ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

Can JavaScript alone detect multi-accounting?

JavaScript catches some of it, like a device fingerprint that reappears under a fresh email or a screen size that contradicts the declared device, but the strongest linkage sits at the network and transport layer that page scripts can't reach. Reliable detection pairs the browser-side read with server-side signals, then anchors them to a stable device identifier and scores how many agree the accounts are linked, so the honest answer is partly, but not on its own.

How reliable is multi-accounting detection against residential proxies?

A residential proxy hands one user a fresh, clean IP per account, so any rule that leans on the address alone waves them through. Detection holds up by anchoring on the device, not the IP: a stable identifier built from many device and browser traits survives the exact IP rotation a proxy provides, and the more layers a user spoofs, the more surfaces they have to keep consistent across every account. The reliability comes from correlation across signals, not from any single one.

Is multi-accounting illegal?

Usually it is a terms-of-service violation rather than a crime. Most platforms prohibit operating multiple accounts to evade limits or bans. It can cross into fraud when it is used to steal payouts or chargebacks, but on its own it is typically a platform-policy issue your team enforces, not law enforcement.

How do you detect multi-accounting without blocking real users?

Anchor detection on a stable device identifier and a stack of signals rather than a single spoofable one like IP. A risk score with a breakdown of which signals fired lets your team set its own threshold, reviewing borderline cases and acting only on high-confidence ones, instead of auto-blocking on a noisy rule.

Does ShieldLabs block multi-accounts automatically?

ShieldLabs does not block multi-accounts automatically. It scores visits and surfaces patterns; it does not take action. Its pre-built patterns highlight a possible case for human review rather than asserting abuse. You take in the risk score, the identifiers, and the named signals, and your rules decide.

How fast can I start detecting multi-accounting?

Time-to-first-signal is about 5 minutes with the web JS snippet. The free tier includes the first 5,000 identifications, so you can see real risk scores and patterns on your own traffic before committing.

Back to blog

June 29, 2026Multi-accounting Detection Fraud prevention

How to prevent multi-accounting and stop fraud

Vladislav PuhalskyProduct Manager

One user behind many accounts, linked back to a single identity by correlated device and network signals

Last updated on June 29, 2026 · 12 min read

Multi-accounting is when one person operates many accounts on the same service, not the accounting software the term sometimes returns. It powers fake-trial farming, bonus and promo abuse, and ban evasion. In 2025, Stripe's analysis of first-party fraud found that 7.4% of sign-ups at AI companies were implicated in suspected multi-account abuse.

Picture one laptop running an anti-detect browser to open eight "different" accounts and claim the same referral bonus eight times. Stopping it starts with seeing the pattern: the question is which layer you read, and where the data stops and your decision begins.

Key takeaways

Multi-accounting is one person operating many accounts on a single platform, usually to extract value a single account would not allow. It is the mechanic behind trial farming, bonus abuse, and ban evasion.
It is hard to catch because users change the visible layer (IP, cookie, email, declared location) while the device underneath stays the same. Detection that reaches the stable device layer wins.
IP-based detection fails from both directions: carrier-grade NAT puts many real users behind one shared IP, and residential proxies give one user a fresh IP per account.
Detection, prevention, and response are three separate jobs. Keeping them apart restores the control a black-box "fraud platform" takes away.

What is multi-accounting?

Multi-accounting is the practice of one person, or one automated user, controlling multiple accounts on a single platform, usually to gain something a single account would not allow. Each account looks independent on the surface: a different email, a different username, sometimes a different IP. Underneath, they trace back to the same user.

The concept is closely related to what online communities call sockpuppetry, an online identity used for deception. Multi-accounting is the same mechanic applied to a product: many identities, one hand on the keyboard, usually to extract value rather than to argue in a comment thread. Its mirror image is account sharing, where one login is used by many people instead of one person running many logins.

Most platforms restrict it explicitly. Discord's Terms of Service and similar consumer policies prohibit operating accounts to evade bans or abuse features; gaming, fintech, and marketplace platforms layer on their own one-account-per-person rules. The rule is easy to write. Enforcing it is the hard part, which is where detection, prevention, and response come apart.

