The ATO ring hiding in plain sight Skip to content
When the world plays, we don't blink. Our real-world signals support betting, streaming, and more.
Learn How >>

The ATO ring hiding in plain sight

Read time:
0 minutes

Maybe this one rings a bell: an influx of ATO reports had this partner flummoxed. Customer trust in flux, refunds piling up, and no clear way to stop it without making life harder for the users who did nothing wrong.

It’s not a new dilemma: tighten controls to fight back, and legitimate users get spammed with one-time password requests. Loosen them, and get hit with a pile of chargebacks. The age-old fraud vs friction battle. Lose-lose.

Until this organization looked at ATO through the lens of precise location.

Welcome to GeoComply’s Fraud Files—true fraud stories from fraud front lines.

Today, Claire Latour, Senior Fraud and Risk Analyst at GeoComply, takes us to the east coast of Brazil, where a single residential apartment building turned out to be the epicentre of a coordinated account takeover ring.

The difference between seeing ATO and stopping ATO

Map view of confirmed fraudulent activity

Legitimate customers filed legitimate complaints: accounts hijacked, funds drained. The organization watched it happening, but they couldn’t get ahead of it. The signals were unclear, and the risk of blocking an innocent user was too high for them to take action.

The hard truth: ATO is like that.

Unlike bonus abuse or emulator farms, there’s rarely a single smoking gun. Credential? Valid. Device? Looks clean. Even behaviour post-login can appear normal if the attacker already knows the account.

“The challenge with ATO is that it’s dynamic and multi-vector,” Claire says. “Phishing, credential stuffing, social engineering—often it’s a combination of all three. Existing risk stacks aren’t set up to look at these tactics and behavioural patterns in tandem.”

It’s too noisy to move with confidence. And by the time a clear fraud flag fires (if it even does) the money has already moved.

ATO is an industrial attack, targeted at the cracks

The ATO detection gap is a structural problem.

Most fraud controls are designed to evaluate individual attempts in isolation. Think: IDPV, 2FA, biometrics. Each layer checks its own box.

But ATO rings aren’t running individual attempts. They’re running high-scale operations designed to fly under per-attempt thresholds.

“ATO is rarely personal. It’s an industrial attack vector,” Claire says. “Fraudsters are using AI to get through identity verification, manipulating their way past MFA. Without the right signals, it’s very difficult to see, with certainty, when ATO is actually happening.”

Tackling this is a tricky balance. Move without certainty, and you risk false positives. Try to trip attackers up with one-time passwords and other layers of verification, and you send users running from friction.

The difference in this story wasn’t another point-in-time check, but an intelligence upgrade that plugged the existing gaps and connected the dots.

What came to light: dedicated hotspots where ATO was originating from.

Connecting the dots with location

Users and devices active within one geohash

After layering in our location and device signals, the risk team discovered:

  • 13 established accounts of varying history were accessed on just two device types
  • These device types had no previous links to these users
  • They were all operating from the same residential building
  • At a location where none of these accounts had any established history

Looking back 60 days, that same location had seen:

  • 68 users
  • 263 “unique” devices
  • Which showed signs of manipulation and resets

“While the tactics fraudsters use are often sophisticated, they still have to operate from a device at a physical location. That’s the layer we help expose: consistent links across devices and locations that keep appearing in connection with ATO activity. Once you can see those links, the pattern becomes very hard to ignore.”

Zooming out to zoom in: fraud through the lens of location

Geohash view of Brazil, showing activity density at regional level

If you know how location can be used to investigate fraud, feel free to skip ahead. If not, real quick:

  • We focus on small geographic areas. With precise location, that’s as close as a few metres.
  • Users, devices, and transactions are grouped within these areas, making it instantly visible when suspicious density builds in one location.
  • In practice, this shows up as a heatmap, with a colour view that shows high-density activity—so you can literally zoom in to find red flags.

“Our technology gives us an organised, visual view of device activity at the location level,” Claire says. “Instead of chasing individual compromised accounts, fraud investigators can zoom out to see the full picture and then zoom straight in on the fraud. It turns what would otherwise be a months-long manual investigation into something you can act on in real time.”

