How do they know that fraudsters with fresh cookies and no referrer history aren't just in private browser mode? Sounds like the server would view them as the same in most cases.
On Firefox, IndexDB throws an InvalidStateError only on private mode, I'm sure there are equivalents for Chrome.
You can try that in the console of Firefox:
var request = window.indexedDB.open("MyTestDatabase", 3);request.onerror = function (event) { if (event.target.error.name === 'InvalidStateError') alert('private mode')}
I've actually found a few online stores which now check for this and redirect you to a "turn off private browsing to browse our site" message. It's moderately annoying that they refuse to even let me see what they have for sale until I agree to let them use my hard drive.
You can try that in the console of Firefox: