Last week, we launched a new user registration campaign offering a 50 yuan coupon. We expected a surge in new users, but the monitoring system frequently triggered alarms—over 20,000 coupons were claimed in just 6 hours, yet actual transactions were nearly zero.
We were "sheared."
Initial investigations revealed that these accounts all used new phone numbers, and verification codes passed through code receiving platforms instantly. The behavior path was highly consistent: register → claim coupon → exit. Traditional rules based on phone numbers or device IDs failed completely.
After reflecting on this, I realized: to identify "humans" versus "machines," we shouldn’t just look at accounts but at the network identity behind them—IP addresses and device traces.
Fraudsters typically use proxy IP pools and automation scripts for bulk operations. If we can identify "data center IPs" or "abnormal IPs with frequent geographic location switching" at the request entry, and combine that with detecting whether the device is an emulator or whether the fingerprint is duplicated, interception accuracy will improve significantly.
Thus, I started researching IP data services. I compared several major vendors, evaluating factors such as: IPv6 support, richness of risk tags, API response speed, offline database availability, and geolocation accuracy.
In testing, IPnews accurately identified data center and high-anonymity proxies over 99.9% of the time. Its offline database is updated daily, making it highly suitable for our hybrid deployment risk control architecture. However, since IPnews.io is still a relatively new provider, we need further testing to ensure it meets our requirements. On the plus side, the free query limit largely covers our needs, so we only need to pay a small fee for risk data, greatly reducing our budget concerns.
Deployment Strategy:
If the IP is marked as "data center" or "proxy" and the device fingerprint is seen for the first time → force CAPTCHA verification.
If the same IP triggers more than 30 registrations within 10 minutes → automatically added to the watchlist.
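The two rules above as a runnable sketch (an added example, not the author's production code). The tag strings, the `RegistrationRiskGate` name, the in-memory state and the HMAC pseudonymization of device IDs are assumptions; a real deployment would read tags from the IP database and keep state in a shared store.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60                  # rule 2: "within 10 minutes"
MAX_REGISTRATIONS = 30                    # rule 2: "more than 30 registrations"
RISKY_IP_TAGS = {"data center", "proxy"}  # rule 1 tags (label strings are assumed)


class RegistrationRiskGate:
    def __init__(self, ip_tags, key):
        self.ip_tags = ip_tags            # ip -> set of tags; stand-in for the offline IP database
        self.key = key                    # secret used to pseudonymize device IDs
        self.seen_devices = set()         # keyed hashes only, never raw device IDs
        self.recent = defaultdict(deque)  # ip -> registration timestamps inside the window
        self.watchlist = set()

    def evaluate(self, ip, device_id, now):
        # Rule 2: sliding 10-minute window of registrations per IP.
        window = self.recent[ip]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_REGISTRATIONS:
            self.watchlist.add(ip)

        # Rule 1: risky IP tag AND a device fingerprint seen for the first time.
        digest = hmac.new(self.key, device_id.encode(), hashlib.sha256).hexdigest()
        first_seen = digest not in self.seen_devices
        self.seen_devices.add(digest)
        risky_ip = bool(self.ip_tags.get(ip, set()) & RISKY_IP_TAGS)
        return {"captcha": risky_ip and first_seen, "watchlisted": ip in self.watchlist}


def demo():
    # Constructed sample: one scripted burst from a documentation-range IP.
    gate = RegistrationRiskGate({"203.0.113.7": {"data center"}}, key=b"constructed-demo-key")
    burst = [gate.evaluate("203.0.113.7", f"device-{i}", now=1000 + 10 * i) for i in range(31)]
    normal = gate.evaluate("198.51.100.20", "device-home", now=1300)
    return burst, normal


if __name__ == "__main__":
    burst, normal = demo()
    print("first burst request:", burst[0])
    print("31st burst request:", burst[-1])
    print("untagged IP:", normal)
```

The watchlist flag trips on the 31st registration inside the window, not the 30th, matching "more than 30".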
Results:
- Abnormal registration volume decreased by 78%;
- Effective user conversion rate increased by 12%;
- False interception rate was just 0.35%, primarily consisting of real users using proxies/VPNs, which we plan to optimize through whitelisting.
This experience has made me deeply realize that operational security isn’t something to fix afterward; it should be designed upfront. The IP address is no longer "ancillary information" but one of the core signals in the risk control system.
Three pieces of advice for peers:
- Before launching a campaign, ensure IPs and basic device fingerprints are collected.
- Link IP data with behavior rules to avoid isolated judgments.
- Ensure all data processing complies with the Personal Information Protection Law, and anonymize raw device IDs and other privacy-related information.
Fighting sheep-shearing is no simple task, but since we started using IPnews' offline database service, precise IP intelligence has given us a pair of "eyes" that can clearly see the true nature of traffic.
