The Gap Between What Geolocation Promises and What It Delivers
Every week, security operations teams make decisions based on IP geolocation data. They block traffic from certain countries, flag logins from unexpected regions, and build fraud detection rules around geographic assumptions. The problem is that IP geolocation is frequently wrong, and the degree of error varies enormously depending on the data source, the type of IP address, and the specific use case.
This is not a theoretical concern. When the 0ktapus threat group compromised over 130 organizations through credential phishing, investigators found that attackers routinely used IP addresses that geolocated to countries other than where the actual operators were working. The 911 S5 botnet, one of the largest residential proxy networks ever dismantled, gave threat actors access to IP addresses geolocated in virtually every country on earth, making geographic filtering nearly useless for detecting malicious sessions that looked like legitimate local traffic.
If your team is relying on geolocation data as a primary control rather than one signal among many, this article is for you. Let's look at how the data actually works, where it breaks down, and how to build more realistic defenses around its limitations.
How IP Geolocation Actually Works
IP geolocation services build their databases through several complementary methods. The most authoritative source is Regional Internet Registry (RIR) data, where organizations register IP blocks and declare their country or region. Alongside this, providers use BGP routing table analysis to infer geographic locations from network topology. Active probing techniques, latency measurements, and DNS reverse lookups add additional data points. Commercial providers also aggregate user-submitted corrections and licensing agreements with ISPs to sharpen their records.
Each of these methods introduces its own error characteristics. RIR registration data reflects where an organization is legally headquartered, not necessarily where its servers are physically hosted. A company registered in the Netherlands may run infrastructure in Singapore. BGP routing paths can be deliberately manipulated. Active probing measures network latency, which correlates loosely with physical distance but is heavily influenced by routing efficiency rather than geography alone.
The end result is a patchwork database where country-level accuracy for residential broadband typically sits around 95 to 99 percent, city-level accuracy drops to 55 to 75 percent, and accuracy for mobile, cloud, and VPN IP addresses can fall well below 50 percent depending on the provider and the specific block.
Where the Errors Concentrate
Cloud and Hosting Providers
Cloud infrastructure creates systematic geolocation problems. Major providers like AWS, Azure, and Google Cloud assign IP addresses from pools registered to their corporate addresses in the United States, even when instances run in data centers in São Paulo, Mumbai, or Frankfurt. Geolocation databases have improved at mapping these allocations, but lag is inevitable because cloud providers rotate and reassign IP ranges frequently. When JanelaRAT operators targeted financial users in Latin America, command-and-control infrastructure sat on cloud servers whose IP geolocation pointed to regions entirely inconsistent with the attack's actual origin and target geography.
Mobile Carrier Networks
Mobile networks aggregate traffic through centralized gateway infrastructure that often geolocates to a carrier's headquarters city rather than the device's physical location. A user in a rural area connects through a regional hub that may geolocate hundreds of kilometers away. Carrier-grade NAT further complicates matters by placing thousands of mobile users behind a single public IP address, making per-IP behavioral analysis unreliable and geographic attribution nearly impossible at the device level.
Residential Proxy Networks
The 911 S5 botnet's infrastructure illustrated the most dangerous geolocation accuracy problem for defenders. Residential proxies route traffic through IP addresses legitimately assigned to home internet subscribers. These addresses geolocate accurately to real residential locations in real countries. The threat actor sitting behind them may be halfway around the world. Any security control that treats geolocation as a proxy for user legitimacy will fail completely against residential proxy infrastructure, because the geolocation data is technically correct while being operationally meaningless for detecting the actual threat.
VPN and Anonymization Services
Commercial VPN services maintain exit node infrastructure across dozens of countries. Geolocation databases increasingly identify known VPN ranges, but the cat-and-mouse dynamic means new ranges appear faster than databases update. The accuracy problem here runs in reverse: an IP that geolocates to Germany may correctly identify a VPN exit node in Germany while the actual user is in a country your team considers high-risk.
What This Means for Common Security Controls
Authentication and Access Management
Impossible travel detection is one of the most practical applications of geolocation in security operations. If a user authenticates from New York and then from Tokyo three hours later, something is wrong. This use case is relatively robust because it relies on the implausibility of the geographic change rather than the absolute accuracy of the location. Even with moderate geolocation error, the physics of human travel make this signal useful.
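The following is an added example, not code from the article, of the impossible travel check described above. It computes the great-circle distance between two consecutive logins with the haversine formula, subtracts an assumed geolocation error radius from each end so a coarse city-level fix does not by itself trigger an alert, and flags the pair when the speed needed to cover the remaining distance exceeds an assumed airliner-speed threshold. The login events, coordinates and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Assumed threshold: roughly the cruising speed of a commercial airliner.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Assumed geolocation error radius (km) applied to each end of a pair;
# city-level fixes are often this far off, so it keeps false alerts down.
DEFAULT_ERROR_RADIUS_KM = 50.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(prev, curr, error_radius_km=DEFAULT_ERROR_RADIUS_KM):
    """Minimum speed needed to get from prev login location to curr.
    The error radius is subtracted from both ends, so the result is a
    lower bound that already forgives geolocation imprecision."""
    distance = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    distance = max(0.0, distance - 2 * error_radius_km)
    hours = (curr["ts"] - prev["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        # Same-second logins: only impossible if there is real distance left.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, error_radius_km=DEFAULT_ERROR_RADIUS_KM,
                           max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Group login events per user, sort by time, and return one alert
    per consecutive pair whose required speed exceeds max_speed_kmh."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, curr in zip(evs, evs[1:]):
            speed = required_speed_kmh(prev, curr, error_radius_km)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"],
                               "to": curr["city"], "speed_kmh": round(speed, 1)})
    return alerts


def _ts(hour):
    return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)


# Constructed sample logins (not real data). alice: New York then Tokyo
# three hours later; bob: New York then Philadelphia an hour later.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": _ts(12), "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "alice", "ts": _ts(15), "lat": 35.6762, "lon": 139.6503, "city": "Tokyo"},
    {"user": "bob",   "ts": _ts(12), "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "bob",   "ts": _ts(13), "lat": 39.9526, "lon": -75.1652, "city": "Philadelphia"},
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Only alice's pair is flagged: New York to Tokyo in three hours needs well over 3,000 km/h even after forgiving 100 km of geolocation error, while bob's short hop stays far below the threshold. Raising the error radius for low-confidence IP types (cloud, mobile, VPN) is the natural extension.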
Where authentication geolocation breaks down is in first-login country matching, where systems compare a login's geolocated country against a user's registered or expected country and block mismatches. The student loan breach exposing 2.5 million records is a reminder of how credential stuffing attacks work: attackers use credential lists and distributed infrastructure to make authentication attempts look local. If your geolocation blocking can be bypassed by purchasing residential proxy access, it is functioning as a minor speed bump rather than a meaningful control.
Fraud Detection
E-commerce and financial platforms use geolocation to flag transactions where the billing address country and the IP geolocation country do not match. This signal has genuine value for catching unsophisticated fraud. Sophisticated attackers, including those behind financially motivated campaigns like JanelaRAT, specifically select proxy infrastructure that matches their target's country to avoid triggering these checks. Treating geolocation country matching as a reliable fraud signal means catching low-skill fraud while missing the attacks that cause the most damage.
Incident Response and Threat Attribution
During active incidents, geolocation data gets used to understand attacker infrastructure and prioritize response. The accuracy limitations here carry the highest stakes. Attributing an attack to the wrong country based on inaccurate geolocation data can misdirect investigation effort and lead to incorrect conclusions about threat actor identity. Industrial automation system attacks documented in threat landscape research consistently show command infrastructure distributed across jurisdictions specifically to obscure origin through geolocation misdirection.
Practical Steps You Can Take Today
The immediate priority is auditing how your team currently uses geolocation data in decision-making. Walk through each security control that incorporates geographic signals and document whether it treats geolocation as a definitive fact or as a probabilistic signal. Controls that make hard block or allow decisions based solely on country-level geolocation need flagging for review.
Add ASN context alongside country geolocation for every IP you evaluate. An IP geolocating to Germany assigned to a known hosting provider ASN tells a different story than one assigned to a Deutsche Telekom residential block. The combination of country, ASN type, and organization name dramatically improves signal quality with minimal additional effort. Most threat intelligence platforms and geolocation APIs return this data in the same query.
Identify which geolocation provider you are currently using and check when their database was last updated. Providers vary enormously in update frequency. Some commercial databases update daily for major cloud provider ranges, while others update monthly. For cloud and hosting IP ranges specifically, freshness matters more than for residential blocks, because cloud provider IP inventory changes continuously.
What to Do This Week
Run a sample of your recent geolocation-based blocks or flags through a second geolocation provider to measure disagreement rate. A disagreement rate above 5 percent for country-level data or 20 percent for city-level data suggests your primary source has meaningful gaps. This cross-referencing exercise also gives you a baseline for evaluating database quality over time.
Build a reference list of IP ranges for cloud providers your organization uses and your major business partners. For these ranges, suppress or weight down geolocation-based alerts because the geolocation data is systematically unreliable for cloud infrastructure. Treat traffic from these ranges as requiring additional behavioral signals rather than geographic signals for risk assessment.
If your SIEM or SOAR platform correlates geolocation data in alerts, add a confidence field that reflects IP type. Residential broadband IPs with stable long-term assignment histories warrant higher geolocation confidence than mobile, cloud, or VPN-associated IPs. Analysts reviewing alerts should see this confidence context so they calibrate their response accordingly.
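As an added example (not code from the article or from any geolocation vendor), the block below pulls together the three steps above: it attaches ASN organisation and type to a country lookup, suppresses the geographic signal for IPs inside a reference list of cloud ranges, and writes a geolocation confidence field keyed on IP type into each alert. It also includes the provider cross-check from the start of this section, computing the country-level disagreement rate between two lookups. The IP ranges (RFC 5737 documentation prefixes), ASNs (RFC 5398 documentation range), confidence values and alert records are all constructed for illustration; a real deployment would populate them from your own provider feeds.

```python
import ipaddress

# Constructed reference list of cloud/hosting prefixes your organisation uses.
# These are documentation-only ranges, not real allocations.
CLOUD_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed ASN table: asn -> (organisation, asn type). Documentation ASNs only.
ASN_INFO = {
    64496: ("Example Hosting GmbH", "hosting"),
    64497: ("Example Residential ISP", "residential"),
    64498: ("Example Mobile Carrier", "mobile"),
    64499: ("Example VPN Ltd", "vpn"),
}

# Assumed confidence per IP type; the ordering follows the article's
# argument (residential highest, cloud/VPN lowest), the numbers are illustrative.
GEO_CONFIDENCE = {"residential": 0.9, "mobile": 0.4, "hosting": 0.3,
                  "vpn": 0.2, "unknown": 0.5}


def in_cloud_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def classify_ip(ip, asn):
    """Return (ip_type, organisation). Cloud-range membership overrides the
    ASN type, because the range list is the more specific piece of knowledge."""
    org, ip_type = ASN_INFO.get(asn, ("unknown", "unknown"))
    if in_cloud_ranges(ip):
        ip_type = "hosting"
    return ip_type, org


def enrich_alert(alert):
    """Add ASN context, a geo_confidence field and a suppression flag so an
    analyst sees how much weight the country attribution deserves."""
    ip_type, org = classify_ip(alert["ip"], alert["asn"])
    enriched = dict(alert)
    enriched["ip_type"] = ip_type
    enriched["asn_org"] = org
    enriched["geo_confidence"] = GEO_CONFIDENCE[ip_type]
    # Suppress the geographic signal for cloud/hosting IPs: it is systematically
    # unreliable there, so the alert should lean on behavioural evidence instead.
    enriched["geo_signal_suppressed"] = ip_type == "hosting"
    return enriched


def country_disagreement_rate(primary, secondary):
    """Fraction of IPs where two providers disagree on country.
    Both arguments map ip -> ISO country code; only IPs present in both count."""
    common = [ip for ip in primary if ip in secondary]
    if not common:
        return 0.0
    mismatches = sum(1 for ip in common if primary[ip] != secondary[ip])
    return mismatches / len(common)


# Constructed alerts as a SIEM might emit them after a country lookup.
SAMPLE_ALERTS = [
    {"ip": "203.0.113.10", "asn": 64497, "geo_country": "DE"},   # inside cloud range
    {"ip": "192.0.2.25",   "asn": 64497, "geo_country": "DE"},   # residential ISP
    {"ip": "192.0.2.77",   "asn": 64498, "geo_country": "DE"},   # mobile carrier
    {"ip": "192.0.2.200",  "asn": 64499, "geo_country": "DE"},   # VPN exit
]

# Constructed second-provider lookup for the disagreement check.
PRIMARY_LOOKUP   = {"203.0.113.10": "DE", "192.0.2.25": "DE", "192.0.2.77": "DE", "192.0.2.200": "DE"}
SECONDARY_LOOKUP = {"203.0.113.10": "US", "192.0.2.25": "DE", "192.0.2.77": "DE", "192.0.2.200": "NL"}

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(enrich_alert(a))
    print("disagreement:", country_disagreement_rate(PRIMARY_LOOKUP, SECONDARY_LOOKUP))
```

In the constructed sample the cloud-range IP is downgraded to hosting confidence and its geographic signal suppressed even though its ASN is a residential ISP, and the two providers disagree on 2 of 4 addresses, both of them non-residential, which is exactly the pattern the article predicts.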
Structural Improvements to Plan This Quarter
Layering Signals Instead of Depending on Geography Alone
The most durable approach to geolocation limitations is building risk scoring models that treat geographic data as one input among many. Combine geolocation with user agent analysis, behavioral baselines, time-of-day patterns, device fingerprints, and authentication history. A login that geolocates to an unexpected country becomes significantly more actionable when it also involves a new device, an unusual hour, and a behavioral pattern inconsistent with the user's history. Any one of these signals alone is weak; their combination is substantially stronger.
Ransomware operators documented in recent campaigns, including cases like VECT where ransomware functionality overlapped with wiper behavior, frequently establish footholds through initial access that geolocates plausibly. The network access itself looks geographically unremarkable. Lateral movement, privilege escalation attempts like the PhantomRPC technique, and data staging behavior are what distinguish malicious sessions from legitimate ones regardless of where the IP geolocates.
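The layered scoring model described above, as an added example that is not part of the article: geolocation is one weighted input, scaled by the IP-type confidence so a country mismatch on a cloud or VPN address contributes less than the same mismatch on a residential address, and it is combined with device, time-of-day and ASN history signals. The weights, thresholds, user profile and login records are assumed values constructed for illustration, not a vendor's model.

```python
from datetime import datetime, timezone

# Assumed signal weights (illustrative). Geo mismatch is scaled by the
# IP-type confidence, the others are fixed.
WEIGHTS = {"geo_mismatch": 30, "new_device": 25, "unusual_hour": 15, "new_asn": 20}
# Assumed decision thresholds on the 0-90 score range.
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 60


def score_login(login, profile):
    """Combine several weak signals into one risk score plus the reasons.
    profile holds the user's historical baseline; login is the event under test."""
    score = 0.0
    reasons = []
    if login["country"] not in profile["countries"]:
        contribution = WEIGHTS["geo_mismatch"] * login["geo_confidence"]
        score += contribution
        reasons.append(f"country {login['country']} outside baseline "
                       f"(weighted {contribution:.1f} at confidence {login['geo_confidence']})")
    if login["device_id"] not in profile["devices"]:
        score += WEIGHTS["new_device"]
        reasons.append("new device")
    if login["ts"].hour not in profile["active_hours_utc"]:
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"unusual hour {login['ts'].hour:02d}:00 UTC")
    if login["asn"] not in profile["asns"]:
        score += WEIGHTS["new_asn"]
        reasons.append(f"ASN {login['asn']} not seen before")
    return score, reasons


def decide(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(login, profile):
    score, reasons = score_login(login, profile)
    return {"user": login["user"], "score": round(score, 1),
            "decision": decide(score), "reasons": reasons}


def _ts(hour):
    return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)


# Constructed baseline for one user: US-based, one known device, office hours, one home ISP ASN.
PROFILE = {"countries": {"US"}, "devices": {"dev-1"},
           "active_hours_utc": set(range(8, 19)), "asns": {64497}}

# Constructed logins. geo_confidence would come from IP-type classification.
SAMPLE_LOGINS = [
    # Only signal: country mismatch on a low-confidence (cloud) IP, known device, office hours.
    {"user": "alice", "country": "DE", "geo_confidence": 0.3, "device_id": "dev-1",
     "ts": _ts(14), "asn": 64497},
    # Same mismatch on a residential IP, plus new device, 03:00 UTC and an unseen ASN.
    {"user": "alice", "country": "DE", "geo_confidence": 0.9, "device_id": "dev-9",
     "ts": _ts(3), "asn": 64499},
    # Expected country, but new device and unseen ASN during office hours.
    {"user": "alice", "country": "US", "geo_confidence": 0.9, "device_id": "dev-3",
     "ts": _ts(10), "asn": 64498},
]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(evaluate(login, PROFILE))
```

The first login is allowed: a lone country mismatch on a cloud IP is worth only 9 points. The second is blocked at 87 because four independent signals agree. The third, with a plausible country but a new device and new ASN, lands at 45 and gets a step-up challenge, which is the outcome geolocation alone would never have produced.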
Maintaining Dynamic Block and Allow Lists
Static geolocation-based block lists become outdated rapidly. IP address allocations shift, cloud providers expand into new regions, and residential proxy networks recruit new devices. A quarterly refresh cycle for country-based block lists is the minimum; monthly is better for cloud and hosting ranges. Automate the update process wherever possible using feeds from your geolocation provider's IP range change notifications.
For high-value targets like administrative interfaces and privileged authentication endpoints, consider inverting the default and building explicit allow lists based on known-good IP ranges combined with strong authentication requirements. This approach is less dependent on geolocation accuracy because it relies on positive identification rather than geographic exclusion.
Testing Your Geolocation Stack Against Real Threat Scenarios
Schedule a red team exercise specifically focused on geolocation bypass. Use commercially available residential proxy services to simulate how threat actors in campaigns like 0ktapus access target organizations through geolocation-transparent infrastructure. Measure how many of your geolocation-dependent controls trigger compared to controls based on behavioral analysis. The results will give you data to make resource allocation decisions about where to invest in improving detection capability.
Document the results and use them to set organizational expectations about geolocation's role in your security architecture. When stakeholders ask why a specific attack was not caught by country blocking, having empirical data about geolocation bypass rates helps frame the conversation around what additional controls are actually needed.
Choosing and Evaluating Geolocation Providers
Not all geolocation databases are equal, and the differences matter operationally. When evaluating providers, request accuracy statistics broken down by IP type: residential broadband, mobile, cloud hosting, and VPN. A provider quoting 99 percent country-level accuracy may be averaging across predominantly residential traffic where accuracy is highest while performing poorly on the cloud and hosting ranges most relevant to your threat environment.
Look for providers that offer proxy and VPN detection as a separate signal layer. This is distinct from geolocation accuracy: knowing that an IP is a known VPN exit node or datacenter proxy tells you something about the session that country attribution alone cannot. Some commercial APIs return this classification alongside geolocation data, which significantly improves your ability to contextualize geographic signals.
Update frequency is a practical differentiator for security use cases. Providers that sign data sharing agreements with major cloud providers and ISPs directly receive IP allocation change notifications, giving them measurably faster database updates for the ranges that change most frequently. For security operations where stale data creates real risk, this operational characteristic deserves weight alongside raw accuracy metrics in your provider selection process.
Calibrating Organizational Expectations
Geolocation is a useful tool with real limitations, and the gap between expectation and reality creates operational risk when security teams treat it as authoritative. The goal is not to stop using geolocation data; the goal is to use it accurately calibrated to what it can reliably tell you.
Country-level geolocation for residential broadband IP addresses is reliable enough to use as a meaningful risk signal. City-level geolocation for any IP type warrants skepticism. Geolocation for cloud, mobile, and proxy infrastructure requires additional corroboration before acting on it. Impossible travel detection built on geolocation is robust. Hard blocks based on country-level filtering alone are porous against any threat actor with access to proxy infrastructure.
Building these calibrations into your team's standard operating procedures, your alert triage workflows, and your risk scoring models is the practical work that converts an understanding of geolocation limitations into measurably better security outcomes. The technology will continue to improve, but the structural limitations of mapping a logical address space to physical geography mean that geolocation will remain a probabilistic signal requiring thoughtful interpretation rather than a deterministic fact requiring simple action.