Global E-Commerce Platform Reduces Account Takeover Fraud Losses by 38% with Infostealer Intelligence

Executive Summary

E-commerce and retail was the highest-volume breach target of 2025, with a 239% year-over-year increase in verified breaches. Infostealers, which harvested session cookies directly from infected devices at scale, were the primary attack vector, enabling threat actors to authenticate as legitimate customers without ever needing to crack a password or trigger an MFA challenge. For a global platform with 40 million active customer accounts across 18 countries, the combination of infostealer activity and credential stuffing had produced a sustained ATO campaign generating material fraud losses quarter over quarter. 

The platform’s behavioral fraud model was sophisticated by industry standards. But it faced a fundamental limitation that no behavioral model can fully overcome: it could not distinguish between a legitimate customer logging in from a new device or location and an attacker replaying a stolen infostealer session cookie from the same geographic region as the account owner. The signals looked identical from the inside. 

This case study examines how integrating Constella’s infostealer monitoring and identity risk API into the platform’s fraud decisioning layer added the external identity signal that the behavioral model was missing, enabling it to make confident, accurate decisions on the precise cases that had previously been its blind spot. 

The Challenge: The Behavioral Model’s Blind Spot 

The platform’s fraud team had invested heavily in behavioral analytics — machine learning models trained on login velocity, device fingerprinting, geographic consistency, purchase pattern anomalies, and session duration. The models were effective at detecting many classes of fraud. But ATO via infostealer session replay consistently evaded them. 

The reason is structural: an infostealer-sourced ATO uses a cookie that was generated by the legitimate user’s own browser, on the legitimate user’s own device, after the legitimate user had successfully authenticated. The cookie contains the correct device fingerprint, the correct session parameters, and — frequently — the correct geographic origin, because many infostealers operate in the same region as their victims. From the behavioral model’s perspective, the infostealer session looks identical to a legitimate session from a returning customer. 

The fraud team identified three specific loss patterns that were consistently evading detection: 

  • Gift Card Fraud: Attackers authenticated via stolen session cookie, added high-value gift cards to cart, and checked out through the saved payment method before the session expired. Behavioral signals were minimal — one checkout event, consistent with normal purchasing behavior. 
  • Account Resale: Attackers accessed accounts containing stored payment methods and loyalty points, changed the contact email and recovery phone, and relisted the accounts on criminal marketplaces. Behavioral detection typically fired on the contact update — too late, as access had already been established. 
  • High-Value Purchase Fraud: In accounts with saved premium payment methods, attackers made single high-value purchases and directed shipping to reshipping addresses. Geographic anomaly signals were suppressed when the attacker’s proxy infrastructure placed the session origin in the account’s home region.  

The Solution: Enriching Fraud Decisioning with External Identity Risk 

The platform integrated Constella’s Identity Intelligence API into its fraud decisioning pipeline at the pre-authentication enrichment layer — querying Constella’s identity data lake in real time against the email address associated with each login attempt before the authentication decision was finalized. 

The integration operated in two modes: 

  • Real-Time Pre-Authentication Enrichment: For each login event, the fraud decisioning system queries Constella’s API with the account’s associated email. Constella returns a verified risk signal — whether that identity has appeared in recent breach or infostealer activity, the recency and source of the exposure, and whether session data for the associated domain was captured. This signal is incorporated into the fraud model’s risk score before the authentication decision is made. 
  • Continuous Background Monitoring: Constella’s monitoring runs continuously against the platform’s full customer identity population, generating proactive alerts when any monitored email appears in a newly ingested breach or infostealer package, independent of a login event. This enables the fraud team to preemptively flag or soft-lock accounts before an attacker attempts to use the compromised credentials. 

The infostealer-specific signal was particularly impactful. When Constella’s monitoring flagged that a specific customer’s session data, including the URL for the platform’s checkout flow, had appeared in a recently ingested infostealer package, the fraud model elevated the risk score for that account’s next authentication event to a level triggering step-up verification. Legitimate customers encountering step-up verification completed it without friction; attackers replaying stolen session cookies could not. 
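The decisioning logic described in this section, as an added example that is not Constella's code or API: the exposure record shape, the stand-in lookup, the score weights and the action thresholds are all constructed for illustration. It shows the two paths the text describes: a real-time pre-authentication decision that floors the risk score when the platform's own session cookies have appeared in a recent infostealer package (so a behaviorally clean login still gets step-up), and a background path that soft-locks monitored accounts when a newly ingested package captures platform session data before any login happens.

```python
"""Pre-authentication enrichment: folding an external identity-exposure signal into
the fraud decision, plus the background-monitoring soft-lock path.

Added example, not Constella's code or API. The record shape, the lookup, the score
weights and the action thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the example is deterministic.
NOW = datetime(2025, 11, 1, 12, 0, tzinfo=timezone.utc)
PLATFORM_DOMAIN = "shop.example"  # assumed platform domain


@dataclass(frozen=True)
class Exposure:
    """Hypothetical exposure record (an assumption, not the vendor's schema)."""
    email: str
    kind: str                    # "breach" or "infostealer"
    observed: datetime           # when the package or breach was ingested
    session_domains: tuple = ()  # domains whose cookies were captured (infostealer only)


# Constructed sample data standing in for the external identity data lake.
EXPOSURES = [
    Exposure("alice@example.com", "infostealer", NOW - timedelta(days=3),
             ("checkout.shop.example", "mail.example")),
    Exposure("bob@example.com", "breach", NOW - timedelta(days=400)),
    Exposure("carol@example.com", "infostealer", NOW - timedelta(days=20),
             ("othersite.example",)),
]


def _matches_platform(domain: str, platform: str) -> bool:
    return domain == platform or domain.endswith("." + platform)


def lookup_exposure(email: str, records=EXPOSURES, now: datetime = NOW,
                    platform: str = PLATFORM_DOMAIN, recent_days: int = 90) -> dict:
    """Stand-in for the real-time API query: summarise what is known about one email."""
    feats = {"exposed": False, "days_since": None,
             "recent_infostealer": False, "session_captured": False}
    cutoff = now - timedelta(days=recent_days)
    for rec in records:
        if rec.email.lower() != email.lower():
            continue
        feats["exposed"] = True
        days = (now - rec.observed).days
        if feats["days_since"] is None or days < feats["days_since"]:
            feats["days_since"] = days
        if rec.kind == "infostealer" and rec.observed >= cutoff:
            feats["recent_infostealer"] = True
            if any(_matches_platform(d, platform) for d in rec.session_domains):
                feats["session_captured"] = True
    return feats


def combined_risk(behavioral_score: float, exposure: dict) -> float:
    """Fold the external signal into the behavioral score. Weights are assumptions."""
    score = behavioral_score
    if exposure["session_captured"]:
        # Platform session cookies were stolen: a clean-looking login is exactly the
        # replay case the behavioral model cannot see, so floor the score high.
        score = max(score, 0.9)
    elif exposure["recent_infostealer"]:
        score += 0.4
    elif exposure["exposed"] and exposure["days_since"] <= 365:
        score += 0.15  # credential-only exposure within a year: modest bump
    return round(min(score, 1.0), 2)


def decide(email: str, behavioral_score: float, records=EXPOSURES) -> dict:
    """Pre-authentication decision for one login event."""
    exposure = lookup_exposure(email, records)
    score = combined_risk(behavioral_score, exposure)
    if score >= 0.95:
        action = "block"
    elif score >= 0.6:
        action = "step_up"  # a replayed cookie cannot complete step-up verification
    else:
        action = "allow"
    return {"email": email, "score": score, "action": action, "exposure": exposure}


def soft_lock_candidates(new_records, monitored_emails, platform=PLATFORM_DOMAIN):
    """Background path: newly ingested infostealer packages that captured platform
    session data for a monitored customer get a soft-lock before any login occurs."""
    monitored = {e.lower() for e in monitored_emails}
    return sorted({r.email.lower() for r in new_records
                   if r.email.lower() in monitored and r.kind == "infostealer"
                   and any(_matches_platform(d, platform) for d in r.session_domains)})


if __name__ == "__main__":
    for email in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"):
        print(decide(email, 0.2))
    print(soft_lock_candidates(EXPOSURES, ["alice@example.com", "carol@example.com"]))
```

With a low behavioral score of 0.2 for every login, alice (platform checkout cookies in a three-day-old package) is sent to step-up, carol (recent infostealer hit, but only another site's cookies) also gets step-up from the additive bump, bob (a year-old breach of credentials only) and dave (no exposure) are allowed, and only alice is a soft-lock candidate on ingest. The exposure dict travels with the decision so investigators see which event drove it, which is the source-attribution benefit the results section describes.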

The Result: 38% Reduction in ATO Fraud Losses 

In the first full quarter following integration, the platform’s fraud team reported:  

  • 38% reduction in ATO-driven fraud losses: the direct result of the Constella risk signal enabling the fraud model to accurately identify and block infostealer-sourced session replay attempts that had previously evaded behavioral detection. 
  • Improved fraud model precision: the false positive rate on high-risk authentication events decreased because the Constella signal provided genuine differentiation between anomalous-but-legitimate logins and credential-compromised access attempts. Fewer legitimate customers were blocked or sent through step-up verification unnecessarily. 
  • Secondary benefit, synthetic identity fraud reduction: by cross-referencing new account registrations against Constella’s breach data, the platform identified and blocked a significant volume of new-account creation attempts that used known-compromised email addresses, preventing the creation of fraud-ready accounts before any transaction activity occurred. 

The fraud team also reported a qualitative shift in investigative efficiency. Prior to the Constella integration, confirmed ATO investigations required manual OSINT to determine the likely source of the compromise, delaying case closure and customer notification. With Constella’s source attribution embedded in the fraud workflow, investigators could immediately see which breach or infostealer event had exposed the account, compressing investigation timelines from days to hours and enabling faster, more specific customer communication.
Key Outcomes: 

  • 38% reduction in ATO-driven fraud losses in the first quarter following integration 
  • False positive rate on high-risk authentication events decreased, fewer legitimate customers blocked 
  • Infostealer session replay attacks accurately identified and blocked by Constella-enriched risk scoring 
  • Synthetic identity fraud at account creation reduced through new registration screening 
  • ATO investigation timelines compressed from days to hours through Constella source attribution 

Why couldn't the behavioral model detect infostealer-sourced ATO on its own?

Behavioral models are trained on internal signals: how the account has historically behaved. An infostealer-sourced ATO uses a cookie generated by the legitimate user’s own authenticated session, meaning the device fingerprint, geographic origin, and session parameters are consistent with the legitimate user’s history. Without an external signal confirming that those credentials have been compromised, the behavioral model has no reliable basis for differentiation. Constella’s external risk signal provides exactly that missing context. 

How does the Constella API integrate with a fraud decisioning platform?

The Constella API is a RESTful service returning a verified risk signal in response to an identity attribute query, typically an email address. In a pre-authentication fraud decisioning workflow, the call is made between the credential submission and the authentication approval, adding the Constella risk score to the fraud model’s feature set before the decision is made. Sub-second latency ensures no perceptible impact on authentication speed. The integration requires no change to the authentication flow itself, only enrichment of the data available to the decisioning model. 
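Where that call sits in the flow, as an added example rather than Constella's client library: the latency budget, feature names and stub lookups are assumptions. It places the external query after credential verification and before the approval decision, runs it under a timeout so a slow or failing upstream cannot stall logins, and records when a decision was made without the external signal so that unenriched decisions can be measured rather than silently treated as clean.

```python
"""Placement of the enrichment call: after credentials are verified, before the
authentication decision, under a latency budget with an explicit fallback.

Added example, not Constella's client library. The budget, the feature names and the
stub lookups are assumptions.
"""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

LATENCY_BUDGET_S = 0.3  # assumed per-call budget for the external query


def enrich(event: dict, lookup, budget_s: float = LATENCY_BUDGET_S) -> dict:
    """Run lookup(email) under a timeout; on overrun or error, return the behavioral
    features only and record that the external signal is missing."""
    features = dict(event["behavioral"])
    features["external_enriched"] = False
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(lookup, event["email"])
    try:
        features.update(future.result(timeout=budget_s))
        features["external_enriched"] = True
    except LookupTimeout:
        features["external_timeout"] = True
    except Exception as exc:  # network or API failure: degrade, do not fail the login
        features["external_error"] = type(exc).__name__
    finally:
        pool.shutdown(wait=False)
    return features


def pre_auth_decision(event: dict, credentials_ok: bool, lookup, decide) -> dict:
    """Hook between credential submission and authentication approval.

    Bad credentials are rejected before any external call, so the enrichment API is
    never consulted for logins that would fail anyway."""
    if not credentials_ok:
        return {"action": "deny", "enriched": False}
    features = enrich(event, lookup)
    return {"action": decide(features),
            "enriched": features["external_enriched"],
            "features": features}


# Constructed stubs: a fast lookup and one that exceeds the budget.
def fast_lookup(email: str) -> dict:
    return {"session_captured": email == "alice@example.com"}


def slow_lookup(email: str) -> dict:
    time.sleep(1.0)
    return {"session_captured": True}


def demo_decide(features: dict) -> str:
    """Minimal policy: captured platform session means step-up; otherwise the
    behavioral score alone decides (the fallback when enrichment is unavailable)."""
    if features.get("session_captured"):
        return "step_up"
    return "step_up" if features["behavioral_score"] >= 0.6 else "allow"


if __name__ == "__main__":
    event = {"email": "alice@example.com", "behavioral": {"behavioral_score": 0.2}}
    print(pre_auth_decision(event, True, fast_lookup, demo_decide))
    print(pre_auth_decision(event, True, slow_lookup, demo_decide))
```

The second call shows the failure mode that the sub-second latency claim depends on: when the upstream overruns, the login is decided on behavioral features alone and comes back tagged `external_timeout`, which is the number an operator should watch, since every such decision reopens the blind spot for that one event.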

Did the step-up verification friction affect legitimate customers?

Step-up verification was triggered only for accounts where Constella had confirmed a current, verified infostealer exposure, meaning the population receiving step-up was a narrow, genuinely high-risk cohort. Legitimate customers in this group (those whose devices had actually been compromised) completed the step-up successfully and were able to access their accounts. The experience served as an implicit notification of their credential compromise, and many of them subsequently engaged with the platform’s account security settings. The volume of unnecessary step-up challenges affecting non-compromised accounts was negligible. 

Conclusion

Behavioral fraud models are essential infrastructure for modern e-commerce security — but they have a structural limitation: they can only see what happens inside the platform. Infostealer-sourced account takeover happens outside the platform, on infected devices, in criminal markets, and in the gap between when credentials are stolen and when they are used. Closing that gap requires external identity intelligence. 

For this platform, Constella’s infostealer monitoring and identity risk API provided the external signal the behavioral model needed to accurately identify its most persistent blind spot. The 38% reduction in ATO fraud losses was not a marginal improvement — it was the result of structurally solving a detection problem that no amount of behavioral model refinement alone could address. 
