Report: Sift Uncovers and Blocks Fraud Ring Swarming E-commerce Merchants with Elaborate Account Takeover Campaign

Sift’s Q3 2021 Digital Trust & Safety Index Also Reveals Account Takeover Attacks Skyrocketed 307% Between 2019 and 2021

SAN FRANCISCO, Sept. 30, 2021 (GLOBE NEWSWIRE) -- Sift, the leader in Digital Trust & Safety, today released its Q3 2021 Digital Trust & Safety Index, which details the evolving methods fraudsters employ to launch account takeover (ATO) attacks against consumers and businesses. The report details a sophisticated fraud ring that sought to overwhelm e-commerce merchants by innovating upon typical credential stuffing campaigns. Specifically, the fraud ring, dubbed Proxy Phantom, used a massive cluster of connected, rotating IP addresses in carrying out automated credential stuffing attacks to hack user accounts on merchant websites. Using over 1.5 million stolen username and password combinations, the group flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second—all coming from seemingly different locations.

As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of “whack-a-mole,” with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace. Merchants on Sift’s network were protected against the attacks, as Sift’s platform blocked malicious logins coming from the Proxy Phantom IP clusters.

Based on data from Sift’s global network of over 34,000 sites and apps and a survey of more than 1,000 U.S. consumers, the report examines the growth and evolution of ATO, as well as consumer perceptions and concerns surrounding account takeover attacks.

Account Hacking Explodes During Pandemic

Sift’s Q3 2021 Digital Trust & Safety Index also revealed a staggering 307% increase in ATO attacks between April 2019—shortly after many COVID-19 stay-at-home orders were enacted—and June 2021. This attack method made up 39% of all fraud blocked on Sift’s network in Q2 2021 alone.

Fintech Under Fire
Sift’s network data uncovered significant ATO risk for the fintech and financial services sector and its users. ATO attacks against the fintech sector soared 850% between Q2 2020 and Q2 2021, mainly driven by a concentration on crypto exchanges and digital wallets, where fraudsters would likely try to liquidate accounts or make illicit purchases.

Additionally, nearly half (49%) of consumers surveyed as part of the report feel most at risk of ATO on financial services sites compared to other industries—and with good reason. Of the ATO victims surveyed, 25% were defrauded on financial services sites, validating the public’s sentiment that these sites are some of the riskiest.

ATO Attacks’ Cascade of Chaos
The Index also paints a detailed picture of the ripple effects of ATO attacks on both businesses and consumers alike. Key findings include:

  • Compromise breeds compromise: Almost half (48%) of ATO victims have had their accounts compromised between two and five times.
  • ATO leads directly to brand abandonment: Seventy-four percent (74%) of consumers surveyed say they would stop engaging with a site or app and select another provider if their account was hacked on that site or app.
  • The aftermath of an ATO attack: Forty-five percent (45%) of those who experienced ATO had money stolen from them directly, while 42% had a stored credit card or other payment type used to make unauthorized purchases, and more than one in four (26%) lost loyalty credits and rewards points to fraudsters. Perhaps most worrisome, nearly one in five (19%) victims are unsure of the consequences of their accounts being compromised.
  • Waning trust in e-commerce: One in five (20%) consumers surveyed feel less safe shopping online today than they did a year ago.

Defending Against the Fraud Economy
“As the discovery of the Proxy Phantom fraud ring demonstrates, fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious,” said Jane Lee, Trust and Safety Architect at Sift. “At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the Fraud Economy. To proactively secure customer accounts and fuel expansion into new markets, merchants need to adopt a Digital Trust & Safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth.”

Sift’s Q3 2021 Digital Trust & Safety Index can be found here.

About Sift
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of 70 billion events per month, and a commitment to long-term customer partnerships. Global brands such as Airbnb, Doordash, and Wayfair rely on Sift to gain a competitive advantage in their markets. Visit us at and follow us on Twitter @GetSift.

Media Contact:
Victor White
Director of Corporate Communications, Sift
