1) Briefing: what iGaming affiliate fraud looks like — and why CPA deals take the hit
We didn’t set out to find a “new” tactic. We stumbled on a familiar shape wearing a modern mask: a classic incentivized-traffic scheme dressed up as social virality. The promise is simple and seductive—“a prediction bot that beats roulette or crash games”—and the business model thrives where cost-per-acquisition (CPA) deals exist. CPA is perfect oxygen for this fire: pay on first-time deposits (FTDs), and you invite actors who can engineer shallow conversions at scale.
In this investigation, we’ll walk you through a real case we ran at Ad Trust Group. It starts on Instagram, detours to Telegram, and cashes out through CPA programs. The pattern looks legit to the untrained eye: glossy reels, rags-to-riches narratives, voice notes, screenshots of “wins,” and a “limited-access bot.” The funnel is tight, the attribution is controlled, and the payout clock starts the moment users hit a very specific, very telling minimum deposit.
If you run an affiliate program, here’s the uncomfortable math: incentivized funnels shove volume into your FTD counter while quietly crushing LTV and poisoning your cohort data. You’ll see baseline thresholds being gamed, FTD spikes that align to currency-specific minimums, and cohorts that refuse to activate beyond the first deposit. That’s not acquisition; it’s surface-level arbitrage.
Throughout this report we’ll share the exact artifacts we saw, the metrics that lit up our dashboards, and the policy levers that actually work—baseline rules, anti-incentive clauses, and KYC for both affiliates and networks. As we like to say internally: “If many FTDs land exactly on the minimum, you’re not acquiring players—you’re paying for a math trick.”
T0 — First sightings on Instagram: reels promising “casino prediction bots” (roulette/crash)
The first breadcrumb was a reel with all the familiar tropes: a creator who “used to be broke,” now “wants to share the method.” The hook wasn’t Forex signals this time; it was a casino prediction bot—roulette, crash, or “unbeatable” patterns. The content looked mass-produced, and the comments were stacked with obvious social proof. We knew the genre instantly.
What stood out was the CTA discipline: no spammy link-in-bio to a brand; instead, a soft nudge to “DM for access” or “request the bot.” Why? Because the real action happens off-platform. Instagram is the billboard—Telegram is the store. And if you’ve ever tried to police this flow, you know Instagram won’t follow you into Telegram. That’s the whole point.
We archived multiple examples: creators promising daily signals, “exclusive bot access,” and “proof of payouts.” More than once, we heard the same short audio snippets recycled across different accounts—same pitch, same “from poor to rich,” same testimonial voice. It’s a content assembly line built to churn believers.
The narrative is engineered for speed: grab attention, establish authority, tease scarcity, then move the prospect to the channel where enforcement is weaker and scripting is automated. At T0, our hypothesis was straightforward: Instagram drives curiosity; Telegram manufactures FTDs. We just needed to map the middle.

Field note: “The storytelling repeats. They claim they were skeptical at first, tried the bot ‘just once,’ and now it ‘changed everything.’ The cadence is identical across accounts.”
T+1 — Mapping the funnel to Telegram: /start scripts, recycled social proof, voice notes
Once inside Telegram, the mask comes off: a prebuilt /start flow, buttons that simulate “live predictions,” and a queue of canned replies. The “bot” looks smart, but it’s theater. As we saw repeatedly, it’s a basic automation that prints confidence. Voice notes come in at the right moments—“you’re doing great,” “try this next round”—and screenshots materialize showing “other users winning.”
We captured multiple sequences where the same “thank-you” reviews were recycled with different names and flags. That doesn’t prove fraud alone, but the repetition across unrelated accounts is telling. The system is optimized for scale and speed: fast reassurance, fast instructions, and a fast move to the monetization step.
Here is where the funnel tightens:
- “To enable the bot, you must register using our link.”
- “Share a screenshot of your user ID so we can unlock access.”
- “Make at least the minimum deposit or the bot won’t work.”
That trio is the spine of the grift. The link locks the attribution to the affiliate. The user-ID screenshot aligns the account with the expected CPA payout. And the minimum deposit primes the KPI we’re about to watch explode.
Direct quote we heard over and over: “The Telegram bot was theater: a simple automation to create the illusion of prediction.”

T+2 — The attribution trap: “register only with our link” + user-ID screenshots to align CPA
Attribution is where fraud either gets paid or starves. These operators know it. They insist on their registration link or code “so the bot works,” but the real reason is to hard-bind attribution. Then comes the user-ID screenshot request—framed as “verification,” but in practice used to tally CPA-eligible accounts.
We’ve seen affiliates inside networks execute this to add a layer of deniability between themselves and the operator. If a network’s controls are weak, the fraudster can rotate IDs and links fast, burning brands across geos and moving on before clawbacks hit.
Operationally, the attribution trap creates three downstream symptoms:
- Compressed time-to-FTD: users deposit almost immediately after signup because the script demands it to “unlock the bot.”
- A narrow deposit distribution: deposits cluster at the exact minimum threshold.
- Underwhelming activation: beyond the first session, engagement collapses; LTV fails to clear even conservative targets.

“They asked for a user-ID screenshot to line up their CPA,” we wrote in our field notes. “That wasn’t about user success. It was about getting paid.”
T+3 — The money lever: currency-based minimum deposits “so the bot works”
The next lever is the purest tell of incentivized traffic: minimum deposits by currency—MXN, COP, and so on. The script is explicit: “The bot only works if you deposit at least <amount>.” “At least” is doing a lot of work here.
We documented messages listing country-specific minima. Once those amounts are set, your FTD chart will mirror them like a stencil. On days when the campaign is “hot,” you’ll see FTD spikes that align perfectly with the scripted minimums. For operators with generous CPA deals and no baseline, the economics become upside-down fast.
This is where policy—not just detection—matters:
- Baselines: If a partner claims “high-quality traffic,” they shouldn’t fear a reasonable baseline. A no-baseline promise on CPA is a red flag.
- Anti-incentive clauses: Your terms must treat “deposit-gated tools” (like the so-called bot) as incentivized activity—grounds for non-payment/clawback.
- Affiliate & network KYC: You must know who you’re paying. Rotate IDs all you like; KYC ties payouts to real entities.
Field line we repeat to clients: “If many FTDs hit exactly the minimum, it’s incentivized traffic. Period.”

T+5 — Operator exposure: targets we observed and rotation patterns
Across LATAM we saw well-known operators targeted (as victims) by the same pattern: the Instagram-to-Telegram story, the tracking link compulsion, the minimum deposit gate. In our logs we flagged 1xBet, OneWin, and Lebul.mx among others—again, as victims of the scheme, not perpetrators. The fraudsters exploit whichever program will pay on time and ask the fewest questions.
Rotation happens on three axes:
- Brand rotation: move to the next operator once suspicion rises or traffic is paused.
- Network rotation: if one affiliate network raises friction (KYC, baselines), hop to another with looser checks.
- Creative rotation: recycle the same assets with minor edits—new voice note, new flag emoji, same promise.
We notified affected parties when we had solid evidence. Results varied. Some teams engaged immediately; others dismissed the risk—until data made denial impossible.
“We warned a brand, they said it wasn’t possible… a week later they were hit by the same pattern again.”
The playbook (keep handy)
Quick detection table
| Signal | Metric threshold (example) | What it usually means | Action |
|---|---|---|---|
| FTDs at exact minimum | ≥ 60% within a 48h window | Deposit-gated incentive running | Pause source; trigger audit; review chat evidence |
| Time-to-deposit compression | ≥ 70% deposit ≤ 30 min after signup | Scripted funnel pushing instant FTD | Validate link path; compare S2S postbacks vs BI |
| AFD variance too tight | AFD clustered around threshold (low σ) | Engineered deposits, not organic spread | Escalate baseline; apply clawback language |
| Cohort quality drop | Retention below P20 vs control cohorts | Shallow intent; low LTV reality | Quarantine cohort; re-allow only if depth emerges |
| Creative artifacts repeat | Recycled voice notes/screens across IDs | Centralized content factory | Blacklist creatives; share evidence with network |
| Redirect chain anomalies | Forced tracking params; mismatched domains | Attribution hard-binding by the affiliate | Map hops; enforce allowed domains list |
| Device/IP fingerprint clusters | High reuse across “unique” users | Farmed or coordinated activity | Block ranges; raise KYC tier |
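
The first three rows of the table can be computed straight from FTD records. The sketch below is an added example, not Ad Trust Group's tooling: the currency minimums, the sample rows and the `max_sigma` cutoff are assumptions made for illustration, while the 60% / 48h and 70% / 30 min thresholds come from the table.

```python
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed per-currency minimums; substitute your program's real values.
MIN_DEPOSIT = {"MXN": 100.0, "COP": 20000.0}

def score_source(ftds, window_h=48, exact_share=0.60, fast_share=0.70,
                 fast_min=30, max_sigma=0.25):
    """Score one traffic source from its FTD rows (signup_at, deposit_at,
    amount, currency). max_sigma is an assumed cutoff; the table gives none."""
    if not ftds:
        return None
    latest = max(f["deposit_at"] for f in ftds)
    recent = [f for f in ftds
              if latest - f["deposit_at"] <= timedelta(hours=window_h)]
    # Express each deposit as a multiple of its currency minimum so MXN and
    # COP rows share one distribution.
    ratios = [f["amount"] / MIN_DEPOSIT[f["currency"]] for f in recent]
    at_min = sum(abs(r - 1.0) < 1e-9 for r in ratios) / len(recent)
    fast = sum(f["deposit_at"] - f["signup_at"] <= timedelta(minutes=fast_min)
               for f in recent) / len(recent)
    sigma = pstdev(ratios)
    flags = []
    if at_min >= exact_share:
        flags.append("ftd_at_exact_minimum")
    if fast >= fast_share:
        flags.append("time_to_deposit_compressed")
    if sigma <= max_sigma:
        flags.append("deposit_spread_too_tight")
    return {"n": len(recent), "at_min": at_min, "fast": fast,
            "sigma": round(sigma, 3), "flags": flags}

def _ftd(signup_h, delay_min, amount, currency, t0=datetime(2024, 1, 1)):
    signup = t0 + timedelta(hours=signup_h)
    return {"signup_at": signup, "amount": amount, "currency": currency,
            "deposit_at": signup + timedelta(minutes=delay_min)}

# Constructed sample rows: a deposit-gated source and an organic-looking one.
GATED = ([_ftd(h, 10 + h % 5, 100.0, "MXN") for h in range(8)]
         + [_ftd(9, 12, 20000.0, "COP"), _ftd(10, 240, 150.0, "MXN")])
ORGANIC = [_ftd(h, d, a, "MXN") for h, d, a in
           [(0, 15, 100.0), (3, 400, 250.0), (7, 90, 500.0),
            (12, 1500, 180.0), (20, 45, 1000.0), (26, 20, 300.0)]]

if __name__ == "__main__":
    for name, rows in (("gated", GATED), ("organic", ORGANIC)):
        print(name, score_source(rows))
```

Run it per affiliate ID or subID rather than per brand, so a single gated source is not diluted by clean traffic.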
PPC / tracking checklist
| Item | What to check | Tools / Notes |
|---|---|---|
| Redirect chains | Track all hops; confirm only approved domains/params | Network logs, link expanders, server logs |
| Brand bidding | Monitor trademark terms in ads & landing variants | Brand monitoring tools; ad libraries |
| Postback integrity | Compare S2S postbacks vs BI events and timestamps | MTA/BI dashboards; anomaly alerts |
| Min-deposit anomaly alerts | Per currency thresholds; histogram outliers | Custom SQL/GA4/BI; scheduled reports |
| Click → FTD time curve | Look for unnatural spikes at 0–30 minutes | Cohort charts; survival analysis |
| Creative casebook | Archive recycled voice notes/screens; hash matches | Asset hashes; shared drive; blacklist |
| Affiliate & network KYC | Entity verification; beneficiary checks; contacts | Compliance docs; UBO declarations |
| UTM / subID hygiene | Consistent parameters; no spoofed sources | Link templates; regex validation |
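
The redirect-chain and subID rows above can be enforced in one pass over the hops recorded for a click. This is an added sketch, not the report's own code: the domain allowlist, parameter names (`aff_id`, `subid`), subID format and sample URLs are all hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed values for illustration only.
ALLOWED_DOMAINS = {"tracker.example", "brand.example"}
SUBID_RE = re.compile(r"[a-z0-9]{4,16}_[0-9]{6}")   # hypothetical subID format
TRACKING_PARAMS = ("aff_id", "subid")                # hypothetical param names

def host_allowed(host):
    """Exact match or true subdomain only, so look-alikes such as
    brand.example.evil.test or notbrand.example are rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def audit_chain(hops):
    """hops: ordered URLs observed from ad click to registration page.
    Returns a list of (hop_index, finding) tuples."""
    findings, first_ids = [], None
    for i, url in enumerate(hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((i, "non_https_hop"))
        if not host_allowed(parts.hostname):
            findings.append((i, "unapproved_domain"))
        q = parse_qs(parts.query)
        if any(len(q.get(p, [])) > 1 for p in TRACKING_PARAMS):
            findings.append((i, "duplicate_tracking_param"))
        ids = tuple(q.get(p, [None])[0] for p in TRACKING_PARAMS)
        if ids[1] is not None and not SUBID_RE.fullmatch(ids[1]):
            findings.append((i, "malformed_subid"))
        # Attribution must stay constant once set; a mid-chain change means
        # some hop rewrote who gets credited.
        if first_ids is None and all(ids):
            first_ids = ids
        elif first_ids and all(ids) and ids != first_ids:
            findings.append((i, "tracking_params_rewritten"))
    return findings

# Constructed sample chains.
CLEAN = ["https://tracker.example/c?aff_id=77&subid=igreel01_240101",
         "https://www.brand.example/register?aff_id=77&subid=igreel01_240101"]
SUSPECT = ["https://tracker.example/c?aff_id=77&subid=igreel01_240101",
           "http://brand.example.evil.test/r?aff_id=77&subid=igreel01_240101",
           "https://brand.example/register?aff_id=91&subid=igreel01_240101"]

if __name__ == "__main__":
    print(audit_chain(CLEAN))
    print(audit_chain(SUSPECT))
```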
Resources & next steps
- Evidence pack checklist: screenshots of IG reels, Telegram /start flow, user-ID requests, minimum-deposit prompts, deposit distribution chart.
- Policy templates: baseline clause, anti-incentive clause, affiliate/network KYC checklist.
- Contact: Ad Trust Group — reach out via email or Telegram (@AdtrustGroup) to review your affiliate program and set up controls.