How do websites know I have multiple accounts?

Websites combine browser fingerprinting, IP correlation, cookie syncing, and behavioral analysis to build a profile. Even if you change your IP, your canvas fingerprint, WebGL renderer, installed fonts, and browsing patterns can link accounts together.

Is changing my IP address enough to avoid detection?

No. IP is just one signal among dozens. Websites use browser fingerprints (canvas, WebGL, audio), cookie syncing, timezone correlation, and even typing patterns. Defeating only IP detection while ignoring fingerprinting gives a false sense of security.

Can airdrop projects detect Sybil farmers?

Yes, and they're getting better at it. Projects like LayerZero and Hop Protocol used clustering algorithms that analyzed on-chain patterns, timing, funding sources, and browser-level signals to filter out multi-account farmers.

What is behavioral fingerprinting?

Behavioral fingerprinting tracks how you interact with a page - mouse movement patterns, scrolling speed, typing cadence, and click timing. These patterns are surprisingly unique and hard to fake because they're subconscious habits.

Do I need to defeat every detection method?

You need to address the methods that matter for your use case. For crypto and airdrops, the combination of browser fingerprint isolation, separate IPs per profile, and separate on-chain activity is the minimum. Behavioral analysis matters more for high-value accounts.

Back to Blog

DetectionMulti-AccountFingerprintingSecurityAntidetect

How Websites Detect Your Multiple Accounts (And What You Can Do)

From browser fingerprinting to behavioral analysis - a look at the techniques websites use to link your accounts together and flag multi-accounting.

April 22, 2026

Raven Wallet Team

A friend of mine lost about $12,000 worth of airdrop allocations last year. Not because he got hacked. Because LayerZero's Sybil detection flagged 47 of his wallets as linked. He'd used different emails, different IPs, even different computers for some of them. Still got caught.

That got me curious. How exactly do websites figure out that five "different people" are actually one guy in a basement?

Turns out, it's not one trick. It's a stack of signals, and most people only defend against the obvious ones.

The signal stack

Think of detection like a courtroom. No single piece of evidence convicts you. But pile up enough circumstantial stuff and the jury stops buying your story.

Websites work the same way. They assign a confidence score. Each matching signal bumps it up. Cross a threshold and you're flagged.

Here are the signals, roughly in order of how commonly they're used.

Browser fingerprinting - the big one

I've written about browser fingerprinting before, so I'll keep this brief. Your browser leaks a ton of identifiers:

Canvas fingerprint - your GPU renders text and shapes slightly differently than everyone else's. Sites hash the output. Same hash across accounts? Red flag.

WebGL renderer strings - your browser literally tells websites your exact GPU model and driver version. "ANGLE (NVIDIA GeForce RTX 4070 Direct3D11 vs_5_0)" is pretty unique.

Audio context - similar to canvas but for audio processing. The AudioContext API produces slightly different results per hardware.

Font enumeration - websites can probe which fonts are installed. Your specific combination of fonts is surprisingly distinctive. Especially if you've installed some random font pack for a design project three years ago.

Screen resolution and device pixel ratio - less unique on their own but combined with everything else, they add up.

ClientHints and navigator properties - hardware concurrency, device memory, platform. Individually harmless. Together, a fingerprint.

Most people know about fingerprinting by now. Where they mess up is thinking that's all there is.

IP and network signals

Obviously. Same IP, same person. But the detection goes deeper than just matching IP addresses.

IP reputation databases track whether an address belongs to a residential ISP, a datacenter, or a known VPN provider. Show up from a NordVPN exit node and the site already knows you're hiding something.

ASN correlation - if three of your "different" accounts all come from the same autonomous system number, that's a signal. Even if the actual IPs differ.

WebRTC leaks - your real IP can leak through WebRTC even when you're behind a proxy. I've seen people do everything right except leave WebRTC enabled in their browser profile. All that effort, gone because of one API.

Timezone mismatches - connecting from a Japanese IP but your browser reports America/New_York timezone? That's either a VPN user or a very confused person. Either way, suspicious.

