The Infrastructure Behind the Evasion
When analysts examine the traffic patterns behind recent threat campaigns, one theme emerges consistently: attackers are not arriving from easily attributable IPs. They are routing through commercial VPN providers, datacenter proxies, residential proxy networks, and Tor-adjacent infrastructure specifically because most detection stacks treat these signals as low-priority noise rather than active threat indicators.
The maritime sanctions evasion activity documented in recent threat intelligence reporting illustrates this clearly. State-linked actors and financially motivated groups alike are using layered proxy chains to obscure the origin of transactions, communications, and intrusion activity. The OceanLotus campaign, which has evolved from external espionage targeting to domestic surveillance operations, relies heavily on VPN and proxy infrastructure to make attribution difficult and detection unreliable. These are not edge cases. They represent standard operational practice for sophisticated threat actors.
Understanding VPN abuse and proxy detection is no longer an optional capability for security teams. It is a foundational requirement for any organization that needs to make accurate decisions about who is actually connecting to its systems.
What VPN Abuse Actually Looks Like in Practice
The term VPN abuse covers several distinct behaviors that require different detection approaches. Commercial VPN services allow users to exit traffic through shared IP addresses owned by VPN providers. Residential proxy networks route traffic through compromised or consenting consumer devices, making the traffic appear to originate from legitimate household connections. Datacenter proxies use IP ranges associated with cloud and hosting providers to mask the true origin of requests. Each category has a different detection signature and a different risk profile.
In the context of the Popa botnet, which has been linked to a publicly-traded Israeli firm, residential proxy infrastructure played a central role in the operation. Compromised consumer devices became exit nodes for traffic that, from the destination's perspective, looked entirely legitimate. Standard IP reputation checks would not flag a residential IP from a major ISP as suspicious, which is precisely why this infrastructure is commercially valuable to both cybercriminal and nation-state operators.
Cybercriminals selling access to Chinese surveillance cameras have used similar techniques to obscure the control channels for those devices and to make the origin of commands harder to trace. The pattern is consistent: proxy and VPN infrastructure exists in the threat actor toolkit to defeat origin-based detection, and it works reliably against teams that have not built detection logic specifically designed to counter it.
The Detection Problem in Layered Terms
Proxy and VPN detection is not a single technical problem. It is a stack of overlapping challenges, each of which requires a different data source and a different analytical approach.
At the IP layer, the challenge is identifying whether a given IP address is associated with proxy or VPN infrastructure. This requires access to IP metadata beyond basic geolocation, including ASN ownership, hosting provider classification, IP type categorization, and historical abuse signals. An IP that resolves to a datacenter ASN but is presenting as a residential connection is an immediate signal worth investigating.
At the behavioral layer, the challenge is identifying patterns that are inconsistent with legitimate user activity regardless of what the IP claims to be. Impossible travel events, where the same account authenticates from geographically distant locations within a short time window, are a classic indicator. Velocity anomalies, where an account performs actions at a rate inconsistent with human behavior, are another. These behavioral signals matter because they catch proxy abuse even when the proxy IP itself looks clean.
At the session layer, the challenge is identifying technical inconsistencies between what the connection claims and what it actually demonstrates. A user connecting through a VPN will often show mismatches between their declared browser timezone, their IP geolocation, their operating system locale settings, and the language preferences embedded in their HTTP headers. These mismatches are difficult to spoof comprehensively and represent a reliable detection signal when analyzed together.
IP Type Classification as a First-Pass Filter
One of the most practical tools available to security teams is IP type classification, which categorizes IP addresses into groups such as residential, datacenter, mobile, satellite, and known proxy or VPN infrastructure. This classification is not foolproof, but it provides a meaningful first-pass filter that changes how subsequent analysis should proceed.
When an authentication request arrives from a datacenter IP, the appropriate response is not automatic blocking but elevated scrutiny. The risk profile of that connection is materially different from a connection arriving from a residential IP associated with the user's usual ISP. Layering IP type classification into authentication flows, API access controls, and session validation logic allows security teams to apply different friction levels based on the actual risk characteristics of each connection.
The Novo Nordisk breach, which exposed risks in the software development pipeline, highlights how attackers can leverage cloud-hosted infrastructure and datacenter IPs to interact with development environments in ways that look routine from a surface-level analysis. IP type classification would have flagged the anomalous origin of those connections earlier in the investigation timeline.
