I'm working on a phone app that involves users acquiring money and cashing out to their PayPal/bank account/etc. In that context, security is obviously an important concern. Right now I'm building systems to detect users creating multiple accounts. Attackers often try to create many accounts to abuse the system via scripts. If we can detect linked accounts, then we can ban all related users when we find an attack.

So far, I've approached detecting multi-account users by looking for identifying data and matching that between accounts. For example, if two accounts sign in using the same android deviceId, the system will assume they're both operated by the same person.

Currently we capture and match on:

• email addresses and variations on base emails
• device identifiers (androidId/ios device token)
• verified phone number
• paypal/cashout account info

I capture IP addresses, but it looks like many users end up with overlapping IPs eventually, likely because they're using the same VPN services. Some also have self-hosted VPNs which are difficult to detect. We have tricks to detect when people are on VPNs, and could take that into account, but it seems like IPs are difficult to use without introducing statistical guessing (e.g. if two users share 5 IPs they're probably linked). Is there any way to make them more useful or get better data?

Some of the attackers/scams that we face are relatively sophisticated. They have pools of cloud-based emulators and groups of people hired with physical phones. For that reason I think methods involving sessions/cookies are unlikely to be effective.

Are there any other methods used to detect/combat multi-account users? Is there any other identifying info I can get access to?