iGaming Affiliate Fraud: 8 Patterns Operators Detect

iGaming affiliate fraud is fraud committed by, or routed through, affiliates marketing online casino, poker, lottery, and sportsbook operators. It looks different from generic affiliate fraud because the standard iGaming contract is revenue share, not flat CPA: the operator pays the affiliate a percentage of each referred player’s lifetime negative net gaming revenue (NGR), often for the life of the account. That contract shape rewards a specific menu of scams: scrubbing winners, farming losers, re-registering self-excluded players, bypassing KYC, and routing US-state traffic to non-US-licensed brands. Spider AF benchmarks put roughly 45% of affiliate traffic in the invalid or fraudulent bucket, with iGaming running materially above that average (HUMAN Security, 2025, reports sophisticated invalid traffic now evades standard rule-based filtering at over 60% rates, a gap concentrated in high-LTV verticals like iGaming). ^[1] Juniper Research, 2025, projects global advertising fraud losses to reach $172 billion by 2028, with gambling and crypto verticals overrepresented in the loss share.

This guide breaks down what makes iGaming structurally different, the 8 fraud patterns we see consistently inside casino, poker, and cross-product affiliate programs, the signals operators use to catch them, and the regulatory layer that turns each detected event into a reporting obligation.

What makes iGaming affiliate fraud structurally different?

iGaming affiliate fraud is shaped by five structural factors that do not apply to most other affiliate verticals. ^[5] Together they explain why fraud rates in casino and poker programs run materially higher than the cross-vertical average, and why detection has to look at the player lifetime, not just the click.

Revenue-share contracts versus flat CPA

The dominant iGaming affiliate contract is revenue share on NGR: the affiliate earns a percentage (commonly 25-45%) of the player’s net losses for the life of the account. A flat CPA is the alternative, and many programs run hybrid. Revenue share changes the fraud surface in three ways. First, the affiliate has long-term economic interest in players who lose, which incentivizes filtering out winners pre-deposit. Second, the operator has long-term economic interest in shrinking the revenue-share base, which incentivizes scrubbing. Third, the unit of payout is not a one-shot event but a lifetime curve, which means fraud has a much longer attack window than CPA fraud.

Multi-jurisdiction compliance

iGaming is licensed jurisdiction by jurisdiction. The UK Gambling Commission (UKGC) covers UK-facing brands. The Malta Gaming Authority (MGA) covers EU-facing Maltese-licensed operators. Curacao eGaming licenses a large share of offshore brands. In the US, New Jersey’s DGE, Pennsylvania’s PGCB, and Michigan’s MGCB each license operators state by state, with the licensed market expanding. ^{[2] [3]} An affiliate selling traffic into the wrong jurisdiction is a compliance breach, which makes geo-laundering a regulator-facing fraud type, not just a commercial one.

High CPC plus high LTV creates the incentive

iGaming carries some of the highest paid-search CPCs in advertising, and FTD-level lifetime value commonly runs into the hundreds of dollars on regulated US state traffic. The combination, expensive clicks plus valuable signups plus revenue-share continuity, makes the unit economics of fraud uniquely favorable. A single fraudulent NDC (New Depositing Customer) with a fabricated KYC package can extract welcome-bonus value and seed a long-tail revenue-share commission stream.

Bonus economics

Every regulated iGaming operator runs welcome bonuses, no-deposit free spins, deposit matches, cashback offers, and loyalty rewards. The economic incentive for fraud is direct: a $200 deposit-match bonus claimed across 50 synthetic accounts is a $10,000 fraud event before any wager clears the wagering requirement. Bonus terms are designed to make abuse uneconomic for casual users, but they are routinely solved by professional bonus-abuse networks running stolen identity packages.

Cross-product affiliate networks

Many iGaming affiliates work across casino, sportsbook, and poker simultaneously. Networks like Income Access, Cellxpert, and MyAffiliates carry cross-product attribution, which means an affiliate can arbitrage traffic between products. A user clicking a sports-betting ad and registering on the casino side, or vice versa, blurs attribution and creates room for incentive games that no single-product fraud detection layer sees. See our click fraud protection for sports betting deep dive for the sports-side view.

