — timezone offset variance | 🟡 High | Suspend + review |
| Cluster D | 5 | Browser profile rotation — screen resolution variance | 🟡 High | Suspend + review |
| Cluster E | 5 | Browser profile rotation — minor hash variance | 🟡 High | Suspend + review |
| Cluster F | 5 | Browser profile rotation — combined variance | 🟡 High | Suspend + review |
| Cluster G | 5 | Browser profile rotation — font list variance | 🟡 High | Suspend + review |
| Cluster H | 4 | Browser profile rotation — timezone + resolution | 🟡 High | Suspend + review |
| Cluster I | 4 | Browser profile rotation — minor hash variance | 🟡 High | Suspend + review |
| Total | 47 | 9 distinct fingerprints | — | — |
⚠️ Gaming Mind flags: 47 accounts resolve to just 9 distinct device fingerprints. Cluster A (7 accounts) share an identical fingerprint — registered from the same machine with no browser spoofing attempted. Remaining 8 clusters show minor variations consistent with browser profile rotation tools used by professional bonus abusers to simulate different devices. Cluster A flagged as highest confidence for immediate suspension.
The device fingerprint analysis is where the ring becomes undeniable. Forty-seven accounts resolve to nine distinct device fingerprints — browser hashes, screen resolution, installed fonts, and timezone offsets combined — with most clusters containing four to seven accounts each. Seven accounts share a single device fingerprint exactly, meaning they were registered from the same machine with no attempt to spoof the browser environment. The remaining clusters show minor variations consistent with browser profile rotation tools, a technique commonly used by professional bonus abusers to simulate different devices. Gaming Mind maps the cluster graph visually and flags the seven same-device accounts as highest confidence for immediate suspension.
Elena: "What do their deposit and withdrawal patterns look like across the ring?"
| Fraud Lifecycle Stage | Accounts | Bonus Funds Accumulated | Wagering Progress | Priority |
|---|---|---|---|---|
| Tier 1 — Cashout threshold reached (pending withdrawal) | 14 | €26,300 | 100% complete | 🔴 Critical — block immediately |
| Tier 2 — Near threshold (70–99% wagering complete) | 22 | €39,100 | 70–99% | 🟡 High — suspend before next batch |
| Tier 3 — Early cycle (<70% wagering complete) | 11 | €23,600 | <70% | 🟢 Moderate — suspend + EDD |
| Total | 47 | €89,000 | — | — |
⚠️ Gaming Mind flags: Total exposure across all 47 accounts is €89,000 in fraudulently claimed bonus value. The 14 Tier 1 accounts represent €26,300 in pending withdrawal requests already sitting in the payment queue — these must be blocked before the payment processor runs its next batch. At least one-third of accounts are within a single session of cashing out.
Gaming Mind renders the fraud lifecycle in three stages — deposit, wager, pending withdrawal — and shows exactly where each account sits. Fourteen accounts have already reached the cashout threshold and have pending withdrawal requests totalling €26,300 sitting in the payment queue. Twenty-two accounts are between 70% and 99% of the wagering requirement, representing another €39,100 in near-complete bonus funds. The remaining eleven accounts are earlier in the cycle, with approximately €23,600 in bonus funds not yet close to cashout. Total exposure across all forty-seven accounts: €89,000 in fraudulently claimed bonus value. Gaming Mind ranks the fourteen accounts with pending withdrawals as the critical-priority group — those requests need to be blocked before the payment processor runs its next batch.
Elena: "Can you show me the deposit sources? I want to know if they're using the same payment methods."
| Payment Instrument | Signal Type | Accounts Affected | Detail | AML Flag |
|---|---|---|---|---|
| Card BIN prefix #1 | Shared issuing batch | 9 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| Card BIN prefix #2 | Shared issuing batch | 8 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| Card BIN prefix #3 | Shared issuing batch | 7 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| Card BIN prefix #4 | Shared issuing batch | 6 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| Card BIN prefix #5 | Shared issuing batch | 5 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| Card BIN prefix #6 | Shared issuing batch | 4 accounts | Same issuing bank, sequential BIN range | 🔴 Bulk prepaid purchase |
| E-wallet cluster | Shared top-up source | 3 e-wallets across ring | Same source wallet address in payment metadata | 🔴 Linked funding source |
⚠️ Gaming Mind flags: 6 card BIN prefixes span multiple accounts — cards issued in the same batch sequence from the same issuing bank, consistent with prepaid cards purchased in bulk. Three e-wallet accounts share the same top-up source wallet address. This is now an AML signal, not just a bonus abuse case — coordinated ring using linked payment instruments and fraudulently claimed funds crosses the SAR threshold under MGA guidelines. AML escalation flagged automatically.
