Quick access
Identity & Access Abuse
Payments & Payout Fraud
Account Opening & Kyc Fraud
Lending Trading Abuse
Platform & Api Integrity
Identity & Access Abuse
Ato Login Region Vs Hour Heatmap
New logins from unfamiliar regions immediately before high-risk actions (withdrawals, crypto transfers, limits changes).
Failed Vs Successful Logins
Spike of failed logins followed by a successful one (ATO credential testing).
Devices Accounts Network
Many accounts tied to the same devices or IP exhibiting similar actions — evidence of a multi-account ring.
Device Fingerprint Reuse Across Kyc Identities
Reused device fingerprints across distinct KYC identities.
| device_id | account_ids | kyc_ssn_last4 |
|---|---|---|
| Dev-1 | A105 | 1 |
| Dev-2 | A127, A112 | 0 |
| Dev-3 | A125, A113 | 4, 8 |
| Dev-4 | A113, A132 | 3 |
| Dev-5 | A116, A107 | 7, 3 |
| Dev-6 | A112, A129, A105 | 7, 5 |
| Dev-7 | A133, A119, A114 | 4, 7 |
| Dev-8 | A108, A118 | 9 |
| Dev-9 | A133, A111, A138 | 2 |
| Dev-10 | A111, A104, A137 | 8 |
Account-opening solution: Stops synthetic KYC identities reusing the same devices. See: https://www.crossclassify.com/solutions/account-opening/
Support Ticket Credential Change Proximity
Email or phone change followed by password/MFA reset within minutes — indicates social engineering of support.
| ticket_id | channel | change_event | minutes_before_change |
|---|---|---|---|
| T1 | phone_change | 5 | |
| T2 | phone | email_change | 15 |
| T3 | phone | pwd_reset | 60 |
| T4 | email_change | 7 | |
| T5 | phone | email_change | 3 |
| T6 | chat | mfa_reset | 120 |
| T7 | phone | email_change | 30 |
| T8 | chat | mfa_reset | 4 |
| T9 | chat | pwd_reset | 9 |
| T10 | chat | mfa_reset | 6 |
MFA solution: Prevents reset abuse by enforcing strong MFA during recovery. See: https://www.crossclassify.com/solutions/account-takeover/
Payments & Payout Fraud
Avs Cvv Mismatch Rate By Bin
AVS/CVV mismatch spikes by BIN indicate card testing.
Bank Change Then Large Payout Within 24h
Bank change followed by a large payout within 24 hours.
Multiple Wallets To Same Beneficiary
Multiple wallets funnel to the same beneficiary account.
Chargebacks Vs Settled Over Time
Chargebacks rising while settled volume is flat.
Behavioral-biometrics solution: Identifies abuse patterns behind excessive chargebacks. See: https://www.crossclassify.com/solutions/behavioral-biometrics/
Account Opening & Kyc Fraud
Document Hash Reuse Across New Accounts
Document fingerprint/hash reuse across many applicants.
| doc_hash | reused_by_accounts |
|---|---|
| H1 | 2 |
| H2 | 2 |
| H3 | 9 |
| H4 | 3 |
| H5 | 3 |
| H6 | 3 |
| H7 | 3 |
| H8 | 1 |
| H9 | 1 |
| H10 | 3 |
Email Domain Age For New Applicants
Surge of applications from very young email domains.
Signups Per Device Cluster 72h
Spikes in signups from the same device cluster in 72h.
Selfie Id Face Match Distribution
Face-match score anomalies across selfie/ID checks.
Behavioral-biometrics solution: Detects spoofing patterns in KYC face-matching. See: https://www.crossclassify.com/solutions/behavioral-biometrics/
Lending Trading Abuse
First Payment Default Rate By Cohort
First-payment default outliers by cohort.
Same Ssn Across Many Devices
Same SSN across many devices (loan stacking indicator).
Abnormal Order Rate Per Second
Abnormally high order rate per second.
Accounts To Counterparties Wash Trading
Repeated trades among the same counterparties (wash trading pattern).
Behavioral-biometrics solution: Identifies suspicious repetitive trading patterns. See: https://www.crossclassify.com/solutions/behavioral-biometrics/
Platform & Api Integrity
Excessive Requests Headless Or Script User Agents
Excessive requests from headless or script user-agents.
Extreme Search To Action Ratio By Ip Block
Extreme search-to-action ratio by IP block.
| ip_block | searches | actions | ratio |
|---|---|---|---|
| Block-1 | 2544 | 211 | 12.06 |
| Block-2 | 851 | 213 | 4 |
| Block-3 | 2985 | 87 | 34.31 |
| Block-4 | 1376 | 224 | 500 |
| Block-5 | 2333 | 81 | 28.8 |
| Block-6 | 3850 | 141 | 27.31 |
| Block-7 | 1921 | 107 | 17.95 |
| Block-8 | 3544 | 79 | 44.86 |
| Block-9 | 3786 | 176 | 21.51 |
| Block-10 | 2791 | 45 | 62.02 |
Mismatch Between Quoted And Charged Price
Mismatch between quoted and charged price.
| quote_id | quoted | charged | delta |
|---|---|---|---|
| Q1 | 14.03 | 14.03 | 0 |
| Q2 | 7.38 | 7.38 | 0 |
| Q3 | 19.09 | 19.09 | 0 |
| Q4 | 23.29 | 23.29 | 0 |
| Q5 | 35.11 | 42.61 | 7.5 |
| Q6 | 7.25 | 7.25 | 0 |
| Q7 | 6.82 | 6.82 | 0 |
| Q8 | 44.13 | 56.13 | 12 |
| Q9 | 48.19 | 48.19 | 0 |
| Q10 | 30.88 | 30.88 | 0 |
Bot-attack solution: Blocks parameter fuzzing and injection attempts. See: https://www.crossclassify.com/solutions/bot-attack/
Unsupported Parameters In Requests
Unsupported parameters in requests.
IDS/IPS and WAF rules on param allow-lists, Zero Trust request validation, rate limiting, and continuous patching & vulnerability management.