How E‑commerce Platforms Fight Double‑11 Fraud: Inside NetEase’s Anti‑Cheat Architecture

This article examines the rise of organized “wool‑pulling” fraud groups during China’s Double‑11 shopping festival, outlines their tools and tactics, and details NetEase Cloud Security’s multi‑layered anti‑fraud system—including captcha, SMS verification, IP rules, device fingerprinting, rule engines, user profiling, network graph analysis, and blacklist strategies—to protect e‑commerce platforms.

ITPUB

Understanding Fraudsters’ Process and Tools

During large‑scale shopping events, organized groups (often called “wool‑pullers”) exploit promotional offers by automating account creation, coupon grabbing, and resale. Their typical toolchain includes:

Bulk accounts: Purchased email, social‑media, and phone numbers to bypass registration limits.

Proxy/IP resources: Commercial proxy services or compromised hosts that provide a wide range of IP addresses, helping evade per‑IP rate limits.

Captcha‑solving platforms: Automated OCR for simple captchas and human‑in‑the‑loop services for more complex image or SMS codes.

Android emulators: Tools such as BlueStacks that simulate real devices, allowing manipulation of GPS, MAC address, and other hardware identifiers.

Custom automation scripts: Tailor‑made programs that integrate the above resources to perform mass registrations, order‑snatching, and bulk purchases.

Principles of an Anti‑Fraud System for High‑Traffic Events

The core defensive strategy is to raise the economic cost of cheating. NetEase Cloud Security (易盾) implements a multi‑layered approach that combines human‑machine verification, network controls, and device‑level identification.

Advanced CAPTCHAs: Interactive challenges such as drag‑to‑match, puzzle pieces, or text‑selection that are difficult for OCR.

SMS verification: One‑time codes sent to real phone numbers, adding a cost proportional to the number of required phone resources.

IP rate‑limiting and blacklist: Limits on request frequency per IP and blocking of known proxy ranges.

Device ID / Browser fingerprint: Generation of stable identifiers from hardware and browser attributes, with statistical analysis to detect abnormal usage patterns.

NetEase Cloud Security Anti‑Fraud Architecture

The system consists of four tightly coupled components:

Rule Engine: Supports dynamic rule configuration and real‑time scoring. Each incoming order is evaluated against a set of conditions; the engine can either sum the scores of all matched rules or return the highest‑severity rule result.

// Example pseudo‑rule configuration
{
  "rule_id": "R001",
  "condition": "order.ip in proxy_list",
  "score": 30,
  "action": "flag"
}
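The two aggregation modes described above, as an added example (not NetEase's code). It assumes conditions are stored as structured field/op/operand entries instead of the page's condition string, so rules can be loaded dynamically without evaluating expressions; rules R002 and R003, the action ordering, and all sample values are constructed.

```python
import json

# Constructed rule set: R001 mirrors the page's pseudo-rule; R002/R003 are hypothetical.
RULES = json.loads("""[
 {"rule_id": "R001", "field": "ip", "op": "in", "ref": "proxy_list",
  "score": 30, "action": "flag"},
 {"rule_id": "R002", "field": "orders_last_hour", "op": "gt", "value": 20,
  "score": 40, "action": "verify"},
 {"rule_id": "R003", "field": "device_id", "op": "in", "ref": "device_blacklist",
  "score": 90, "action": "block"}
]""")

# Constructed reference lists (documentation IP range, made-up device ID).
LISTS = {"proxy_list": {"203.0.113.7"}, "device_blacklist": {"dev-bad"}}

SEVERITY = {"flag": 1, "verify": 2, "block": 3}  # assumed ordering of actions

# Whitelisted operators: an unknown "op" raises KeyError instead of being executed.
OPS = {"in": lambda v, target: v in target,
       "gt": lambda v, target: v > target}

def matches(rule, order, lists):
    """True if the order field satisfies the rule's operator and operand."""
    target = lists[rule["ref"]] if "ref" in rule else rule["value"]
    return OPS[rule["op"]](order[rule["field"]], target)

def evaluate(order, rules, lists, mode="sum"):
    """mode='sum': add the scores of all matched rules.
    mode='max': return only the highest-severity matched rule."""
    matched = [r for r in rules if matches(r, order, lists)]
    if mode == "sum":
        return {"score": sum(r["score"] for r in matched),
                "matched": [r["rule_id"] for r in matched]}
    if mode == "max":
        if not matched:
            return {"score": 0, "action": "allow", "matched": []}
        top = max(matched, key=lambda r: (SEVERITY[r["action"]], r["score"]))
        return {"score": top["score"], "action": top["action"],
                "matched": [top["rule_id"]]}
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    order = {"ip": "203.0.113.7", "device_id": "dev-1", "orders_last_hour": 25}
    print(evaluate(order, RULES, LISTS, "sum"))
    print(evaluate(order, RULES, LISTS, "max"))
```
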

User Portrait Scoring: A specialized profile focused on stock‑piling behavior. Dimensions include:

Number of distinct product categories purchased

Activity frequency (orders per hour)

Gross profit contribution

Historical malicious actions

Device usage patterns

Statistical aggregation of these dimensions yields a composite risk score that helps separate legitimate shoppers from coordinated fraudsters.

Association Network Model: Builds a graph of user interactions across orders. The workflow is:

Collect all order‑level relationships (shared IP, device ID, phone number, etc.) within a time window.

Construct a global interaction graph.

Apply graph‑partitioning to extract sub‑graphs (potential fraud rings).

Label sub‑graphs using supervised classifiers trained on known fraud patterns and unsupervised anomaly detection.

The resulting network scores are combined with rule and portrait scores.
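The first three workflow steps, as an added example (not NetEase's code). It uses connected components via union-find as the simplest form of graph partitioning and a plain size threshold as a stand-in for the classifier-based labeling; the order tuples, field layout, and `min_size` value are constructed assumptions.

```python
from collections import defaultdict

# Constructed orders: (order_id, account, unix_ts, ip, device_id, phone)
ORDERS = [
    ("o1", "acct_a", 1000, "203.0.113.7", "dev-1", "p-1"),
    ("o2", "acct_b", 1030, "203.0.113.7", "dev-2", "p-2"),   # shares IP with o1
    ("o3", "acct_c", 1060, "198.51.100.4", "dev-2", "p-3"),  # shares device with o2
    ("o4", "acct_d", 1100, "192.0.2.10", "dev-9", "p-9"),    # unrelated
    ("o5", "acct_e", 9000, "203.0.113.7", "dev-5", "p-5"),   # same IP, later window
]

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def account_clusters(orders, start, end):
    """Link accounts whose orders in [start, end) share an IP, device ID,
    or phone number, and return the connected components."""
    in_window = [o for o in orders if start <= o[2] < end]
    parent = {o[1]: o[1] for o in in_window}
    first_seen = {}  # (attribute kind, value) -> first account seen with it
    for _, acct, _, ip, dev, phone in in_window:
        for key in (("ip", ip), ("device", dev), ("phone", phone)):
            if key in first_seen:
                parent[find(parent, acct)] = find(parent, first_seen[key])
            else:
                first_seen[key] = acct
    groups = defaultdict(set)
    for acct in parent:
        groups[find(parent, acct)].add(acct)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))

def suspected_rings(orders, start, end, min_size=3):
    """Stand-in labeling step: keep clusters with at least min_size accounts.
    Shared IPs behind NAT can link unrelated shoppers, so a production
    labeler would weight edge types rather than treat them equally."""
    return [g for g in account_clusters(orders, start, end)
            if len(g) >= min_size]

if __name__ == "__main__":
    print(suspected_rings(ORDERS, 0, 3600))
```
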

Blacklist / Graylist Database: Business‑specific lists that separate high‑risk accounts (blacklist) from accounts requiring additional verification (graylist). Lists can be scoped per promotion (e.g., group‑buy events) to enable fine‑grained risk control.

Case Study: Order‑Level Detection in NetEase Koala Marketplace

In the Koala (考拉) platform, the anti‑fraud pipeline works as follows:

Incoming orders are streamed to the Rule Engine, which evaluates dozens of conditions (e.g., rapid order creation from the same IP, abnormal device fingerprint, suspicious coupon usage).

The engine outputs either a cumulative risk score or the highest rule severity.

User portrait scores are fetched; a shopper exhibiting high category diversity and rapid repeat purchases receives a higher fraud probability.

The Association Network Model checks whether the order belongs to a previously identified sub‑graph of coordinated accounts.

Finally, the order is cross‑referenced with the blacklist/graylist. Blacklisted accounts are blocked outright, while graylisted accounts trigger additional verification steps (e.g., SMS code).

This layered evaluation reduces false positives—legitimate high‑frequency shoppers are allowed through—while continuously increasing the operational cost for fraudsters.

Anti‑fraud system rule engine diagram