Operator guideENplayersfraudriskidentity-graph

Players / Fraud Detection

Fraud-detection tab inside the player workspace with fraud risk assessment, related fraud reports, IP analysis, and identity-graph filtering.

Reader view

Clean portal guidance

This page keeps the operator explanation, field and action descriptions, and screenshots visible without exposing repo paths, raw sidecars, or editorial-only implementation details.

Narrative content

Page body

What this tab shows

Players / Fraud Detection combines several fraud-review tools for one player:

  • stored or on-demand fraud risk assessment
  • related fraud-report rows
  • login IP analysis
  • geolocation and proxy/VPN context
  • aggregated risk-band, common-risk-factor, and per-IP score summaries built from stored fraud-check history

When to use it

Use this tab when you need to:

  • check whether the player shares suspicious signals with other accounts
  • review IP and geolocation anomalies
  • compare local vs identity-graph matches
  • decide whether the player needs escalation for fraud review

How to read it

The tab has three major blocks:

  1. Fraud Risk Assessment for running or reviewing risk checks.
  2. Related Fraud Reports table with source-mode filtering.
  3. IP Address Analysis and optional map view for the player's login IPs.

Inside Fraud Risk Assessment, the FE renders two distinct read blocks when history exists:

  • Risk Score Analysis: overall average score, risk-band counts, trend, per-IP averages, and common risk factors
  • MaxMind Reports List: stored raw report history behind the same fraud-check flow

Known caveats

  • Combined, Local, and Identity Graph are filter modes on the fraud-report dataset, not separate player statuses.
  • IP analysis can load additional location data after the first render. Operators may see a partial view before enrichment finishes.
  • Running a new fraud check consumes an external risk-check flow; it is not just a UI refresh.
  • Run New Fraud Check and Run New Check (Uses Credits) are the same MaxMind-backed action. The wording explicitly warns operators that a new provider check can consume credits.
  • The risk analysis blocks are computed from stored fraud-check history, not directly from the related-fraud-report table. The table and the risk summary can therefore move independently.
  • The map can be unavailable when Mapbox system settings are missing, even if the IP list itself is present.

Verification status

  • status: verified_backend
  • last verified: 2026-04-18
  • note: fraud report, login-IP, IP-location, stored MaxMind history, and on-demand MaxMind insights are traced from the FE hooks used in this tab and the admin fraud controller.
Calculation notes

Calculations

calculation

Risk Level Thresholds

The FE maps stored fraud-check scores into four visible risk bands: `High Risk` for scores `>= 80`, `Medium Risk` for scores `>= 50` and `< 80`, `Low Risk` for scores `>= 20` and `< 50`, and `Minimal Risk` for scores `< 20`. Missing or invalid scores show `NO DATA`.

Verification State
verified_backend
calculation

Overall Average Risk Score

Average of all valid `riskScore` values in stored fraud-check history, rounded to the nearest integer.

Verification State
verified_backend
calculation

Risk Trend Formula

Difference between the average of the most recent five valid checks and the previous five valid checks. No trend is shown until at least ten history rows exist.

Verification State
verified_backend
calculation

Per-IP Average Score

Average of valid `riskScore` values for one IP address across all stored fraud-check rows for that IP.

Verification State
verified_backend
calculation

Common Risk Factors Aggregation

The `Common Risk Factors` block counts normalized reason strings aggregated from stored fraud-check rows, including security flags, parsed MaxMind risk reasons, parsed warnings, and recommendation-derived reason text.

Verification State
verified_backend
calculation

IP Security Flag Mapping

The map and IP rows turn anonymizer/provider flags such as Tor, anonymous VPN, public proxy, residential proxy, and hosting provider into visible risk color and risk-level labels.

Verification State
verified_backend
Grid columns

Columns

field

ID

Related player identifier from the fraud report result set.

Group
related_fraud_reports
Data Type
integer
field

Email

Related account email shown in the fraud report.

Group
related_fraud_reports
Data Type
string
field

Phone

Phone value returned on the fraud row when available.

Group
related_fraud_reports
Data Type
string
field

Country

Country code for the related account.

Group
related_fraud_reports
Data Type
string
field

City

City shown for the related account.

Group
related_fraud_reports
Data Type
string
field

Match Signals

Signal families that connect this player to other accounts.

Group
related_fraud_reports
Data Type
string
field

Merchants

Merchant set involved in identity-graph matches.

