Leverage location intelligence to pinpoint where multi-accounting rings, ATO hotspots, and bonus abusers are. Then, stop them in the act.
650+ new accounts. 650+ new account promotions claimed. All from a handful of hotels in New Jersey.
In a legacy fraud stack, this looks like 650+ different usernames, device IDs, and IP addresses. In other words, a giant haystack of disconnected data points.
Which is why we developed a model that takes all of that intel and plots it on a map. It’s called the High-Risk Locations Model, and it literally maps out glaring hotspots of suspicious activity as it occurs.
That’s how we figured out those 650+ accounts were being created in the same select places.
Here, Ali Jalalifar, Senior Data Scientist in GeoComply’s Product and Engineering team, breaks down everything you need to know about the High-Risk Locations Model: how we built it, how it works, and how it’s revolutionizing the day-to-day for fraud and risk investigators.
The problem: Promos and bonuses open platforms up for exploitation
You don’t need us to tell you that customers these days demand something back. Rewards programs win market share, especially in cutthroat sectors like e-commerce, fintech, and iGaming.
But with rewards come risks: fraudsters use high-tech methods like device farms, bots, and stolen credentials to pose as good customers so they can exploit promos and drain bonuses. And they’re hard to catch.
“Fraud teams are often left with a mess of disconnected clues, manually stitching together user info, device IDs, easily-spoofed IP addresses. This can take days to sort through and piece together. By the time a pattern becomes clear (if it does at all) it’s too late. The money is gone,” Ali explains.
Rewards reaped. Acquisition and marketing spend wasted. Investigation time drained.
The playbook has become easy to execute: traditional fraud signals—account IDs, payment details, KYC data, email addresses—are easy to simulate, swap, or steal. Fraudsters create an account with a fake ID, drain the bonus, wipe their device, and start all over again.
Rinse, repeat.
Each attack is “one and done”, so by the time you pick up on the pattern, you’ve already taken the hit.
The same problem shows up in ATO
Bonus abuse gets the headlines, but it’s not the only fraud type that exploits disconnected data.
Account takeover works the same way: an attacker accesses a legitimate account from a new device, in a new location, and nothing in the traditional signal stack flags it as anomalous because each data point looks plausible in isolation.
The solution: Ground truth signals that expose the attackers
Fraudsters can try to spoof WiFi, root devices, swap IDs… But once you know where they are and what device they’re using, there’s nowhere to hide.
Our High-Risk Location Detection stops fraud at the source by tying the risk directly to a fraudster’s physical location, device activity, and behavioural patterns.
What is High-Risk Location Detection?
GeoComply’s ground truth intelligence goes way beyond simple IP detection and device fingerprinting. It employs a full stack of 820+ granular signals, including:
- Location intelligence, including WiFi, cellular, GPS, VPN/proxy detection, and advanced spoofing detection.
- Deep device intelligence, including detection of rooted/jailbroken devices, malicious software, emulators, and RDPs.
- Behavioural intelligence, including link analysis between devices and locations and account creation patterns.
“Our High-Risk Location Detection model takes all of this intelligence and maps it to precise locations using advanced geo-hashing,” Ali explains. “The model scores locations in real-time. Once a geohash crosses the risk threshold, it goes into a real-time enforcement table and every new signup at that location gets flagged the instant it happens.”
The faster you see it, the faster you stop it. High-Risk Location Detection works in tandem with our device manipulation and link analysis models to spot promo and bonus abuse as it happens, shifting you from reacting after the hit to shutting it down mid-play.
Remember those 650+ accounts we mentioned? That’s exactly how GeoComply’s Fraud and Risk Team flagged the activity, allowing our partner to act fast with high confidence.
“The High-Risk Location model isn’t a standalone detector, it’s an intelligence layer,” Ali says. “When a location flags, that signal feeds into everything else: device signals get weighted differently, identity checks carry more context, behavioral patterns get interpreted against a known risk environment. A user who looks borderline on any single signal can look very different once you know they’re operating from a geohash with a high confirmed-fraud rate.”
Wait. What’s a geohash?
Geohashing divides the Earth’s surface into a grid of cells, each represented by a short alphanumeric code. The longer the code, the more precise the cell: a 4-character geohash covers a wide area whereas a 7-character geohash narrows it down to roughly the footprint of a single building.
Every user session, device check, and transaction that occurs within a cell gets the same geohash tag. That shared identifier is what makes location-based pattern recognition possible at scale.
“When you assign a geohash to every data point, density becomes queryable,” Ali says. “Instead of chasing individual accounts, investigators can instantly see how many users, how many devices, and how many transactions are resolving to the same physical location, and over what time window.”
GeoComply’s ML models map behavioural signals—device resets, account creation patterns, spoofing indicators—to geohash cells in near real-time. When activity in a cell crosses a risk threshold, the model surfaces it as a ranked signal, with full context attached.
A single new account on a new device is unremarkable. 650 of them resolving to the same geohash cell is not. And that pattern only becomes visible when location is treated as a first-class signal.
How can fraud teams use High-Risk Location Detection?
All of this intelligence is accessible to your Fraud and Risk Team via API or through GeoComply’s Case Management System.
“We’ve built it to suit your risk appetite,” Ali says. “You have access to tools and systems that make manual investigation far quicker and more efficient. You can also set up automated action, so when activity occurs in a location deemed high-risk, you can choose to monitor, step-up, or block the user.”
Triage: Get real-time risk signals
The days of searching through the haystack are over.
The model ranks and prioritizes cases by risk, eliminates duplicates, and lets analysts snooze lower-priority alerts, so the most urgent activity surfaces first.
One click from GeoComply Hub opens a full case: pre-populated coordinates, satellite view, complete activity history.
Investigate: Decide what’s fraud, with confidence
See the whole story in one screen.
