How DataDome Protected a Global Fintech Platform From a Week-Long Credential Stuffing Attack
Between May 14–21, 2025, a major fintech platform was targeted by a persistent and globally distributed credential stuffing attack. Over the course of one week, attackers launched more than 7.4 million bot-driven login attempts using 4.4 million unique IPs, an effort designed to blend in with legitimate traffic and evade basic defenses.
But the attack didn’t succeed. Thanks to DataDome’s multi-layered detection and real-time mitigation, more than 6.2 million malicious login attempts were blocked without disruption to users or systems.
Key metrics of the credential stuffing attack
6
9
9
7
7
2
5
3
9
,
3
1
3
8
4
4
5
5
2
6
8
4
3
9
3
2
6
2
8
,
9
1
3
1
2
7
3
8
2
6
9
0
4
4
8
3
1
6
4
6
2
3
7
7
,
8
8
5
2
2
9
4
0
5
9
8
3
6
5
2
3
7
9
7
,
6
8
3
5
4
7
5
1
4
7
8
7
8
1
4
9
5
2
7
4
5
8
6
0
,
7
7
6
5
4
6
7
0
6
5
6
7
0
4
3
1
5
3
4
,
6
1
7
1
4
9
3
5
3
9
3
7
4
4
7
4
0
8
7
7
4
4
3
4
5
7
4
6
d
3
8
1
4
a
3
5
3
8
y
9
1
7
2
s
Overview of the attack
The credential stuffing campaign began with relatively low-volume probing activity, but quickly escalated on May 17, reaching a peak of 350,000 requests per 3-hour window. After DataDome’s mitigation was deployed, blocking rates spiked and remained consistently high, effectively neutralizing the attack even as it persisted.
Figure 1: Malicious login attempts per 3-hour window
The attackers relied on a static, outdated Edge browser user-agent, repeated header signatures, and an unusually large pool of rotating IPs—common tactics used to mimic human traffic while testing stolen credentials at scale.
Distribution of the attack
Top countries of origin:
- Brazil (BR): 1.9M requests
- United States (US): 1.6M
- United Kingdom (GB), India (IN), Mexico (MX) followed
- Attack traffic spanned over 10 countries
Figure 2: Geographic distribution of request origin
Top ASNs used (proxy-heavy sources):
- COMCAST, Claro, Telefonica, AT&T, T-Mobile
- Widespread use of residential proxies and mobile IP ranges
Figure 3: Top ASNs involved in attack traffic
How was the attack detected & blocked?
Despite the attacker’s attempt to mimic human traffic patterns, the bots exhibited clear behavioral and fingerprint-based anomalies:
- No DataDome cookie present: Each session made just one login attempt, an atypical pattern for real users.
- Static and outdated user-agent string: Unusual for login pages, indicating automation.
- Inconsistent header behavior: Including a unique accept-language (en) and abnormal cache-control: max-age=0 usage.
- Proxy detection: DataDome’s AI models correlated proxy origins with behavioral signals.
- Fingerprint correlation: The attack generated a unique hash signature based on header and user-agent combinations, aiding fast identification.
- Behavioral clustering: Repetitive behavior from certain IPs triggered additional protections via adaptive rate limiting.
Mitigation was deployed, and 403 errors (blocked requests) quickly overtook 200 responses (authorized logins), stopping the attack without disrupting legitimate users.
Figure 4: Shift in blocked traffic after mitigation was deployed
Protect your login endpoints from ATO risk
Credential stuffing attacks are increasingly common against fintech and e-commerce platforms due to the high volume of stored value and data in these accounts, and the longer they go undetected, the greater the risk of account takeovers and downstream fraud.
DataDome stops these attacks at the edge, analyzing each login attempt in real time to distinguish between good intent and bad intent, no matter how distributed or evasive.
Want to see how it works? Schedule a demo.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Florent Pajot. Read the original post at: https://datadome.co/threat-research/credential-stuffing-fintech-login-attack/