“affiliate fraud overview”

Which 8 fraud patterns are specific to iGaming affiliates?

iGaming affiliate fraud follows recognizable patterns that generic affiliate-fraud detection wasn’t built to score. ^[4] The eight below appear in nearly every operator review we run. Each gets the same treatment: what it is, how it works, the diagnostic signal, and who pays.

#	Pattern	Where it lives	One-line signal
1	Bonus-abuse multi-accounting (stolen IDs)	Registration + KYC	Device-fingerprint cluster + repeat KYC document hashes
2	Revenue-share scrubbing	Operator or affiliate side	NGR distribution materially diverges from program baseline
3	Self-excluded re-registration	KYC + GAMSTOP/state registers	Self-exclusion match across device, payment, or document hash
4	Jurisdiction laundering (US traffic to Curacao)	Affiliate routing layer	ASN/geo mismatch between declared and actual user location
5	KYC bypass services	Pre-deposit verification	KYC vendor failure-then-success pattern + shared document hashes
6	Loyalty-program farming	Aged accounts, time-limited offers	Cluster of aged accounts claiming bonuses in narrow windows
7	Click flooding on bonus pages	Last-click attribution	Implausibly high click-to-FTD ratio from a single affiliate ID
8	Cookie stuffing for FTD attribution	Pre-click	FTD from a referrer with zero on-page engagement

1. Bonus-abuse multi-accounting using stolen IDs

What it is. Fraudsters use stolen, synthetic, or rented identity packages to open multiple accounts and claim each welcome bonus or no-deposit offer, then cash out where bonus terms allow.

How it works. The fraud ring sources identity packages on dark-web markets or through “fullz” vendors, then automates the registration funnel with rotated device fingerprints, residential proxies, and disposable email addresses. KYC documents are forgeries or stolen scans, often re-used across operators. Bonus value is extracted through wagering-requirement-completion strategies that minimize variance.

Detection signal. Device-fingerprint cluster plus repeated KYC document hashes across accounts that present as separate users. Canvas, WebGL, audio context, and font enumeration produce a multi-signal fingerprint that is much harder to vary than IP. Document-hash matching with the KYC vendor (Jumio, Onfido, Sumsub) catches the re-used identity packages directly.

Who pays. The operator absorbs the bonus loss, the KYC processing fee, the AML review cost, and, if a self-excluded user is part of the cluster, the regulatory exposure. Affiliates routing this traffic typically retain their CPA or revenue-share commission unless the operator’s fraud-clause scrubbing removes the cohort.

2. Revenue-share scrubbing

What it is. Either the operator removes “unprofitable” players from the affiliate’s revenue-share base, or the affiliate filters depositing winners to other brands and declares only losers under the contract. Both are scrubbing, but they happen in different directions.

How it works on the affiliate side. A sophisticated affiliate operates multiple brand contracts in parallel. Depositing players who look like winners (large deposits relative to bonus, low playthrough patterns, professional-grade play) get re-routed to a competing brand or a different account. Losers, who fit revenue-share economics, stay on the contract. The affiliate optimizes the cohort the operator sees.

How it works on the operator side. The operator’s affiliate manager retroactively flags genuine winning players as “fraud” or “bonus abuse” to remove them from the affiliate’s NGR pool. The contract carve-outs for fraud are broad enough that this is hard to dispute. The operator keeps the player’s losses, the affiliate sees a shrunken base.

Detection signal. NGR distribution of the scrubbed cohort versus the unscrubbed cohort. Statistically, scrubbing for legitimate fraud produces a scrubbed cohort with disproportionate bonus-abuse markers (short account life, no second deposit, KYC anomalies). Operator-side fraudulent scrubbing produces a scrubbed cohort whose loss profile is indistinguishable from the unscrubbed cohort, the diagnostic is “the scrubbed players were not actually bad players.”

