
How Fingerprint’s Proximity Detection Stops Device Farms Fraudsters Can’t Hide


Guest: Valentin Vasilyev
Company: Fingerprint
Show Name: Secure By Design
Topic: Application Security

Fraudsters have mastered the art of digital disguise—VPNs, location spoofing, fake accounts, emulators. But there’s one thing they can’t easily fake: when dozens of devices are physically crammed together in the same room, running coordinated fraud operations. Standard geolocation tools miss this critical signal. Fingerprint’s new Proximity Detection technology changes that game entirely.

From Open Source to Enterprise Fraud Prevention

Valentin Vasilyev, CTO and Co-Founder of Fingerprint, didn’t start with fraud prevention in mind. In 2012, he created FingerprintJS as a hobby project—an open source library for device identification. Over the years, developers and enterprises began using it to solve fraud issues, personalize user experiences, and protect accounts. By 2018, Vasilyev saw an opportunity to turn the open source library into a commercial product. In 2020, he and co-founder Dan Pinto launched Fingerprint.com, building a more robust solution on top of the original library.

Today, Fingerprint serves enterprises dealing with sophisticated fraud operations, from credential stuffing to delivery fraud to mass account registration. Their latest innovation, Proximity Detection, addresses a gap that has long plagued security teams: identifying when multiple devices are physically co-located, even when fraudsters use every trick in the book to hide their tracks.

The Technical Gap: Why Geolocation Alone Isn’t Enough

Mobile apps have had access to location data for years. Facebook, Google, and countless other platforms know where users are at all times. Yet security teams struggle to use this data effectively against fraud. The problem isn’t access to coordinates—it’s what you do with them.

“Working with geolocation and geospatial data is hard,” Vasilyev explains. “You’re dealing with a set of coordinates on a surface. You cannot work with traditional rectangular, Cartesian coordinate systems—you have to work with a spherical, geodesical system.”

The biggest challenge is understanding relative positioning. When you have a pair of latitude and longitude coordinates, you know where one device is. But you don’t know if there are five, fifty, or five hundred other devices sitting in the same room. That’s the signal that matters for fraud detection. Device farms—where dozens or hundreds of phones sit on racks running fake accounts—leave a distinctive pattern. They’re physically clustered. Standard geolocation tools don’t expose that clustering in an actionable way.

Fingerprint designed Proximity Detection to solve exactly that problem, without exposing sensitive personal location data.

A Hexagonal, Hierarchical System Built for Privacy

Proximity Detection uses a zone-based, hierarchical architecture. Devices are grouped into hexagonal zones of varying sizes—10 meters, 50 meters, 100 meters—depending on the use case. This gives developers precise control over granularity. If you’re hunting for a tightly packed device farm in a single room, you query at 10 meters. If you’re investigating ride-hailing fraud across a city block, you expand to 100 meters.

“Developers have this flexibility to query the data using larger and larger radiuses,” Vasilyev says. “If they want to find devices sitting only in a small area, like a room, they would use a query parameter of 10 meters. If they want to expand that search, they can use 50 meters or 100 meters, depending on their use case.”

Critically, the system never exposes raw GPS coordinates. Instead, it generates anonymized proximity identifiers—hashed tokens that cannot be reverse-engineered back to precise locations. This design protects user privacy while giving fraud teams the signal they need: how many devices are clustered together in a given zone.

The system also handles multi-story buildings correctly, accounting for altitude in addition to latitude and longitude. A device farm on the third floor won’t be confused with legitimate users on the ground floor.
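One way a zone identifier of this kind could be derived, as an added example that is not Fingerprint's code or algorithm: coordinates are projected to metres, snapped to a hexagonal cell of the requested size, combined with an altitude band, and passed through a keyed HMAC. The sinusoidal projection, the 3 m floor height, the demo key and all function names are assumptions.

```python
import hashlib
import hmac
import math

EARTH_RADIUS_M = 6_371_000.0
FLOOR_HEIGHT_M = 3.0                    # assumed storey height for the altitude band
SECRET_KEY = b"constructed-demo-key"    # placeholder; a real key stays server-side


def hex_cell(lat_deg, lon_deg, cell_size_m):
    """Return axial (q, r) of the pointy-top hexagon containing the point.

    cell_size_m is treated as the hexagon's centre-to-corner distance.
    """
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    # Sinusoidal projection: spherical coordinates -> metres on a plane.
    x = EARTH_RADIUS_M * lon * math.cos(lat)
    y = EARTH_RADIUS_M * lat
    q = (math.sqrt(3) / 3 * x - y / 3) / cell_size_m
    r = (2 / 3 * y) / cell_size_m
    # Cube rounding: snap fractional hex coordinates to the nearest cell.
    s = -q - r
    rq, rr, rs = round(q), round(r), round(s)
    dq, dr, ds = abs(rq - q), abs(rr - r), abs(rs - s)
    if dq > dr and dq > ds:
        rq = -rr - rs
    elif dr > ds:
        rr = -rq - rs
    return rq, rr


def proximity_token(lat_deg, lon_deg, alt_m, cell_size_m):
    """Opaque token for the (cell, floor) a device is in at one zone size."""
    q, r = hex_cell(lat_deg, lon_deg, cell_size_m)
    floor = math.floor(alt_m / FLOOR_HEIGHT_M)
    msg = f"{cell_size_m:g}:{q}:{r}:{floor}".encode()
    # Keyed HMAC, not a bare hash: cell indices are low-entropy, so an
    # unkeyed digest could be brute-forced back to a cell.
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]
```

Two devices share a token only when they fall in the same cell and altitude band at the queried size, so the same pair can differ at 10 m and match at 100 m.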

Beating Location Spoofing and Emulators

Fraudsters don’t sit idle. They use spoofing software to fake their coordinates. Fingerprint anticipated this. Proximity Detection is paired with geolocation spoofing detection. If a device’s coordinates have been tampered with, Fingerprint flags it.

“Even though a device could have a completely different or new proximity identifier, we would also tell that it’s a fake identifier which you shouldn’t trust,” Vasilyev notes. “So when you get that spoofing intent, you shouldn’t trust the proximity ID. It boils down to two cases: trusted geolocation, where you can understand co-located devices, and spoofed geolocation, where you shouldn’t trust it and treat it with suspicion by default.”

This dual-signal approach—Proximity Detection plus spoofing detection—creates a powerful defense. Even when fraudsters mask their location, the attempt itself becomes a red flag.

Real-World Use Cases: Beyond Device Farms

Proximity Detection targets three primary use cases: account protection, item delivery fraud, and ride-hailing services. Each scenario has distinct fraud patterns, but all benefit from understanding device clustering.

In account takeover and credential stuffing attacks, fraud rings deploy hundreds of devices in tight physical proximity. The sheer volume of co-located devices is the smoking gun. A legitimate household might have 10 or 15 devices. A device farm has 200.

In delivery fraud, the pattern is different. A scammer might claim an item was delivered when it wasn’t. Proximity Detection can reveal that the delivery driver’s device and the recipient’s device were in the same room at the time of the alleged delivery—an impossibility if the delivery was legitimate.

For ride-hailing fraud, the same logic applies. If a driver’s and a passenger’s devices are consistently co-located before rides even begin, it signals collusion.

“Proximity ID is helpful for cases when the number of devices is very large—it’s a very clear-cut situation,” Vasilyev says. “Or if the use case allows for a small number of devices, you look at the relationship and the history of proximity identifiers, and you can understand if that co-location is unlikely from a business perspective.”
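The two cases described earlier (trusted versus spoofed geolocation) and the device-count signal from this section, combined into one triage pass; this is an added example, not Fingerprint's API. The event keys `device_id`, `proximity_id` and `spoofed`, the threshold of 50 and the sample data are assumptions.

```python
from collections import defaultdict

# Assumed cut-off between "large household" and "farm"; the article gives
# only the two ends (10-15 devices vs. 200). Tune per product.
FARM_THRESHOLD = 50


def triage(events, farm_threshold=FARM_THRESHOLD):
    """events: iterable of dicts with hypothetical keys
    device_id, proximity_id, spoofed (bool)."""
    zones = defaultdict(set)
    spoofed_devices = set()
    for e in events:
        if e["spoofed"]:
            # Spoofed geolocation: the proximity ID is not trustworthy, so it
            # never contributes to a zone count; the device is flagged instead.
            spoofed_devices.add(e["device_id"])
        else:
            zones[e["proximity_id"]].add(e["device_id"])
    # Design choice: a device seen spoofing once is dropped from every count.
    counts = {z: len(d - spoofed_devices) for z, d in zones.items()}
    farms = {z: n for z, n in counts.items() if n >= farm_threshold}
    return {"zone_counts": counts, "suspected_farms": farms,
            "spoofed_devices": sorted(spoofed_devices)}


def sample_events():
    """Constructed sample data, not real telemetry."""
    events = [{"device_id": f"farm-{i}", "proximity_id": "zoneA", "spoofed": False}
              for i in range(200)]
    events += [{"device_id": f"home-{i}", "proximity_id": "zoneB", "spoofed": False}
               for i in range(12)]
    # Repeat sightings of one device must not inflate the zone count.
    events += [{"device_id": "home-0", "proximity_id": "zoneB", "spoofed": False}] * 5
    events.append({"device_id": "spoof-1", "proximity_id": "zoneB", "spoofed": True})
    events.append({"device_id": "spoof-1", "proximity_id": "zoneC", "spoofed": False})
    return events


if __name__ == "__main__":
    print(triage(sample_events()))
```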

The AI Factor: Fraud Acceleration and New Defenses

AI has lowered the barrier to entry for fraud. Anyone can spin up automated bots and fake accounts using generative AI tools. Vasilyev expects fraud volumes to accelerate, but he distinguishes between low-level, exploratory fraud and high-impact, professional operations.

“The access to fraudulent tools has become commoditized with AI,” he says. “However, for professional and high-scale, high-impact fraud, that’s not going to happen quickly with AI. The high-impact fraud will remain in the area of specialized tools and specialized software.”

Fingerprint provides more than 100 fraud signals, including web automation detection, bot detection, and malicious browser detection—all designed to catch AI-driven fraud. Proximity Detection adds a new layer specifically for mobile devices, grouping them together when traditional device fingerprinting generates one ID per device.

“Sometimes you want to assign a single ID to a group of devices,” Vasilyev explains. “That’s where Proximity Detection is very helpful.”

The Long Game: Making Fraud Economically Unviable

Will fraud ever be defeated? Vasilyev is pragmatic. “I don’t think fraud will ever be defeated. It’s a cat-and-mouse game. But Fingerprint’s goal is to make it so expensive and hard and long that economically, it’s not going to be a viable thing to do.”

That’s the real victory. Not eliminating fraud entirely, but making it so costly and difficult that bad actors give up and move on. Proximity Detection is one more tool in that arsenal—one more way to raise the cost of doing business for fraudsters.

For enterprises dealing with account takeover, device farms, or AI-driven fraud, Proximity Detection offers a new line of defense. It turns physical proximity—something fraudsters can’t fake—into an actionable fraud signal.
