If your site pays for signups, referrals, or first actions, one person with a VPN and a free email service can drain your budget in a weekend. We install the same 4-layer defense we built for our own AskOracle platform. From $99.
See Pricing →Referral programs look like free growth—until they aren't.
Each layer catches a different fraud pattern. Together, they make every fake account cost more than it earns.
data-appearance="interaction-only" for zero friction for humans and a hard wall for automation. Server-side verification via challenges.cloudflare.com/turnstile/v0/siteverify.
paid + credit wallet; high score → rejected + alert to moderator. Daily passive rewards only continue while the invited friend stays active (last_seen < 2 days).
/admin/queue shows pending activations with fraud flags and scores. Includes approve/reject buttons. The blacklist covers 6 identifiers: tg_username, tg_id, email, email_domain, IP, and device fingerprint. Every rejection triggers an instant Telegram alert to you with full context.
Each detects a specific fraud pattern. Scores stack—5+ points trigger an automatic block.
We eat our own dog food. AskOracle.site runs a 5-level referral pyramid paying up to $9.70 per friend (5💎 × $0.10 × 19.4 pyramid depth). Without this defense, the economy would last days. With it, we've been live since April 2024 with near-zero fraud leakage.
fraud_check.py, referral_unlock.py, passive_payout.py, admin_routes.py*/30 unlock + daily 00:05 passiveOne-time setup fees. You own the source code—no lock-in, no per-user pricing, no royalties.
/admin/queue UIWe review your reject queue weekly, tune thresholds, and extend the blacklist. Includes a monthly report of caught fraud + dollars saved.
You can, but it's not enough on its own. reCAPTCHA (and Turnstile) stops bot scripts. It does nothing about a human farmer who opens 20 browser tabs and registers manually. Layers 2-4—IP/device/timing checks, holds, and a moderator queue—are what catch that.
Our reference implementation is Python + Flask + PostgreSQL (what we use for AskOracle). We can port the logic to Node/Express, PHP/Laravel, and Ruby/Rails. The frontend is framework-agnostic—the Turnstile widget works with React, Vue, plain HTML, or anything else.
Yes, it's a parameter. Short-term programs (like flash campaigns) might use a 3-7 day hold. Long-term loyalty programs can use 30-60 days. The logic is the same; only the threshold changes.
For WordPress, yes. We can ship a plugin that wires Turnstile into WooCommerce, UserPro, or other affiliate plugins. For Shopify, it's limited. You can use Turnstile on custom checkout extensions, but referral programs are usually locked into their respective apps. We assess on a case-by-case basis.
Yes. If users authenticate via the Telegram Login Widget (like AskOracle does) or Discord OAuth, we gate the action on the backend. For fully bot-based flows, we add rate limiting and behavioral signals instead of Turnstile.
Turnstile Only: 1-2 business days. Signup Shield: 4-6 days. Referral Full: 8-12 days. Enterprise: 3-6 weeks, depending on scope.
Yes—that's how we deliver it. The entire stack can run on a single $5-20/mo VPS (Hetzner, DigitalOcean, Linode, etc.). There is no SaaS dependency and no per-user pricing. The source code and deployment scripts are yours to keep.