One scoping note before the mechanics. Detection here means linkage: tying accounts that already exist back to one user. Scoring a single registration the moment it is created, before there is even a second account to link it to, is the adjacent problem of stopping new-account fraud at signup, read at the same device layer but at an earlier point. This guide is about the linkage half; the rest assumes the accounts already exist.

How does multi-accounting work?

Multi-accounting works by changing the signals a service uses to tell users apart, so one person presents as many. A user wipes the cookie, rotates the IP, spoofs the device fingerprint, and swaps the email between accounts, defeating any system that trusts those visible layers. The toolkit is small and well understood, and in 2026 it is cheaper and more automated than ever. The signals it manipulates are exactly the ones a naive system trusts:

Shared device, fresh sessions. The simplest approach: clear cookies, open an incognito window, or wipe local storage between accounts. To a cookie-based system, each session looks brand new.
IP rotation. Residential and mobile proxies hand out a fresh IP per account, so an IP-based rule never sees the same address twice.
Anti-detect browsers. An anti-detect browser spoofs the device profile per account, so each signup presents a synthetic, "unique" identity built to defeat fingerprinting.
Disposable and plus-addressed emails. Throwaway inboxes or name+1@, name+2@ variations generate an endless supply of "new" identities, often under fresh emails that no blocklist has seen.
Geolocation spoofing. VPNs, proxies, and timezone manipulation make accounts appear to come from different countries to dodge region limits or look organic.

The thread connecting all of these: the user changes what is visible (IP, cookie, email, declared location) while the underlying device stays the same or the network footprint repeats. Detection that only reads the visible layer loses. Detection that reaches the stable layer, the device, wins. That is the gap device intelligence is built to close.

A diagram: the email, IP, and cookie change with every account, but the one device fingerprint underneath stays the same and links the accounts back together

Why is multi-accounting a problem?

Multi-accounting is a problem because each fake identity quietly converts a feature meant for acquisition into a leak, and the cost lands twice: once on the payout and again on the metrics teams steer by. The most common cost centers, treated as directional estimates rather than audited figures since real numbers vary widely by platform:

Abuse type	Where it hits	Rough impact
Fake free-trial signups	SaaS activation, sales pipeline	~10–15% of trial starts on some products
Promo / referral / bonus abuse	E-commerce & growth budget	~2–5% of promotional spend
Abuse-account LTV	Support, infra, analytics	Negative: costs to serve, never converts

The damage is not only direct payout. Fake accounts poison the metrics teams steer by, and the results show up everywhere a growth team looks: CAC looks cheaper than it is, activation and conversion rates inflate, and cohort LTV bends toward accounts that will never pay. A growth team optimizing against polluted analytics optimizes for the wrong users. That is why free-trial abuse prevention is as much an analytics-integrity problem as a fraud one, and why "trust your analytics" sits alongside "stop abuse" in how the work gets framed.

Where multi-accounting shows up

The mechanic is always one user with many accounts, but what it buys differs by industry, and so does the vocabulary:

Gaming and gambling carry the richest slang. Smurfing is a high-ranked player making low-ranked alternate accounts to beat weaker opponents, inflating their own record and driving newer players away. Chip dumping is one account deliberately losing to another to concentrate value in a single wallet, which doubles as a way to move money between parties. Gnoming is running several accounts at one poker table so the user sees more hands and can collude. And sign-up-bonus or affiliate fraud spins up accounts purely to claim new-player bonuses or self-referral payouts without ever really playing.
E-commerce and marketplaces. One person claims a first-order discount, referral payout, or promo many times under fresh accounts, and on review platforms the same accounts post fake reviews, inflate a seller's rating, or skew a survey.
Streaming and subscriptions. Free trials get cycled indefinitely, and the inverse problem shows up too: one account shared across more devices and people than the plan allows.
SaaS and AI tools. Freemium plans and trials get cycled under fresh accounts to dodge a usage cap, and on AI products the same move farms free model credits, one user drawing far more free compute than a single account is meant to get.
Crypto and Web3. One person runs many wallets and accounts to pass as a crowd, farming token airdrops, swaying governance votes, or gaming launch allocations, the pattern usually called a Sybil attack.
Ticketing and events. Scalpers open many accounts to slip past per-person purchase limits and buy up inventory in bulk to resell, so a single buyer behind a wall of accounts corners a release.
Fintech. Multiple accounts slip under per-account limits or build up synthetic identities. This is a real phenomenon, but it sits in regulated identity-verification territory.

