Detecting Coordinated Fraud Attacks: A Guide to Campaign Attribution

A single fake signup is annoying. A thousand fake signups in a coordinated wave can bring your platform to its knees. The difference between amateur fraud and professional fraud is coordination, and detecting that coordination is what separates a good fraud detection system from a great one.

When we analyzed 100,000 fake signups across our customer base, one pattern stood out above all others: the vast majority of fraudulent accounts were created in clusters. Not random, isolated attempts, but organized campaigns with shared characteristics that, once you know what to look for, become surprisingly visible.

This article breaks down how to detect coordinated signup fraud, from timing analysis to infrastructure fingerprinting to campaign clustering algorithms that group attacks together and attribute them to common sources.

Why Coordinated Attacks Are Different

Individual fraudsters creating one-off accounts are relatively easy to catch. They make mistakes. They use obvious burner email providers. They skip the basics.

Coordinated attacks are different because they operate at scale. An attacker running a botnet or a fraud-as-a-service operation needs to create hundreds or thousands of accounts quickly. That urgency leaves fingerprints, even when each individual account looks legitimate on its own.

The key insight is this: you stop looking at individual signups in isolation and start looking at the relationships between them. Patterns that are invisible at the account level become obvious at the campaign level.

Timing Analysis: The First Signal

The simplest and most powerful signal for detecting coordinated fraud is timing. Humans signing up for a service follow natural patterns. They arrive from different time zones, at different times of day, with variable gaps between signups. Bots and coordinated attackers do not.

Inter-Arrival Time Distribution

Track the time between consecutive signups. Legitimate traffic follows a Poisson distribution with natural variance. Coordinated attacks often show unnaturally regular spacing, like signups arriving every 3.2 seconds with minimal deviation.

interface SignupEvent {
  email: string;
  timestamp: number;
  ip: string;
  userAgent: string;
}

function detectTimingAnomaly(events: SignupEvent[], windowMs: number = 300000): boolean {
  const sorted = events.sort((a, b) => a.timestamp - b.timestamp);
  const gaps: number[] = [];

  for (let i = 1; i < sorted.length; i++) {
    gaps.push(sorted[i].timestamp - sorted[i - 1].timestamp);
  }

  if (gaps.length < 5) return false;

  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((sum, g) => sum + Math.pow(g - mean, 2), 0) / gaps.length;
  const coefficientOfVariation = Math.sqrt(variance) / mean;

  // Legitimate traffic typically has CV > 1.0
  // Bot traffic often has CV < 0.3
  return coefficientOfVariation < 0.4;
}

Burst Detection

Beyond regular spacing, look for volume bursts. A sliding window that counts signups per minute can flag sudden spikes. But be careful: a viral tweet or a product launch can cause legitimate bursts too. The trick is combining burst detection with other signals.

We use a multi-window approach at BigShield. We track signup rates at 1-minute, 5-minute, and 30-minute windows simultaneously. A legitimate viral spike will show a gradual ramp-up across all windows. A bot attack often appears as a sharp spike in the 1-minute window with no corresponding build-up in the longer windows.

Shared Infrastructure Signals

Coordinated attackers share resources. Even when they rotate through different IP addresses and email providers, they often leave traces of shared infrastructure.

IP Clustering

Look beyond individual IPs to network-level patterns. Are signups coming from the same /24 subnet? The same ASN? The same hosting provider? A burst of signups from DigitalOcean's Frankfurt datacenter at 3am is not organic growth.

interface IPCluster {
  subnet: string;
  asn: number;
  provider: string;
  signupCount: number;
  uniqueEmails: number;
  timeSpanMs: number;
}

function clusterByNetwork(events: SignupEvent[]): IPCluster[] {
  const clusters = new Map<string, SignupEvent[]>();

  for (const event of events) {
    // Group by /24 subnet
    const subnet = event.ip.split('.').slice(0, 3).join('.') + '.0/24';
    if (!clusters.has(subnet)) clusters.set(subnet, []);
    clusters.get(subnet)!.push(event);
  }

  return Array.from(clusters.entries())
    .filter(([_, events]) => events.length >= 3)
    .map(([subnet, events]) => ({
      subnet,
      asn: lookupASN(events[0].ip),
      provider: lookupProvider(events[0].ip),
      signupCount: events.length,
      uniqueEmails: new Set(events.map(e => e.email)).size,
      timeSpanMs: Math.max(...events.map(e => e.timestamp)) - Math.min(...events.map(e => e.timestamp)),
    }));
}

Email Domain Clustering

Attackers often register bulk email accounts with the same provider, or they use a small set of custom domains. Track the distribution of email domains across signup waves. If 40% of signups in a 10-minute window all use the same obscure email provider, that is a strong signal.

Also watch for domain age clustering. Freshly registered domains used for signups are suspicious individually. A batch of signups from five different domains, all registered within the same week, is a campaign.