Six card BIN prefixes appear across multiple accounts in the ring — not identical card numbers, but cards issued in the same batch sequence from the same issuing bank, a pattern consistent with prepaid card purchases bought in bulk. Three e-wallet accounts across the ring show the same top-up source wallet address in their payment metadata. Elena notes this in her compliance file: this is now an AML signal, not just a bonus abuse case. A coordinated ring using linked payment instruments and fraudulently claimed funds crosses the threshold for a Suspicious Activity Report under MGA guidelines. Gaming Mind flags the AML escalation recommendation automatically alongside the fraud findings.
Elena: "Which accounts registered using the same IP range or VPN exit nodes?"
| IP Cluster | Accounts | IP Type | Prior Abuse Record | Notes |
|---|---|---|---|---|
| VPN Exit Node A | 17 | Known VPN exit node | 🔴 Yes — flagged in shared fraud DB | Linked to bonus abuse on other MGA operators in prior 6 months |
| VPN Exit Node B | 14 | Known VPN exit node | 🔴 Yes — flagged in shared fraud DB | Linked to bonus abuse on other MGA operators in prior 6 months |
| Residential subnet /24 — Range 1 | 9 | Residential IP (proxy cluster) | 🟡 Suspected | Residential proxy or small physical location cluster |
| Residential subnet /24 — Range 2 | 7 | Residential IP (proxy cluster) | 🟡 Suspected | Residential proxy or small physical location cluster |
| Total | 47 | — | — | — |
⚠️ Gaming Mind flags: 31 of 47 accounts registered from IP addresses resolving to 2 known VPN exit nodes — both previously associated with bonus abuse activity across other MGA-licensed operators in the past 6 months. Cross-referencing confirms this ring has targeted at least 2 other platforms using the same infrastructure. This is not BastionPlay's first encounter with this ring — it is the first time it has been caught this early.
Thirty-one of the forty-seven accounts registered from IP addresses resolving to two known VPN exit nodes — both flagged in Gaming Mind's shared fraud intelligence database as previously associated with bonus abuse activity across other MGA-licensed operators. The remaining sixteen accounts used residential IPs clustering within two /24 subnet ranges, suggesting either a residential proxy network or a small number of physical locations. The VPN node matches cross-reference against Gaming Mind's network of prior abuse events, surfacing two other operator platforms where the same exit nodes appeared in similar bonus ring patterns in the prior six months. This isn't BastionPlay's first encounter with this ring. It's just the first time anyone caught them this early.
Elena: "Give me a prioritised suspension list — highest risk first, with the rationale for each tier."
| Tier | Accounts | Action | Exposure | Device Cluster | BIN Match | VPN Flag |
|---|---|---|---|---|---|---|
| 🔴 Tier 1 — Critical (pending withdrawal) | 14 | Suspend + reverse withdrawal immediately | €26,300 | Documented | Documented | Documented |
| 🟡 Tier 2 — High (70–99% wagering complete) | 22 | Suspend + manual review before any withdrawal | €39,100 | Documented | Documented | Documented |
| 🟢 Tier 3 — Moderate (early cycle) | 11 | Suspend + enhanced due diligence if re-registration | €23,600 | Documented | Documented | Documented |
| Total | 47 | — | €89,000 | — | — | — |
⚠️ Gaming Mind flags: Three-tier action list ready for immediate handoff to compliance analyst. Each account entry includes device cluster ID, payment BIN match status, and VPN flag status — documented rationale for every action taken, meeting MGA audit trail requirements. Tier 1 (14 accounts, €26,300) must be actioned before the next payment processor batch run.
