CTO and architect of large-scale iGaming platforms explains how to build systems resilient to DDoS attacks and fraud
In 2025, global high-load platforms processing millions of real-time transactions faced an unprecedented wave of
Designing fault-tolerant, secure, and scalable systems has become a critical factor for business survival. The focus today extends beyond technical infrastructure to include fraud prevention strategies, payment protection, and transparent observability models for monitoring real-time operations. High-load platforms are no longer perceived as merely a technological challenge — they have become the core of business ecosystems, where architects and CTOs define security strategies even before a product reaches the market.
Stepan Arakelian, a CTO with international experience across IoT, gaming, and iGaming high-load systems, has faced this reality firsthand. Starting his career as a software developer and later progressing through team leadership and architecture roles, he now designs systems capable of withstanding attacks, protecting data, and ensuring reliability from day one. His experience has shaped an approach to building platforms that not only handle extreme load but also resist targeted attacks, fraud, and exploitation of business logic. Among his projects are INUI Gaming and other platforms where every transaction and user action can become a potential target.
Where Money and Data Become Targets
High-load systems today are far more than websites or applications. They are complex infrastructures handling payments, identity verification, bonuses, balances, partner APIs, and telemetry. As automation and transaction volumes grow, so does the platform’s attractiveness to attackers. DDoS attacks directly threaten availability, while fraud and account compromise become sustainable revenue models for adversaries. Arakelian notes that “the commoditization of attack tools has made them cheaper and more widespread, while the use of AI by attackers significantly increases pressure on system resources.”
This dynamic is particularly evident in gaming and iGaming, where every millisecond of latency and every transaction has direct financial implications. Stepan has seen platforms with millions of active users turn into battlegrounds for low-and-slow DDoS attacks, bot farming, bonus abuse, and payment fraud. These attacks are designed to blend into legitimate traffic, aiming not to crash infrastructure but to bypass economic controls and exploit business mechanics — sometimes even pulling platforms into illicit activities such as money laundering.
“A high-load platform is not just a website — it’s a concentration of money, traffic, and data. The higher the turnover and automation, the higher the ROI of an attack,” Stepan explains. This understanding underpins his architectural approach: defending modern platforms requires anticipating not only technical failures but also the economic consequences of abuse scenarios.
Architecture Against Chaos
According to Arakelian, the idea of “launch first, secure later” is no longer viable. In modern high-load systems, security is an architectural property, not an add-on feature. Launching without limits, segmentation, and control points often means that adding protection later requires rewriting protocols, data schemas, authorization logic, and transactional flows. In the systems Stepan has led, every operation and payment flow is designed from the outset with resilience and risk in mind.
In one gaming startup, he built the system from scratch using an event-driven architecture with queues and buffers to absorb traffic spikes without compromising the core. Each transaction passed through strict limits and validation layers, idempotency mechanisms prevented duplicate operations, and real-time telemetry tracked user behavior and anomalies.
“Instead of a catastrophe, we end up with a localized incident that the team can actually handle,” Stepan emphasizes. This philosophy turns architecture into a survival mechanism, ensuring stability even under extreme conditions.
How to Turn AI into an Ally
In iGaming projects, Stepan actively applied machine learning to anomaly detection and fraud scoring. By analyzing large event streams, teams could identify behavioral patterns and suspicious sequences, while automated response mechanisms helped prioritize signals and cluster incidents. Arakelian stresses that AI cannot replace architectural fundamentals: “ML only delivers real value when you have high-quality events, proper labeling, and well-defined control points. Without that, models just generate noise.”
Rather than treating AI as an experiment, Stepan integrated it directly into operational architecture. One of his key achievements was embedding anomaly detection into the infrastructure layer, where ML signals fed into a broader risk engine alongside rules and limits. This ensured predictable responses to attacks and enabled teams to react faster than adversaries.
Defense in Practice
Stepan’s portfolio includes several telling examples.
In one iGaming case, attackers attempted to trigger repeated bonus deductions and withdrawals. The architecture Arakelian designed handled peak request volumes without financial loss. Idempotency controls and queue-based processing turned a potentially devastating scenario into a contained incident: some requests were deferred, others rejected, while user balances remained intact.
In another project, an IoT initiative for MTS, the leading telecommunications operator in Russia, Stepan led the launch of enterprise-grade connected device solutions with no local market equivalents, including vehicle telematics, asset tracking, and remote monitoring systems. He architected scalable IoT infrastructure leveraging NB-IoT and LTE-M networks, introduced microservices-based backend systems with Kubernetes orchestration, and implemented comprehensive monitoring solutions using Prometheus and Grafana, all while navigating strict telecommunications regulations and ensuring GDPR-compliant data handling for cross-border deployments.
“When idempotency, deduplication, and limits are built in from the start, an attack becomes a local incident rather than a catastrophe,” Stepan notes.
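The replayed-withdrawal case described above, sketched as an added example (not code from the article or from any platform it mentions): an idempotency key table, a bounded queue, and a per-account limit, so replays return the stored outcome, overflow is rejected, and excess requests are deferred. The class name, outcome strings, and limit values are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class WithdrawalDesk:  # hypothetical name, not from the article
    balances: dict
    queue_limit: int = 3        # bounded buffer: overflow is rejected, never processed
    per_account_limit: int = 2  # withdrawals applied per account per drain cycle
    queue: deque = field(default_factory=deque)
    results: dict = field(default_factory=dict)  # idempotency key -> (payload, outcome)

    def submit(self, key, account, amount):
        payload = (account, amount)
        if key in self.results:
            stored_payload, outcome = self.results[key]
            # Same key and payload: return the stored outcome, never debit again.
            # Same key, different payload: key reuse, refuse outright.
            return outcome if stored_payload == payload else "rejected:key-reuse"
        if len(self.queue) >= self.queue_limit:
            return "rejected:overload"  # key not recorded, so the client may retry later
        self.results[key] = (payload, "pending")
        self.queue.append((key, account, amount))
        return "queued"

    def drain(self):
        """Run one processing cycle; return how many requests were deferred."""
        applied, deferred = {}, deque()
        while self.queue:
            key, account, amount = self.queue.popleft()
            if applied.get(account, 0) >= self.per_account_limit:
                deferred.append((key, account, amount))  # over the limit: next cycle
                continue
            applied[account] = applied.get(account, 0) + 1
            if 0 < amount <= self.balances.get(account, 0):
                self.balances[account] -= amount
                outcome = "paid"
            else:
                outcome = "declined"
            self.results[key] = ((account, amount), outcome)
        self.queue = deferred
        return len(deferred)

def replay_scenario():
    """Constructed input: one withdrawal key replayed five times against a balance of 100."""
    desk = WithdrawalDesk({"acct-1": 100})
    answers = [desk.submit("w-1", "acct-1", 60) for _ in range(5)]
    desk.drain()
    answers.append(desk.submit("w-1", "acct-1", 60))
    return answers, desk.balances["acct-1"]
```

This sketch keeps everything in memory; in a real service the key record and the balance change would need to be committed in one atomic transaction for the guarantee to hold across restarts and concurrent workers.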
International Payments — New Challenges
International payment systems add a layer of architectural complexity. Multicurrency support, FX risks, sanctions screening, AML/KYC requirements, and chargeback handling demand platform-level solutions rather than external patches. Stepan designs isolated operational domains, integrates immutable event logs, and ensures full transaction traceability.
In one case, a platform supported dozens of currencies, performed real-time sanctions checks, and managed chargeback risks without introducing user-facing latency. These architectural decisions embed international compliance directly into the system, turning regulatory requirements into an inherent property rather than a legal afterthought. Arakelian emphasizes that this approach reduces financial risk while strengthening user trust and enabling growth without sacrificing performance.
The Human Factor in Architecture
Today’s CTO is not only a system builder but also a risk manager who defines critical assets, threats, and acceptable losses. Arakelian argues that architects must think beyond throughput and latency, considering degradation strategies, control points, and economic abuse models. “The CTO role is changing — it’s now an engineer, a strategist, and a risk manager at the same time.”
Serving as a jury member for Top-40 Digital Experts by URA.news and other prestigious national competitions gives Stepan visibility into industry best practices and recurring mistakes. “When you evaluate others’ solutions, you quickly notice patterns — where speed comes at the cost of technical debt, or complexity is chosen simply because it’s fashionable,” he explains.
From Stepan’s perspective, platform resilience depends as much on team maturity as on technology itself. “You can buy technology, but you can’t buy operational discipline.” Two teams using the same stack can achieve vastly different reliability outcomes. A modern CTO builds not only systems, but also release processes, incident management practices, SLOs, postmortems, and change management workflows.
Arakelian actively mentors young engineers, teaching programming and helping them take their first steps in tech, while also working with neurodivergent specialists to create a supportive environment where they can grow and contribute meaningfully. He builds inclusive, international teams with diverse backgrounds and experience, emphasizing that system resilience depends not only on code quality but also on team maturity — how teams manage incidents, releases, and change under pressure.
Architecture Learns from Mistakes
Stepan advocates a proactive approach to resilience: “A system must be ready for errors and attacks from day one.” He highlights key shifts in high-load architecture — security-by-design, anti-abuse as a product feature, automated response mechanisms, event sourcing, transaction traceability, and hybrid risk engines combining rules with ML. Regulatory compliance, he argues, must be supported from the outset rather than addressed after reputational or financial damage occurs.
“Design your system as if it’s already under attack and already making mistakes. If it survives spikes, errors, and abuse without catastrophe, you’ve done your job right,” Arakelian says. This mindset transforms anomalies into signals for improvement rather than crises. High load becomes not only a technical challenge, but also training for teams and processes.
The ultimate goal of Stepan Arakelian’s work is to build platforms that continue operating no matter what — where attacks and failures do not escalate into disasters, and security is embedded so deeply that it becomes part of the business itself. This, ultimately, defines the role of a modern security architect: every architectural decision, from queues and limits to observability and transaction control, serves as a shield against chaos and a practical instrument for business survival in the world of high-load, real-time platforms.
This story was distributed as a release by Jon Stojan under HackerNoon’s Business Blogging Program.