Residential Proxy Networks: The Detection Challenge Most Teams Underestimate
Residential proxy networks deserve specific attention because they defeat the detection approaches that work well against datacenter proxies. When traffic arrives from a legitimate residential ISP IP in a plausible geographic location, IP-based detection provides very little signal. The detection burden shifts almost entirely to behavioral and session-layer analysis.
Several threat intelligence providers maintain databases of known residential proxy exit nodes built from passive DNS observation, honeypot interactions, and collaborative sharing. These databases are imperfect because residential proxy networks rotate exit nodes frequently, but they provide coverage for a meaningful portion of known infrastructure. Integrating these feeds into real-time access decisions is significantly more effective than relying on static blocklists updated on a weekly or monthly cycle.
Beyond feed-based detection, behavioral baselines are the primary defense against residential proxy abuse. If a user account has an established pattern of authenticating from a specific geographic region during specific hours, a sudden authentication from a residential IP in a different country at an unusual time warrants investigation even if that IP has no negative reputation history. The 72-minute average detection window that characterizes modern SOC performance is compressed even further when behavioral baselines are generating early signals rather than waiting for definitive IP reputation matches.
Practical Detection Checklist for Security and IT Teams
The following checklist covers the key detection capabilities that security teams should have in place to address VPN and proxy abuse. This is not an exhaustive list, but it represents the baseline required to make meaningful progress against this threat category.
- IP type classification integration: Ensure that authentication systems, API gateways, and access control systems receive IP type metadata in real time, distinguishing between residential, datacenter, mobile, and known proxy or VPN IPs.
- Impossible travel detection: Implement logic that flags accounts authenticating from geographically distant locations within a timeframe that makes physical travel impossible. Tune the thresholds based on your user population's actual travel patterns.
- Velocity and rate anomaly detection: Monitor for authentication attempts, API calls, and resource access patterns that exceed baselines established for normal human behavior. Automated proxy-routed attacks frequently exhibit velocity signatures that human users do not.
- Timezone and locale mismatch analysis: Compare the timezone declared by the browser or application against the geolocation of the connecting IP. Significant mismatches are a reliable indicator of proxy use.
- ASN reputation scoring: Maintain and apply ASN-level risk scores that reflect the historical abuse rate, hosting provider classification, and known association with proxy services. Route high-ASN-risk connections through additional verification steps.
- Residential proxy feed integration: Subscribe to threat intelligence feeds that specifically track residential proxy exit nodes and update your detection logic on a cycle that matches the rotation speed of these networks, ideally hourly or better.
- TLS fingerprinting: Use JA3 or JA4 fingerprinting to identify connections where the TLS signature is inconsistent with the declared client. Many proxy tools and VPN clients present distinctive TLS fingerprints that differ from legitimate browser or application traffic.
- DNS leak detection: In environments where users should be connecting through corporate infrastructure, monitor for DNS query patterns that indicate traffic is being routed through external resolvers associated with VPN or proxy services.
- User agent and header consistency checks: Validate that the combination of user agent, accepted language headers, and connection metadata is internally consistent. Proxy configurations frequently introduce inconsistencies that are difficult to eliminate entirely.
- Session continuity monitoring: Track whether session characteristics remain consistent across a single authenticated session. Proxy rotation mid-session, where the exit node changes during an active session, is an indicator of automated tooling or active evasion behavior.
Integrating Detection Into Access Control Workflows
Detection signals only produce value when they are integrated into workflows that generate a response. For VPN and proxy detection, the most effective integration points are authentication flows, step-up authentication triggers, and session risk scoring systems.
In authentication flows, IP type and reputation data should influence the authentication path in real time. A user connecting from a known residential IP in their established geographic region requires standard authentication. A user connecting from a datacenter IP in an unexpected location should be routed through a step-up authentication challenge. A user connecting from a known Tor exit node or a flagged residential proxy node should face the highest friction level appropriate to your security policy.
Step-up authentication triggers should be sensitive to the combination of signals rather than any single indicator. A datacenter IP alone may not justify a challenge if the user has a history of legitimate remote work from cloud infrastructure. But a datacenter IP combined with an impossible travel event and a timezone mismatch is a strong composite signal that warrants immediate friction regardless of the individual signal strengths.
Session risk scoring systems that recalculate risk continuously during an authenticated session provide coverage against mid-session proxy rotation. If the IP type or geolocation changes materially during a session, the risk score should reflect that change and potentially trigger re-authentication or session termination. This is particularly relevant for long-lived sessions in enterprise applications and development environments where the Novo Nordisk-style pipeline risks are most acute.
