As AI-driven fraud increasingly mimics legitimate user behavior, obvious fraud signals are becoming unreliable. A new report from Fingerprint looks at data from 23.4 billion identification events across 7.3 billion unique browsers and devices worldwide, to reveal how modern mobile users and web visitors behave at scale.
Browser tampering is a tried-and-true method that fraudsters use to modify or obscure device characteristics: spoofing identifiers, altering reported properties, and using anti-detect or heavily customized browser setups. Fingerprint’s report reveals that browser tampering has nearly doubled year-on-year, with 4.4 percent of desktop browser identifications in 2025 showing these techniques.
The study also shows that VPN use has entered the mainstream, usage has surged across both desktop and mobile devices. The increase in privacy-first technologies, from Apple’s Intelligent Tracking Prevention to Mozilla Firefox’s new privacy browser, continues to compound fraud detection challenges, dismantling traditional tools fraud teams once relied on. The report showcases that across all traffic, about one in five of all identification events involve VPN usage.
On desktop, Chromium-based browsers account for the highest concentration of VPN usage, with roughly a third of identification events showing VPN traffic. Meanwhile, mobile VPNs were detected in 13 percent of mobile identification events across browsers and apps.
“Our device intelligence report reveals fraudsters are combining traditional tactics with new AI-powered automation,” says Valentin Vasilyev, CTO and co-founder of Fingerprint. “Meanwhile, legitimate users increasingly use privacy tools like VPNs, making it harder to separate real visitors from malicious ones. These findings demonstrate the shift fraud teams need to make toward using multiple signals to evaluate intent as the web traffic landscape evolves.”
Desktop browsers are becoming the primary battleground for sophisticated fraud. The report team finds that in 2025, 12 percent of desktop browser traffic ran in virtual machines, six percent loaded with developer tools open, and four percent exhibited browser tampering (with the highest concentration on Chromium-based browsers).
Automation represents a concentrated threat on desktop. While it accounts for only 1.4 percent of Fingerprint’s filtered browser identification traffic, it reaches eight percent on desktop specifically. More critically, it’s overwhelmingly malicious, with 96 percent of detected automation on desktops associated with abuse.
Fou can read more and get the full report on the Fingerprint blog.
Image credit: ra2studio/depositphotos
