Global Performance Benchmarks
Benchmark your performance against retailers in Forter's global network of businesses.
Welcome to the Cyber Month 2025 Insights Hub, your central destination to monitor fraud trends, benchmark performance, and track consumer activity. New data drops every Tuesday through December 2nd.
CYBER MONTH
2025
The Forter Global Network: Live Shopping Data
63%
Traffic & Approval Rate Change
2.30%
of total traffic from bots
16%
Agentic Growth vs. October Average
Fraud Ring Report
This holiday season, we're profiling the most complex fraud rings targeting retailers. Below are detailed breakdowns of their targets, signatures, and tactics.
$4.2M Fashion Bot Attack
48-Hour Coordinated Bot Attack (Nov. 5–7, 2025)
Bots
Peak Attack Window: Nov. 6, 2025 08:51 - 08:56 (5 min, 630 txs)
FRAUD PREVENTED: $4.2M USD
Initial Assessment:
A highly coordinated bot ring executed a simultaneous, high-velocity attack across multiple fashion merchants. Over a 48-hour period, the attackers masked their activity within early holiday traffic, utilizing stolen American Express cards and synthetic identities to purchase premium streetwear. By leveraging automated account creation, device manipulation, and fraudulent business domains to impersonate legitimate shoppers, the campaign drove volume to peaks of 180 transactions per minute.
Key Evidence
Fraud Signature: “0-Day Identity Trio”
94% new accounts (< 24 h old)
100% new or null spoofed devices
Single stolen AmEx BIN 374279 across all txs
Synthetic Identity Profile
Fake fashion domains impersonating legitimate businesses, such as SWILLSNEAKERS.COM
Format [word][2digits].[word]@FAKEDOMAIN.COM (e.g., cyphers98.chins@)
Random-common names (“Olivia Robinson,” “Oliver Wilson,” “Poppy White”)
Billing + Shipping: 100% either GB or US dominant.
Network & Payment Fingerprint
40 residential IPs across 23 Class-A ranges → rotating proxy/VPN setup
Payment type: AmEx credit card from American Express Services Ltd.
Behavioral Signals
Bot-like velocity: 180 tx/min peak
Identical account + spoofed device pairings; no device fingerprint
Indications of device spoofing/device manipulation
Targeted Products
High-AOV streetwear mostly, along with some luxury fashion items.
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent orders paid with American Express cards. Look for combinations of new accounts (<24 hrs), new or missing spoofed devices, and fake business-style email domains (e.g., SWILLSNEAKERS.com). Any overlap of these traits may indicate early probing activity.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
See if those combos appear in short bursts: clusters of new accounts, new spoofed devices, and unfamiliar emails (in the given pattern) created within minutes of each other. Look for clusters showing different device indicators, as this ring frequently performs sophisticated device manipulation to hide its origin.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model tracks less common device components (e.g., GPU vendor, WebGL renderer ID, timezone offset), as these secondary identifiers are often left unchanged by the ring.
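The three check levels above, written out as detection logic over order records. This is an added example, not Forter's code: the BIN and the e-mail template come from the report, while the order field names, the mainstream-provider list, the thresholds and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AMEX_BIN = "374279"  # BIN named in the report
# [word][2digits].[word]@domain, the e-mail template named in the report
EMAIL_RE = re.compile(r"^[a-z]+\d{2}\.[a-z]+@([a-z0-9.-]+)$", re.I)
# Assumption: providers this merchant treats as ordinary consumer mail
MAINSTREAM = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def trio_traits(order):
    """Level 1: which signature traits does a single order carry?"""
    traits = set()
    if order["ts"] - order["account_created"] < timedelta(hours=24):
        traits.add("new_account")
    if not order["device_seen_before"]:        # new or null device
        traits.add("new_or_null_device")
    if order["card_bin"] == AMEX_BIN:
        traits.add("amex_bin")
    m = EMAIL_RE.match(order["email"])
    if m and m.group(1).lower() not in MAINSTREAM:
        traits.add("templated_email")
    return traits


def find_bursts(orders, window=timedelta(minutes=5), min_orders=4, min_traits=3):
    """Level 2: group orders with >= min_traits traits into short bursts."""
    suspects = sorted((o for o in orders if len(trio_traits(o)) >= min_traits),
                      key=lambda o: o["ts"])
    bursts, current = [], []
    for o in suspects:
        # Close the running cluster once it spans more than one window.
        if current and o["ts"] - current[0]["ts"] > window:
            if len(current) >= min_orders:
                bursts.append(current)
            current = []
        current.append(o)
    if len(current) >= min_orders:
        bursts.append(current)
    return bursts


def secondary_links(orders):
    """Level 3: link orders whose user-agent differs but whose secondary
    device attributes (GPU vendor, WebGL renderer, timezone offset) match."""
    groups = defaultdict(list)
    for o in orders:
        groups[(o["gpu_vendor"], o["webgl_renderer"], o["tz_offset"])].append(o)
    return {key: sorted(o["id"] for o in members)
            for key, members in groups.items()
            if len(members) > 1 and len({o["user_agent"] for o in members}) > 1}


# ---- Constructed sample data (not taken from the report) ----
T0 = datetime(2025, 11, 6, 8, 51)


def _order(i, minute, email, card_bin, acct_age_h, seen, ua,
           gpu="VendorA", webgl="Renderer-1", tz=0):
    ts = T0 + timedelta(minutes=minute)
    return {"id": i, "ts": ts, "email": email, "card_bin": card_bin,
            "account_created": ts - timedelta(hours=acct_age_h),
            "device_seen_before": seen, "user_agent": ua,
            "gpu_vendor": gpu, "webgl_renderer": webgl, "tz_offset": tz}


SAMPLE = [
    _order(1, 0, "cyphers98.chins@fakedomain.example", "374279", 1, False, "UA-1"),
    _order(2, 1, "walker41.stone@fakedomain.example", "374279", 2, False, "UA-2"),
    _order(3, 2, "harbor07.mint@fakedomain.example", "374279", 0.5, False, "UA-3"),
    _order(4, 4, "quartz63.vale@fakedomain.example", "374279", 3, False, "UA-4",
           gpu="VendorB", webgl="Renderer-9", tz=-300),
    # Established AmEx customer: only one trait, never enters a burst.
    _order(5, 2, "jane.doe@gmail.com", "374279", 24 * 400, True, "UA-5",
           gpu="VendorC", webgl="Renderer-3", tz=-300),
    # New shopper on a mainstream provider with another card: two traits only.
    _order(6, 3, "sam22.lee@gmail.com", "411111", 1, False, "UA-6",
           gpu="VendorD", webgl="Renderer-4", tz=60),
]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print("burst:", [o["id"] for o in burst])
        print("linked by secondary attributes:", secondary_links(burst))
```

Orders 1 to 3 present different user-agents yet share one secondary fingerprint, which is the linkage Level 3 asks the model to keep.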
The First Agentic Commerce Holiday Season
It's the early days of agentic commerce, but how we understand this holiday season - and how merchants handle it - will set the tone for the AI-powered year ahead. The 2024 holiday season saw no agentic traffic. Fast forward 12 months and chatbots like ChatGPT, Claude & Gemini can now be used to drive consumers to your site. If you're not tracking the impact of agentic activity on your site, it's time to start.
The scale of our network is what powers our holiday intelligence. This global network of 400,000 businesses and 2 billion shoppers provides the data behind our industry benchmarks, emerging AI insights, and fraud ring analysis.
Top Emerging Fraud MOs
32%
ATO (Account Takeover)
44%
DTO (Device Takeover)
25%
Return Fraud / Abuse
YoY Increase
10%
Good bots
90%
Bad bots
Data reflects activity from Nov 1 - Dec 1
Average Site Traffic
11%
Average Approval Rate
$800K AI Damaged Goods Return Ring
7-Day Coordinated Operation
10 home-goods merchants, expanding into multiple fashion merchants
FRAUD PREVENTED: $800K USD
Initial Assessment:
A coordinated return-fraud ring has been actively abusing instant-refund workflows across home-goods merchants and has recently begun expanding into the fashion sector. The operation uses a simple but high-volume method: purchase low-AOV items, generate AI-crafted “broken” or “corrupted” item photos, or ship back empty boxes, then request immediate refunds. This lets the actors keep or resell the items while also receiving the refunded amount.
Key Evidence
Fraud Signature: “AI-Generated Damage Refunds”
AI-generated damage photos used across merchants
Empty/low-weight boxes sent instead of merchandise
Aged accounts (<6 months) paired with a few clean txs
Legitimate payment methods used throughout
Network & Payment Fingerprint
Buyer devices show Chinese language settings and timezone offsets
Underlying network signals suggest origin activity consistent with China
Heavy use of hosting/cloud infrastructure with frequent US region rotation
Payments via legitimate cards, PayPal, Apple Pay, and BNPL to avoid fraud flags
Behavioral Signals
Same IP or address rarely used more than a few times before rotation
Cross-channel evasion: new devices, shifting locations, and lightly aged accounts
Refund requests often submitted shortly after delivery or immediately after photo upload
Targeted Products
Items eligible for low-friction refund approvals
Fragile home-goods items and now lightweight fashion items
Synthetic Identity Profile
Generic Western names using major email providers (Gmail, Outlook, Hotmail)
Frequent use of freight-forwarding addresses
Devices tied to recent spoofing or anonymization activity
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review refund requests from the past week involving damage photos. Pay attention to accounts aged a few months, rapid refund submissions, and repeat activity tied to the same buyer device or card.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Identify short-window clusters where multiple refund attempts share freight-forwarding addresses, cloud-hosted IPs, similar product types, or unusually fast refund timing. These combinations are often strong indicators of coordinated ring activity.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model monitors secondary device & network attributes (timezone, language settings, infrastructure patterns). Link these traits to repeated use of freight-forwarding addresses to uncover cross-merchant connections that appear unrelated at the surface level.
$650K Gift Card ATO Fraud Ring
Nov 8th - Nov 12th
Peak Attack Window: November 9, 2025 12:40–13:10 (30 min/220 txs)
FRAUD PREVENTED: $650K USD
Initial Assessment:
A coordinated fraud ring carried out a multi-merchant ATO attack on high-value digital gift cards ($100-$150), likely after a successful phishing campaign amplified by AI. They leveraged compromised "aged" accounts to buy liquid, instantly deliverable gift cards—ideal for rapid monetization. At the same time, they rotated through numerous IPs and mimicked normal user behavior to blend into holiday traffic. This combination enabled them to quickly resell the gift cards before victims noticed the takeover and canceled the orders.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review gift card purchases from accounts with sudden behavioral changes: new devices, new IPs, newly added payment instruments. Look for aged accounts that abruptly shift into high-value gift card spending.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Cluster transactions across accounts showing combinations of fresh device fingerprints, newly added payment methods, repeated gift card purchases, along with any card-testing activity. Look for identity-level overlaps. Include this analysis from the login phase, where the compromised accounts were first accessed.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model links early-funnel actions (such as login activity and payment-method updates) to downstream gift-card checkouts. Early interactions usually expose stable device traits that fraudsters struggle to spoof, allowing you to anchor identities and detect coordinated ATO activity.
Fraud Signature: “High-Velocity ATO Gift Card Purchases”
Hacked + aged accounts used to purchase digital gift cards for fast monetization
Card testing performed beforehand, either by attempting to update payment methods or by making small-dollar test transactions
Adding dozens of payment instruments to old accounts within a short time
Attempting purchases at a steady pace to avoid triggering anti-fraud alerts
Network & Payment Fingerprint
New logins from a device with language/timezone patterns inconsistent with historical account activity (ATO indicator)
Burst in failed payment attempts in old accounts due to card testing
Use of rotating mobile IPs and hosting/cloud infrastructure to disguise true origin
Use of mobile ISPs, through a mobile app on an old Android device
Behavioral Signals
Sudden transition from normal buying patterns to repeated, high-AOV gift card purchases
Gift cards were sent to auto-generated email addresses following a [fullname][4digits]@GMAIL.COM pattern (e.g., ravijkumar3456@gmail.com)
Rapid card-testing behavior: several new instruments added and attempted in short bursts over several old accounts.
Synthetic Identity Profile
Aged accounts (multi-year histories) suddenly showing new devices, new IPs, and abnormal purchase behavior.
Gift cards being sent as gifts to different and unrelated emails.
Multiple payment methods added quickly across accounts, typical of takeover-driven gift card fraud
$4.2M Fashion Bot Attack
48-Hour Coordinated Bot Attack (Nov. 5–7, 2025)
Peak Attack Window: Nov. 6, 2025 08:51 - 08:56 (5 min, 630 txs)
FRAUD PREVENTED: $4.2M USD
Initial Assessment:
A bot ring carried out a 48-hour, high-velocity attack across multiple fashion merchants, aiming to hide in the early holiday traffic and using stolen American Express cards and synthetic identities to purchase premium streetwear items. The operation relied on automated account creation, device spoofing/manipulation, and fake business-style domains to impersonate legitimate shoppers, reaching peaks of 180 txs per minute.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent orders paid with American Express cards. Look for combinations of new accounts, new or missing cookies, and fake business-style email domains. Any overlap of these traits may indicate early probing.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
See if those same combinations appear in short bursts: clusters of new accounts, new cookies, and unfamiliar emails created within minutes of each other. Look for clusters showing different device indicators, as this ring frequently performs sophisticated device manipulation to hide its origin.
LEVEL 3: DEEP DIVE ON ADVANCED FORENSIC
Extract less common device components from the cookie (GPU vendor, WebGL renderer ID, or timezone offset). The ring manipulates major device elements like user-agent and screen size, but often leaves these secondary identifiers untouched.
Fraud Signature: “0-Day Identity Trio”
94% new accounts (< 24 h old)
100% new or null cookies
Single stolen AmEx BIN 374279 across all txs
Network & Payment Fingerprint
40 residential IPs across 23 Class-A ranges → rotating proxy/VPN setup
Payment type: AmEx credit card from American Express Services Ltd.
Behavioral Signals
Bot-like velocity: 180 tx/min peak
Identical account+cookie pairings; no device fingerprint
Indications of device spoofing/device manipulation → Core Identifier
Synthetic Identity Profile
Fake fashion domains impersonating legitimate businesses, such as SWILLSNEAKERS.COM → Core Identifier
Format [word][2digits].[word]@FAKEDOMAIN.COM (e.g., cyphers98.chins@) → Core Identifier
Random-common names (“Olivia Robinson,” “Oliver Wilson,” “Poppy White”)
Billing + Shipping: 100% either GB or US dominant.
$600K Home Goods Returns Fraud
7-Day Coordinated Operation
Peak Window: Sustained activity with bursts aligned to merchant refund-processing hours
FRAUD PREVENTED: $800K USD
Initial Assessment:
A coordinated return-fraud ring abused instant-refund policies across 10 home-goods merchants using a simple but effective M.O.: purchase low-AOV items, generate AI-produced “broken item” photos, and request an immediate refund without returning the merchandise. This allows the fraudsters to keep the fully functional item to resell, while also getting their money back—effectively killing two birds with one stone.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent refund requests that relied on photo-only approval flows. Look for combinations of new accounts, new spoofed devices, lower-AOV, and refund claims submitted within minutes or hours of delivery. Inspect the attached photos: fraudsters can get sloppy.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Look for clusters that combine freight-forwarding addresses with activity from “legit-looking” hosting or cloud services, especially when paired with items eligible for instant-refund approval.
LEVEL 3: DEEP DIVE ON ADVANCED FORENSIC
Analyze secondary indicators to surface the buyer’s true origin (such as timezone offsets, IP infrastructure, and other subtle device metadata). Check language settings and regional configurations to see if they correlate with a China-based origin. Cross-reference with the repeated use of popular freight-forwarding services commonly used for shipments into China.
Fraud Signature: “AI-Generated Damage Refunds”
False photo evidence with AI image-generation tools
Instant refund workflows exploited across multiple merchants
New spoofed devices (few months old emails & accounts with few txs)
The ring uses its own legitimate payment methods, resulting in no chargebacks.
Network & Payment Fingerprint
Real location patterns suggest activity from China, aligning with historical behavior
Chinese language and offset on the buyer device
Hosting/cloud infrastructure and frequent IP/region rotation (around US regions) to disguise the true location
Legitimate payment methods to avoid payment-fraud flag
Behavioral Signals
Transactions never originate from the same IP or address more than a handful of times. After ~10 attempts, the ring rotates both.
Evidence of cross-channel evasion: new spoofed devices + rotating locations + account aging
Synthetic Identity Profile
Core Identifier: Using Freight Forwarding Services as a shipping address
Accounts aged 1–6 months with a few clean transactions to build reputation
Generic Western names and mainstream email providers (Gmail, Hotmail, Outlook)
Consistent use of fresh/new spoofed devices
95%
Agentic Growth over the last 6 months
970%
Increase from H1 2025 to H2 2025 in fraudulent checkout attempts by agents
13%
Increase since November 1
Agentic Traffic
Top 6 Agentic Referral Sources
AI Agent-Initiated Fraud
Agentic Conversion Rate
1. OpenAI ChatGPT
2. Google Gemini
3. Microsoft Copilot
4. Anthropic Claude
5. Perplexity
6. xAI Grok
AI-Enabled Fraud
210%
YoY increase in the % of fraud attacks leveraging automation (as a % of total fraud)
AI Fraud Growth
210%
Percentage of fraud attacks leveraging automation (as a percentage of total fraud)
$2.2M Gift Card Fraud Attack
72-Hour Coordinated Bot Operation (Nov. 9-21)
Peak Attack Window: Nov. 20, 2025 14:12 - 14:18 (6 min, 410 txs)
FRAUD PREVENTED: $2.2M USD
Initial Assessment:
A coordinated bot ring executed a three-day attack across several merchants, focusing specifically on high-value gift orders. The actors attempted to blend into seasonal gifting traffic by using stolen Visa cards and lightweight synthetic identities. Their operation relied on automated account creation, device spoofing, and rapid rotation across low-reputation email domains. At peak velocity the bots pushed more than 65 transactions per minute, often reusing the same identity template with minor edits.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check recent Visa-paid gift orders. Look for newly created accounts, spoofed or missing device fingerprints, and low-reputation email domains. Any overlap of these traits may indicate probing by this ring.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for short bursts of gift orders where accounts were created within minutes of each other. Look for clusters with inconsistent billing and shipping details and mismatched buyer–recipient pairs.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model monitors email domain reputation. Identify newly created/low-reputation domains from the attack window, then cluster those with device manipulation and bot indicators (rapid user-agent changes or missing persistent cookies). Linking suspicious domains to the same spoofed device traits helps reveal coordinated gift-order/gift-card attempts.
Fraud Signature: “Gift Clone Pattern”
91% new accounts (<24 hrs)
All new, null, or short-lived spoofed devices
Nearly all orders marked as “Gift” with a separate recipient name from cardholder/account details
Network & Payment Fingerprint
55 rotating residential IPs spread across 19 Class-A network ranges
Payment method always Visa
Velocity spikes tied to VPN node switches every 2 to 4 minutes
Behavioral Signals
Bot-like bursts of txs with identical account lifecycles
No persistent device or cookie identifiers across sessions
Device manipulation techniques applied to user-agent and screen dimensions
Targeted Products
High-AOV gift orders
Brand gift cards, premium electronics accessories, & luxury apparel items purchased as gifts
Synthetic Identity Profile
Fake gifting or family-themed domains (e.g., FAMILYHUBMAIL.COM)
Email format: [first name][2 digits].[random word]@[fake gifting domain]
Repeated use of simple US and UK name sets
Billing + shipping patterns show 95% mismatch between buyer and gift recipient, used to mask fraud routing
$1.5M Freight Forwarder Ring
November 20-23, 2025
SCOPE: Activity across merchants on both US East and West Coasts
FRAUD PREVENTED: $1.5M USD
Initial Assessment:
A coordinated fraud ring used stolen cards and compromised accounts to purchase electronics and ship them through a small set of Delaware freight forwarders. To disguise repeated use of the same hubs, the actors manipulated address lines with random letters, extra numbers, and fake unit identifiers. All activity originated from mobile networks using devices with no cookies, creating the appearance of public-location traffic.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check for spikes in new or zero-cookie devices sending orders to Delaware freight-forwarder codes.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Look for bursts of gibberish or manipulated ship-to addresses combined with mobile-network origins. Cluster short-window spikes where received orders use different variations of the same underlying forwarding address.
LEVEL 3: CHECK YOUR FRAUD MODEL
Make sure your fraud model extracts address-manipulation techniques such as added digits or characters. Cluster occurrences that share the same manipulation pattern, appear on mobile connections, and point to freight-forwarding service deliveries.
Fraud Signature: “Gift Clone Pattern”
Stolen cards & ATO activity blended across the same devices (about 50% ATO)
Repeated shipments to the same Delaware forwarders despite address manipulation
Random letters, digits, and unit numbers appended to addresses to evade matching
Orders placed from both coasts, indicating a distributed fraud team
Network & Payment Fingerprint
Originates from major US mobile carriers with frequent IP cycling
Use of Android phones
Behavioral Signals
Orders routed to the same forwarding services via heavily altered address lines
Bursts of attempts within minutes across multiple merchants
Consistent targeting of high-resale electronics
Targeted Products
Broad electronics, including small devices and components
Products eligible for expedited shipping to forwarding hubs
Identity and Device Traits
No persistent cookies or browser/app signatures
Mobile network to obscure home networks
Mix of compromised and newly created accounts
Buyer name variations include added initials and truncated spelling
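One way to implement the Level 2 and Level 3 checks for this ring: collapse padded ship-to lines to the underlying street, name the kind of padding, and cluster mobile-origin orders that reach the same address through different variations. This is an added example, not Forter's code; the suffix and unit word lists, field names, thresholds and sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a small set of street-type suffixes and unit designators.
SUFFIXES = {"ST", "AVE", "RD", "DR", "WAY", "BLVD", "LN", "CT"}
UNIT_WORDS = {"UNIT", "STE", "SUITE", "APT", "BLDG"}


def split_address(line):
    """Return (canonical street, tokens appended after the street suffix)."""
    tokens = re.sub(r"[^A-Z0-9# ]", " ", line.upper()).split()
    if not tokens:
        return "", ()
    number = re.sub(r"\D", "", tokens[0])          # heuristic: '500B' -> '500'
    # Start at index 2 so a street name such as 'ST JAMES RD' is not cut short.
    for i in range(2, len(tokens)):
        if tokens[i] in SUFFIXES:
            street = " ".join([number] + tokens[1:i + 1]).strip()
            return street, tuple(tokens[i + 1:])
    return " ".join([number] + tokens[1:]).strip(), ()  # no suffix: keep all


def manipulation_pattern(line):
    """Level 3: name the kinds of padding appended to the real address."""
    _, extra = split_address(line)
    kinds = set()
    for tok in extra:
        if tok in UNIT_WORDS or tok.startswith("#"):
            kinds.add("unit")
        elif tok.isdigit():
            kinds.add("digits")
        elif tok.isalpha():
            kinds.add("letters")
        else:
            kinds.add("mixed")
    return frozenset(kinds)


def forwarder_clusters(orders, window=timedelta(minutes=30), min_variants=3):
    """Level 2: mobile-origin orders hitting one canonical address through
    at least min_variants distinct raw spellings inside one time window."""
    groups = defaultdict(list)
    for o in orders:
        if o["network"] != "mobile":
            continue
        street, _ = split_address(o["ship_line1"])
        groups[(street, o["ship_state"])].append(o)
    hits = {}
    for key, members in groups.items():
        members.sort(key=lambda o: o["ts"])
        for first in members:
            in_win = [o for o in members
                      if timedelta(0) <= o["ts"] - first["ts"] <= window]
            if len({o["ship_line1"].upper() for o in in_win}) >= min_variants:
                hits[key] = sorted(o["id"] for o in in_win)
                break
    return hits


# ---- Constructed sample orders (addresses are invented) ----
T0 = datetime(2025, 11, 21, 10, 0)
SAMPLE = [
    {"id": 1, "ts": T0, "network": "mobile", "ship_state": "DE",
     "ship_line1": "500 Example Way Ste 4417"},
    {"id": 2, "ts": T0 + timedelta(minutes=3), "network": "mobile",
     "ship_state": "DE", "ship_line1": "500 Example Way QXZ"},
    {"id": 3, "ts": T0 + timedelta(minutes=7), "network": "mobile",
     "ship_state": "DE", "ship_line1": "500B Example Way Unit 12 88"},
    {"id": 4, "ts": T0 + timedelta(minutes=11), "network": "mobile",
     "ship_state": "DE", "ship_line1": "500 Example Way 7K2"},
    # Ordinary forwarder customer on a home connection: not clustered.
    {"id": 5, "ts": T0 + timedelta(minutes=5), "network": "broadband",
     "ship_state": "DE", "ship_line1": "500 Example Way"},
    {"id": 6, "ts": T0 + timedelta(minutes=6), "network": "mobile",
     "ship_state": "DE", "ship_line1": "12 Sample Rd"},
]

if __name__ == "__main__":
    for key, ids in forwarder_clusters(SAMPLE).items():
        print(key, ids)
```

The canonical form is a clustering key, not a block rule: stripping the house-number suffix can merge genuinely distinct addresses, so a hit should feed review alongside the device and network traits listed above.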
$2.2M Gift Card Bot Ring
72-Hour Coordinated Bot Operation (Nov. 19-21, 2025)
Peak Attack Window: Nov. 20, 2025 14:12-14:18 (6 min, 410 txs)
FRAUD PREVENTED: $2.2M USD
Initial Assessment:
A coordinated bot ring executed a three-day attack across several merchants, focusing specifically on high-value gift orders. The actors attempted to blend into seasonal gifting traffic by using stolen Visa cards and lightweight synthetic identities. Their operation relied on automated account creation, device spoofing, and rapid rotation across low-reputation email domains. At peak velocity the bots pushed more than 65 transactions per minute, often reusing the same identity template with minor edits.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check recent Visa-paid gift orders. Look for newly created accounts, spoofed or missing device fingerprints, and low-reputation email domains. Any overlap of these traits may indicate probing by this ring.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for short bursts of gift orders where accounts were created within minutes of each other. Look for clusters with inconsistent billing and shipping details and mismatched buyer–recipient pairs.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model monitors email domain reputation. Identify newly created or low-reputation domains from the attack window, then cluster those domains with device manipulation and bot indicators such as rapid user-agent changes or missing persistent cookies. Linking suspicious domains to the same spoofed device traits helps reveal coordinated gift-order and gift-card attempts.
Fraud Signature: Gift Clone Pattern
91% new accounts (< 24 hours old)
100% new or null spoofed devices
Nearly all orders marked “Gift” with separate recipient name from cardholder
Network & Payment Fingerprint
55 rotating residential IPs across 19 Class-A network ranges
Payment method always Visa
Velocity spikes tied to VPN node switches every 2 to 4 minutes
Behavioral Signals
Bot-like bursts of transactions with identical account lifecycles
No persistent device or cookie identifiers across sessions
Device manipulation techniques applied to user-agent and screen dimensions
Targeted Products
High AOV Brand gift cards, premium electronics accessories, and luxury apparel items as gifts
Synthetic Identity Profile
Fake gifting or family-themed domains such as FAMILYHUBMAIL.COM or GIFTLINEINBOX.COM
Email format: [first name][2 digits].[random word]@[fake gifting domain]
Repeated use of simple US and UK name sets
Billing + shipping patterns show 95 percent mismatch between buyer and gift recipient, used to mask fraud routing
$650K Cosmetics Reputation Takeover
November 22–26, 2025
SCOPE: Activity distributed across 5 major merchants on the US East Coast
FRAUD PREVENTED: $650K USD
Initial Assessment:
A coordinated fraud ring executed a multi-merchant Reputation Takeover campaign focused on cosmetics products. The group leveraged full victim data sets, including accurate PII, emails, addresses, and historical behavioral patterns, suggesting access to a recent or unpatched data leak. They attempted to camouflage their activity by using hundreds of cheap Android devices on rotating public Wi-Fi networks. The actors appear Russia-based, operating inside the US and relying on local pickup mules across five East Coast states.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for spikes in orders using accurate customer PII but paired with new cookies, guest checkout, and pickup delivery.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Look for clusters of older or low-cost Android devices showing Russian language settings, especially when combined with public Wi-Fi usage and rapid cross-merchant ordering. These traits strongly signal this ring’s activity.
LEVEL 3: CHECK YOUR FRAUD MODEL
Ensure your fraud model detects RTO patterns combining old high-reputation emails with newly built device histories. Cluster occurrences where public Wi-Fi, recycled Android devices, and pickup-in-store.
Fraud Signature: “Identity Theft Pattern”
Full PII matches to real customers, consistent with data-leak–driven RTO
Low-cost Android phones rotated constantly across public Wi-Fi spots
Russian device-language settings across many events
~200 recycled devices observed, indicating well-funded operation
Pickup-in-store used to avoid shipping controls, leverage mule network
Network & Payment Fingerprint
Transactions routed through changing public Wi-Fi (cafés, libraries, malls)
Payment attempts rely on accurate victim card data, suggesting large-scale data exposure
Multiple payment failures followed by rapid retry behavior from different devices
Behavioral Signals
Heavy use of pickup-in-store to reduce delivery-risk, enable mule coordination
Same victim identity used across different merchants within minutes
Russian-language device configurations despite US geographic footprint
Targeted Products
High-margin cosmetics, skincare bundles, fragrance sets
Items small in size with strong resale demand
Identity & Device Traits
Newly created cookie histories inconsistent with years-old email accounts
Cheap Android devices recycled across attempts with minimal persistence
Guest checkout preferred
$1.4M Identity-Hijack Storage-Unit Ring
5-Day Coordinated Operation (Nov. 25-30)
Peak Attack Window: Nov. 28, 2025 09:40 - 10:05 (25 min, 180 txs)
FRAUD PREVENTED: $1.4M USD
Initial Assessment:
A coordinated identity-theft ring operated across major apparel merchants using real consumer identities paired with fake corporate-style email domains such as john_smith@fakebizdomain.com. All goods were routed to storage-unit drop points across the Midwest. The actors relied on stolen U.S. cards, recycled Android devices, and newly registered domains to blend into seasonal traffic and stay below velocity-based detection.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for clusters of unknown, business-oriented email domains created during November 25–30 that appear across multiple new-cookie sessions. Confirm whether these domains correspond to accounts with no prior history and rapid checkout behavior.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for clusters of accounts created within minutes of each other using similar email structures, device fingerprints, or repeated storage-unit addresses.
LEVEL 3: CHECK YOUR FRAUD MODEL
Check whether your model incorporates domain age scoring and identity-email mismatch detection. Enhance rules linking recycled device IDs, Midwest drop-point clusters, and pre-test card behavior to coordinated identity-hijack activity.
Fraud Signature: “Fake Business Identity Scheme”
Fabricated corporate email domains with no DNS history
Billing identities matched real victims, while shipping addresses were always storage-unit facilities
Accounts created rapidly with no browsing history
Network & Payment Fingerprint
Rotating residential IPs concentrated in Midwest ISP ranges
Recycled Android devices with repeated device IDs/mixed-locale settings
Stolen Visa/Mastercard details, validated through small pre-test charges
Behavioral Signals
Missing cookies
Rapid sessions from account creation to checkout
Shipping address as storage units
Targeted Products
High AOV footwear
Clothing
Synthetic Identity Profile
Email patterns followed: firstname_lastname@fabricatedbusinessdomain.com
Domains younger than 30 days w/ no legit web presence
Accurate data from victims
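The Level 2 and Level 3 checks for this ring, sketched as an added example (not Forter's code or model): it scores each order against the signals listed above and then clusters high-signal orders by shared device ID or ship-to address. The record fields, the 10-minute "rapid checkout" cut-off, the "storage" address keyword and the pre-enriched domain registration date are assumptions, and the sample orders are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EMAIL_RE = re.compile(r"^([a-z]+)_([a-z]+)@")   # firstname_lastname@...
STORAGE_RE = re.compile(r"storage", re.I)       # assumed crude address keyword
MAX_DOMAIN_AGE = timedelta(days=30)             # "domains younger than 30 days"
RAPID_CHECKOUT = timedelta(minutes=10)          # assumed cut-off for "rapid"

def signals(o):
    """Return the set of ring signals present on one order record."""
    hit = set()
    if o["checkout"] - o["domain_registered"] < MAX_DOMAIN_AGE:
        hit.add("young_domain")
    m = EMAIL_RE.match(o["email"].lower())
    if m and list(m.groups()) == o["billing_name"].lower().split():
        hit.add("name_style_email")
    if STORAGE_RE.search(o["ship_to"]):
        hit.add("storage_unit")
    if o["checkout"] - o["created"] < RAPID_CHECKOUT:
        hit.add("rapid_checkout")
    if not o["cookie"]:
        hit.add("no_cookie")
    return hit

def find_clusters(orders, min_signals=3, min_accounts=2):
    """Group high-signal orders by shared device ID or ship-to address."""
    groups = defaultdict(set)
    for o in orders:
        if len(signals(o)) >= min_signals:
            groups[("device", o["device_id"])].add(o["account"])
            groups[("ship_to", o["ship_to"].lower())].add(o["account"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_accounts}

T0 = datetime(2025, 11, 28, 9, 40)
def order(account, email, name, ship_to, device_id, domain_days, minutes, cookie):
    return {"account": account, "email": email, "billing_name": name,
            "ship_to": ship_to, "device_id": device_id, "cookie": cookie,
            "domain_registered": T0 - timedelta(days=domain_days),
            "created": T0, "checkout": T0 + timedelta(minutes=minutes)}

ORDERS = [  # constructed sample records, not real data
    order("a1", "john_smith@fakebizdomain.com", "John Smith",
          "Unit 14, Example Self Storage", "dev-1", 6, 3, False),
    order("a2", "mary_jones@fakebizdomain.com", "Mary Jones",
          "Unit 14, Example Self Storage", "dev-1", 6, 4, False),
    order("a3", "ann_lee@examplecorp.test", "Ann Lee", "12 Main St", "dev-2", 4000, 2, True),
]
print(find_clusters(ORDERS))
```

Order a3 shows why no single signal is enough: a long-established business domain with a name-style address and a fast checkout carries only two signals and stays out of the clusters.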
$2.2M Gift Card Bot Ring
72-Hour Coordinated Bot Operation (Nov. 19-21, 2025)
Peak Attack Window: Nov. 20, 2025 14:12-14:18 (6min, 410 txs)
FRAUD PREVENTED: $2.2M USD
Initial Assessment: A coordinated bot ring executed a three-day attack across several merchants, focusing specifically on high-value gift orders. The actors attempted to blend into seasonal gifting traffic by using stolen Visa cards and lightweight synthetic identities. Their operation relied on automated account creation, device spoofing, and rapid rotation across low-reputation email domains. At peak velocity the bots pushed more than 65 transactions per minute, often reusing the same identity template with minor edits.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check recent Visa-paid gift orders. Look for newly created accounts, spoofed or missing device fingerprints, and low-reputation email domains. Any overlap of these traits may indicate probing by this ring.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for short bursts of gift orders where accounts were created within minutes of each other. Look for clusters with inconsistent billing and shipping details and mismatched buyer–recipient pairs.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model monitors email domain reputation. Identify newly created or low-reputation domains from the attack window, then cluster those domains with device manipulation and bot indicators such as rapid user-agent changes or missing persistent cookies. Linking suspicious domains to the same spoofed device traits helps reveal coordinated gift-order and gift-card attempts.
$1.5M AI-Driven Home Goods Returns Abuse Ring
7 Day Coordinated Operation (Nov. 24-30)
Peak Attack Window: Nov. 28, 2025 11:20 - 12:05 (High-Load Period)
FRAUD PREVENTED: $1.5M USD
Initial Assessment: A coordinated return-abuse ring leveraged AI-altered images. The actors relied on newly created customer accounts and legitimate payment methods to appear trustworthy, submitting convincing claims showing minor damage such as cracks, dents, or malfunctioning components. The group exploited merchant strain during Cyber Weekend, generating large volumes of support tickets in tight time windows to overwhelm manual review processes while rotating hosting-based IPs to fragment their identity footprint.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for clusters of new accounts that submit damage claims shortly after their first purchase. Review support logs during Cyber Weekend windows where complaint spikes coincide with accounts having minimal history and high refund frequency.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for accounts using U.S. VPN routing but showing non-U.S. device languages, as well as repeated return-claim wording or similar image styles across unrelated users.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model incorporates identity-level behavioral history that evaluates return-request rates, refund outcomes, and cross-account cyber signals. Ensure it analyzes behavior from an identity perspective rather than an account perspective, since these rings rotate between multiple accounts and devices.
Fraud Signature: “AI-Enhanced No-Return Refund Pattern”
New accounts followed by immediate damage-claim activity
Repeat use of staged “corruption” images showing cracks or delivery-related faults
High refund velocity concentrated in peak times to increase acceptance likelihood
Network & Payment Fingerprint
VPN services routing traffic through U.S. residential IPs, while device languages show Russian or Ukrainian origins
Rapid shifts between hosting-provider IP ranges to break continuity across accounts
No suspicious BIN patterns due to use of real, uncompromised payment instruments
Behavioral Signals
High volume of near-identical support complaints across many new accounts
Quick claim submissions shortly after delivery, often the 1st/2nd tx on the account
Targeted Products
Decor
Cheap Furniture
Synthetic Identity Profile
Legitimate credit cards and real customer information used to avoid payment-based suspicion
Accounts created in bursts, often performing a few normal transactions before fraudulent claims
$2.1M Multi-Vertical Email-ATO Pickup Ring
Attack across 15 merchants
Peak Attack Window: Nov. 27-29 (Cyber Weekend)
FRAUD PREVENTED: $3.1M USD
Initial Assessment: A coordinated ATO ring executed a cross-merchant attack campaign using access to compromised consumer email inboxes. Once inside a victim’s email, the actors initiated password resets or login verifications across any merchant accounts the email was associated with. The group rotated fresh ISP IPs, operated through virtual machines to obscure device fingerprints, and used expedited shipping and pickup fulfillment to receive goods before victims detected unauthorized activity.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for password-reset or login-verification events followed by high-value expedited or pickup orders.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Review clusters of device fingerprints showing VM traits, fresh device IDs, and ISP-originating IPs inconsistent with historical customer behavior, along with the pickup ship method.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model detects sudden shifts in behavior across previously stable customer accounts. These shifts include new device fingerprints, unfamiliar purchasing patterns, and atypical account events triggered shortly before high-value orders. The model should correlate these anomalies across multiple accounts to recognize them as a coordinated ATO ring rather than isolated incidents.
Fraud Signature: “Email Takeover Pattern”
Access to victim inbox for immediate password resets/cross-site account entry, even for merchants with passwordless logins
High-value purchases with expedited fulfillment to compress victim detection windows
VM-generated device identities rotated every transaction
Network & Payment Fingerprint
Constant rotation of newly allocated ISP IPs to mimic legitimate consumer locations
Virtual machines with fresh device IDs for each session to evade lineage tracking
Payment instruments varied: stolen cards, unauthorized PayPal wallets & payment methods not linked to the victim
Behavioral Signals
Rapid login → password reset → high-AOV purchase sequence executed within minutes
High rate of “pickup” ship method to reduce timelines and prevent victims from intervening
Pickup done by a “mule” that is not a part of the fraud ring
High rate of paying extra for the most expedited pickup
Targeted Products
Decor
Cheap Furniture
Synthetic Identity Profile
Actors relied entirely on real customer accounts accessed via compromised inboxes
Shipping and contact details modified only at the final checkout step to avoid raising suspicion in account profiles
Jewelry, Electronics, Beauty
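The Level 1 and Level 3 checks for this ring, sketched as an added example (not Forter's code or model): it flags a password-reset or login-verification event followed within minutes by a high-value pickup or expedited order from a device never seen on that account, then tests whether several accounts show the sequence close together. The event fields, the 15-minute window, the 300.0 order threshold and the one-hour, three-account correlation rule are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)      # assumed meaning of "within minutes"
HIGH_VALUE = 300.0                  # assumed high-AOV threshold
FAST_SHIP = {"pickup", "expedited"}
TRIGGERS = {"password_reset", "login_verification"}

def takeover_hits(events, known_devices):
    """Return (account, order_ts) for trigger -> fast high-value order on a new device."""
    last_trigger, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        acct = e["account"]
        if e["type"] in TRIGGERS:
            last_trigger[acct] = e["ts"]
        elif e["type"] == "order":
            t = last_trigger.get(acct)
            if (t is not None and e["ts"] - t <= WINDOW
                    and e["amount"] >= HIGH_VALUE
                    and e["ship"] in FAST_SHIP
                    and e["device"] not in known_devices.get(acct, set())):
                hits.append((acct, e["ts"]))
    return hits

def coordinated(hits, span=timedelta(hours=1), min_accounts=3):
    """True if min_accounts distinct accounts were hit inside any one span."""
    hits = sorted(hits, key=lambda h: h[1])
    for i, (_, start) in enumerate(hits):
        accounts = {a for a, ts in hits[i:] if ts - start <= span}
        if len(accounts) >= min_accounts:
            return True
    return False

def ev(minute, account, type_, **fields):
    ts = datetime(2025, 11, 28, 10, 0) + timedelta(minutes=minute)
    return {"ts": ts, "account": account, "type": type_, **fields}

# Constructed sample data: devices previously seen per account, then an event stream.
KNOWN = {"u1": {"d-home1"}, "u2": {"d-home2"}, "u3": {"d-home3"}, "u4": {"d-home4"}}
EVENTS = [
    ev(0, "u1", "password_reset"),
    ev(4, "u1", "order", amount=899.0, ship="pickup", device="vm-01"),
    ev(6, "u2", "login_verification"),
    ev(9, "u2", "order", amount=640.0, ship="pickup", device="vm-02"),
    ev(20, "u3", "password_reset"),
    ev(26, "u3", "order", amount=1200.0, ship="expedited", device="vm-03"),
    ev(30, "u4", "password_reset"),   # genuine customer: known device, small order
    ev(35, "u4", "order", amount=45.0, ship="standard", device="d-home4"),
]
print(takeover_hits(EVENTS, KNOWN), coordinated(takeover_hits(EVENTS, KNOWN)))
```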
$1.4M Identity-Hijack Storage Unit Ring
5 Day Coordinated Operation (November 25-30, 2025)
Peak Attack Window: Nov. 28, 2025 09:40-10:05 (25min, 180 txs)
FRAUD PREVENTED: $1.4M USD
Initial Assessment: A coordinated identity-theft ring operated across major apparel merchants using real consumer identities paired with fake corporate-style email domains such as john_smith@fakebizdomain.com. All goods were routed to storage-unit drop points across the Midwest. The actors relied on stolen U.S. cards, recycled Android devices, and newly registered domains to blend into seasonal traffic and stay below velocity-based detection.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for clusters of unknown, business-oriented email domains created during November 25–30 that appear across multiple new-cookie sessions. Confirm whether these domains correspond to accounts with no prior history and rapid checkout behavior.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for clusters of accounts created within minutes of each other using similar email structures, device fingerprints, or repeated storage-unit addresses.
LEVEL 3: CHECK YOUR FRAUD MODEL
Check whether your model incorporates domain age scoring and identity email mismatch detection. Enhance rules linking recycled device IDs, Midwest drop-point clusters, and pre-test card behavior to coordinated identity-hijack activity.
Fraud Signature: Fake Business Identity Scheme
Fabricated corporate-looking email domains with no DNS history
Billing identities matched real victims while shipping to storage-unit facilities
Accounts created and checked out rapidly with no browsing history
Network & Payment Fingerprint
Rotating residential IPs concentrated in Midwest ISP ranges
Recycled Android devices with repeated device IDs and mixed-locale settings
Stolen Visa/Mastercard details, often validated through small pre-test charges
Behavioral Signals
Missing cookies
Rapid, automation-like sessions from account creation to checkout
Shipping address as storage units
Targeted Products
High AOV Footwear
Clothing
Synthetic Identity Profile
Email patterns followed firstname_lastname@fabricatedbusinessdomain.com
Domains younger than 30 days with no legitimate web presence
Accurate victim data
$1.5M AI-Driven Returns Abuse Ring
7 Day Coordinated Operation (November 24-30, 2025)
Peak Attack Window: Nov. 28, 2025 11:20-12:05 (High Load Period)
FRAUD PREVENTED: $1.5M USD
Initial Assessment: A coordinated return-abuse ring leveraged AI-altered images. The actors relied on newly created customer accounts and legitimate payment methods to appear trustworthy, submitting convincing claims showing minor damage such as cracks, dents, or malfunctioning components. The group exploited merchant strain during Cyber Weekend, generating large volumes of support tickets in tight time windows to overwhelm manual review processes while rotating hosting-based IPs to fragment their identity footprint.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Look for clusters of new accounts that submit damage or defect claims shortly after their first purchase. Review support logs during Cyber Weekend windows where complaint spikes coincide with accounts having minimal history and high refund frequency.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for accounts using U.S. VPN routing but showing non-U.S. device languages, as well as repeated return-claim wording or similar image styles across unrelated users.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model incorporates identity-level behavioral history that evaluates return-request rates, refund outcomes, and cross-account cyber signals such as recurring device fingerprints. Ensure it analyzes behavior from an identity perspective rather than an account perspective, since these rings rotate between multiple accounts and devices.
Fraud Signature: "AI-Enhanced No-Return Refund Pattern"
New accounts followed by immediate damage-claim activity
Repeat use of staged “corruption” images showing cracks or delivery-related faults
High refund velocity concentrated in support peak times to increase acceptance likelihood
Network & Payment Fingerprint
VPN services routing traffic through U.S. residential IPs, while device languages show Russian or Ukrainian origins
Rapid shifts between hosting-provider IP ranges to break continuity across accounts
No suspicious BIN patterns due to use of real, uncompromised payment instruments
Behavioral Signals
High volume of near-identical customer support complaints issued across many new accounts
Quick claim submissions shortly after delivery, often the first or second transaction on the account
Targeted Products
Decor
Cheap Furniture
Synthetic Identity Profile
Legit credit cards and real customer info used to avoid payment-based suspicion
Accounts created in bursts, often performing a few normal transactions before fraudulent claims