How DataDome Protected a Global Fintech Platform From a Week-Long Credential Stuffing Attack

6.2 million malicious login attempts blocked

4.4 million unique IPs involved

Zero customer impact, no account compromise, no performance degradation

Account Takeover Bot management

Between May 14–21, 2025, a major fintech platform was targeted by a persistent and globally distributed credential stuffing attack. Over the course of one week, attackers launched more than 7.4 million bot-driven login attempts using 4.4 million unique IPs, an effort designed to blend in with legitimate traffic and evade basic defenses.

But the attack didn’t succeed. Thanks to DataDome’s multi-layered detection and real-time mitigation, more than 6.2 million malicious login attempts were blocked without disruption to users or systems.

Key metrics of the credential stuffing attack

7 5 9 0 2

, 1 5 2 5

4 2 5 9 4

6 6 4 4 5

3 4 5 6 6

, 9 6 9 5

2 5 1 9 5

6 7 1 3 8

8 2 3 7 1

total bot requests

6 3 7 9 3

, 7 8 5 8

2 1 3 3 4

9 9 4 6 5

2 4 0 1 0

, 2 8 5 4

4 6 0 0 3

7 8 0 3 2

4 1 9 4 5

malicious login attempts blocked

4 3 0 1 7

, 9 3 0 6

4 6 6 6 1

5 4 8 2 4

3 3 9 3 6

, 8 1 0 2

4 1 8 3 2

9 4 0 5 3

7 2 7 7 5

unique IPs involved

7 3 7 3 4

3 7 8 7

d 3 3 0 5

a 4 6 2 4

y 9 4 5 3

s 6 2 1 4

attack duration

Overview of the attack

The credential stuffing campaign began with relatively low-volume probing activity, but quickly escalated on May 17, reaching a peak of 350,000 requests per 3-hour window. After DataDome’s mitigation was deployed, blocking rates spiked and remained consistently high, effectively neutralizing the attack even as it persisted.

credential stuffing

Figure 1: Malicious login attempts per 3-hour window

The attackers relied on a static, outdated Edge browser user-agent, repeated header signatures, and an unusually large pool of rotating IPs—common tactics used to mimic human traffic while testing stolen credentials at scale.

Distribution of the attack

Top countries of origin:

Brazil (BR): 1.9M requests
United States (US): 1.6M
United Kingdom (GB), India (IN), Mexico (MX) followed
Attack traffic spanned over 10 countries

Figure 2: Geographic distribution of request origin

Top ASNs used (proxy-heavy sources):

COMCAST, Claro, Telefonica, AT&T, T-Mobile
Widespread use of residential proxies and mobile IP ranges

Figure 3: Top ASNs involved in attack traffic

How was the attack detected & blocked?

Despite the attacker’s attempt to mimic human traffic patterns, the bots exhibited clear behavioral and fingerprint-based anomalies:

No DataDome cookie present: Each session made just one login attempt, an atypical pattern for real users.
Static and outdated user-agent string: Unusual for login pages, indicating automation.
Inconsistent header behavior: Including a unique accept-language (en) and abnormal cache-control: max-age=0 usage.
Proxy detection: DataDome’s AI models correlated proxy origins with behavioral signals.
Fingerprint correlation: The attack generated a unique hash signature based on header and user-agent combinations, aiding fast identification.
Behavioral clustering: Repetitive behavior from certain IPs triggered additional protections via adaptive rate limiting.

Mitigation was deployed, and 403 errors (blocked requests) quickly overtook 200 responses (authorized logins), stopping the attack without disrupting legitimate users.

Figure 4: Shift in blocked traffic after mitigation was deployed

Protect your login endpoints from ATO risk

Credential stuffing attacks are increasingly common against fintech and e-commerce platforms due to the high volume of stored value and data in these accounts, and the longer they go undetected, the greater the risk of account takeovers and downstream fraud.

DataDome stops these attacks at the edge, analyzing each login attempt in real time to distinguish between good intent and bad intent, no matter how distributed or evasive.

Want to see how it works? Schedule a demo.