Sardine uncovers ATO fraud ring for tier 1 Canadian bank

One of Canada's six systemically important banks needed a stronger defense against account takeover fraud. Cybercriminals were running account takeover (ATO) and credential stuffing campaigns at scale, and the bank struggled to separate legitimate customer activity from fraud.
Facing increased compliance challenges and customer losses, the bank partnered with Sardine to identify risk factors and unmask broader fraud networks. Sardine delivered device intelligence and behavioral biometrics that blocked a spear-phishing attack and uncovered a fraud network of hundreds of accounts.
The challenge: High-volume logins and the “friction” tax
Online banking brings greater access and greater risk of fraud. As fraud rings increase their capabilities, accounts are under constant threat from ATO schemes. Frequent data breaches have put consumers' credentials up for sale on Telegram channels and dark web markets, giving bad actors the raw material for large-scale credential stuffing attacks. The Canadian bank saw firsthand the havoc this can cause.
In practice, the lack of a unified device and behavioral solution slowed investigations and limited the bank's ability to respond. This manifested in three specific ways:
- The manual investigation trap: Without automated detection, analysts spent their time recovering stolen funds and handling reactive support. This turned fraud prevention into a costly administrative chore rather than a proactive strategy.
- The visibility gap: Fragmented systems made it impossible to identify compromised accounts in real time. Without a centralized hub to verify if a user was masking their location or using a hijacked device, the bank struggled to distinguish between bad actors and legitimate customers.
- The friction-loss dilemma: With over 400 million logins per year, the bank faced a constant struggle to balance security and user experience. Tightening rules to stop ATO attempts often resulted in high false-positive rates, which frustrated loyal users and increased the burden on support teams.
The solution: Separating high-risk and low-risk traffic
To break the cycle of manual investigations, the Tier 1 bank partnered with Sardine to move beyond simple login signals and adopt a holistic view of user behavior. This shifted the strategy from reactive defense to a systematic response to account takeover.
By integrating Sardine’s suite of device and behavioral biometrics, the bank gained the ability to see the "how" behind every login. The platform splits traffic using real-time signals like new device IDs, IP shifts, and behavioral changes, allowing the team to separate high-risk attempts from legitimate customers instantly.
Intelligence beyond the login
Sardine surfaces session-level signals that legacy, login-centric tools do not capture. Through deep session telemetry, the bank can now detect automated activity and coordinated fraud infrastructure before an ATO attempt succeeds. The team can see whether a "customer" is actually a bot script jumping straight to specific actions without the natural pauses of a human user, or whether a single device ID has been linked to thousands of other accounts. This allows the bank to stop bot-driven attacks before a single dollar is moved.
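As an added illustration (not Sardine's code or the bank's production rules), the following Python sketch shows how the session-level signals described above can be combined to split traffic by risk: a device not previously seen on the account, a login country different from the customer's last one, a device that has logged into an unusual number of accounts, and a high-risk action fired with no human pause after login. The field names, thresholds and sample sessions are assumptions made for the example.

```python
"""Per-session ATO risk signals over constructed login telemetry.

Added illustration, not Sardine's code or the bank's rules. Field names,
thresholds and sample sessions are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_HUMAN_PAUSE_SECONDS = 2.0   # assumed: a real user pauses before a high-risk action
MAX_ACCOUNTS_PER_DEVICE = 5     # assumed: above this a device looks like a fraud farm
HIGH_RISK_ACTIONS = {"add_beneficiary", "transfer"}


@dataclass
class Session:
    session_id: str
    customer_id: str
    device_id: str
    ip_country: str
    events: list  # (seconds since login, action) pairs, in order


# Constructed history: devices and the last login country per customer.
KNOWN_DEVICES = {"c1": {"dev-A"}, "c2": {"dev-B"}, "c3": {"dev-C"}}
LAST_COUNTRY = {"c1": "CA", "c2": "CA", "c3": "CA"}

# Constructed current traffic.
SESSIONS = [
    Session("s1", "c1", "dev-A", "CA", [(0, "login"), (45, "view_balance")]),
    Session("s2", "c2", "dev-X", "RO", [(0, "login"), (30, "view_balance"), (95, "transfer")]),
    Session("s3", "c3", "dev-X", "CA", [(0, "login"), (0.4, "add_beneficiary")]),
] + [
    # one device logging into six different accounts, login only
    Session(f"s{i + 4}", f"c{i + 4}", "dev-FARM", "CA", [(0, "login")])
    for i in range(6)
]


def device_account_counts(sessions):
    """Distinct customer accounts seen per device in the current traffic."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s.device_id].add(s.customer_id)
    return {dev: len(custs) for dev, custs in seen.items()}


def session_signals(s, device_counts):
    """Risk signals fired by one session: device, geography and timing."""
    signals = []
    if s.device_id not in KNOWN_DEVICES.get(s.customer_id, set()):
        signals.append("new_device")
    last = LAST_COUNTRY.get(s.customer_id)
    if last is not None and last != s.ip_country:
        signals.append("country_shift")
    if device_counts.get(s.device_id, 0) > MAX_ACCOUNTS_PER_DEVICE:
        signals.append("shared_device")
    # Bot-like timing: a high-risk action fired with no human pause after login.
    if any(a in HIGH_RISK_ACTIONS and t < MIN_HUMAN_PAUSE_SECONDS for t, a in s.events):
        signals.append("no_pause_before_high_risk_action")
    return signals


def triage(sessions):
    """Map session_id -> (decision, signals), splitting traffic by risk."""
    counts = device_account_counts(sessions)
    decisions = {}
    for s in sessions:
        sig = session_signals(s, counts)
        if "shared_device" in sig or "no_pause_before_high_risk_action" in sig:
            decision = "block"
        elif sig:
            decision = "challenge"   # step-up authentication instead of a hard block
        else:
            decision = "allow"
        decisions[s.session_id] = (decision, sig)
    return decisions


if __name__ == "__main__":
    for sid, (decision, sig) in triage(SESSIONS).items():
        print(f"{sid}: {decision:9} {', '.join(sig) or '-'}")
```

The point of the three-way split is the friction trade-off described earlier: a new device or a country shift on its own earns a step-up challenge rather than a block, while signals that only automation or account farming produce (no human pause before a transfer, one device across many accounts) are blocked outright.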
Rapid rule deployment
Sardine's rule engine allows the bank to build and deploy custom logic without waiting for lengthy engineering cycles. This agility was instrumental in uncovering a mass spear-phishing attack that had previously gone unnoticed. The bank moved from a position where it could not act on login signals alone to a proactive stance where it tests hypotheses against historical data and goes live with new protections immediately.
Neutralizing coordinated networks
By leveraging Community Risk Intelligence, the bank moved from investigating isolated incidents to neutralizing entire fraud infrastructures. After receiving the first batch of data, the system identified sophisticated credential stuffing driven by bot networks, including coordinated logins from shared IP addresses and email domains. By tracing these links, the bank can now identify and block coordinated networks that use thousands of accounts to exploit the system.
The results: $800,000 saved and reduced false positives
Within days of deployment, the bank gained the technical leverage necessary to turn detection signals into platform-wide protection. By collapsing data silos into a single, graph-powered view, the fraud team moved from reactive investigations to proactive threat neutralization. This shift saved the institution $800,000 in potential losses.
The shift from manual workflows to automated intelligence allowed the bank’s fraud team to focus on high-level strategy instead of administrative maintenance. This manifests in three core operational improvements:
- Analyst-driven rule deployment: With manual data retrieval and engineering-heavy labeling out of the loop, analysts now deploy new detection logic in minutes. This agility allowed the bank to take immediate action on 148 compromised accounts and dismantle a fraud network of 733 accounts.
- Fewer false positives: Higher detection precision reduced the false-positive rate by 16% to 26%. This directly protects the customer experience and reduces the support volume that spikes when over-tuned rules block legitimate banking actions.
- Network-level visibility: The bank now neutralizes the infrastructure that powers fraud rings at the point of entry. Instead of waiting for a fraudulent transaction to signal a problem, the team identifies threats like international device handoffs or bot-driven credential stuffing the moment they appear.
Neutralizing international fraud clusters
Sardine's intelligence exposed patterns that legacy systems missed. In one instance, the system uncovered a legitimate Canadian session followed immediately by a session on the same account from a Romanian IP address and a different device, a clear sign of a device handoff and account resale scheme. By tracing these links, the bank identified a fraud cluster of 370 customer IDs connected through 94 shared devices across nearly 3,000 sessions.
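The device-sharing analysis described here, and the connected component analysis mentioned under "Looking ahead", can be reproduced on constructed data. The Python below is an added example, not the platform's implementation: it builds a bipartite customer/device graph from session records, keeps only devices seen on more than one account as edges, and returns each connected component with its customer, device and session counts. A second function flags the handoff pattern above, a customer's session followed by one from a different device in a different country. The session records, device IDs and country codes are constructed for the example.

```python
"""Fraud-cluster discovery over a customer/device graph.

Added illustration of the connected-component approach, not the platform's
own implementation. The session records are constructed for this example.
"""
from collections import defaultdict

# Constructed sessions: (session_id, customer_id, device_id, ip_country).
# Zero-padded ids so that sorting by session_id gives chronological order.
SESSIONS = [
    ("s01", "c1", "d1", "CA"), ("s02", "c1", "d1", "CA"),  # honest customer on own device
    ("s03", "c2", "d2", "CA"), ("s04", "c2", "d9", "RO"),  # c2: Canadian session, then Romanian device
    ("s05", "c3", "d9", "RO"), ("s06", "c4", "d9", "RO"),  # d9 also logs into c3 and c4
    ("s07", "c4", "d7", "RO"), ("s08", "c5", "d7", "RO"),  # d7 links c4 to c5
    ("s09", "c6", "d6", "CA"),                             # unrelated customer
]


class UnionFind:
    """Disjoint-set forest used to compute connected components."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_devices(sessions, min_customers=2):
    """Devices seen on at least `min_customers` distinct accounts."""
    custs = defaultdict(set)
    for _, cust, dev, _ in sessions:
        custs[dev].add(cust)
    return {dev for dev, cs in custs.items() if len(cs) >= min_customers}


def fraud_clusters(sessions, min_customers=2):
    """Connected components of the bipartite customer/device graph, using only
    shared devices as edges so that one-off personal devices do not join clusters."""
    shared = shared_devices(sessions, min_customers)
    uf = UnionFind()
    for _, cust, dev, _ in sessions:
        if dev in shared:
            uf.union(("cust", cust), ("dev", dev))
    clusters = defaultdict(lambda: {"customers": set(), "devices": set(),
                                    "sessions": 0, "countries": set()})
    for _, cust, dev, country in sessions:
        if dev in shared:
            c = clusters[uf.find(("dev", dev))]
            c["customers"].add(cust)
            c["devices"].add(dev)
            c["sessions"] += 1
            c["countries"].add(country)
    return sorted(clusters.values(), key=lambda c: -len(c["customers"]))


def device_handoffs(sessions):
    """Per customer, consecutive sessions where both device and country change:
    a legitimate session followed by a foreign device on the same account."""
    by_cust = defaultdict(list)
    for sid, cust, dev, country in sorted(sessions):
        by_cust[cust].append((sid, dev, country))
    handoffs = []
    for cust, seq in by_cust.items():
        for (sid_a, dev_a, cc_a), (sid_b, dev_b, cc_b) in zip(seq, seq[1:]):
            if dev_a != dev_b and cc_a != cc_b:
                handoffs.append((cust, sid_a, sid_b, f"{cc_a}->{cc_b}"))
    return handoffs


if __name__ == "__main__":
    for c in fraud_clusters(SESSIONS):
        print(f"{len(c['customers'])} customers via {len(c['devices'])} shared devices, "
              f"{c['sessions']} sessions, countries {sorted(c['countries'])}")
    for h in device_handoffs(SESSIONS):
        print("handoff:", h)
```

On the constructed data the two shared devices pull four customer accounts into one component even though no single device touched all four, which is the property that lets a graph view turn isolated incidents into a network-level takedown. Restricting edges to shared devices matters in practice: without that filter every customer's personal device is an edge and the whole customer base collapses into a few giant components.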
The bank used these insights to initiate targeted interventions during high-risk actions such as beneficiary changes or large transfers. This level of granularity allowed the institution to put 149 customers into immediate account protection and notify them of the threat before additional losses occurred.
Through automated, graph-powered detection, the bank has transitioned to a model of sustained prevention. The high detection rate and reduced operational workload have provided a significant return on investment.
Looking ahead: Scaling proactive defense
With this success, the client and Sardine are expanding the analysis into tailored integration strategies such as visitor fingerprinting and credential stuffing detection. Future work includes quantifying fraud losses prevented, improving mobile fraud detection, and applying connected component analysis to disrupt fraud networks more broadly. Sardine continues to work with the Tier 1 bank to halt new attack vectors and optimize for cost through deeper, iterative ROI analysis.

