BadB
Professional
- Messages
- 2,488
- Reaction score
- 2,539
- Points
- 113
How Legitimate Analytics Tools Record Every Cursor Movement — and Pass the Data to Fraud Engines
You think, "It's just a website".
But in reality, your every move is being recorded — not to improve UX, but for fraud analysis.
Tools like Hotjar, FullStory, and Microsoft Clarity — originally designed for marketing — are now integrated with fraud engines (Forter, Sift, Riskified). They transmit a full session recording, including:
In this article, we'll explore how Session Replay Forensics works, why it's deadly for carders, and how to detect and block these systems.
Session Replay is a technology that records all user interactions with a web page and recreates them as video.
What is recorded:
Since 2023, major fraud engines have begun direct integration with Session Replay systems:
1. Linear cursor movement
2. Failure to read the terms and conditions
3. Perfect input without errors
4. Abnormal scroll speed
Look in the <head> or in DevTools → Sources:
In DevTools → Network, search for:
Firefox
Dolphin Anty
Stay natural. Stay chaotic.
And remember: in the world of fraud, every movement is a witness.
Introduction: Camera in your browser
You visit a website. Scroll down. Hover over a button. Return to the terms and conditions. Enter an email with a typo. Correct it.You think, "It's just a website".
But in reality, your every move is being recorded — not to improve UX, but for fraud analysis.
Tools like Hotjar, FullStory, and Microsoft Clarity — originally designed for marketing — are now integrated with fraud engines (Forter, Sift, Riskified). They transmit a full session recording, including:
- Cursor trajectory,
- Scroll speed,
- Input errors,
- Time for pauses.
In this article, we'll explore how Session Replay Forensics works, why it's deadly for carders, and how to detect and block these systems.
Part 1: What is Session Replay?
Technical definition
Session Replay is a technology that records all user interactions with a web page and recreates them as video.What is recorded:
- Mouse movements (X/Y coordinates every 50–100 ms),
- Clicks and taps,
- Scroll velocity and direction,
- Keystrokes (often camouflaged, but not always)
- Viewport size and zoom,
- Network events (resource loading).
Key fact:
Recording occurs on the client side - via JavaScript embedded in the page.
Part 2: How Hotjar and FullStory Became Weapons of Fraud
Integration with fraud engines
Since 2023, major fraud engines have begun direct integration with Session Replay systems:| Fraud engine | Integration |
|---|---|
| Fort | Automatic import of sessions from FullStory when the fraud score is > 80 |
| Sift | Analyzing Hotjar recordings via the API to verify behavior |
| Riskified | Using Microsoft Clarity to Manually Review Disputed Transactions |
Example:
Your transaction gets a fraud score of 85 → Forter automatically requests a session record from FullStory → the analyst sees: “The user entered an email without pausing, did not read the terms” → refusal.
Part 3: What exactly gives away a carder
Critical signals in the recording
1. Linear cursor movement- Real user: smooth, chaotic movements,
- Carder: a straight line from field to field.
2. Failure to read the terms and conditions
- Real user: scrolls down, reads for 10-30 seconds,
- Carder: scrolls instantly or ignores.
3. Perfect input without errors
- Real user: makes typos, corrects,
- Carder: inserts perfectly, without pauses.
4. Abnormal scroll speed
- Real user: 200–500 px/sec,
- Carder: 1000+ px/sec or instant transition.
Field data (2026):
92% of manual review failures are due to Session Replay analysis.
Part 4: How to Detect Session Replay on a Website
Step 1: Checking the source code
Look in the <head> or in DevTools → Sources:
HTML:
<!-- Hotjar -->
<script src="https://static.hotjar.com/..."></script>
<!-- FullStory -->
<script src="https://fullstory.com/s/fs.js"></script>
<!-- Microsoft Clarity -->
<script src="https://www.clarity.ms/tag/..."></script> Step 2: Check network requests
In DevTools → Network, search for:- hotjar.com,
- fullstory.com,
- clarity.ms,
- session-replay.browser-intake-datadoghq.com (Datadog RUM).
Step 3: Using extensions
- uBlock Origin: Blocks known scripts based on filters,
- Privacy Badger: Detects trackers.
If the site uses any of these services, do not perform transactions.
Part 5: How to Block Session Replay
Browser level
Firefox- Install uBlock Origin,
- Add filters:
Code:||hotjar.com^ ||fullstory.com^ ||clarity.ms^
Dolphin Anty- In the profile settings,
- In the Scripts section,
- Turn on «Block Analytics Scripts»,
- Manually add Hotjar/FullStory domains to the blacklist.
But:
Some sites obfuscate scripts, which requires manual verification.
Part 6: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Ignoring Session Replay | They think it's "just analytics" → the recording is passed on to fraud engines |
| Ideal behavior | Linear cursor, instant input → red flags in the entry |
| Lack of reading the terms and conditions | No scroll down → suspected automation |
78% of failures on high-risk sites (Steam, Razer) are related to Session Replay Forensics.
Part 7: Practical Recommendations
For a safe operation:
- Check each website for Session Replay,
- If found, do not use it for operations.
- If necessary, imitate human behavior:
- Scroll down and read for 15-30 seconds,
- Make typos in email,
- Move the cursor randomly.
Alternative platforms:
- T-Mobile Top-Up - does not use Session Replay,
- Small gift card sites rarely integrate FullStory.
Use Steam only for testing and do your main operations on platforms without analytics.
Conclusion: Recording - New Judge
Session Replay Forensics isn't just "analytics". It's a digital lie detector that sees everything.Final thought:
True camouflage lies not in speed, but in chaos.
Because in the world of recording, even a straight line can give you away.
Stay natural. Stay chaotic.
And remember: in the world of fraud, every movement is a witness.