Device resets, transaction spikes, spoofing indicators, account creation patterns are all surfaced in context, tied back to a confirmed physical location.
Analysts get the full picture before making a call, reducing false positives without slowing down legitimate players.
Contextualize: Spot risks from a mile high
Give your analysts eyes in the sky.
An AI layer analyzes satellite imagery for each flagged location and generates a plain-language summary of what makes it suspicious, whether that’s an isolated rural compound, a residential address with commercial-scale account activity, or a building generating registrations at a rate inconsistent with its footprint.
For example, you get the context of knowing that a suspicious number of accounts are being created at a “rural property surrounded by extensive agricultural land. Location appears isolated with multiple structures forming a small compound. Accessible via dirt roads.”
Act: Home in on fraud hotspots
When something suspicious pings off in your CMS or gets added to your queue, you can set custom perimeters to monitor, zones to exclude, or pinpoint individual users to block one at a time.
That way, you single out the fraudsters, without getting in good players’ way.
Tune: Filter out the noise
What about all those fans at the game?
The model includes approximately 10,000 geohash 7 cells covering stadiums, casinos, malls, and resorts by default, filtering high-density legitimate locations from the fraud signal.
Analysts can adjust thresholds and add custom exemptions, and every case outcome feeds back into the model.
Automate: Close the loop via API
When a location is confirmed high-risk, that intelligence shouldn’t stop at the analyst’s desk.
Via API, high-risk location flags can trigger automated actions directly in your systems, such as step-up authentication at deposit, blocked withdrawals for flagged geohashes, and automatic review queues for accounts created in high-risk cells.
Companies have used this to build threshold-based rules: when a location generates a defined number of flagged accounts above a confirmed-fraud rate within a set window, the system acts without waiting for manual review.
High-Risk Location Detection in action
These are just a few ways our partners have been leveraging High-Risk Location Detection to quickly spot and stop fraudulent activity.
“That new billboard off the NJ-17 is really turning some heads.”
Pictured: Promotional abuse activity at a NJ geohash
When an operator saw a buzz of new devices active in a New Jersey neighborhood, it meant a bunch of new users must have loved the latest promo. Right?
Our device manipulation detection and High-Risk Location Detection models saw that one device was repeatedly:
- Reset to create a new device ID…
- And then used to create new player profiles…
- Which were active for 1-3 days across the same 1-7 locations…
- Before the device was reset again.
Pictured: Closer investigation at this geohash revealed device resetting and multi-accounting
Our ML-models tied at least 33 device UUIDs and 59 users back to this device and location. Further investigation found 51 devices and 71 users linked to this scheme.
“The combo of precise location and device data was the giveaway here,” Ali says. “The High-Risk Location Detection model mapped this activity to a shared hotspot, providing the operator with compelling evidence of coordinated promotional abuse.”
New device, new user—nothing to see here, folks…
Pictured: Suspicious activity at a rural geohash in Brazil
This operator saw an influx of new users active across new devices in one week, with 1 registration per device at a rough rate of 2 registrations per hour.
Suspicious? Maybe. Incriminating? Not quite.
That’s until the High-Risk Location Detection model flagged that this activity originated from the same geohash. We detected these seemingly unique users were:
- All using what appeared to be unique devices…
- To create separate new accounts…
- In the the exact same building.
Pictured: Zooming in on multi-accounting at a high-risk location.
Over the course of 1 week, this geohash tallied 55 new users on 55 new devices.
“The individual device signals weren’t enough for this fraud team to take action on, but the proximity of suspicious activity helped to pinpoint the promotional abuse happening at this high-risk location,” Ali says.
Fraud prevention’s newest frontier
Ground truth device, location, and behavioural intelligence changes the game, and promo hunters are just the start.
“This all maps back to our core strength: precise geolocation. Other fraud models lean on device or behavioural signals, which fraudsters can spoof, swap, or reset.” Ali says. “Precise location is the one signal that’s hard to fake, and the High-Risk Location model turns that signal into hotspot detection at the geohash level. So we’re not adding another detector to the stack, we’re extending what GeoComply does best into a fraud category that’s been hard to crack.”
Ali shares what we’re building towards into the future:
- Persistent location memory. “A location with a confirmed fraud history doesn’t get a clean slate just because a fraudster wipes a device or spins up new accounts. The risk stays tied to the geohash, so the longer the model runs, the harder it gets for fraud rings to keep cycling through the same physical hotspots.”
- Geohash Intelligence. “The next evolution of HRL enriches each location cell with cross-source signals: historical block rates, confirmed fraud density, spoofing hotspot classification, and operator-validated fraud outcomes. Rather than flagging activity spikes, the model will carry a persistent fraud intelligence score for every geohash, updated continuously.”
- Deeper signal fusion. “Location is increasingly the connective tissue between identity, device, and behavioral signals. The roadmap points toward a state where every signal in the stack is interpreted in the context of where it’s happening, not just what it is.”
Bonus abuse and multi-accounting are the most visible use cases today. As the model matures, the same location intelligence that catches a house full of fake accounts is the foundation for detecting account takeover, synthetic identity fraud, and coordinated cross-platform attacks.
Because when every geohash carries a fraud history, there are fewer places left to hide.
Ready to see the hotspots? Book a demo, ask your CSM, or start testing in Explorer today.
Ali Jalalifar | Senior Data Scientist
Ali Jalalifar is a Senior Data Scientist at GeoComply, where he designs and builds the machine learning systems behind GeoComply’s fraud intelligence stack. He leads the development of the High-Risk Locations Model, including its geohash-based detection architecture, real-time pipeline, and the next generation of location intelligence the team is building toward.
Case images have been anonymised to protect personal data. All details shown are reflective of the true investigation.