Who pays. Either the operator (when affiliates scrub winners off) or the affiliate (when operators scrub genuine winners to suppress payout). Scrubbing disputes are the most contested commercial event in iGaming affiliate management.

3. Self-excluded user re-registration

What it is. A user enrolled on GAMSTOP (UK), a state self-exclusion register (NJ, PA, MI), or an operator-level self-exclusion list re-registers under a synthetic identity or stolen documents, often funneled through an affiliate marketing the operator.

How it works. The user (or a third party doing it for them) creates a new identity package and runs the standard registration funnel. The affiliate, knowing or not knowing, earns the FTD bounty. The operator accepts the deposit, and the self-exclusion breach is now live.

Detection signal. Self-exclusion list match against device fingerprint, payment instrument, or KYC document hash. IP-level checking is necessary but insufficient. Device fingerprint plus payment-token correlation catches most re-registrations even when the declared identity is different from the originally excluded user. ^[2]

Who pays. The operator carries the regulatory exposure, which is the most serious cost in this category. UKGC has issued enforcement actions and fines for self-exclusion failures. The affiliate may or may not be sanctioned commercially, depending on whether the operator can demonstrate that the affiliate was complicit or negligent.

4. Jurisdiction laundering (selling US traffic as Curacao)

What it is. An affiliate routes US-resident traffic into a Curacao-licensed (or other offshore-licensed) operator that is not authorized to accept US players, then declares the FTD as if it came from an authorized jurisdiction.

How it works. The affiliate uses one of three routing tricks. First, a “geo-cleaner” redirect that forces a VPN handshake before the deposit page. Second, a parameter manipulation on the tracker that overrides the declared geo. Third, simple misclassification at the affiliate’s lander, with no real geo enforcement. The end state is the same: a US player deposits on a brand that is not licensed in any US state.

Detection signal. ASN and geo-consistency mismatch between declared user location and the technical fingerprint of the click. Browser time zone, language headers, payment-instrument BIN country, KYC document country, and IP ASN all have to align for a click to be jurisdiction-consistent. A single layer mismatch is the diagnostic.

Who pays. The operator carries direct regulatory exposure if a US state authority enforces. The affiliate carries reputational exposure and contract loss. The US-state-licensed operator competing for that same player loses the business. This is one of the highest-stakes patterns in offshore iGaming.

5. KYC bypass services

What it is. A specialist fraud vendor, often advertised on Telegram or specialist forums, sells “pre-verified” synthetic identity packages designed to clear a specific operator’s KYC stack. Affiliates working with these vendors send pre-verified traffic through the registration funnel.

How it works. The vendor reverse-engineers a target KYC stack (Jumio, Onfido, Sumsub configuration) and builds identity packages that pass the specific checks. Document forgeries are produced at scale, often using deepfake-quality video for liveness checks. The packages are sold in batches and routed through affiliate landers that funnel directly to the registration page.

Detection signal. KYC vendor failure-then-success patterns, where the same document hash or biometric fingerprint fails verification on one operator and clears it on another within a short window, plus shared document hashes across “separate” accounts on the same operator. Bot-detection on the liveness step catches the lower-end packages.

Who pays. The operator, in bonus loss plus KYC processing cost plus AML triggers when payments flow through. KYC bypass services are also AML reportable when detected, which raises the regulator-facing cost above the commercial fraud value.

6. Loyalty-program farming

What it is. Aged accounts (real or synthetic) are mined for loyalty-program rewards: cashback bonuses, free spins, reload offers, parlay insurance tokens. The fraud is the same as welcome-bonus abuse, but the accounts have history.

How it works. A multi-account network maintains a portfolio of aged accounts, often acquired through earlier waves of bonus abuse or bought from prior owners. The accounts deposit just enough to maintain loyalty-tier status, then claim time-limited reload offers in narrow windows. Wagering-requirement-completion strategies extract the bonus value.

