Rewards Fraud is the scoring and review layer for monetized download activity.

• records session and event signals
• scores suspicious patterns
• holds or flags earnings
• supports review and later clearance
• keeps referral child earnings aligned with the parent earning lifecycle
• can use stored proxy and network intelligence without necessarily hard-blocking the original visitor

Top-level metrics currently include:

• Held Earnings
• Flagged Earnings
• Cleared Today
• Reversed Today
• High-Risk Uploaders
• Review Queue

Main operating areas include:

• Intelligence Health
• Protection Settings
• Review Queue
• Uploader Risk Scores
• Network Insights

• repeated network patterns
• suspicious downloader behavior
• high-risk held earnings
• sessions that do not match expected completion behavior

This page is where you edit fraud scoring behavior directly.

Common controls include:

• master enablement
• verified completion requirement
• auto-clear low-risk earnings
• Cloudflare intelligence usage
• proxy intelligence usage
• hash and browser-fingerprint style clustering signals
• ASN and network classification
• downloader verification and linked-account rules
• hold period and threshold tuning

Important interaction with Security:

• Enforcement mode blocks suspicious VPN/proxy traffic at access time
• Intelligence mode stores proxy intelligence for fraud scoring without blocking by itself

That distinction matters because Rewards Fraud can now benefit from stronger proxy and VPN signals even when you do not want to hard-block the user.

When rewards are enabled, cron should run:

• fraud_scores
• fraud_clearance
• fraud_cleanup

If those tasks stay at Never, check the live cron path and make sure the deployed src/Cron/Run.php is the current one.

The Review Queue is where you make manual decisions on held or flagged earnings.

Actions:

• Clear: approve the earning so it can move forward normally
• Keep Held: leave it in manual review while you gather more evidence
• Reverse: reject the earning and record the fraud decision

Use the review note when the case may need later explanation during withdrawal review or support follow-up.

Recent releases tightened the relationship between:

• the parent earning for the uploader
• any child referral earning created from that parent

In practice, that means:

• if the parent earning is held, the referral earning should also be held
• if the parent clears, the referral child should clear with it
• if the parent is cancelled or reversed, the referral child should also be cancelled or reversed

If a pentest or support report shows those states drifting apart, treat it as a payout-integrity issue, not just a reporting bug.

Current fraud scoring can use intelligence stored on:

• the download session when that flow exists
• the reward receipt itself when the earning path does not have a normal session-backed flow

That matters for faster or more direct reward paths, because fraud scoring should not lose proxy intelligence just because the earning came through a different internal route.

• do not treat fraud signals as only a one-time setup
• review holds and patterns regularly
• combine fraud review with withdrawals review for suspicious accounts
• check Intelligence Health before trusting country or ASN signals
• use ProxyCheck Intelligence mode when you want stronger scoring signals without hard-blocking visitors
• test one real PPD reward and one real PPS reward after changing monetization logic so you can confirm that fraud hold and release behavior still matches expectations

Fraud review depends heavily on:

• Config Hub > Security > Identity & VPN for ProxyCheck mode
• Config Hub > Security > Cloudflare for real visitor IP restoration
• Config Hub > Cron for fraud scoring, cleanup, and clearance jobs