What started as a generous launch offer became a crash course in fraud detection, bot behavior, and underground VPN abuse – here’s the full story.
The Beginning
After years of building ServerAvatar – a modern, user-friendly hosting panel – we finally launched our Managed Hosting service.
This was a big leap forward.
Until now, users could connect their own servers and manage them with ServerAvatar’s smart tools. With managed servers, we took it a step further:
- Let users launch cloud servers directly from our panel – powered by premium cloud platforms
- Pre-configured and production-ready
- Fully managed by us
- Flexible, powerful, seamless
To celebrate the launch, we wanted people to try it for free, so we introduced:
$10 in free server credits on signup.
Simple. Honest. Helpful.
After all, what could possibly go wrong?
The Calm Before the Storm
The first few days? Glorious.
Real users were signing up, exploring the new system, launching servers, and deploying apps like pros.
The onboarding flow felt like magic.
Activation rates were the highest we’d ever seen.
It felt like everything was finally clicking.
Then, a wave of signups started coming in – all from obscure Chinese email domains.
We were still optimistic.
“Wow, people love us in China too!” (Yes, we actually said that.)
What we didn’t know was that our generous little offer had been shared on black hat forums in China – and what followed wasn’t growth.
It was exploitation.
The Flood
New signups exploded.
Hundreds per hour. Then thousands.
But something felt… mechanical.
These users weren’t curious.
They weren’t deploying WordPress or Laravel.
They weren’t touching the control panel.
Instead, they were following a scripted routine:
- Sign up with a new email
- Launch a managed server
- Create an application/system user
- Enable root access
- Log in via SSH and do… whatever they wanted
What stood out?
They never showed any interest in our actual hosting service.
They didn’t deploy sites.
They didn’t explore features.
They were just there for one thing: free compute.
And the $10 credits made it too easy.
The Discovery: Red Flags
Once we started digging into these accounts and the servers they launched, things got even more suspicious.
We found:
- VPN servers running silently within minutes of deployment
- Custom SSH configurations
- Suspicious ports wide open
- And the worst: malicious scripts used for:
  - Attacking public APIs
  - Flooding third-party services
  - Launching unauthorized bots at scale
These deployments were automated.
From signup to abuse, it took them just minutes.
They weren’t exploring our product. They were exploiting it.
We weren’t just offering cloud hosting anymore – we were accidentally powering a global VPN cartel.
The Chaos: Abuse in Real Time
The moment we suspected abuse, we activated full monitoring. It only took us a few hours to conclude: “Something’s wrong!”
We started tracking:
- Resource usage (CPU, RAM)
- Command execution patterns
- System user behavior
- SSH activity and background processes
Surprisingly, it was easy to catch the first wave.
Why?
Because they all followed the same pattern:
- Instantly create a system or app user
- Enable root access
- Log in and ignore everything ServerAvatar offers
They didn’t even pretend to be interested in application deployment.
They were only here to extract raw compute.
Even worse – they weren’t abusing bandwidth.
They were running long-term workloads on CPU and memory – from VPN relays to bulk API attackers – and they’d keep the servers running until every last cent of their $10 credit was exhausted, since it didn’t cost them a dime.
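The pattern described above (signup, server launch, system user, root, SSH, all within minutes, and never an application) is simple enough to score from an event log. The following is an added example, not ServerAvatar’s monitoring code: it assumes a flat log of “timestamp account event” rows, and the event names, weights and thresholds are assumptions; the sample log is constructed.

```python
"""Flag accounts that walk the scripted 'free compute' journey.

Added example, not ServerAvatar's monitoring code. It assumes a flat
event log of "timestamp account event" rows; the event names, weights
and thresholds are assumptions, and the sample log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: acct_a behaves like a real user (launches a server,
# then creates and deploys an app); acct_b follows the scripted routine
# from the post (signup -> server -> system user -> root -> SSH) in two
# minutes and then pins the CPU without ever touching an application.
SAMPLE_LOG = """\
2024-06-01T10:00:00 acct_a signup
2024-06-01T10:02:10 acct_a server.launch
2024-06-01T10:15:42 acct_a app.create
2024-06-01T10:31:00 acct_a app.deploy
2024-06-01T10:00:05 acct_b signup
2024-06-01T10:00:49 acct_b server.launch
2024-06-01T10:01:30 acct_b sysuser.create
2024-06-01T10:01:41 acct_b sysuser.enable_root
2024-06-01T10:02:03 acct_b ssh.login
2024-06-01T10:03:00 acct_b cpu.sustained_high
"""

# The abuse signature, in order. Steps may be interleaved with other events.
ABUSE_STEPS = ["signup", "server.launch", "sysuser.create",
               "sysuser.enable_root", "ssh.login"]
# Events that show interest in the hosting product itself.
PRODUCT_INTENT = {"app.create", "app.deploy"}
# Walking the whole signature faster than this is hard to do by hand.
FAST_PATH = timedelta(minutes=10)


def parse_log(text):
    """Group events per account in timestamp order."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, acct, event = line.split()
            per_account[acct].append((datetime.fromisoformat(ts), event))
    for events in per_account.values():
        events.sort()
    return per_account


def matches_abuse_journey(events):
    """Return (True, elapsed) if every ABUSE_STEP occurs in order, else (False, None)."""
    step, first, last = 0, None, None
    for ts, event in events:
        if step < len(ABUSE_STEPS) and event == ABUSE_STEPS[step]:
            first = ts if first is None else first
            last = ts
            step += 1
    if step == len(ABUSE_STEPS):
        return True, last - first
    return False, None


def score_account(events):
    """Risk score (higher is worse) plus the reasons that contributed to it."""
    score, reasons = 0, []
    seen = {event for _, event in events}
    matched, elapsed = matches_abuse_journey(events)
    if matched:
        score += 50
        reasons.append("walked signup->server->user->root->ssh in order")
        if elapsed <= FAST_PATH:
            score += 30
            reasons.append(f"finished the whole routine in {int(elapsed.total_seconds())}s")
    if seen.isdisjoint(PRODUCT_INTENT):
        score += 10
        reasons.append("never created or deployed an application")
    if "cpu.sustained_high" in seen:
        score += 10
        reasons.append("sustained high CPU shortly after launch")
    return score, reasons


def flag_accounts(text, threshold=70):
    """Accounts whose score reaches the threshold, mapped to (score, reasons)."""
    flagged = {}
    for acct, events in parse_log(text).items():
        score, reasons = score_account(events)
        if score >= threshold:
            flagged[acct] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for acct, (score, reasons) in flag_accounts(SAMPLE_LOG).items():
        print(f"{acct}: {score} -> {'; '.join(reasons)}")
```

The ordered-step match is what separates this from a plain keyword search: a real user who enables root days later, after deploying an app, does not collect the journey points, while the time-to-complete bonus catches the scripted accounts that finish the whole routine in under ten minutes.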
We started manually deleting these servers.
But no matter how fast we worked, new accounts kept coming β often with fresh email addresses and devices.
It became a round-the-clock game of fraudster whack-a-mole.
The Battle Plan: How We Fought Back
We didn’t want to kill our free credits entirely. They let new users try the platform risk-free, and we wanted to keep offering the $10 credits.
We just wanted to protect them from being hijacked.
So, we began a phased war on abuse – and each step made us smarter.
Step 1: Lock the Credits Behind a Form
We stopped automatic credits.
Instead, users had to fill out a verification form with:
- Multiple-choice questions about their current hosting provider and requirements
- Questions on how they plan to use ServerAvatar
- Hosting goals and usage intentions
Genuine users? No problem. Their answers helped us understand their requirements, and they got their trial credits.
Abusers? They filled the form with keyboard gibberish and submitted it within seconds.
It slowed them down, but didn’t stop them.
Step 2: Add a LinkedIn Speed Bump
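The two tells in the previous paragraph, gibberish answers and a submit a few seconds after the form opened, can be checked server-side before a human ever reads the form. This is an added example, not ServerAvatar’s form code; the field names, thresholds and the two sample submissions are constructed assumptions.

```python
"""Screen credit-request forms for bot-speed submits and keyboard mashing.

Added example, not ServerAvatar's form code. Field names, thresholds and
the two sample submissions are constructed assumptions.
"""
import re

MIN_SECONDS_TO_SUBMIT = 20   # reading three questions and typing answers takes longer
MIN_VOWEL_RATIO = 0.25       # English prose sits around 0.35-0.40 vowels per letter
MAX_CONSONANT_RUN = 5        # "dfgkjh" style mashing produces long vowel-free runs
MIN_DISTINCT_WORDS = 3       # a real answer has at least a few different words
FREE_TEXT_FIELDS = ("usage_plan", "hosting_goals")
VOWELS = set("aeiou")


def text_features(answer):
    """Cheap lexical features of one free-text answer."""
    letters = [c for c in answer.lower() if c.isalpha()]
    if not letters:
        return {"vowel_ratio": 0.0, "longest_consonant_run": 0, "distinct_words": 0}
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    words = set(re.findall(r"[a-z]{2,}", answer.lower()))
    return {"vowel_ratio": sum(c in VOWELS for c in letters) / len(letters),
            "longest_consonant_run": longest,
            "distinct_words": len(words)}


def looks_like_gibberish(answer):
    """True for empty answers, vowel-free mashing, or a single word repeated."""
    f = text_features(answer)
    return (f["vowel_ratio"] < MIN_VOWEL_RATIO
            or f["longest_consonant_run"] > MAX_CONSONANT_RUN
            or f["distinct_words"] < MIN_DISTINCT_WORDS)


def screen_submission(sub):
    """Return ("approve", []) or ("review", reasons) for one form submission."""
    reasons = []
    elapsed = sub["submitted_at"] - sub["opened_at"]
    if elapsed < MIN_SECONDS_TO_SUBMIT:
        reasons.append(f"submitted {elapsed:.0f}s after opening the form")
    for field in FREE_TEXT_FIELDS:
        if looks_like_gibberish(sub.get(field, "")):
            reasons.append(f"{field} looks like keyboard gibberish")
    return ("review" if reasons else "approve", reasons)


# Constructed submissions; times are seconds since the form was opened.
GENUINE = {"opened_at": 0, "submitted_at": 95,
           "usage_plan": "We run two Laravel apps on a VPS today and want managed updates and backups.",
           "hosting_goals": "Move off a shared host and keep uptime high."}
ABUSER = {"opened_at": 0, "submitted_at": 4,
          "usage_plan": "dfgkjhdfgkjh",
          "hosting_goals": "asdf asdf asdf"}

if __name__ == "__main__":
    for name, sub in (("genuine", GENUINE), ("abuser", ABUSER)):
        print(name, screen_submission(sub))
```

The lexical checks are deliberately crude and tuned for English answers; they are a cheap first filter that routes a submission to manual review rather than a verdict on their own, which matches how the form only slowed the abusers down.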
Next, we introduced a required LinkedIn profile field in the form.
Our logic: real people = real LinkedIn presence.
Their logic: Google any public profile and paste it in.
Suddenly, our form submissions included:
- Random developers
- College students
- Founders who’d never heard of ServerAvatar
It was like a stolen tech conference attendee list. Still, it wasn’t enough.
Step 3: Bring in the Big Guns
We realized this wasn’t just a handful of freeloaders.
It was an organized abuse operation.
So, we turned to a specialized third-party service that offered:
- New account fraud detection
- Trial abuse prevention
And wow – we weren’t alone. Apparently, this is a global SaaS problem, and entire detection companies exist just to fight it.
Step 4: Activate the Detection
First, we implemented the service’s device-information detection across our whole application to see how much infestation was already there.
Once integrated, the service flagged:
- VM/RDP usage
- Browser tampering and fingerprint spoofing
- Bot automation
- Device emulation
- Scripted behaviors
And then we saw the big picture.
VPN use? Totally fine – developers love privacy. Our customers can use a VPN, and we cannot block it.
But our real users don’t:
- Access via spoofed VMs
- Use tampered browsers
- Submit the form with automation tools
So we trained our detection logic to look at intent, not just tools.
Step 5: Real-Time Banhammer
Today, every new registration is screened using 10+ behavioral and technical signals, including:
- Device fingerprint
- Connection origin
- Environment integrity
- Bot behavior
- Journey flow inside the panel
If anything looks shady, they’re automatically banned before reaching a server.
What used to take hours of manual detective work now takes milliseconds.
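Steps 4 and 5 together describe a rule set that weighs several signals and treats VPN use as neutral. The block below is an added example; it is neither ServerAvatar’s code nor the third-party service’s API. The signal names are assumptions modelled on the post’s list (VM/RDP, browser tampering, fingerprint spoofing, automation, device emulation, journey flow), the weights are illustrative, and the three sample registrations are constructed.

```python
"""Turn device and journey signals into an allow/review/ban decision.

Added example; neither ServerAvatar's code nor the detection service's
API. Signal names are assumptions modelled on the post's list and the
weights are illustrative; the sample registrations are constructed.
"""

# (rule name, predicate over the signal dict, weight). VPN use is
# deliberately absent from the rules: it is never a reason on its own.
RULES = [
    ("vm_or_rdp",           lambda s: s.get("vm_or_rdp", False), 25),
    ("browser_tampered",    lambda s: s.get("browser_tampered", False), 30),
    ("fingerprint_spoofed", lambda s: s.get("fingerprint_spoofed", False), 30),
    ("device_emulated",     lambda s: s.get("device_emulated", False), 25),
    ("automation_detected", lambda s: s.get("automation_detected", False), 40),
    ("form_filled_by_bot",  lambda s: s.get("form_fill_seconds", 999) < 5, 20),
    # Journey flow: enabling root on a fresh managed server without ever
    # creating an application is the signature seen earlier in the post.
    ("root_without_app",    lambda s: bool(s.get("enabled_root", False)
                                           and not s.get("created_app", False)), 30),
    # The same device fingerprint already sits behind several accounts.
    ("fingerprint_reused",  lambda s: s.get("accounts_on_fingerprint", 1) >= 3, 35),
]
REVIEW_THRESHOLD = 30
BAN_THRESHOLD = 60


def assess(signals):
    """Return (decision, score, matched rule names) for one registration."""
    score, hits = 0, []
    for name, predicate, weight in RULES:
        if predicate(signals):
            score += weight
            hits.append(name)
    if score >= BAN_THRESHOLD:
        decision = "ban"
    elif score >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        decision = "allow"
    return decision, score, hits


# Constructed signal sets for three registrations.
PRIVACY_DEV = {"vpn": True, "created_app": True, "form_fill_seconds": 80}
RDP_ADMIN = {"vpn": True, "vm_or_rdp": True, "form_fill_seconds": 60}
SCRIPTED_BOT = {"vpn": True, "vm_or_rdp": True, "browser_tampered": True,
                "automation_detected": True, "form_fill_seconds": 2,
                "enabled_root": True, "accounts_on_fingerprint": 7}

if __name__ == "__main__":
    for label, s in (("privacy dev", PRIVACY_DEV),
                     ("rdp admin", RDP_ADMIN),
                     ("scripted bot", SCRIPTED_BOT)):
        print(label, assess(s))
```

A single weak signal such as a VM or RDP session stays below the review threshold, so the developer working from a jump host is not punished; it is the combination of tampering, automation and the straight-to-root journey that pushes a registration into an automatic ban.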
Step 6: No More Root Access (For Managed Servers)
And finally – the most effective change we made:
We disabled root access on Managed Servers.
Here’s why:
- On self-managed servers, users already have root – no issue.
- But on managed servers, there’s no valid reason for any user, real or fake, to need root access. Every hosting-related option is available in the control panel, which is capable enough to let users complete their goals without root.
Disabling root cut off the abuse pipeline at its source:
- No root = No instant server control
- No root = No VPN install scripts can be executed
- No root = No backdoor to hijack compute power
It also made our managed servers safer by default, which helps everyone – real as well as fake users (lol).
The Bright Side: A Better, Smarter Platform
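“No root” only holds if nothing on the box quietly hands it back: an sshd_config with an early PermitRootLogin yes, a sudoers rule left for an app user, or a panel-created user sitting in the sudo group. The audit below is an added example, not ServerAvatar’s provisioning code. It works on the text of /etc/ssh/sshd_config, /etc/sudoers and /etc/group as you would read them from a server; the sample configs are constructed, and only global sshd settings are considered (everything after the first Match line is ignored, an assumption to keep the parser short).

```python
"""Audit a managed server for leftover root paths (SSH and sudo).

Added example, not ServerAvatar's provisioning code. Works on the text of
/etc/ssh/sshd_config, /etc/sudoers and /etc/group; the configs below are
constructed. Only global sshd settings are considered: everything after
the first 'Match' line is ignored (an assumption to keep the parser short).
"""
import re

SUDO_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sshd_config(text):
    """Global sshd settings. sshd keeps the FIRST value it sees for a keyword,
    so a hardening line appended at the bottom does not override an earlier one."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip()
    return values


def sudo_grants(text):
    """Users and %groups that receive any rule in a sudoers file."""
    grants = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SUDO_SKIP):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=", line)
        if m:
            grants.add(m.group(1))
    return grants


def parse_groups(text):
    """name -> set of supplementary members, from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, _, members = line.strip().split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def audit_root_paths(sshd_text, sudoers_text, group_text, panel_users):
    """Return findings; an empty list means no root path exists for panel users."""
    findings = []
    cfg = parse_sshd_config(sshd_text)
    prl = cfg.get("permitrootlogin", "prohibit-password")  # sshd's default value
    if prl != "no":
        findings.append(f"PermitRootLogin is '{prl}', expected 'no'")
    if cfg.get("passwordauthentication", "yes") != "no":   # default is yes
        findings.append("PasswordAuthentication is not 'no'")
    grants = sudo_grants(sudoers_text)
    groups = parse_groups(group_text)
    for user in panel_users:
        if user in grants:
            findings.append(f"{user} has a direct sudoers rule")
        for grp, members in groups.items():
            if user in members and "%" + grp in grants:
                findings.append(f"{user} inherits sudo through group {grp}")
    return findings


# Constructed 'before' configs: the hardening line was appended after an
# earlier PermitRootLogin yes, and two panel-created users can escalate.
LEAKY_SSHD = """\
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no   # appended later; ignored by sshd because the first value wins
Match User deploy
    PermitRootLogin no
"""
LEAKY_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
appuser ALL=(ALL) NOPASSWD: ALL
"""
LEAKY_GROUPS = "root:x:0:\nsudo:x:27:deploy\nwww-data:x:33:\n"

# Constructed 'after' configs for the same server.
HARDENED_SSHD = "PermitRootLogin no\nPasswordAuthentication no\n"
HARDENED_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n"
HARDENED_GROUPS = "root:x:0:\nsudo:x:27:\nwww-data:x:33:\n"
PANEL_USERS = ["appuser", "deploy", "webuser"]

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_SSHD, LEAKY_SUDOERS, LEAKY_GROUPS)),
                        ("hardened", (HARDENED_SSHD, HARDENED_SUDOERS, HARDENED_GROUPS))):
        print(label, audit_root_paths(*args, PANEL_USERS) or ["no root path found"])
```

The sshd parser mirrors a real sshd quirk worth remembering: the first value for a keyword wins, so appending PermitRootLogin no at the end of a file that already says yes changes nothing. Run a check like this after provisioning, and again whenever a support ticket asks for root, so the answer can be verified rather than assumed.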
Out of all the chaos, we emerged stronger.
- Our onboarding is tighter
- Our infrastructure is more secure
- We now understand how global-scale abuse works
- And we’ve built the tools to fight it
We also gained more respect for our real users – the ones who answered the form honestly, submitted their real profiles, and stuck around.
This experience taught us how to build not just a better product, but a more resilient platform.
Final Thoughts: What $10 Taught Us
We gave away $10 in free credits so people could try ServerAvatar.
What we didn’t expect was to become an accidental host for an underground VPN network and abuse scripts.
We learned.
We fought back.
We built tools.
And we made ServerAvatar better – for the real people who matter.
If you’re building a SaaS product and planning to offer free credits, we highly recommend it.
Just don’t skip the fraud detection part.
Because on the internet, there’s always someone ready to turn your generosity into their business model.
The Aftermath: Fake Users Still Try
When we decided to implement the fraud detection systems, we knew they would not be 100% accurate, so some abusers would still pass through the process.
However, with no root access option, these users try various methods to somehow gain root on the server, but it is no longer possible.
We are able to detect ~80% of those users and auto-ban them. The remaining 20% try on a daily basis to get back what they had in the good times: they still create support tickets and ask the support team for root access. When they don’t get it, they go away, and we remove the servers within 72 hours. Those 72 hours we now write off as user acquisition cost.
Want to try ServerAvatar’s managed hosting? We still offer credits to genuine users – just with much better fraud protection now. Get started now with free $10 server credits!