Abstract: Disclosed is a method for tracking a malicious user. The method receives a plurality of client-side attributes indicative of a first unique client-identifier, generates a first tampering signal confidence value based on the client-side attributes collected for the first unique client-identifier, and transmits the first unique client-identifier and one or more secondary attributes indicating a second unique client-identifier to a server. The processor combines the secondary attributes with additional client networking information, including one or more of an Internet Protocol (IP) address of a client device and a Transport Layer Security (TLS) fingerprint of a client device, to create a second unique client-identifier. The processor determines that a second unique client identifier signal strength value meets a predetermined threshold value.