We recently detected and blocked a large-scale fake account creation campaign. The attacker attempted to register tens of thousands of accounts using bots, automating the entire signup process through a modified version of Chrome. To evade detection, the bots included anti-detect techniques such as canvas randomization. However, their activity left behind telltale artifacts: inconsistent mouse movements, abnormal canvas outputs, and GPU inconsistencies surfaced through fingerprinting side effects.
Fake account creation is more than noise in your marketing metrics. Fraudsters use these accounts as disposable infrastructure for downstream abuse: sending spam, exploiting referral programs, laundering stolen credentials, or building credibility for social engineering schemes. At scale, this can overwhelm business systems, pollute analytics, and erode user trust.
In this campaign, what made the activity stand out was not only the automation itself, but the attacker’s reliance on a custom-built email infrastructure: hundreds of unique domains created solely for the purpose of bypassing anti abuse defenses.
Attackers running their own email infrastructure
When investigating the signup attempts, one detail immediately stood out: none of the email domains appeared in public lists of disposable inbox providers. Instead, the attacker had registered their own infrastructure.
We uncovered 330 unique domains, all created between 16 August and 8 September 2025 (time when the article was written). The domains were tied to a LiteSpeed-powered mail server, which had been poorly secured (which is not the case anymore). This misconfiguration allowed us to confirm how the server was operated and gave us visibility into the scale of the attack.
By running their own mail service, the attacker ensured their domains looked like small businesses or personal projects, rather than entries on a known disposable list.
This makes detection harder: from the outside, these domains were indistinguishable from legitimate new registrations. And because they were created exclusively for this campaign, they would never appear in community-maintained blocklists.
Why disposable domain lists aren’t enough
Static blocklists of disposable domains are a useful first filter. They can quickly weed out the most obvious throwaway services. But as this case shows, they are not enough on their own. Attackers have several options to bypass lists:
- Use inboxes from trusted providers like Gmail or Outlook, which cannot be blocked wholesale.
- Register their own domains, as we saw here with 330 custom domains created just for this attack.
This is why effective defense against fake account creation requires a multi-layered approach that goes beyond static indicators. At scale, you need to combine:
- Fingerprinting signals to surface anti-detect artifacts and hardware inconsistencies.
- Behavioral analysis to catch automated signup flows and unrealistic interaction patterns.
- Proxy and infrastructure detection to link traffic back to abuse networks.
- Email intelligence to evaluate new or low-reputation domains, regardless of whether they appear on public lists.
Taken together, these layers create resilience. Instead of relying on any single signal, they allow defenders to detect bespoke infrastructure, spot automation artifacts, and stop attackers before fake accounts take hold.
IoC: full list of attacker-controlled domains
As part of this investigation, we identified 330 custom email domains controlled by the attacker. These were registered and used exclusively for the fake account creation campaign described above. None appear in public disposable email lists, since they were purpose-built and likely discarded after use.
For teams that want to analyze or cross-reference infrastructure, the full list is provided below.
[
"ainchemails.store",
"alderstone.store",
"alevra.biz",
"alphacore.biz",
"altaris.store",
"altavero.store",
"alturabiz.biz",
"alturion.biz",
"alverton.store",
"anadolugroup.biz",
"ankatech.biz",
"arventa.biz",
"ashbournevale.store",
"ashbury.store",
"asilnet.biz",
"astrego.biz",
"aurevix.store",
"aventrix.biz",
"axenor.biz",
"axenor.store",
"axiora.biz",
"axtongroup.store",
"beyazyol.biz",
"birikim.biz",
"bizfusion.biz",
"blackford.store",
"blockvia.store",
"blueledger.store",
"boldmark.biz",
"boldstep.biz",
"braveey.store",
"bravento.biz",
"briarcliff.store",
"brightleap.biz",
"brightora.biz",
"brightweld.store",
"briventa.biz",
"brontiva.biz",
"capitalpoint.biz",
"certivia.store",
"cinchemails.store",
"circuitra.store",
"clearhaven.biz",
"cloudence.store",
"clovira.biz",
"clyrion.biz",
"clyron.store",
"clyvera.biz",
"codevia.store",
"codezap.biz",
"cognira.store",