Group
related_fraud_reports
Data Type
string
field

Match Summary

Compact summary of the main fraud-match values.

Group
related_fraud_reports
Data Type
string
field

Created At

UTC timestamp for the related fraud-report row.

Group
related_fraud_reports
Data Type
datetime
Field dictionary

Fields

field

Fraud Risk Assessment

Stored or newly generated risk-check output for the player.

Group
fraud_risk_assessment
Data Type
report_block
field

Risk Score Analysis

Expanded analysis block that turns fraud-history rows into average-score, trend, risk-level, and factor summaries for the selected player.

Group
fraud_risk_assessment
Data Type
report_block
field

IP Address

One recorded login IP for the player.

Group
ip_address_analysis
Data Type
string
field

Location

Geo context resolved for the IP address.

Group
ip_address_analysis
Data Type
string
field

VPN / Proxy Flags

Security and anonymizer markers attached to the IP row.

Group
ip_address_analysis
Data Type
status
field

IP Map

Optional map visualization that plots the player's login IPs with geolocation and risk context once IP enrichment finishes.

Group
ip_address_analysis
Data Type
map
field

IP Location Loading State

Second-stage enrichment state while the tab resolves location and anonymizer details for visible IPs.

Group
ip_address_analysis
Data Type
status
Filter dictionary

Filters

field

Fraud Source Mode

Switches the report between combined, local-only, and identity-graph signal sources.

Type
segmented
field

Visible IP Count

Controls how many login IP rows are shown before the user expands the list.

Type
incremental
Metric dictionary

Metrics

metric

Overall Risk Assessment

Average fraud risk score across stored fraud-check history for the player. When no valid scores exist, the UI shows `N/A` and `NO DATA`.

Data Type
score
Verification State
verified_backend
metric

Total Checks

Number of stored fraud checks used by the current risk analysis.

Data Type
integer
Verification State
verified_backend
metric

Risk Trend

Directional change in average score between the most recent five valid checks and the previous five valid checks when enough history exists.

Data Type
delta
Verification State
verified_backend
metric

High Risk

Count of stored checks with risk score `>= 80`.

Data Type
integer
Verification State
verified_backend
metric

Medium Risk

Count of stored checks with risk score `>= 50` and `< 80`.

Data Type
integer
Verification State
verified_backend
metric

Low Risk

Count of stored checks with risk score `>= 20` and `< 50`.

Data Type
integer
Verification State
verified_backend
metric

Minimal Risk

Count of stored checks with risk score `< 20`.

Data Type
integer
Verification State
verified_backend
metric

Avg Score

Average score calculated for one IP address across its stored fraud-check records.

Data Type
score
Verification State
verified_backend
metric

IP Check Count

Number of stored checks that contributed to one IP's average risk summary.

Data Type
integer
Verification State
verified_backend
metric

Common Risk Factor Count

Occurrence count for one common risk factor in the `Common Risk Factors` block.

Data Type
integer
Verification State
verified_backend
Operational notes

Notes

item

Source mode filtering affects only the related-report dataset.

item

IP enrichment is a second-stage fetch on top of the base login-IP list.

item

On-demand fraud assessment in this tab is driven through `use-minfraud-check` and the embedded `PlayerFraudCheck` / `RiskScoreAnalysis` surfaces, not just through the related-report table.

item

`FraudController.minFraudInsights` validates IP presence, verifies MaxMind configuration, and logs admin-side fraud-check actions before returning the provider result.

item

The FE fraud-check buttons explicitly warn that a new check can consume MaxMind API credits.

Related references

Related pages

pagePlayers / Banking

Banking tab inside the player workspace with transaction filters, a paginated banking grid, analytics cards, CSV export, and automatic-withdrawal availability.

pagePlayers / Detail Workspace

Main player workbench at `/player/[playerId]` with tabbed sections, player-level actions, and modal-based operator workflows.

pagePlayers / Game Report

Per-player game or provider report inside the player workspace, filtered by date option and grouped either by game or by provider.

pagePlayers / Inbox

Inbox tab inside the player workspace for reviewing sent notifications, filtering by read state or notification type, and resending or deleting messages.

pagePlayers / KPI Summary

Grouped player-level KPI snapshot inside the player workspace, covering player info, deposits, withdrawals, casino totals, bonus cost, and predictive metrics.

pagePlayers / KYC Status

KYC tab inside the player workspace for browsing user documents, checking third-party verification state, and approving, rejecting, or re-requesting documents.