Underneath all of them the pattern is identical: one person, many accounts, value a single account is not meant to reach. The names change with the industry; the detection question does not.

Why detection, prevention, and response must stay separate

Detection, prevention, and response are three separate jobs, even though most tools collapse them into one word, "fraud prevention," and ship a black box that quietly blocks users. Detection is the data, prevention is the policy you apply before a bad outcome, and response is the action after a flag. Keeping them apart is what restores the control a black box takes away.

A recurring complaint about all-in-one fraud platforms is that they act like a closed verdict engine that is hard to second-guess and far from plug and play. When the platform owns the verdict and hides its reasoning, your team cannot tune it, audit it, or explain a decision to a flagged customer.

Pulling the three apart restores that control:

Detection is the data layer. It answers one question: are these accounts linked, and how anomalous is this visit? Output is evidence: a stable identifier, a risk score, and the specific signals that fired.
Prevention is the policy layer: standing rules you set up front, before anyone is flagged, so a bad outcome is harder to reach. Examples: require email verification on signup, cap referral payouts, gate a high-value action behind a step-up check. They apply by default and reflect your risk appetite.
Response is the action layer: what you do about a specific account after detection flags it. Examples: review it, warn the user, rate-limit, suspend, claw back a bonus, or push it to a manual queue. Prevention is the standing rule for everyone; response is the case-by-case reaction to one flag.

The detection layer gives you clean, explainable signals; you build the prevention and response logic that fits your product. This separation is also a buying lesson learned the hard way by teams who picked a data-only tool expecting a full fraud stack, then realized they still had to build the model that turns signals into decisions. That is the right mental model. The mistake is expecting the data vendor to also be your policy engine.

How do you detect multi-accounting?

Websites detect multi-accounting by tying each "new" account back to the one device and network behind it, then scoring how many independent signals agree that the accounts are linked. A user can change the visible layer per account, but the device, the network footprint, and the timing of the signups leave correlated traces that a single spoofable signal like IP never sees. The signals that do the linkage:

Persistent device linkage: a stable identifier built from many device, browser, and OS traits ties a session back to the same machine even after cleared cookies, fresh emails, and rotated IPs.
Cross-account fingerprint reuse: when two "independent" accounts return the same device profile, or a near-identical one, that repeat is the strongest single sign they share one user.
Profile-consistency lie-detection: a session whose attributes do not line up the way a real device's would, the internal contradiction a spoofed profile tends to leave behind.
IP and connection intelligence: reputation lists, datacenter-versus-residential classification, ASN, reverse DNS, and geolocation separate masked or hosted connections, the cover a user routes new accounts through.
Masking-tool detection: VPNs, proxies, Tor, privacy relays, and anti-detect browsers leave their own signatures, the tooling a user leans on to make one person look like many.
Behavioral and timing patterns: a burst of signups from one device, accounts created minutes apart, or shared funding and referral codes link records that share no obvious identifier.
Cross-signal correlation: each tell is weak alone, so they are weighed into one score, and a footprint that repeats across "unrelated" accounts becomes its own anomaly.

The pattern across all of them: detection is about correlation, not any single check. A user can buy a fresh residential IP per account and spoof the device profile, but the more layers they fake, the more surfaces they have to keep consistent across every account. A coherent device that surfaces behind eight "different" signups, or a footprint that repeats just often enough, is the disagreement a multi-signal read catches, and consistency at scale is exactly what gives the operation away.

At a glance, the indicators that move the needle most when you read across accounts, and the risk each carries:

What you can read across accounts	Why it points to one user	Risk it carries
The same device behind several "separate" accounts	one hand on the keyboard, not many people	High
An anti-detect browser or a spoofed device profile	a profile rebuilt to look unique per account	High
A VPN, anonymous proxy, or datacenter connection	network cover routed under each account	High
The same network footprint behind many "new" accounts	a farm working from one place	Medium-High
A burst of signups minutes apart from one footprint	automation, not organic growth	Medium-High
A registration region that disagrees with the network origin	one place reused behind many faked locations	Medium-High
A reused card, payout destination, or referral code across accounts	the same hand funding or cashing out	Medium
Near-identical contact or address details across accounts	accounts minted from one template	Medium

No single row is proof. A real user can sit behind a VPN, and two genuine users can share a household network. The read is correlation: an account that lights up several rows at once, especially a device already seen behind other accounts, is the one worth holding.