"coltris.store",
"corelnex.store",
"coreviax.store",
"corptora.store",
"corvantis.store",
"corvexis.store",
"crafttide.store",
"credaro.store",
"credovia.store",
"crestmore.store",
"cresventa.store",
"crosvia.store",
"crownvale.store",
"cryonix.biz",
"cyberlinq.store",
"darlie.store",
"dataforgex.store",
"datavero.store",
"datiora.biz",
"datiora.store",
"digivesta.store",
"domerra.store",
"domivex.store",
"dorantis.biz",
"doruktech.biz",
"doverton.store",
"dravion.biz",
"dravorex.biz",
"dunleigh.store",
"dynetra.biz",
"eastminster.store",
"einchemails.store",
"eldermore.store",
"elvora.biz",
"equinoxa.store",
"eryvon.biz",
"evertonic.store",
"evolventa.store",
"exovian.biz",
"fairbrooke.biz",
"fairmontic.store",
"feltrion.biz",
"felvora.biz",
"fervia.store",
"finbiznet.biz",
"finchemails.store",
"fintravo.store",
"fintrix.store",
"firmalix.store",
"firmantis.store",
"flowmark.biz",
"futurenest.biz",
"fyntriva.biz",
"fyntrix.biz",
"fyrox.store",
"glaventa.biz",
"globantis.biz",
"globantis.store",
"gloventa.store",
"granford.store",
"granitec.store",
"granitefield.biz",
"gravisio.store",
"grenton.biz",
"gridlocke.store",
"halberg.store",
"harlington.store",
"harperston.store",
"hedefler.biz",
"hexablend.store",
"hexora.biz",
"hexorvia.biz",
"highlandic.store",
"hitcornika.biz",
"hukinge.store",
"infranova.store",
"intervexa.store",
"interviax.store",
"jinchemails.store",
"jukengi.store",
"jukinge.store",
"juravia.store",
"kalegroup.biz",
"kendrix.biz",
"kensworth.store",
"keyvora.biz",
"kiklume.store",
"kimderdiki.biz",
"kinchemails.store",
"kingshaven.store",
"kingsmere.store",
"kingsvale.store",
"klyptus.biz",
"klyvante.biz",
"klyvera.biz",
"kryvent.biz",
"kyntravo.biz",
"kyroa.store",
"kytrion.biz",
"kyvera.biz",
"laryvo.biz",
"legatora.store",
"lexindus.store",
"linchemails.store",
"loomflow.store",
"lorix.store",
"lorvex.biz",
"loryvia.biz",
"lucivon.biz",
"luxtrion.biz",
"lyvantis.biz",
"magnaris.store",
"magnora.biz",
"marketvibe.biz",
"marketzap.biz",
"maxrion.biz",
"meriona.biz",
"meriton.store",
"millhaven.store",
"minchemails.store",
"miravon.biz",
"montcrest.store",
"montorra.biz",
"myntis.store",
"myntivar.biz",
"myntora.biz",
"myronex.biz",
"neurovia.biz",
"nexabiz.biz",
"nexiron.biz",
"nexuswave.biz",
"nexverra.store",
"northcrest.store",
"northdale.store",
"northminster.store",
"northvale.biz",
"novabiz.biz",
"novizo.biz",
"noxenta.biz",
"oakleigh.store",
"oakmere.store",
"oceansky.biz",
"olinge.store",
"olyvante.biz",
"omniglobe.store",
"omnilis.store",
"omnitor.biz",
"omnivera.biz",
"omvex.biz",
"omvex.store",
"omviora.biz",
"optimobiz.biz",
"optiron.biz",
"optivex.biz",
"optivex.store",
"optivora.biz",
"orvelta.biz",
"orvenix.biz",
"oryvia.biz",
"ovrix.store",
"oxio.store",
"oxirax.store",
"peakfold.store",
"peakpoint.biz",
"pinchemails.store",
"plenxor.biz",
"plorantis.biz",
"primebiz.biz",
"primetra.store",
"primetrax.store",
"prionix.store",
"pryva.store",
"pryvista.biz",
"pyloria.biz",
"pylorix.biz",
"qenzor.biz",
"qeyra.store",
"qryvion.biz",
"ravencrest.store",
"redmont.store",
"ridgefield.store",
"ridgehaven.store",
"ridgepoint.biz",
"ridgewell.store",
"risepoint.biz",
"risevibe.biz",
"rovexa.biz",
"savorent.biz",
"servebiz.biz",
"shopease.biz",
"silverbrook.store",
"smartobiz.biz",
"smartpeak.biz",
"softpeak.biz",
"solidora.biz",
"solvira.biz",
"statora.store",
"stonewell.store",
"strathmore.store",
"stratmore.store",
"stratovix.store",
"stravica.biz",
"stravion.biz",
"strivaro.store",
"strovian.biz",
"summitline.biz",
"summittrust.store",
"swifttrend.biz",
"sylvora.biz",
"techbizgroup.biz",
"techspire.biz",
"techthrive.biz",
"tinchemails.store",
"tkilima.online",
"topgoal.biz",
"toptrust.biz",
"torvantis.biz",
"torvento.biz",
"transico.store",
"trelyon.biz",
"trevia.biz",
"trevox.store",
"treya.store",
"trivora.biz",
"trovantis.biz",
"truetrend.biz",
"truevale.biz",
"trustgate.biz",
"trustovia.store",
"trustvia.store",
"tulvora.biz",
"uinchemails.store",
"ulyvora.biz",
"umutlar.biz",
"unitara.store",
"unitrex.store",
"univesta.biz",
"urbanconsult.biz",
"urbanpeak.biz",
"urbantrade.biz",
"ustravon.biz",
"valentra.biz",
"valorcrest.biz",
"velantis.biz",
"veliona.biz",
"ventaris.biz",
"veradix.store",
"veylor.biz",
"veyora.biz",
"vinchemails.store",
"virtelon.store",
"visionpartners.biz",
"vitalpath.biz",
"voltrix.biz",
"westbridge.store",
"westgrove.store",
"wetherby.store",
"xerovian.biz",
"xonitra.biz",
"xyden.store",
"xyntra.store",
"yeniufuk.biz",
"yinchemails.store",
"zaferyolu.biz",
"zelixo.biz",
"zenithra.biz",
"zenqora.biz",
"zentivo.biz",
"zentrium.store",
"zerico.store",
"zerla.store",
"zerya.store",
"zonelush.store",
"zuhanga.store",
"zyntravo.biz",
"zyphobiz.biz",
"zyrantis.biz",
"zyricon.biz",
"zyvantis.biz"
]