Where Proxy Detection Connects to Broader Threat Campaigns
Proxy and VPN detection is not an isolated capability. It connects directly to threat campaigns across multiple categories.
In the ransomware context, recent activity from groups like those behind the Prinz Eugen ransomware, which prioritizes encrypting recently accessed files to maximize operational disruption, relies on initial access techniques that frequently involve credential abuse routed through proxy infrastructure. Detecting the proxy use at the access stage provides an opportunity to interrupt the kill chain before the ransomware payload reaches the file system.
In the credential stuffing context, large-scale stuffing operations almost universally rely on residential proxy networks to distribute authentication attempts across many source IPs, defeating per-IP rate limiting. The detection approaches described in this article, particularly velocity analysis, behavioral baselines, and residential proxy feed integration, directly address this threat vector.
In the API abuse context, automated scraping, data exfiltration, and account enumeration campaigns frequently use rotating proxy infrastructure to stay below per-IP detection thresholds. IP type classification and session fingerprinting are the most effective tools against this pattern because they identify the automated nature of the traffic rather than relying on the reputation of any specific IP.
Implementation Pitfalls That Undermine Detection Effectiveness
Security teams that have invested in VPN and proxy detection capability frequently encounter implementation problems that reduce its effectiveness in practice. Understanding these pitfalls before deployment saves significant time and avoids false confidence in detection coverage.
Treating IP type data as static. IP addresses change hands, get reassigned between residential and datacenter use, and get added to or removed from proxy networks continuously. Detection systems that consume IP type data through infrequent batch updates will have significant coverage gaps. The update frequency of your IP intelligence data should match the rate at which the threat actors you face rotate their infrastructure.
Applying detection logic uniformly across user populations. A rule that works well for a consumer-facing application will generate significant false positives in an enterprise environment where remote workers routinely use corporate VPNs that present as datacenter IPs. Tuning detection thresholds to reflect the actual connection patterns of your user population is essential. Allow-listing known corporate VPN exit ranges while maintaining scrutiny on unknown datacenter IPs is a practical starting point.
Relying on single-signal decisions. Blocking or challenging access based on a single signal, such as IP type alone, generates both false positives and false negatives. Proxy detection works best as a composite scoring system where multiple weak signals combine into a high-confidence decision. Building the analytical layer to combine signals effectively is more valuable than improving the quality of any single input signal.
Failing to account for legitimate privacy tool use. A meaningful portion of legitimate users employ commercial VPNs for personal privacy reasons. A detection system that treats all VPN use as malicious will generate friction for a significant portion of your legitimate user base. The goal is to detect anomalous VPN use, specifically use that is inconsistent with the user's established behavior pattern, rather than to block VPN use categorically.
Skipping the logging infrastructure investment. Proxy and VPN detection generates actionable value only when the signals it produces are logged in sufficient detail to support retrospective investigation. Teams that implement detection logic without ensuring that the relevant metadata is captured and retained lose the ability to reconstruct attack timelines, identify compromised accounts, or improve detection models based on confirmed incidents.
Underestimating the operational cost of feed management. Residential proxy feed data, ASN reputation scores, and IP type classification all require ongoing maintenance. Feeds expire, providers change their data formats, and coverage gaps emerge as new proxy infrastructure comes online. Assigning clear ownership for feed quality and establishing a regular review cadence prevents the gradual degradation of detection effectiveness that occurs when feed management is treated as a one-time implementation task.
Building Toward Reliable Attribution in Contested Environments
The fundamental challenge of VPN and proxy detection is that it operates in an environment where attackers are specifically trying to defeat it. The detection approaches described here are not permanent solutions. They are capabilities that require continuous investment, tuning, and adaptation as threat actors evolve their infrastructure and techniques.
The most resilient detection postures combine IP-layer signals with behavioral analysis and session-layer forensics, applying each layer to catch the evasion techniques that defeat the others. No single layer is sufficient against a determined adversary who understands how each detection mechanism works. The combination of layers, each independently generating signal, produces coverage that is significantly harder to defeat comprehensively than any individual technique.
For cybersecurity professionals and IT administrators, the practical priority is identifying which layers are currently absent or immature in your detection stack and addressing those gaps systematically. Start with IP type classification integrated into authentication flows, add behavioral baselines for impossible travel and velocity anomalies, and build toward session-layer consistency checking as your data collection infrastructure matures. Each layer added improves your ability to detect the proxy and VPN abuse that threat actors across every campaign category are currently relying on to stay undetected.