-
Desktop browsers bear the brunt, with 4.4% of desktop identifications in 2025 showing tampering techniques
-
With 12% of desktop traffic running in virtual machines, 6% loading with developer tools open, and 96% of detected desktop automation associated with abuse, most fraud is seen on desktops
-
VPNs have become mainstream, with roughly one in five identification events involving VPN usage across all traffic, signaling a shift from suspicious behavior to baseline privacy practice
Fingerprint, a leader in device intelligence for fraud prevention, released its Device Intelligence Report: Data Trends and Risk Patterns in Global Online Traffic. Drawing on its industry-leading dataset of 23.4 billion identification events across 7.3 billion unique browsers and devices worldwide, the report reveals how modern mobile users and web visitors behave at scale.
As AI-driven fraud increasingly mimics legitimate user behavior, obvious fraud signals are becoming unreliable. Fingerprint’s report provides insights into web traffic, highlighting the shift from simpler network-level abuse to more sophisticated browser and device manipulation.
“Our device intelligence report reveals fraudsters are combining traditional tactics with new AI-powered automation,” said Valentin Vasilyev, CTO and co-founder of Fingerprint. “Meanwhile, legitimate users increasingly use privacy tools like VPNs, making it harder to separate real visitors from malicious ones. These findings demonstrate the shift fraud teams need to make toward using multiple signals to evaluate intent as the web traffic landscape evolves.”
Browser Tampering Nearly Doubles Year-Over-Year in 2025
Browser tampering is a tried-and-true method fraudsters use to modify or obscure device characteristics: spoofing identifiers, altering reported properties, and using anti-detect or heavily customized browser setups. Fingerprint’s report reveals that browser tampering nearly doubled year-over-year, with 4.4% of desktop browser identifications in 2025 showing these techniques.
Tampering appears less frequently on mobile browsers — less than 1% of identifications — but the lower baseline on mobile reflects tighter technical and practical constraints than on desktops. In other words, when these signals do appear on mobile devices, they are a strong red flag for fraudulent activity.
Despite mobile browsers accounting for 71% of browser-based identification events, desktop remains the primary target for sophisticated tampering techniques. This makes desktop security disproportionately critical even as mobile dominates overall traffic volume.
Desktop Browsers Become the Primary Battleground for Online Fraud
Desktop browsers are becoming the primary battleground for sophisticated fraud. The Fingerprint team found that in 2025, 12% of desktop browser traffic ran in virtual machines, 6% loaded with developer tools open, and 4% exhibited browser tampering (with the highest concentration on Chromium-based browsers).
Individually, each signal might reflect legitimate workflows, but when combined, they reveal sessions that deviate significantly from typical user behavior. This concentration of fraud signals on desktop gives teams clear enforcement targets, particularly for high-value activities like checkout, account recovery, and password resets.
Marketing Technology News: MarTech Interview with Omri Shtayer, Vice President of Data Products and DaaS at Similarweb
Automation represents a concentrated threat on desktop. While it accounts for only 1.4% of Fingerprint’s filtered browser identification traffic, it reaches 8% on desktop specifically. More critically, it’s overwhelmingly malicious, with 96% of detected automation on desktops associated with abuse.
Privacy Signals Become the New Normal
VPN usage has surged across both desktop and mobile devices. The increase in privacy-first technologies, from Apple’s Intelligent Tracking Prevention to Mozilla Firefox’s new privacy browser, continues to compound fraud detection challenges, dismantling traditional tools fraud teams once relied on. The report showcases that across all traffic, about one in five of all identification events involve VPN usage.
On desktop, Chromium-based browsers account for the highest concentration of VPN usage, with roughly a third of identification events showing VPN traffic. Meanwhile, mobile VPNs were detected in 13% of mobile identification events across browsers and apps.
This trend continues to accelerate in desktop and mobile users, showing growing VPN adoption, indicating that VPNs are now a normal part of how users access the web.
The practical takeaway is that network privacy signals are best used to provide context about a visitor rather than serve as standalone fraud indicators.
Marketing Technology News: Martech Architecture For Small Language Models: Building Governable AI Systems At Scale
The Era of Single-Signal Detection is Ending
Most web and mobile traffic still appears “normal,” making anomalies easier to detect. However, the definition of “normal” is shifting. Automation now includes AI agents operating for a legitimate purpose on a user’s behalf, and VPNs have become standard privacy tools rather than suspicious signals. As these patterns evolve, understanding the context behind each signal becomes critical.
Fraud teams need to adapt. The most effective controls combine multiple signals and adapt to different environments, recognizing that anomalous behavior varies across platforms, browser types, mobile devices, and runtime groups. Advanced prevention methods and friction should be reserved for sessions that fall outside everyday traffic patterns, and spotting those requires looking at multiple signals together.
