Risk Tools

The investigation desk for prop firm ops.

Catch multi-account abuse, hedging across accounts, copy trading rings, news exploits, HFT patterns. Investigate flagged accounts, review evidence, take action with a full audit trail. The tools your ops team needs to actually run a prop firm.

An investigation desk, not a CSV export.

Live alert feed. Full account context one click away. Take action without bouncing between five different tools or six different spreadsheets.

propforge_admin / risk / investigations (12 open)

Active alerts (12 new)
HIGH, 2m ago: Multi-account: 4 accts, same KYC (james_k → 4 accounts)
HIGH, 8m ago: Hedging: opposite trades, EURUSD (2 accts, 0.7s apart)
MED, 14m ago: News abuse: NFP entry +3min (3 accounts flagged)
MED, 22m ago: Copy trading: 5 accts, 94% match (last 7 days)
LOW, 31m ago: HFT pattern detected (avg 0.4s holding)

[email protected], ACC #28492 + 3 linked
Risk score: 87 / 100
Same KYC docs: 4 accounts
Same IP / device: all 4 accts
Hedge pairs: EURUSD opposite
Trade timing: 0.7s separation

7 detection patterns
24/7, always running
1-click from alert to action
100% audit trail coverage

The Problem

Investigating abuse with spreadsheets and gut feel.

Most prop firm ops teams have no purpose-built investigation tooling. They export trade data to CSV, paste IP logs into a separate sheet, manually cross-reference KYC docs. Hours per case. Cases get missed.

investigation_q3.xlsx, manual abuse review (~ 4 hours per case)

#  Account     IP last login  KYC ref    Suspect?  Notes
1  acct_28492  81.196.x.x     RO_82731   SAME?     need to cross-check...
2  acct_31044  81.196.x.x     RO_82731   SAME?     looks same...
3  acct_31562  81.196.x.x     RO_82731   YES?      but trades different?
4  acct_32891  ??? VPN?       ??? blank  UNCLEAR   missing data

2 days into investigation. Still cross-referencing. Trader paid out yesterday before review finished.

Hours per case

Each suspected case requires data from 3-5 systems: trading platform exports, KYC vendor logs, IP logs, internal CRM. Manual cross-referencing burns the entire ops team's day.

Cases slip through

When investigation takes 2-3 days, traders complete payouts before reviews finish. The money is gone. Manual review can't keep up with abuse patterns evolving weekly.

No audit trail

When investigation lives in spreadsheets and Slack DMs, you can't reconstruct what your ops team decided and why. Compliance asks questions you can't answer.

Detection Suite

Seven abuse patterns. All running 24/7.

PropForge constantly scans every account, every trade, every login for known abuse patterns. Alerts fire instantly when thresholds hit. Your ops team reviews, decides, acts.

01 Multi-account detection

Same trader running 5 accounts under different names to multiply payouts or skip drawdown limits. Detected via behavioral fingerprinting across accounts.

Signal: behavioral pattern overlap

02 KYC duplication

Same passport, ID, or utility bill submitted across multiple signups under different email addresses. Caught at KYC ingest, before account creation.

Signal: identical KYC document hash

03 IP & device fingerprint

Multiple accounts logging in from the same IP, same browser fingerprint, or same hardware ID. Detects shared accounts even when traders try to mask via VPN.

Signal: device fingerprint match

04 Hedge across accounts

Two opposite trades on the same instrument, opened seconds apart from different accounts. A classic exploit: one account passes, one breaches, and the payout is collected on the winner.

Signal: opposite trades, same symbol

05 Copy trading rings

Multiple accounts placing identical trades within seconds of each other. Detected via trade timing correlation and entry/exit pattern matching across accounts.

Signal: 90%+ trade match score

06 News trading abuse

Position opened seconds before high-impact news (NFP, FOMC, CPI). Cross-references trade timestamps with economic calendar events to flag suspicious entries.

Signal: entry within X min of event

07 HFT pattern detection

High-frequency trading patterns inconsistent with retail trader behavior. Sub-second holding times, hundreds of trades per session, latency-sensitive execution.

Signal: avg hold time, trade volume
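
Patterns 02 and 03 both reduce to grouping accounts by a shared identity value. The sketch below is an added example, not PropForge's code: it clusters accounts with union-find and only merges a pair when the combined weight of their shared signals reaches a threshold, so a shared IP alone does not link two accounts. The weights, threshold and the acct_5000x records are assumptions; the other values come from the case panel on this page.

```python
from collections import defaultdict

# Constructed sample. The first four records reuse the values shown in the
# case panel on this page; acct_50001 / acct_50002 are invented.
ACCOUNTS = {
    "acct_28492": {"ip": "81.196.142.x", "device": "fp_a8c2e9d1", "kyc": "RO_ID_82731"},
    "acct_31044": {"ip": "81.196.142.x", "device": "fp_a8c2e9d1", "kyc": "RO_ID_82731"},
    "acct_31562": {"ip": "81.196.142.x", "device": "fp_a8c2e9d1", "kyc": "RO_ID_82731"},
    "acct_32891": {"ip": "81.196.142.x", "device": "fp_a8c2e9d1", "kyc": None},  # KYC pending
    "acct_50001": {"ip": "203.0.113.7", "device": "fp_sample_1", "kyc": "KYC_SAMPLE_1"},
    "acct_50002": {"ip": "203.0.113.7", "device": "fp_sample_2", "kyc": "KYC_SAMPLE_2"},
}
WEIGHTS = {"kyc": 3, "device": 2, "ip": 1}  # assumed weights, not PropForge's


def link_accounts(accounts, min_weight=2):
    """Cluster accounts whose shared signals reach min_weight (union-find)."""
    parent = {a: a for a in accounts}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    # Invert the records: (signal, value) -> accounts presenting that value.
    index = defaultdict(list)
    for acct, signals in accounts.items():
        for name, value in signals.items():
            if value is not None:          # a missing value never links anyone
                index[(name, value)].append(acct)

    # Collect which signals each pair of accounts has in common.
    shared = defaultdict(set)
    for (name, _), members in index.items():
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                shared[(a, b)].add(name)

    # Merge only pairs with enough combined evidence.
    for (a, b), names in shared.items():
        if sum(WEIGHTS[n] for n in names) >= min_weight:
            parent[find(a)] = find(b)

    clusters = defaultdict(list)
    for a in accounts:
        clusters[find(a)].append(a)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)
```

With the default threshold the two accounts that share only an IP stay unlinked, while acct_32891 joins the cluster on IP plus device even though its KYC is missing.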
Investigation Panel

All the evidence in one screen.

Click any flagged account, get the full picture. Linked accounts, IP/device history, KYC docs, trade samples that triggered the alert. All cross-referenced, all time-stamped.

propforge_admin / risk / case_28492 (flagged HIGH)

Linked accounts (4)
acct_28492: Phase 2 / funded (primary)
acct_31044: Phase 1 / passed (linked)
acct_31562: Phase 1 / failed (linked)
acct_32891: New / waiting KYC (linked)

Identity signals
IP address: 81.196.142.x, 4 / 4 match
Device fingerprint: fp_a8c2e9d1, 4 / 4 match
KYC document: RO_ID_82731, 3 / 4 match
Browser timezone: Europe/Bucharest, 4 / 4 match

Trade evidence
14:23:18.412 UTC: BUY EURUSD 2.5 lots, acct_28492 (hedge pair detected)
14:23:19.101 UTC: SELL EURUSD 2.5 lots, acct_31044 (hedge pair detected)
0.7s separation. Identical position size, opposite direction. Suspicious.

Risk score: 87 / 100. 4 accounts share IP, device fingerprint, and 3 of 4 share KYC documents. Hedge pair on EURUSD with 0.7s separation across accounts. Recommended action: suspend all 4 pending review.
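
The hedge pair in the trade evidence above can be found with a sliding time window per symbol. This is an added example, not PropForge's code: the Trade record, the 2-second window and the lot-size tolerance are assumptions, and the sample trades are constructed around the two rows shown in the panel.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Trade:
    ts: datetime
    account: str
    side: str      # "BUY" or "SELL"
    symbol: str
    lots: float


def t(clock, account, side, symbol, lots):
    # Sample helper: every constructed trade shares one arbitrary date.
    return Trade(datetime.fromisoformat(f"2024-01-05T{clock}"), account, side, symbol, lots)


# Constructed sample. The first two rows mirror the panel's trade evidence.
TRADES = [
    t("14:23:18.412", "acct_28492", "BUY", "EURUSD", 2.5),
    t("14:23:19.101", "acct_31044", "SELL", "EURUSD", 2.5),
    t("14:23:19.300", "acct_28492", "SELL", "GBPUSD", 1.0),  # same account both sides
    t("14:23:19.900", "acct_28492", "BUY", "GBPUSD", 1.0),
    t("14:25:02.000", "acct_40001", "SELL", "EURUSD", 2.5),  # far outside the window
    t("14:25:02.500", "acct_40002", "BUY", "EURUSD", 0.1),   # close, but size differs
]


def find_hedge_pairs(trades, max_gap_s=2.0, lot_tolerance=0.05):
    """Return (earlier, later, gap_seconds) for opposite-side trades on one symbol
    from different accounts, opened within max_gap_s, with near-equal size."""
    recent = defaultdict(deque)   # symbol -> trades still inside the time window
    hits = []
    for trade in sorted(trades, key=lambda x: x.ts):
        window = recent[trade.symbol]
        while window and (trade.ts - window[0].ts).total_seconds() > max_gap_s:
            window.popleft()      # expired: can no longer pair with anything
        for prev in window:
            size_ok = abs(prev.lots - trade.lots) <= lot_tolerance * max(prev.lots, trade.lots)
            if prev.account != trade.account and prev.side != trade.side and size_ok:
                hits.append((prev, trade, round((trade.ts - prev.ts).total_seconds(), 3)))
        window.append(trade)
    return hits
```

A hit is a signal for review, as the FAQ on this page says of all alerts; tightening or loosening `max_gap_s` and `lot_tolerance` trades missed pairs against false positives.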
Manual Review

Take action. Log everything automatically.

Every operator action lands in an immutable log: who took it, when, against which account, with what reason. Export anytime for compliance or internal review.

Suspend account

Pause all trading and platform access. Trader notified, ops team holds investigation, no payouts can leave.

Refund or partial refund

Issue full or partial fee refund through the original payment processor. Reason field required, attached to audit log.

Extend phase / lift breach

Manual override for legitimate edge cases (broker outage, news spike). Requires reason, fully traceable.

Approve / clear flag

After review, mark a flagged account as cleared. Account resumes normal status, alert closed with reasoning logged.

Audit log, last 30 days

Today 14:32: maria.s suspended 4 linked accounts (case #28492). Reason: Hedge abuse + multi-account pattern
Today 11:08: alex.r approved payout $8,420 on acct_29104. Reason: All checks passed, manual review clear
Yesterday 18:44: maria.s lifted drawdown breach on acct_27553. Reason: Broker spread spike during NFP, legitimate
Yesterday 16:12: alex.r issued partial refund $249 on acct_30887. Reason: Goodwill, broker outage 2hr
3d ago 09:21: diana.m cleared flag on acct_25198. Reason: Copy trading false positive, brother account

Real Investigation

How a firm caught a 12-account abuse ring in 8 minutes.

A real timeline of what investigation looks like with PropForge Risk Tools, vs hours of manual cross-referencing.

00:00 Alert fires: "Multi-account, 12 accts, same KYC reference"
PropForge detected 12 trader accounts sharing the same passport hash, all signed up over the past 3 weeks under different email aliases.

02:14 Ops opens investigation panel, sees full network map
All 12 accounts share IP range, device fingerprints cluster into 3 hardware IDs, KYC documents identical. Two accounts already approaching payout thresholds.

04:42 Trade history reveals coordinated hedge pattern
Across the 12 accounts, opposing positions on EURUSD opened within 2 seconds. Pattern repeated 47 times across 3 weeks. Designed to guarantee one passing account per cluster.

06:18 Ops drafts decision, attaches evidence package
Suspend all 12 accounts, refund 0 (terms breach), no payouts to be released. Evidence: device match, KYC match, trade pattern. Logged in audit trail.

08:00 Decision executed. 12 accounts suspended atomically
All 12 accounts suspended in one bulk action. Notifications sent. Audit log updated. Total time from alert to action: 8 minutes.

Outcome: ~$31,000 in payouts saved, full audit package ready for any compliance review. Same investigation, manual: ops lead estimated 2-3 days of cross-referencing, with high chance of false negatives.

Common Questions

Risk Tools FAQ

The questions every ops/compliance lead asks before trusting their abuse detection to a vendor.

What's the difference between Risk Engine and Risk Tools?

Risk Engine is the automated rule enforcer: catches drawdown breaches, daily loss limits, news/weekend rule violations, in real time, autonomously. Risk Tools is the investigation desk for your ops team: alert feed, account context, manual review actions, audit log. Risk Engine catches automatic violations. Risk Tools helps you investigate suspicious patterns that need human judgment.

How are abuse patterns detected, rules-based or ML?

Mostly rules-based with statistical thresholds, designed by working with real prop firm operators. Patterns like KYC duplication, IP/device matching, hedge timing, and copy trading correlation are deterministic. Some patterns (HFT detection, behavioral fingerprinting) use statistical baselines that adapt to your firm's typical trader profile.

Can my ops team override automatic rule enforcement?

Yes. Operators can lift drawdown breaches, extend phases, issue partial refunds, suspend or unsuspend accounts. Every override is logged with operator name, timestamp, target account, and required reason field. Audit log is exportable for internal review or compliance.

What about false positives? Won't this catch legitimate traders?

Detection alerts are signals for investigation, not automatic punishments. Brothers using the same household IP, traders on shared devices, or new accounts with similar trade strategies will get flagged. Your ops team reviews the full picture, not just the trigger. Most firms tune thresholds in the first 30 days based on their actual trader population.

Can we export data from Risk Tools?

Yes, exports are available across the system: audit logs, alert history, individual investigation packages, account histories, trade evidence. CSV format for spreadsheet review, or PDF packages for sharing with auditors / payment processors / regulators.

Do you ever look at trader data yourselves?

No. PropForge runs as your platform, your data sits in your environment, and detection runs against your traders for your ops team. We don't use trader data for any other purpose, don't share it across clients, and don't profile traders across firms.

Stop investigating in spreadsheets. Catch what should be caught.

Get a live walkthrough of an investigation panel, with a real abuse case from one of our partner firms.