When fraud networks create automated bot signups, they must make each session look like it comes from a unique human buyer. They route connections through VPNs and rotating residential proxy systems, changing the IP address for every conversion.
However, while changing an IP address is simple, spoofing a convincing and unique hardware signature for every session is far harder. By tracking **device fingerprinting hashes**, merchants can identify when dozens of conversions referred by an affiliate are actually originating from the same physical machines. Let's look at how to spot duplicate fingerprints.
What is a device fingerprint?
A device fingerprint (or browser fingerprint) is a unique identifier compiled by reading a wide variety of client-side settings, hardware configurations, and browser properties. It does not rely on cookies or IP addresses.
To compile a fingerprint hash, advanced tracking scripts analyze:
- Canvas rendering signatures: How the browser renders a hidden WebGL or 2D canvas element, which varies based on GPU hardware.
- Audio context hashes: Sub-millisecond timing measurements of audio rendering processes.
- Hardware specifics: The exact number of CPU cores, GPU vendor, system memory, and device screen resolution boundaries.
- Environment specifics: Installed system fonts, browser permissions states, language settings, and speech API availability.
The combination of these details creates a unique, repeatable signature. The probability of two unrelated human customers sharing the exact same hardware hash is less than 1 in a million.
How fraudsters end up with duplicate fingerprints
When using automated headless browsers (like Puppeteer), developers use plugins like `puppeteer-extra-plugin-stealth` to fake standard headers. However, because they run these scripts inside the same virtual server or container nodes:
- The **Canvas rendering hash** stays identical across thousands of sessions because they share the same backend graphics drivers.
- The **WebGL vendor** and rendering characteristics show duplicate signatures.
- The installed font libraries match perfectly, pointing to a standard headless server configuration.
How BotRefund identifies duplicate devices
BotRefund runs high-precision hardware fingerprinting on all conversion steps.
When a signup occurs, BotRefund checks the device hash against all other conversion logs in the project database. If it detects multiple signups under different emails and IPs sharing the exact same canvas hash, GPU renderer, and font list, it flags the affiliate ID for immediate review, preventing payout on duplicate emulator traffic.
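The duplicate-device check described above, as an added example (not BotRefund's own code): it builds a composite device hash from the canvas hash, GPU renderer and font list, groups conversions by that hash, and flags affiliates whose identical devices appear under several distinct emails and IPs. The conversion log, field names and threshold are constructed assumptions; a returning customer on one machine is deliberately not flagged.

```python
import hashlib
from collections import defaultdict

def rec(affiliate_id, email, ip, canvas_hash, gpu_renderer, fonts):
    """Build one conversion record (field names are assumptions for this example)."""
    return {"affiliate_id": affiliate_id, "email": email, "ip": ip,
            "canvas_hash": canvas_hash, "gpu_renderer": gpu_renderer, "fonts": fonts}

# Constructed sample conversion log, not real traffic.
HEADLESS = ("c0ffee01", "Google SwiftShader", ["Liberation Mono", "DejaVu Sans"])
CONVERSIONS = [
    # aff-17: four signups, four emails, four IPs, but one identical headless device
    rec("aff-17", "a@example.com", "203.0.113.5", *HEADLESS),
    rec("aff-17", "b@example.com", "198.51.100.9", *HEADLESS),
    rec("aff-17", "c@example.com", "192.0.2.77", *HEADLESS),
    rec("aff-17", "d@example.com", "203.0.113.88", *HEADLESS),
    # aff-42: three signups from three genuinely different machines
    rec("aff-42", "e@example.com", "198.51.100.20", "9a1b2c3d", "NVIDIA GeForce RTX 3060", ["Arial", "Calibri"]),
    rec("aff-42", "f@example.com", "198.51.100.21", "4e5f6a7b", "Apple M1", ["Helvetica", "Menlo"]),
    rec("aff-42", "g@example.com", "198.51.100.22", "8c9d0e1f", "Intel Iris Xe", ["Segoe UI", "Consolas"]),
    # aff-42: the same customer returning on the same machine is not duplicate traffic
    rec("aff-42", "e@example.com", "198.51.100.20", "9a1b2c3d", "NVIDIA GeForce RTX 3060", ["Arial", "Calibri"]),
]

def device_hash(record):
    """Composite device signature: canvas hash + GPU renderer + sorted font list."""
    material = "|".join([record["canvas_hash"], record["gpu_renderer"],
                         ",".join(sorted(record["fonts"]))])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def find_duplicate_devices(conversions, min_identities=3):
    """Group conversions by device hash and flag affiliates whose single device
    signed up under at least `min_identities` distinct emails AND distinct IPs.
    Returns {affiliate_id: [device_hash, ...]} for manual review."""
    groups = defaultdict(list)
    for record in conversions:
        groups[device_hash(record)].append(record)
    flagged = defaultdict(set)
    for dh, records in groups.items():
        emails = {r["email"] for r in records}
        ips = {r["ip"] for r in records}
        if len(emails) >= min_identities and len(ips) >= min_identities:
            for r in records:
                flagged[r["affiliate_id"]].add(dh)
    return {aff: sorted(hashes) for aff, hashes in flagged.items()}

if __name__ == "__main__":
    for aff, hashes in find_duplicate_devices(CONVERSIONS).items():
        print(f"review affiliate {aff}: duplicate device(s) {hashes}")
```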
Frequently Asked Questions
What is canvas fingerprinting?
It is a browser fingerprinting technique that prompts the browser to render a hidden block of text or shape. Differences in GPU, graphics drivers, and installed fonts change the rendered pixels, and hashing that pixel output produces a signature that identifies the physical hardware.
Can bots randomize browser fingerprints?
While emulators can randomize user-agents, they cannot easily randomize hardware-level canvas or audio context signatures without breaking rendering capabilities, which is easily detected as an anomaly.
Is browser fingerprinting compliant with GDPR?
Yes. When used strictly for security, fraud prevention, and validation (rather than tracking user history for advertising), device fingerprinting falls under the "legitimate interest" lawful basis in data protection laws.