Why does IP-based detection fail?

IP-based detection fails because a shared IP no longer means a shared person, and a unique IP no longer means a unique person. The oldest heuristic, "block duplicate IPs," breaks for two structural reasons, both getting worse.

Carrier-grade NAT (CGNAT) makes shared IPs normal. To conserve scarce IPv4 addresses, ISPs route many subscribers through a single public IP. The address range reserved for this, 100.64.0.0/10, defined in RFC 6598 and standardized in 2012, exists precisely so providers can share addresses across customers. In practice, hundreds of unrelated people behind one mobile carrier or apartment-building gateway can present the same public IP. Block that IP for "multi-accounting" and you block a crowd of legitimate, unrelated users. Address sharing is now standard ISP practice, so a shared IP is weak evidence of a shared person.

Residential proxies make distinct IPs trivial. The mirror-image failure: a user routes each account through a different residential IP, so a "one IP, one account" rule sees a fresh, clean address every time and waves them all through. In 2026, IP rotation is cheap and widely available, which means IP uniqueness is no longer evidence of distinct people either.

The conclusion is uncomfortable for anyone relying on IP alone: the same IP does not prove the same person, and different IPs do not prove different people. IP is one weak signal among many. Durable detection has to anchor on the device and the broader signal stack, which is why a stable device identifier survives the exact rotation that defeats an IP rule.

How ShieldLabs detects multi-accounting

The hard part of multi-accounting is linkage: proving that eight "different" signups trace back to one hand on the keyboard after the user has cleared cookies, rotated IPs, and changed emails. ShieldLabs is the detection and prevention layer that does that linkage for you. Add one JavaScript snippet and tie it to a user account, so its pre-built patterns show which users are running several accounts and which anonymity tools they lean on.

At the center is a persistent device identifier that links a "fresh" visit back to a returning device even after cleared cookies and rotated IPs, the exact disposable layers a user counts on to look like many people. Around that identifier, each visit returns a risk score that weighs the inconsistencies and flags the session when one user is running many accounts behind masked IPs and spoofed fingerprints. All of it happens in the background, with no friction for the visitor. The score travels with a full set of anonymity signals, including VPN detection, anonymous proxy detection, datacenter IP detection, and others.

Each scored visit comes back with the visitor, the device behind it, a score from 0 to 100, and the named signals that moved it:

{
  "request_id": "3e8f1a90-2c47-4b6d-9f02-7a1c8e5d4b63",
  "visitor_id": "d4a7c218-6b93-4e51-8c0a-2f9b6d31e470",
  "device_id": "5b9e2c84-1f76-4a30-bd58-9c0e7a4f2d11",
  "score": 88,
  "connection_type": "vpn",
  "antidetect_browser": true,
  "signals": ["antidetect", "vpn"],
  "timestamp": "2026-06-11T10:15:00Z"
}

The same device_id surfacing under a fresh email and a rotated IP is the link those resets were meant to break. You read the response, or the same payload delivered to a webhook, and decide, by your own rules, what a linked account gets; ShieldLabs returns the evidence, your rules act on it.

The analytics dashboard lets your team assess overall traffic quality and patterns and quickly tell anonymous traffic from clean traffic, as a trend over time rather than one visit at a time.

All of it, the risk score, the identifiers, and the named anonymity signals, is available through an API and webhooks, so your team can readily prevent multi-accounting and other abuse and fraud.

Frequently asked questions

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Browser fingerprinting Network signals

What is TLS fingerprinting? How JA3 and JA4 identify a client

TLS fingerprinting identifies the software behind a connection from its TLS handshake. How it works, what JA3 and JA4 are, and what it reveals.

Vasil MakarchukChief Technology OfficerJune 29, 2026

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device