Skip to main content
Tripwire sits alongside your KYC vendor, not in place of it. The vendor checks whether the identity is valid; Tripwire checks whether a real human at a real device is operating the form. Stacking the two catches fraud that passes each layer individually — especially synthetic-identity farms, anti-detect browsers, and repeat submissions from one device under many identities.

The threat

KYC-gated flows (fintech onboarding, crypto exchanges, gambling, lending, payouts, any “high-limit” account upgrade) attract some of the most well-funded browser automation on the public internet. The rewards per account are large enough to justify real investment: stolen identity kits bought on dark markets, anti-detect browsers ($100–$500/month retail), residential proxy pools, and increasingly LLM-driven agents that can fill forms and respond to vendor prompts autonomously. Four abuse patterns dominate:
  • Synthetic identities. Fabricated or Frankenstein PII (real SSN, fake name; real name, fake DOB) submitted through automated browsers. Individual submissions may pass the KYC vendor’s checks because the underlying data points look plausible; the tell is the browser operating the form, which Tripwire sees.
  • Identity farming. Operator runs dozens or hundreds of accounts through KYC on one device using different PII each time, then resells the verified accounts. Every individual submission looks fine; the durable visitor fingerprint betrays the pattern.
  • Anti-detect browser fraud. Multilogin, GoLogin, Kameleo, and similar tools specifically exist to defeat device fingerprinting — the KYC fraud market is their primary customer base. These environments push Tripwire’s overall risk_score up even when the behavioral profile looks human, and the durable session’s runtime_integrity surface explicitly flags tampering and virtualization.
  • Liveness / video bypass. Virtual cameras, deepfakes, and face-swap tooling target the selfie/liveness step. This is primarily the KYC vendor’s problem, but the browser environment used to run the bypass often trips Tripwire’s virtualization and anti-tamper signals.
Against all four, Tripwire produces signal before the KYC vendor sees the request — cheap, high-precision, and useful in two ways: as a pre-check that stops obvious fraud before paying the vendor per-verification fee, and as an input to a layered decision for everything the vendor returns as “approved but we’re not sure.”

The flow

1

Start Tripwire when the KYC flow begins

This might be the “Upgrade your account” button or the start of a dedicated onboarding journey. Collection needs time — KYC is one of the rare surfaces where you can afford to wait for fingerprint readiness.
2

Gate form submission on waitForFingerprint()

Unlike a login page, KYC users expect friction. It’s fine to disable the final submit button until Tripwire’s durable fingerprint has frozen — this guarantees you’ll get a stable visitor_fingerprint.id for cross-session correlation.
3

Call getSession() at submit

Handoff travels with the KYC payload.
4

Pre-check the Tripwire verdict and risk score

Hard-block on bot. For human verdicts, apply a stricter risk_score threshold than you would on a lower-friction surface — a borderline score on a regulated flow usually warrants manual review.
5

Check the durable fingerprint's history

GET /v1/fingerprints/:visitorId — has this device run KYC before under a different identity?
6

Forward to the KYC vendor with Tripwire metadata attached

So the vendor’s own decision engine can incorporate the signal on their side.
7

Monitor post-KYC sessions

A verified account that starts behaving like automation later is a strong account-takeover or farming signal. Keep Tripwire on sensitive in-app actions.

Client integration

KYC is the one surface where waitForFingerprint() should block submission. False positives from slow fingerprinting are cheap here (the user will wait), and false negatives from submitting before fingerprint freeze are expensive (you lose the durable visitor ID that catches identity farming). 
<script type="module">
  const tripwirePromise = import("https://cdn.tripwirejs.com/t.js").then(
    (Tripwire) =>
      Tripwire.start({
        publishableKey: "pk_live_your_publishable_key",
      }),
  );

  const submitButton = document.querySelector("#kyc-submit");
  submitButton.disabled = true;

  tripwirePromise.then(async (tripwire) => {
    tripwire.onError((error) => {
      console.error("Tripwire error", error.code, error.message);
    });

    await tripwire.waitForFingerprint();
    submitButton.disabled = false;
  });

  async function submitKyc(formData) {
    const tripwire = await tripwirePromise;
    const { sessionId, sealedToken } = await tripwire.getSession();

    return fetch("/api/kyc/submit", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        ...formData,
        tripwire: { sessionId, sealedToken },
      }),
    });
  }
</script>

Server verification

The pattern below uses a generic kycVendor.verify(...) placeholder. Substitute Persona, Onfido, Veriff, Sumsub, Socure, Alloy, or your internal equivalent. The KYC_RISK_SCORE_THRESHOLD below is set at 0.3 as a starting point — well below Tripwire’s default bot verdict threshold (~0.7) but strict enough that genuinely suspicious sessions don’t auto-approve on a regulated flow. Tune it to your traffic. 
const { Tripwire, safeVerifyTripwireToken } = require("@abxy/tripwire-server");
const client = new Tripwire({ secretKey: process.env.TRIPWIRE_SECRET_KEY });

const KYC_RISK_SCORE_THRESHOLD = 0.3;

app.post("/api/kyc/submit", async (req, res) => {
  const tr = safeVerifyTripwireToken(
    req.body.tripwire.sealedToken,
    process.env.TRIPWIRE_SECRET_KEY,
  );