Gaming Mind produces a three-tier action list Elena can hand directly to her compliance analyst. Tier one: fourteen accounts with pending withdrawals — suspend and reverse immediately, total exposure €26,300. Tier two: twenty-two accounts approaching the cashout threshold — suspend and flag for manual review before any withdrawal is processed, exposure €39,100. Tier three: eleven accounts in early cycle — suspend and initiate enhanced due diligence if any attempt to re-register, exposure €23,600. Each account entry includes its device cluster ID, payment BIN match status, and VPN flag status so the analyst has documented rationale for every action taken — critical for MGA audit trail requirements.
Elena: "What rule changes would have caught this ring earlier — and what should I add to prevent the next one?"
| Rule Improvement | Current Gap | Implementation | Estimated Detection Window |
|---|---|---|---|
| Lower registration velocity threshold | Ring created 11–13 accounts/day — just below current threshold | Tighten threshold + rate-of-change alerting | Day 1 (vs. Day 4) |
| Device fingerprint deduplication on registration | Same-device accounts (Cluster A) not caught at signup | Block/flag duplicate fingerprints at account creation | Day 1, first login |
| Session behaviour similarity score | Wagering pattern matched abuse signature but no rule existed | Compare new-player betting patterns against known abuse signatures | Within first session |
| BIN correlation check on first deposit | Linked payment instruments not flagged at deposit | Cross-reference BIN sequences against ring patterns on deposit | First deposit |
| Combined impact | Detection window: 4 days | All 4 rules implemented | <6 hours |
⚠️ Gaming Mind flags: The ring evaded detection by exploiting 4 specific rule gaps simultaneously — registration velocity set just above their creation rate, no device deduplication at signup, no session behavioural similarity scoring, and no BIN correlation at deposit. Implementing all 4 changes reduces detection window from 4 days to under 6 hours for this pattern type, with no increase in false positive rate on legitimate players (validated against 6 months of historical data).
Gaming Mind runs a retrospective on the ring's registration timeline and shows exactly where the current rules failed. The accounts were created at a rate of eleven to thirteen per day — just below the registration velocity threshold Elena had set. A device fingerprint deduplication check on the registration flow would have flagged the same-device accounts on day one. A session behaviour similarity score — comparing new-player betting patterns against known abuse signatures rather than just velocity — would have flagged the wagering pattern within the first session. Adding a BIN correlation check to the deposit flow would have caught the linked payment instruments on first deposit. Gaming Mind estimates that implementing all four rule changes would reduce detection window from four days to under six hours for a ring of this pattern type.
Results
€89K in fraudulent bonus funds blocked before cashout
The fourteen pending withdrawal requests totalling €26,300 were pulled from the payment queue before the next batch run. All forty-seven accounts were suspended within two hours of Elena's session ending. The remaining €62,700 in accumulated bonus funds across the ring was voided. BastionPlay absorbed zero actual cashout loss from the ring.
Fraud ring neutralised at the network level
The device fingerprint clusters, VPN exit node matches, and BIN correlation data were compiled into a single fraud ring dossier and shared with MGA's fraud intelligence network. The ring's infrastructure — the device profiles and VPN exit nodes — was blacklisted at the platform level, meaning any future registration attempt using the same fingerprints is automatically declined before an account is created.
Compliance documentation completed in the same session
Elena filed a Suspicious Activity Report to the FIAU within the same working day, using the payment instrument correlation and linked deposit source data that Gaming Mind surfaced in step four. The AML flag was documented with sufficient specificity — BIN sequences, wallet addresses, IP cluster ranges — that the report met the MGA's evidentiary standard without requiring a second round of investigation. An investigation that would normally take three days of analyst time was packaged in the same twenty-five-minute session.
Detection rules hardened for future rings
All four rule improvements Gaming Mind recommended were reviewed, approved, and pushed into production by end of week. Elena's compliance analyst validated the changes against six months of historical registration data — no false positive rate increase on legitimate players. The platform's new session behaviour similarity scoring has since flagged two additional single-account bonus exploits that would previously have slipped through as low-value individual cases.
"The scariest part wasn't the €89K — it was how close the ring got. A few of those accounts were within a session of cashing out before we caught them. Gaming Mind didn't just catch the ring; it showed me exactly why our existing rules missed it and what to fix. That's the difference between closing a case and actually hardening the platform."
— Elena Vasquez, Head of Risk & Compliance, BastionPlay
Read in another language
Want to see how Gaming Mind AI can help your operation?
Get a Demo