We Analyzed 100,000 Fake Signups. Here Is What We Found.
A data-driven deep dive into fake signup patterns: top burner domains, time-of-day spikes, geographic clusters, and device fingerprint analysis across 100K fraudulent accounts.
The Dataset
Over the past six months, BigShield has processed over 14 million email validation requests. From that pool, we isolated 100,000 signups that were confirmed as fraudulent through a combination of our scoring system, client-reported chargebacks, and post-signup behavioral analysis (accounts that never activated, immediately abused free-tier limits, or were part of known bot campaigns).
We anonymized and aggregated this data to look for patterns. What follows is the most comprehensive public analysis of fake signup behavior that we are aware of.
Finding #1: The Burner Domain Landscape Is Fragmented
Most people think of disposable email as "tempmail.com and a few others." The reality is far more fragmented. In our dataset, we identified 1,247 unique burner domains used across the 100K fake signups.
Here are the top 15 by volume:
| Domain | Count | % of Total |
|---|---|---|
| tempmail.plus | 4,812 | 4.81% |
| guerrillamail.com | 3,947 | 3.95% |
| mailnator.com | 3,201 | 3.20% |
| throwamail.net | 2,688 | 2.69% |
| yopmail.com | 2,534 | 2.53% |
| sharklasers.com | 2,101 | 2.10% |
| trashmail.me | 1,876 | 1.88% |
| dispostable.com | 1,743 | 1.74% |
| fakeinbox.org | 1,612 | 1.61% |
| burnermail.io | 1,498 | 1.50% |
| 10minutemail.com | 1,387 | 1.39% |
| emailondeck.com | 1,244 | 1.24% |
| mintemail.com | 1,109 | 1.11% |
| throwaway.email | 987 | 0.99% |
| getairmail.com | 901 | 0.90% |
The critical takeaway: the top 15 domains account for only 31.6% of burner email usage. The remaining 68.4% is spread across 1,232 other domains. Many of these are tiny, recently created domains with fewer than 50 uses each. A static blocklist will always be playing catch-up.
Finding #2: But 38% Used Legitimate Email Providers
Here is the number that should worry you. Of the 100,000 confirmed fake signups, 38,214 used emails at legitimate providers like Gmail, Outlook, Yahoo, and ProtonMail.
- Gmail: 21,847 fake accounts (57.2% of legitimate-provider fraud)
- Outlook/Hotmail: 8,932 (23.4%)
- Yahoo: 4,103 (10.7%)
- ProtonMail: 2,112 (5.5%)
- Other: 1,220 (3.2%)
Domain blocklists cannot catch these. You need signal-level analysis: email pattern detection, IP reputation, behavioral fingerprinting, and more. This is why free-tier fraud costs so much to address manually.
Finding #3: Time-of-Day Patterns Are Striking
Legitimate signups follow predictable patterns tied to human behavior: peaks during business hours (9am-12pm and 1pm-5pm local time), dips overnight, modest weekend activity.
Fake signups look completely different. We normalized all timestamps to UTC and found:
- Peak fraud window: 02:00-06:00 UTC (accounting for 34% of daily fake signups)
- Secondary peak: 14:00-16:00 UTC (18% of daily fake signups)
- Lowest fraud activity: 10:00-12:00 UTC (only 4% of daily fake signups)
The overnight UTC peak corresponds to business hours in Southeast Asia (where many bot farms operate) and late evening in Eastern Europe (where many freelance fraud operators work). The secondary afternoon UTC peak aligns with morning hours in the US, when automated scripts run before operators start their workday.
What makes this useful for detection: if you see a spike of signups at 3am UTC from IP addresses that do not match the claimed timezone, that is a strong fraud signal.
Finding #4: Geographic Clustering Reveals Bot Farms
We geolocated the IP addresses associated with each fake signup. While fraud is global, certain regions showed disproportionate concentration:
- Vietnam: 14.2% of fake signups (primarily Ho Chi Minh City and Hanoi)
- Nigeria: 11.8% (Lagos dominates at 73% of Nigerian fraud)
- Indonesia: 9.4% (Jakarta and Surabaya)
- India: 8.7% (distributed across multiple cities)
- Russia: 7.1% (Moscow and St. Petersburg)
- United States: 6.9% (but 78% of US fraud originates from datacenter IPs, not residential)
- Brazil: 5.3%
- Philippines: 4.8%
- Other: 31.8% across 94 countries
An important nuance: raw geographic blocking is a terrible idea. India has 8.7% of our fake signups, but it also has millions of legitimate SaaS users. The signal is not "block this country" but rather "combine geography with other signals for a more complete picture."
Finding #5: Device Fingerprint Clustering Is the Smoking Gun
This is where the data gets really interesting. When we analyzed device fingerprints (browser, OS, screen resolution, installed fonts, WebGL renderer), we found that fake signups cluster dramatically.
- Top 1% of device fingerprints accounted for 23.4% of all fake signups
- The single most common fingerprint appeared on 1,847 different fake accounts
- 67% of fake signups shared a fingerprint with at least 5 other fake accounts
- For comparison, only 3.2% of legitimate signups shared a fingerprint with 5+ other accounts
The most common bot fingerprint profile: Chrome 120 on Windows 10, 1920x1080 resolution, English (US) language, generic Intel UHD Graphics WebGL renderer. This is the default configuration for most headless browser setups and cheap VPS instances.
Finding #6: Campaign-Style Attacks Are the Norm
Fake signups do not trickle in one at a time. They arrive in campaigns. Using time-clustering analysis (grouping signups that share at least 3 signals and occur within a 2-hour window), we identified 1,342 distinct fraud campaigns in our 100K dataset.
Campaign characteristics:
- Average campaign size: 74 fake signups
- Median campaign duration: 47 minutes
- Largest single campaign: 2,814 signups in 3 hours (targeting an AI writing tool)
- Most persistent actor: One fingerprint cluster ran 23 separate campaigns over 4 months
For more on how we detect and attribute these campaigns, see our writeup on coordinated fraud attack detection.
Finding #7: The "Free Trial Ladder" Pattern
We identified a sophisticated pattern we call the "free trial ladder." A single operator creates accounts across multiple AI SaaS products, uses each free tier to its limit, then moves on. By correlating across our client base (with appropriate anonymization), we found:
- 412 distinct operators who created free accounts at 5 or more of our client products
- The most prolific operator had accounts at 31 different SaaS products
- Average time from signup to free-tier exhaustion: 2.3 days
These operators are not trying to commit traditional fraud. They are arbitraging free tiers, often reselling the API access or generated content. It is a business model built entirely on fake signups.
What This Means for Your Signup Flow
If you are relying solely on email domain blocklists, you are catching roughly 62% of fake signups at best. The remaining 38% sail right through because they use Gmail, Outlook, and other legitimate providers.
Effective fraud prevention requires layered signals: email pattern analysis, domain reputation, IP intelligence, device fingerprinting, and behavioral analysis. No single signal catches everything, but combined, they achieve detection rates above 95%.
The data is clear. Fake signups are not random noise. They are organized, patterned, and increasingly sophisticated. But those very patterns are what make them detectable, if you know what to look for.
BigShield analyzes 20+ signals in real time to score every signup in under 200ms. If the numbers in this article feel familiar, we can help you see exactly what is happening in your signup flow and start blocking the fraud before it costs you.