  // 1. Fail closed — no valid token, no KYC.
  if (!tr.ok) {
    return res.status(403).json({ status: "rejected", reason: "verification_failed" });
  }

  const { decision, attribution, visitor_fingerprint } = tr.data;

  // 2. Hard block obvious automation before paying the KYC vendor.
  if (decision.verdict === "bot") {
    await logKycRejection({ reason: "bot", decision, kycPayload: req.body });
    return res.status(403).json({ status: "rejected", reason: "automation_detected" });
  }

  // 3. Human verdict but elevated score — KYC is a stricter surface than
  //    signup or checkout. A borderline score warrants manual review even
  //    when the top-level verdict is "human".
  if (decision.risk_score >= KYC_RISK_SCORE_THRESHOLD) {
    await flagForManualReview({ reason: "elevated_risk_score", decision });
    return res.json({ status: "manual_review" });
  }

  // 4. Identity farming — has this device already completed KYC?
  if (visitor_fingerprint?.id) {
    const priorClaims = await findPriorKycByVisitor(visitor_fingerprint.id);
    if (priorClaims.length > 0 && priorClaims.some((c) => c.userId !== req.session.userId)) {
      await flagForManualReview({ reason: "identity_farming", priorClaims });
      return res.json({ status: "manual_review" });
    }
  }

  // 5. Forward to the KYC vendor with Tripwire metadata attached.
  const vendorResult = await kycVendor.verify({
    user: req.body.user,
    documents: req.body.documents,
    metadata: {
      tripwire_session_id: req.body.tripwire.sessionId,
      tripwire_verdict: decision.verdict,
      tripwire_risk_score: decision.risk_score,
      tripwire_visitor_id: visitor_fingerprint?.id ?? null,
    },
  });

  // 6. Layered decision — inconclusive Tripwire + vendor "approved" = manual review.
  if (decision.verdict === "inconclusive" && vendorResult.status === "approved") {
    await flagForManualReview({ reason: "tripwire_inconclusive_despite_vendor_approval" });
    return res.json({ status: "manual_review" });
  }

  await recordKycResult({
    userId: req.session.userId,
    visitorId: visitor_fingerprint?.id ?? null,
    tripwireVerdict: decision.verdict,
    tripwireRiskScore: decision.risk_score,
    vendorResult,
  });

  res.json({ status: vendorResult.status, verified: vendorResult.status === "approved" });
});

Layered decision matrix

The decision you hand back to your own business logic (and record on the KYC row) should be the product of Tripwire and the vendor verdict, not either one alone. risk_score is a 0–1 float; below the bot verdict threshold of ~0.7 there’s still a lot of useful gradient, and KYC is the surface where you should care about it.
Tripwire verdictrisk_scoreVendor resultRecommended action
human< 0.3approvedApprove.
human< 0.3declinedDecline (vendor-driven).
human0.3 – 0.7approvedManual review. Borderline scores on a regulated flow should not auto-approve.
human0.3 – 0.7declinedDecline.
inconclusiveanyapprovedManual review. Don’t auto-approve borderline sessions on regulated flows.
inconclusiveanydeclinedDecline.
botanyanyReject before the vendor. Log and rate-limit by IP and visitor fingerprint.
Two principles worth holding:
  • Never auto-approve on vendor-only signal for a KYC-gated flow. If Tripwire’s risk_score is elevated or the verdict is inconclusive, the vendor saying “approved” is not enough to promote an account to its full permission set.
  • Use a stricter risk_score threshold than you would on other surfaces. Tripwire’s default bot/human cutoff is tuned for broad use across signup, login, and content surfaces; KYC’s false-negative cost justifies treating anything above roughly 0.3 as worth a human look.

Runtime integrity: deeper environment signal

When the sealed-token verdict isn’t enough — high-limit approvals, compliance-heavy jurisdictions, repeat-review queues — fetch the durable session and inspect runtime_integrity. These are discrete named flags computed server-side from the full observation stream, and they let you write precise rules instead of thresholding a single aggregated score.
Node.js
const session = await client.sessions.get(sessionId);
const ri = session.runtime_integrity;
// {
//   tampering_detected: boolean,
//   developer_tools_detected: boolean,
//   emulation_suspected: boolean,
//   virtualization_suspected: boolean,
//   privacy_hardening_suspected: boolean,
// }
FlagWhat it means on a KYC submission
tampering_detectedExplicit environment tampering (patched navigator properties, stealth-plugin artifacts, injected globals). On a KYC flow this is a strong manual-review signal regardless of the sealed-token verdict.
emulation_suspectedDevice emulation — typically a mobile emulator on a desktop. Almost always fraud when the vendor expects a real phone for document capture and liveness.
virtualization_suspectedSubmission is coming from a VM. Legitimate in some corporate setups (Citrix, VDI) but overrepresented in fraud operations. Weight it; don’t auto-reject.
developer_tools_detectedDevTools open during submission. Common on legitimate support calls and among advanced users — useful context, not dispositive.
privacy_hardening_suspectedHardened privacy browser (Firefox resistFingerprinting, Brave shields, Tor). Usually a real user; primarily helpful as an explanation for a missing visitor_fingerprint.id.
tampering_detected and emulation_suspected deserve a manual-review route even when the sealed-token verdict is human and the risk_score is under threshold. They’re the signals most likely to be silent on the aggregated score when an attacker is specifically tuning against it. runtime_integrity is only available via GET /v1/sessions/:sessionId — it’s not on the sealed token. Two integration shapes work well:
  • Durable read on every KYC submission. One extra API call per verification; negligible next to the cost of the KYC vendor itself.
  • Durable read only on borderline cases. Fast path on clean human + low-score submissions; fetch the durable session for everything else, including the manual_review paths in the code above.