Detection signal. Cluster of aged accounts claiming the same time-limited offer with shared device fingerprints, payment-token overlap, or behavioral synchronicity. Loyalty fraud is harder to detect than welcome-bonus fraud because the accounts are not new, the diagnostic shifts from “registration anomalies” to “cross-account behavioral correlation.” Who pays. The operator, in cumulative bonus value over the life of the network. Loyalty fraud is structurally less visible than welcome fraud because each event is small and the accounts look legitimate at a glance.

7. Click flooding on bonus pages

What it is. An affiliate fires a high volume of low-quality clicks at the operator’s bonus pages, exploiting last-click attribution to claim FTD commission on signups that other channels actually drove.

How it works. The affiliate spreads clicks across an audience that is broad enough to overlap with the operator’s organic, paid-search, and TV-driven traffic. Some users in the click pool will later register organically through other channels, and the affiliate’s last click wins attribution. Click farms targeting promo-code search terms are the most common implementation.

Detection signal. Implausibly high click-to-FTD ratio from a single affiliate ID, paired with a click distribution that is geographically and temporally uncorrelated with the resulting FTDs. The mobile-specific variant looks like normal CTIT, which distinguishes it from click injection. See our 12 types of affiliate fraud breakdown for the cross-vertical view.

Who pays. The operator, in commission to an affiliate who did not drive the demand. Genuine paid-search and direct-response channels lose attribution credit and may scale back budget on what looks like underperforming campaigns.

8. Cookie stuffing for FTD attribution

What it is. An affiliate drops their tracking cookie onto users’ browsers without the user clicking an affiliate link. When the user later registers and deposits through any channel, the stuffed cookie wins last-click attribution and the affiliate is paid CPA or revenue share on the FTD.

How it works. Hidden iframes, popunders that load and close in under a second, image-tag affiliate URLs, and forced redirects through bought ad traffic. Each method sets the affiliate cookie without showing the user an affiliate-branded experience. iGaming-specific variants run cookie-stuffing alongside content sites that look like sports-news or casino-review properties to provide cover for the technique.

Detection signal. FTD attribution to a referrer with zero meaningful engagement on the affiliate’s claimed pages. Time-on-affiliate-page near zero, no scroll, no clicks, but the affiliate cookie is present at registration. Server-side fingerprinting of the affiliate lander catches the cookie-set-without-pageview case directly.

Who pays. The operator, in commission on an FTD that would have happened anyway. Revenue-share contracts compound the cost because the cookie wins lifetime attribution, not just the one-shot CPA.

How do operators detect iGaming-specific fraud signals?

iGaming operators deploy detection across four signal layers, with each layer tuned for patterns specific to the vertical. ^[4] The signal stack matters because a single layer (IP, device, KYC, behavior) catches a fraction of the eight patterns; multi-signal correlation catches the bulk.

Payment pattern correlation

The strongest single signal is payment-instrument correlation across “separate” accounts. BIN ranges, payment-processor tokens, e-wallet identifiers, and crypto-wallet addresses cluster fraud rings more reliably than device fingerprints because payment instruments are scarcer and harder to rotate. A wallet that funds 12 accounts within 48 hours is a textbook multi-account cluster.

Cross-account device fingerprint matching

Canvas, WebGL, audio context, font enumeration, screen metrics, and timezone produce a multi-signal device fingerprint that is materially harder to spoof than IP. Cross-account fingerprint matching catches bonus-abuse multi-accounting, self-excluded re-registration, and loyalty-program farming with a single rule layer (IAB Tech Lab, 2025, publishes the affiliate-fraud detection standards and IVT taxonomy that most operator-side fingerprint stacks align to). Modern fingerprint stacks survive normal browser variation and detect the canonical mass-spoofing tools.

LTV (lifetime value) divergence

In revenue-share programs, the strongest lagging signal is LTV divergence by affiliate cohort. A clean affiliate cohort produces a recognizable LTV decay curve: meaningful share retain at 30 days, smaller share at 90, long-tail revenue at 12 months. A fraud-heavy cohort spikes at FTD and decays to zero within days. Cohort LTV against program baseline surfaces revenue-share scrubbing and incentivized-traffic patterns that pre-deposit signals miss.