This one is sneaky. You visit site A, which drops a tracking cookie. Then you visit site B, which loads a resource from site A (an ad, a pixel, whatever). Site A sees the same cookie. Now sites A and B know you're the same person.

Third-party cookies are being phased out, sure. But there are alternatives:

localStorage fingerprinting - some tracking scripts write unique IDs to localStorage. Clear your cookies all you want, they're still there.

ETag tracking - the server sends a unique ETag with a resource. Your browser caches it. Next request sends the ETag back. Persistent identifier without any cookies.

Login detection - if you're logged into Google in one tab and visiting a crypto project in another, the project might not know your Google email. But Google's analytics script running on that project's page does.

This is why browser profile isolation matters so much. Separate profiles mean separate cookies, separate localStorage, separate everything. One shared browser session and all your "different" accounts share the same tracking IDs.

Timing and behavioral patterns

This is the one that gets overlooked the most.

Login timing - if accounts A, B, C, D, and E all log in between 9:14 and 9:22 AM every day, that's a pattern. Real different people don't sync their morning routines like that.

Transaction timing - for crypto specifically, if five wallets all claim an airdrop within the same 3-minute window, that's suspicious. Humans are bad at randomizing things. We think we're being random but we're really not.

Mouse movement and scrolling - yeah, this is a thing. Some anti-fraud systems track how you move your mouse across the page, how fast you scroll, where you pause. Your physical interaction patterns are more unique than you'd think. Facebook has been doing this for years.

Typing cadence - the rhythm of your keystrokes. How long you hold each key, the gaps between characters. Academic research has shown this is almost as unique as a fingerprint. Not widely deployed yet, but it's coming.

Extension detection

Websites can detect which browser extensions you have installed. Not all of them, but many. The technique involves probing for web-accessible resources that extensions expose.

If accounts A and B both have the exact same set of obscure Chrome extensions installed, that's a correlation point. Especially if one of those extensions is something niche like a crypto tax calculator with 200 users.

Antidetect browsers handle this by isolating extensions per profile. Your MetaMask in profile 1 is invisible to profile 2.

How airdrop projects combine these signals

Here's where it gets real for crypto users.

When LayerZero did their Sybil filtering, they didn't just look at on-chain data. They combined:

On-chain clustering (common funders, similar amounts, timing patterns)
IP and browser fingerprint data from their dApp frontend
Behavioral patterns during interaction
Social graph analysis

Hop Protocol did something similar. So did Starknet. The pattern is clear - projects are investing serious money into detection because Sybil farming threatens their token distribution.

And it's not just airdrops. Exchanges use the same techniques. Open five Binance accounts from the same fingerprint and you'll find them all restricted. Seen it happen.

Why defeating one method isn't enough

This is the part people struggle with. They'll set up a proxy for each account and think they're covered. Or they'll use an antidetect browser but connect from the same IP. Or they'll nail the technical side but log into all accounts at 9 AM like clockwork.

Detection is probabilistic. Each signal adds confidence. You need to address the full stack:

Fingerprint isolation - separate canvas, WebGL, audio, fonts per profile
Network isolation - separate IPs, matching timezones, no WebRTC leaks
Cookie isolation - completely separate browser sessions
Timing randomization - don't do everything at the same time
Behavioral awareness - vary your patterns, at least a little

Tools like Raven Wallet build this isolation into the wallet management workflow itself, so you're not juggling five different apps. But whatever tool you use, the principle is the same: you're only as strong as your weakest signal.

The honest take

Look, perfect undetectability probably doesn't exist. If a well-funded project really wants to link your accounts and has enough data, there's always some signal.

But most detection is automated. Algorithms looking for obvious patterns. Score thresholds. If you're above the noise floor - if your accounts genuinely look like different people on different machines - you'll pass the automated checks. That's what matters for 95% of use cases.

The 5% where it doesn't work? Government-level surveillance, manual investigation of high-value fraud cases, that kind of thing. If that's your threat model, you've got bigger problems than browser fingerprints.

Don't overthink it. Don't underthink it either. Just understand the full signal stack and address each layer. Sound familiar? That's basically the crypto opsec mindset applied to browser-level security.