User-Agent and Browser Fingerprint Overlap

Even when attackers randomize their user-agent strings, they often make subtle mistakes. The same rare screen resolution, the same unusual font list, the same WebGL renderer string. For a deeper look at these techniques, see our guide to device fingerprinting for multi-account detection.

Campaign Clustering Algorithms

Once you have individual signals, the real power comes from clustering them together to identify campaigns. Think of it as connecting the dots between seemingly unrelated signups.

Feature Vector Construction

For each signup, build a feature vector that captures the signals you are tracking:

• IP subnet and ASN
• Email domain and domain age
• Signup timestamp (binned to 5-minute windows)
• User-agent family and version
• Device fingerprint hash (if available)
• Timezone and language settings
• Form completion time

Similarity-Based Clustering

Use a similarity metric to group signups that share multiple features. DBSCAN works well here because it does not require you to specify the number of clusters in advance, and it handles noise (legitimate signups) naturally.

function calculateSimilarity(a: SignupFeatures, b: SignupFeatures): number {
  let score = 0;
  let maxScore = 0;

  // Same /24 subnet: strong signal
  maxScore += 3;
  if (a.subnet === b.subnet) score += 3;

  // Same ASN: moderate signal
  maxScore += 2;
  if (a.asn === b.asn) score += 2;

  // Same email domain: moderate signal
  maxScore += 2;
  if (a.emailDomain === b.emailDomain) score += 2;

  // Close in time (within 10 min): moderate signal
  maxScore += 2;
  if (Math.abs(a.timestamp - b.timestamp) < 600000) score += 2;

  // Same user-agent: weak signal (common UAs are shared)
  maxScore += 1;
  if (a.userAgent === b.userAgent) score += 1;

  // Same timezone + language combo: weak signal
  maxScore += 1;
  if (a.timezone === b.timezone && a.language === b.language) score += 1;

  return score / maxScore;
}

A similarity threshold of 0.5 to 0.6 works well in practice. Two signups that share a subnet, email domain, and timestamp are almost certainly part of the same campaign, even if everything else differs.

Graph-Based Attribution

For more sophisticated analysis, model signups as a graph. Each signup is a node, and edges connect signups that share specific attributes (same IP, same email domain, overlapping device fingerprint, etc.). Connected components in this graph often correspond to fraud campaigns.

This approach catches attacks that simple threshold-based clustering misses. An attacker might rotate IPs perfectly but reuse the same email naming pattern. Another might use unique emails but share a device fingerprint. The graph connects them through transitive relationships.

Attribution Techniques

Detecting a campaign is step one. Attributing it (identifying the source and connecting it to past attacks) makes your defense stronger over time.

Campaign Fingerprinting

Every fraud campaign has a "style." The email naming conventions (john.smith.8472 vs j_smith_random), the IP rotation pattern, the timing profile, the form-filling behavior. Build a fingerprint for each detected campaign and store it. When a new attack begins, compare its emerging fingerprint against historical campaigns. You will be surprised how often attackers reuse their playbook.

Infrastructure Tracking

Track the infrastructure used by identified campaigns: IP ranges, hosting providers, email domains, proxy services. Build an internal blocklist that feeds back into your real-time scoring. An IP range used in a campaign last month should get elevated scrutiny this month.

Temporal Pattern Matching

Some attackers operate on schedules. They run campaigns at the same time each week, or they ramp up before holidays or sales events. Tracking campaign timing across weeks and months can help you predict and preemptively block the next wave before it starts.

Putting It Into Practice

You do not need to build all of this from scratch. Here is a practical starting point:

1. Start with timing. Implement burst detection and inter-arrival time analysis. This alone catches a surprising percentage of coordinated attacks.
2. Add IP clustering. Group signups by subnet and ASN. Flag clusters that exceed a threshold within a time window.
3. Layer in email domain analysis. Track domain distribution and domain age for signups within each time window.
4. Build campaign records. When you detect a cluster, save its characteristics. Use them to catch the next attack faster.
5. Feed it back into scoring. Every detected campaign should improve your real-time scoring for future signups.

The compounding effect is powerful. Each campaign you detect and fingerprint makes detecting the next one easier. Over time, returning attackers get caught faster and faster, often within the first few signups of a new campaign.

The BigShield Approach

BigShield runs campaign detection as part of its Tier 2 signal processing. When a signup arrives, it is scored in real-time using Tier 1 signals (under 100ms). Simultaneously, the signup is analyzed against recent signup patterns for campaign-level signals. If a coordinated attack is detected, all associated accounts are flagged and future signups matching the campaign fingerprint receive elevated risk scores automatically.

The result: coordinated attacks that might create hundreds of accounts on an unprotected platform get stopped within the first handful of signups. If you are dealing with organized signup fraud and want campaign-level detection without building the infrastructure yourself, BigShield handles it out of the box. Check out our API at bigshield.app and start catching coordinated fraud today.