Self-exclusion list matching

Every licensed iGaming operator is required to check incoming registrations against the relevant self-exclusion register: GAMSTOP in the UK, state-level registers in the US, operator-level lists where the user has self-excluded directly. Modern checking does not stop at name and date of birth, it extends to device fingerprint, payment-instrument hash, and KYC document hash. ^[2]

The typical disqualification threshold for an FTD is two or more signal layers firing on the same registration or affiliate cohort over a rolling window. Single-signal flags get manual review. Multi-signal patterns get a deposit hold, KYC re-verification, and, where regulatory thresholds are met, a suspicious-activity report (SAR). For the cross-vertical view of detection stacks, see our click fraud protection pillar.

The legal and regulatory angle: AML and self-exclusion obligations

Detected fraud in iGaming is rarely “just” a finance event. Under UKGC licence conditions, MGA’s Player Protection Directive, and US state gaming laws (NJ DGE, PA PGCB, MI MGCB), licensed operators carry explicit obligations to identify and act on indicators of money laundering, identity fraud, and self-exclusion breaches. ^{[2] [3]}

The practical implications:

• AML and SAR obligations. Patterns of multi-accounting with stolen or synthetic IDs are AML triggers. Detected fraud frequently feeds a suspicious-activity report to the relevant FIU (the UK’s NCA, Malta’s FIAU, FinCEN-aligned bodies in US states).
• Self-exclusion enforcement. A self-excluded user identified at the registration stage must be refused service, and operators must document the detection. Failure to detect is itself a licence-condition breach in the UK.
• Affiliate compliance. Both UKGC and the MGA Affiliates Code of Conduct hold the licensed operator responsible for the conduct of its affiliates. Operator-side detection is the audit trail that demonstrates due diligence, the absence of it is, by itself, a regulator concern. ^[3]
• Jurisdiction laundering. US-state regulators have, and use, the power to sanction operators whose affiliate networks route non-licensed traffic. NJ DGE, PA PGCB, and MI MGCB each maintain enforcement records that include affiliate-conduct cases.

The takeaway for fraud detection vendors and operator fraud teams is consistent: detection has to produce audit-grade event logs, not just block decisions. The same evidence that supports an affiliate-scrubbing dispute also supports a regulator-facing compliance case.

Citation capsule. UKGC licence conditions and the MGA Affiliates Code of Conduct hold the licensed operator responsible for affiliate conduct, including responsible-gambling messaging and self-exclusion compliance. ^{[2] [3]} Industry estimates put iGaming affiliate fraud rates materially above the cross-vertical 45% benchmark, with operator-side scrubbing rates of 15-30% common on poorly vetted programs. ^[1]

Affiliate scrubbing: legitimate dispute versus operator-side fraud

Affiliate scrubbing is the most disputed commercial event in iGaming, because the same action (the operator removes declared conversions from the commission base) can be either compliance hygiene or commercial fraud depending on who is actually a bad player. ^[5] The honest read from field experience is that both happen, often at the same operator, and the diagnostic is statistical, not contractual.

Legitimate operator scrubbing removes:

• Bonus abusers identified after the FTD (multi-account fingerprint clusters, KYC document re-use, payment-instrument overlap)
• Chargeback events on the deposit, where the affiliate effectively delivered a stolen-card payment
• Self-excluded users caught after registration (the operator must refuse service and remove the affiliate credit)
• Jurisdiction-breach registrations where the user turned out to be in a non-permitted state or country
• KYC failures that surface after the bonus window

Operator-side fraudulent scrubbing removes:

• Genuine winning players, on a “fraud” classification that, when examined, does not match any of the above patterns
• Higher-value cohorts disproportionately, with the loss profile of the scrubbed group indistinguishable from the kept group
• Players from affiliates the operator wants to push off contract, often after the affiliate reaches a revenue-share tier the operator finds expensive

The diagnostic is scrubbed-cohort statistics against unscrubbed-cohort statistics inside the same affiliate. If the scrubbed cohort matches known fraud markers, it is legitimate. If it does not, it is the operator scrubbing for commercial reasons. Both affiliates and operators benefit from third-party, audit-grade event logs that document which case applies. “best affiliate fraud detection software”

How do you integrate fraud detection into the iGaming affiliate stack?