Identity farming: cross-session correlation

The durable visitor fingerprint is the axis that catches farms. One device running KYC under five identities over two weeks looks human on every individual submission — it is human, just a human engaged in fraud. The tell is in GET /v1/fingerprints/:visitorId.
Node.js
async function findSuspiciousKycHistory(visitorId) {
  const fingerprint = await client.fingerprints.get(visitorId);

  // Count distinct accounts that have run KYC from this device
  const priorKyc = await db.query(
    "SELECT DISTINCT user_id, submitted_at FROM kyc_submissions WHERE visitor_id = $1 ORDER BY submitted_at DESC",
    [visitorId],
  );

  return {
    seenCount: fingerprint.lifecycle.seen_count,
    firstSeenAt: fingerprint.lifecycle.first_seen_at,
    distinctKycAccounts: priorKyc.rows.length,
    priorBotSessions: fingerprint.activity.sessions.filter(
      (s) => s.decision.verdict === "bot",
    ).length,
  };
}
Practical thresholds for flagging:
  • 2+ distinct accounts from the same visitor fingerprint completing KYC → manual review. Real households exist, but KYC-gated flows rarely involve two adults on the same device.
  • Any prior verdict: "bot" on that fingerprint in the last 90 days → manual review. The device has failed Tripwire before.
  • lifecycle.seen_count > 50 with first-seen under 24 hours → auto-reject. That’s a headless browser being spun up repeatedly on one machine.
See Promo & trial abuse for a more general treatment of the cross-session correlation pattern; the KYC version is essentially that page with tighter thresholds and a manual-review default.

Attaching Tripwire signal to the vendor

Most KYC vendors expose a metadata or custom_fields parameter on their verification API. Putting Tripwire’s session ID and verdict there pays off in two ways:
  • Vendor-side rules. Modern KYC platforms (Alloy, Sardine, Socure, Sumsub rules engine) let you write decisioning on custom fields. “Decline if tripwire_risk_score >= 0.3 AND document score below 0.9” is a one-line rule that would otherwise require integrating Tripwire into the vendor’s system separately.
  • Post-hoc reconciliation. When a chargeback, SAR, or compliance audit surfaces a KYC approval months later, the Tripwire session ID stamped on the vendor record lets you pull GET /v1/sessions/:sessionId and recover the full device evidence — including runtime_integrity and signals_fired — from the time of submission.
Which fields to send: 
{
  "tripwire_session_id": "sid_...",
  "tripwire_verdict": "human",
  "tripwire_risk_score": 0.12,
  "tripwire_visitor_id": "vis_...",
  "tripwire_attribution_category": "human"
}
tripwire_attribution_category pulls from attribution.bot.facets.category.value when present; on human verdicts it’s generally null, so you may want to store "human" for consistency.

Post-KYC monitoring

Getting a human verdict at KYC submission is necessary but not sufficient. Account takeover happens later — the KYC is clean, but six months on, someone logs in from a new device, hardens their settings, and starts draining the account or withdrawing funds. Keep Tripwire on:
  • Every login (see Login & credential stuffing).
  • Payout / withdrawal / transfer initiation.
  • Limit-increase requests (the typical next step after compromise).
  • Any sensitive setting change — email, password, 2FA, beneficiary.
A KYC-verified account that suddenly starts producing bot verdicts or an elevated risk_score on withdrawals is a very strong ATO signal, and the fact that the account is KYC-verified makes the response more important, not less — the attacker has done the work to look legitimate precisely to unlock high-limit actions.
KYC is a regulated flow in most jurisdictions. How long you retain Tripwire verdicts and visitor fingerprints on KYC records is a compliance question, not just an engineering one. Confirm retention requirements with your privacy/legal team before you ship. See Privacy & data for Tripwire’s side of the data picture.

What’s next

Signup protection

Stop automated account creation before KYC even starts.

Promo & trial abuse

The same cross-session correlation pattern, at lower stakes.

Verdicts & scoring

Deep-dive on verdict, risk_score, and where thresholds come from.

Privacy & data

What Tripwire stores and for how long.