In the rapidly shifting landscape of cybersecurity, the traditional perimeter has dissolved. As fraudsters swap manual labour for automated emulators and generative AI, the industry finds itself at a critical crossroads. The “classic” toolkit relying on IP addresses and browser strings is no longer just ageing; it is being actively weaponised against the enterprises it was meant to protect.
To understand how the next generation of defence is being built, we sat down with Maksym Tkach, CTO at Frogo, a comprehensive fraud prevention platform under the international RedCore business group. He breaks down the asymmetry of the current “arms race” and explains why the future of security isn’t found in a single data point, but in the complex, unmaskable artefacts of hardware behaviour.
The Failure of the “Classic” Pillar
We are seeing an intense “arms race” between fraudsters using automated emulators and security teams relying on legacy basic IP combined with browser string hashes. Why is this “classic” approach to device identification failing today’s enterprise?
Maksym Tkach: The classic approach was designed for a different reality. The two pillars it stands on, IP and User-Agent, are both fundamentally compromised now.
IP scoring assumes an address carries an identity signal. It doesn’t. Residential proxy networks now sell access to millions of “clean,” rotating IPs. Your system might see a standard home broadband connection in Berlin, but behind it sits an automated script running from a data center on another continent.
User-Agent strings tell the same story. Tools like Headless Chrome and Playwright execute JavaScript indistinguishably from a real user; they render pages, handle cookies and pass basic fingerprint checks with ease. Meanwhile, anti-detect browsers can spoof dozens of browser attributes simultaneously. When the signals legacy systems rely on become easy to fabricate, they become meaningless.
You’ve mentioned that AI is the primary catalyst for this shift. How is Generative AI changing the math for fraud teams?
Maksym Tkach: AI has industrialized what used to require manual effort. The global fraud rate has more than doubled in the last three years and deepfake volume is growing exponentially year over year.
AI tools can now spin up synthetic identities, automate multi-account creation at scale and generate deepfakes that bypass even sophisticated selfie and liveness verifications. But here is the important asymmetry: while AI can fabricate documents and faces, it cannot yet fake device-level behavioral artifacts. The hardware, the rendering pipeline and the micro-variations in how a specific device executes code remain “ground truth.” This asymmetry is the foundation of our approach at Frogo.
Beyond the ID: The Frogo Methodology
Frogo’s “Fingerprint” technology claims to unmask even the most sophisticated environments. What specific signals or “behavioral artifacts” are you capturing that competitors are missing?
Maksym Tkach: I will be deliberately vague about specific signals and that’s by design. Publishing a detailed list of what we detect is essentially publishing a roadmap for evasion.
What I can say is that we collect hundreds of device and behavioural signals across web and native mobile environments. This includes hardware characteristics, rendering behaviour, network topology and user interaction patterns. Each signal on its own might be spoofable, but the combination, analysed in context, is not.
However, the real differentiator isn’t just the collection – it’s what happens after. Most competitors stop at device identification; they give you an ID and leave the risk decision to you. We’ve unified fingerprinting and scoring into a single flow. Our engine enriches every event with that context – identifiers, signatures, behavioural data – and evaluates it against configurable rules and ML models. For the customer, it’s one API call that returns a definitive risk decision in under 300 milliseconds. We don’t just say “this is a known device.” We say “this device shares behavioral patterns with these other sessions, here are the triggered risk signals, and our recommendation is to reject.”
Dismantling Fraud Rings with Graph Theory
Dark Reading: Graph-based forensic tools are becoming the gold standard for link analysis. How does Frogo utilize graph theory to visualize and dismantle large-scale multi-accounting rings in real-time?
Maksym Tkach: We use a two-tier architecture because real-time detection and deep investigation have fundamentally different performance requirements.
For live detection, we use Aerospike as a high-speed data store. Every scoring event persists device identifiers and session metadata immediately. When a new event arrives, the engine resolves relationships instantly, matching shared fingerprints or IPs. If account number 50 in a fraud ring logs in, the system already sees the 49 accounts that came before it. We process up to 1,000 events per second through this pipeline within our sub-300ms window.
For the analytics layer, we utilize AWS Neptune, a purpose-built graph database. This is where anti-fraud teams investigate patterns and visualize ring structures. Analysts can run complex traversal queries – like “show me every account that ever shared a fingerprint with this cluster” – to map out the full topology. Real-time catches the rings as they form; AWS Neptune lets analysts perform the autopsy and feed those insights back into policy tuning.
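Added example (not Frogo's code, and not from the interview): a minimal in-memory sketch of the per-event link resolution described above, where each scoring event is persisted and immediately joined to every account that shares a fingerprint or IP. The class and function names, the union-find approach and the 50-account ring are assumptions constructed for illustration; a production system would keep this state in a fast key-value store.

```python
from collections import defaultdict

class LinkResolver:
    """Resolves account clusters per event via shared identifiers (hypothetical helper)."""
    def __init__(self):
        self.parent = {}                  # union-find forest over accounts
        self.owner = {}                   # identifier -> first account seen with it
        self.members = defaultdict(set)   # cluster root -> accounts in the cluster

    def _find(self, a):
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra == rb:
            return
        if len(self.members[ra]) < len(self.members[rb]):
            ra, rb = rb, ra               # merge the smaller cluster into the larger
        self.parent[rb] = ra
        self.members[ra] |= self.members.pop(rb)

    def score_event(self, account, fingerprint, ip):
        """Persist the event, then return the accounts already linked to it."""
        if account not in self.parent:
            self.parent[account] = account
            self.members[account].add(account)
        for ident in (("fp", fingerprint), ("ip", ip)):
            first = self.owner.setdefault(ident, account)
            self._union(account, first)
        return self.members[self._find(account)] - {account}

def ring_events(n=50):
    """Constructed ring: fingerprint and IP each rotate every 10 accounts, offset by 5."""
    return [(f"acct-{i}", f"fp-{(i - 1) // 10}", f"ip-{(i + 4) // 10}")
            for i in range(1, n + 1)]

def replay(events):
    """Feed events in arrival order; record how many linked accounts each one sees."""
    resolver = LinkResolver()
    return resolver, [len(resolver.score_event(*e)) for e in events]

if __name__ == "__main__":
    resolver, seen = replay(ring_events())
    print("accounts visible when acct-50 logs in:", seen[-1])
    print("unrelated account links:", resolver.score_event("acct-legit", "fp-home", "ip-home"))
```

Because no single fingerprint or IP covers the whole ring, the cluster only appears through transitive links. Treating a shared IP as a hard link will also merge unrelated users behind carrier-grade NAT or a corporate proxy, so IP edges usually need a lower weight than fingerprint edges.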
The Developer Experience
From a developer’s perspective, integration is often a bottleneck. How have you engineered the Frogo SDK and API to ensure that “complex technology” remains simple to deploy?
Maksym Tkach: Our philosophy is simple: drop a lightweight JavaScript snippet on your frontend, call one API endpoint from your backend, and get a risk score. That’s it.
The JS snippet gathers the data, while our iOS and Android SDKs capture mobile-specific signals that browsers can’t see. The backend integration is a single REST API call that returns a JSON response including the risk score, the recommendation (pass, review, or reject), and the specific rules that are fired.
The surface area is deliberately small. There is no complex schema to map and no multi-step orchestration. A partner can go from zero to live in a single day. All the complexity – the binary signal collection via protobuf, the ML inference, the policy evaluation – lives in our infrastructure, not the client’s codebase.
What does the future look like for the Frogo engine?
Maksym Tkach: We are investing heavily in next-generation ML. Specifically, vector-based aggregators using Locality-Sensitive Hashing (LSH) for similarity matching at scale. The goal is to detect patterns that are not exact matches but are behaviorally similar. We want to catch fraud that mutates just enough to evade rule-based systems while preserving the same underlying fingerprint in vector space.
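Added example (not Frogo's implementation, and not from the interview): a sketch of the idea above using sign-random-projection LSH with banded buckets, showing a session whose features were nudged enough to break an exact-match hash but which still lands next to the known-bad session in vector space. The feature vectors, signature length, band size and Hamming threshold are constructed assumptions.

```python
import hashlib
import random

BITS, BAND = 256, 16   # signature length and bits per bucket key (assumed values)

def make_planes(dim, seed=7):
    """Random Gaussian hyperplanes; each one contributes one signature bit."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(BITS)]

def signature(vec, planes):
    """Bit i records which side of hyperplane i the vector falls on."""
    return tuple(int(sum(p * v for p, v in zip(plane, vec)) >= 0) for plane in planes)

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def band_keys(sig):
    """Sessions sharing any (offset, bits) key become comparison candidates."""
    return {(i, sig[i:i + BAND]) for i in range(0, BITS, BAND)}

def exact_hash(vec):
    """What an exact-match rule sees: any changed feature yields a new hash."""
    return hashlib.sha256(repr(vec).encode()).hexdigest()

class SimilarityIndex:
    def __init__(self, dim):
        self.planes, self.buckets, self.sigs = make_planes(dim), {}, {}

    def add(self, session_id, vec):
        sig = self.sigs[session_id] = signature(vec, self.planes)
        for key in band_keys(sig):
            self.buckets.setdefault(key, set()).add(session_id)

    def similar(self, vec, max_bits=32):
        """Candidates from shared buckets, confirmed by Hamming distance."""
        sig = signature(vec, self.planes)
        cands = set().union(*(self.buckets.get(k, set()) for k in band_keys(sig)))
        return sorted(s for s in cands if hamming(sig, self.sigs[s]) <= max_bits)

# Constructed, already-normalised behavioural feature vectors (not real data).
KNOWN_FRAUD = [1.2, -0.7, 0.3, 2.1, -1.5, 0.8, -0.2, 1.0]
MUTATED = [1.1, -0.7, 0.4, 2.1, -1.4, 0.8, -0.2, 1.0]    # three features nudged
UNRELATED = [-0.9, 1.4, 0.2, -0.3, 0.6, -1.8, 1.1, 0.1]

index = SimilarityIndex(dim=8)
index.add("fraud-session-1", KNOWN_FRAUD)
index.add("other-session-1", UNRELATED)

if __name__ == "__main__":
    print("exact hash match:", exact_hash(MUTATED) == exact_hash(KNOWN_FRAUD))
    print("LSH neighbours of mutated session:", index.similar(MUTATED))
```

The probability that two vectors disagree on a given bit equals the angle between them divided by π, so Hamming distance between signatures estimates cosine distance, and the banding lets the lookup touch only a handful of buckets instead of every stored session.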
Editor’s Note:
As Maksym Tkach illustrates, the era of the “static” defence is over. In a world where AI can spoof a face or a location in milliseconds, the only remaining source of truth is the hardware itself and the unique behavioural trail it leaves behind. By collapsing the distance between data collection and real-time scoring, Frogo isn’t just identifying devices – it’s predicting intent. For enterprises in iGaming, e-commerce, and fintech, the “leap” into specialised, graph-based defence may no longer be optional – it’s a prerequisite for survival.