This is the difference between a suspicious flag at login that isn’t strong enough to warrant action, and a confident picture of ATO.

By combining these device, location, and behavioural signals, this organization was able to surface suspicious activities, such as device resets, account creation patterns, and spoofing indicators, and map it all back to precise locations.

Under neighbourhood watch

Signal view of multiple users at same geohash and multiple users on same devices

With this intel, the organisation could see the ATO ring clearly:

  • The same devices being reset
  • Used to break into accounts
  • Repeated at scale

Because they could see exactly where the activity was coming from, they set up perimeter alerts to automatically flag any further activity at this address in real-time. This helped them stop the attacks by challenging or blocking activity originating from that high-risk location.

“This is what shifts you from being reactive to proactive in stopping ATO,” Claire says. “You’re not waiting for the chargeback. You’re not cleaning up after the fact. You’re seeing the pattern while it’s still active and acting on it in the moment. Which is really the only window that actually matters.”

Layering in location to poke holes in ATO

Okay, now’s the part where we get nerdy about the power of location.

ATO rings use tactics that can defeat controls in isolation:

  • A stolen credential → defeats a password check.
  • A deepfake → defeats a biometric check.
  • A residential proxy → defeats an IP check.
  • Social engineering → defeats MFA entirely: a fraudster researches the victim, answers basic verification questions, convinces a customer service agent to bypass 2FA, and walks straight to withdrawal.

When the credential is clean and the device check passes, most fraud stacks have nothing to flag.

Except location. That signal is almost always suspicious.

Because here’s what fraudsters can’t fake: they can steal a username and password, scrape for security question answers, and tap into a residential proxy. But they can’t teleport into the living room, office, or coffee shop where the true account holder actually does their thing.

“Precise location builds a trusted picture of normal account behaviour over time,” Claire says. “A password reset or withdrawal request originating from somewhere an account has never been seen before is a materially different event from the same action at a familiar address. Most stacks treat them identically. We don’t.”

Adding this quiet layer of device, location, and behavioural intelligence will quickly surface high-confidence ATO signals without cluttering up the user journey.

The TL;DR

ATO doesn’t leave a single smoking gun. It leaves a pattern: device histories that don’t match, locations that have never been seen on an account, connections to other accounts already associated with attacks.

Those signals exist. The question is whether your stack is surfacing them at the right moment.

What made the difference here:

  • High-confidence location and device signals: Exposing the physical reality behind sessions
  • Location-level clustering: Turning individual data points into a visible, actionable risk picture
  • Continuous monitoring: Catching the ring while it was still active, not after the damage was done.
  • Automated responses: Blocking activity at the source without manual review for every case.
  • Using intelligence instead of friction: Layering in signals silently, rather than relying on frictional intervention that hurts good users.

Caught between stopping ATO and protecting the experience for good users? To explore how location could alleviate the need for one-time passwords and change the way you investigate ATO, set up a chat with our fraud analysts.

Claire Latour | Senior Fraud and Risk Analyst, GeoComply

Claire Latour is a Senior Fraud and Risk Analyst at GeoComply, where she works directly with operators on the front lines of emerging fraud threats. She’s known for working deskside with client teams, bridging the gap between what analysts see in the data and what GeoComply’s ML models are tuned to catch.

Madeleine Ritzker | Fraud Journalist, GeoComply

Madeleine Ritzker covers fraud intelligence for GeoComply, translating the hard work of the industry’s risk and fraud teams into stories that reveal what’s actually happening on the digital front lines. Fraud Files is your way to keep up with the latest tricks and trends sweeping through the darkest corners of the web.

Images in this article have been modified to protect personally identifiable information, but remain representative of the real case details.

Related Posts

Here’s to the next chapter: DraftKings renews multi-year agreement with GeoComply 

The ~2,000-strong device emulator farm in London’s fanciest neighbourhood

How Dabble tracked 250 bonus abuse accounts to one UK house