There is no single product called “iGaming affiliate fraud detection.” There is an architecture choice across click, registration, KYC, deposit, and lifetime layers. The integration patterns we see in operator reviews cluster into three levels.

Click and registration layer

A JS tag on lander pages plus a server postback at registration, scoring clicks and registrations against device, network, and behavioral signals. Catches bonus-abuse multi-accounting, geo-spoofed clicks, click flooding, and cookie stuffing pre-deposit. Suitable for smaller operators or those running mostly direct paid traffic. This layer alone misses revenue-share scrubbing and LTV-divergence patterns because it does not see post-FTD activity.

Click plus affiliate-tracker integration

The click layer plus S2S postback integration with the affiliate tracker (Cellxpert, Income Access, MyAffiliates, in-house). Scores clicks, registrations, and FTD events with the affiliate ID propagated through. Surfaces incentivized-traffic and cross-product arbitrage patterns at the affiliate-cohort level. Standard for any operator running an affiliate program above modest volume. See click fraud protection for affiliate trackers for the integration walkthrough.

Click plus affiliate plus KYC and AML feed

The full stack. Click and affiliate detection feed into KYC vendor risk scoring, and detected fraud signals route into the operator’s AML system as inputs to SAR triage. Mandatory in our view for UKGC- and MGA-licensed operators with regulator-facing audit obligations, and increasingly expected by NJ DGE, PA PGCB, and MI MGCB on the US side. ^[2]

The integration choice is, in practice, a function of the operator’s risk tolerance and licensing posture. A Curacao-licensed offshore brand can run the click-layer-only stack and accept the loss profile. A UKGC-licensed multi-state US operator cannot.

Where Adsafee fits

Adsafee provides multi-signal click and conversion fraud detection across iGaming traffic: search, social, programmatic, push, native, and affiliate. The detection layer scores clicks, registrations, and FTDs on technical, behavioral, network, and payment-instrument signals, with native integrations into Cellxpert, Income Access, MyAffiliates, and in-house affiliate trackers via S2S postback. Audit-grade event logs are retained for regulator-facing review under UKGC, MGA, and US state gaming compliance frameworks. In our field experience, iGaming operators switching from no detection to multi-signal real-time detection reduce affiliate scrubbing disputes by 30-60% and recover 10-25% of commission spend within 90 days. If you are running a regulated casino, poker, or cross-product iGaming brand and want to see where bonus abuse, jurisdiction laundering, and scrubbing risk sit inside your affiliate funnel, start a free trial, the first audit takes about 10 minutes to configure.

---

Sources

1. Spider AF, Affiliate Fraud Benchmark Research, industry benchmark putting roughly 45% of affiliate traffic in the invalid or fraudulent category, with iGaming running materially above average. spideraf.com ↩

2. UK Gambling Commission, Licence Conditions and Codes of Practice (LCCP), social responsibility, affiliate marketing oversight, self-exclusion (GAMSTOP), and AML obligations for licensed operators. gamblingcommission.gov.uk ↩

3. Malta Gaming Authority, Affiliates Code of Conduct and Player Protection Directive, operator obligations on affiliate conduct, self-exclusion, responsible-gambling messaging, and fraud reporting. mga.org.mt ↩

4. EGR (eGaming Review), industry coverage on affiliate fraud, scrubbing disputes, and KYC bypass markets, operator-side reporting on affiliate conduct and detection practices in regulated iGaming. egr.global ↩

5. iGaming Business, industry coverage on affiliate compliance, revenue-share contracts, and regulator-facing affiliate cases, market reporting on UKGC, MGA, and US-state affiliate enforcement. igamingbusiness.com ↩