When the Attacker Looks Like a Normal User
In mid-2022, the threat group tracked as 0ktapus compromised over 130 organizations by routing phishing infrastructure and credential harvesting traffic through a rotating network of residential proxies and commercial VPN endpoints. Defenders at several affected firms later confirmed that their detection systems had flagged none of the initial access attempts as suspicious because the source IPs carried clean reputations, matched expected geographies, and blended seamlessly into legitimate user traffic. The breach was silent until downstream identity alerts fired weeks after initial compromise.
That case is a precise illustration of why VPN abuse and proxy detection deserve treatment as a distinct operational discipline rather than a feature baked into a firewall or handled by a single threat feed. The infrastructure attackers use to anonymize themselves today is sophisticated, commercially available, and actively maintained to stay ahead of blocklists. Defending against it requires layered signals, behavioral context, and an honest accounting of what your current stack actually sees versus what it does not.
The Infrastructure Attackers Actually Use
Understanding the detection problem starts with understanding what defenders are actually trying to find. Threat actors operating in 2026 draw from several categories of anonymization infrastructure, and each category has a different detection fingerprint.
Commercial VPN Services
Consumer-facing VPN providers such as Mullvad, ExpressVPN, and NordVPN maintain large pools of shared IP addresses. These addresses are widely known, and most IP reputation databases flag them as VPN-associated. Detection here is relatively straightforward: maintain an updated list of known VPN provider ASNs and exit node IP ranges, and apply appropriate risk scoring. The challenge is that blocking all commercial VPN traffic sweeps up legitimate users, including your own employees working remotely.
Residential Proxy Networks
Residential proxy services route traffic through IP addresses assigned to real consumer ISP accounts, often without those consumers knowing their bandwidth is being sold. Services like Bright Data, Oxylabs, and a long tail of grey-market providers offer millions of residential IPs. These addresses carry no VPN flag in most databases, originate from clean ASNs, and match expected geolocation for their region. Detection requires behavioral analysis rather than simple IP reputation lookups. The 0ktapus campaign leaned heavily on this infrastructure, and the Iranian threat actors who targeted South Korean electronics firms in recent operations used similar residential proxy rotation to evade perimeter controls during the reconnaissance phase.
Datacenter Proxies and Bulletproof Hosting
Datacenter proxies are easier to detect because their ASNs are well-documented as hosting providers. Bulletproof hosting operators are more persistent adversaries. They cycle IP ranges, register new ASNs, and shift hosting registrars frequently. Groups like FamousSparrow, which was recently observed operating against an energy firm in the South Caucasus, have used bulletproof infrastructure that was clean in commercial threat feeds at the time of initial access. The detection gap here is the latency between when new infrastructure goes live and when it appears in blocklists, which can range from days to weeks.
Compromised Infrastructure
Some of the hardest traffic to detect originates from legitimately owned servers, routers, and network devices that have been compromised and enrolled in a botnet or proxy mesh without the owner's knowledge. Watering hole campaigns pushing payloads like the ScanBox keylogger have used compromised small business web servers as staging and relay nodes. These IPs are clean, have long histories, and sit in ASNs associated with legitimate businesses. No reputation database flags them until after the compromise is investigated and reported.
What Detection Signals Actually Work
Because no single signal reliably catches all proxy and VPN abuse, effective detection stacks layer multiple independent signals. Each signal has known limitations, and those limitations need to be understood before deploying.
ASN and Hosting Provider Classification
Classifying traffic by ASN type is the foundation of proxy detection. Requests from ASNs operated by known VPN providers, datacenter hosting companies, and cloud providers should carry elevated risk scores by default. This classification is available from commercial IP intelligence providers and from open datasets published by the RIPE NCC and the other regional internet registries.
The practical limitation is that attacker infrastructure migrates. An ASN that was clean last quarter may now host bulletproof services. Integrate an ASN reputation feed that updates at least daily, and build alerting for sudden spikes in traffic from any single ASN that has not historically sent significant traffic to your environment.
IP History and Age
Newly registered or recently reassigned IP addresses carry higher risk than IPs with long, clean histories. Threat actors who spin up new infrastructure for a campaign rarely have the luxury of aging it for credibility. Check the allocation date of incoming IPs against WHOIS and RIR data. An IP that has existed for three days and is sending authentication requests to your identity provider deserves escalated scrutiny regardless of its current reputation score.
Connection Characteristics and Protocol Fingerprinting
VPN and proxy services leave detectable marks in how connections behave. Look for mismatches between the declared browser user agent and the TLS fingerprint; such a mismatch signals that a tool like Burp Suite or a scripted client is masquerading as a standard browser. Tools like JA3 and JA4 fingerprint TLS client hellos and can surface automated tooling even when it is routing through a clean residential IP. Inconsistent HTTP header ordering, and the absence or malformation of headers that browsers normally send, are additional signals.
This approach has a meaningful false positive rate in environments where custom enterprise software, mobile apps, or API clients generate non-standard TLS signatures. Build a baseline of expected fingerprints from your legitimate traffic before treating anomalous fingerprints as high-confidence indicators.
Behavioral Velocity and Session Patterns
Human users behave differently from scripted access, even when both are routing through the same proxy infrastructure. Measure request velocity, session duration, navigation patterns, and timing between actions. A session that completes a login and immediately issues API calls with millisecond precision across a sequence of endpoints is scripted regardless of the source IP's reputation.
Apply this analysis in real time at the application layer. Web application firewalls with behavioral analysis capabilities, API gateways with session tracking, and SIEM rules that correlate authentication events with downstream activity are practical implementation points.
Geolocation Consistency Checks
Proxy and VPN use frequently produces geolocation inconsistencies. A user who logged in from Berlin two hours ago and is now authenticating from Singapore has either traveled faster than any aircraft or is routing through proxy infrastructure. Implement impossible travel detection and ensure it feeds into your risk scoring engine rather than sitting as an isolated alert that nobody reviews.
Extend this to language and locale signals. If a user's browser is configured for Korean locale but the session originates from a Romanian IP, that combination warrants inspection even if neither signal alone would trigger an alert.
Implementation Architecture
Theory is useful but implementation details determine whether detection actually works under load. The following architecture reflects how mature security operations teams are structuring proxy detection in production environments.
Enrichment at the Edge
Perform IP classification at the point of ingress before requests reach application logic. Reverse proxies, load balancers, and API gateways can call an IP intelligence API synchronously and attach enrichment metadata to the request as a header. This metadata then flows through your application stack and into your SIEM without requiring post-hoc log enrichment.
Latency is the primary constraint. A synchronous IP intelligence API call adds round-trip time to every request. Use caching aggressively: cache results for IPs by their TTL, typically one to four hours for dynamic residential ranges, and longer for stable datacenter IP classifications. Aim for a cache hit rate above 90 percent to keep added latency under five milliseconds at the 99th percentile.
Risk Scoring Rather Than Binary Blocking
Binary blocking of all VPN and proxy traffic creates two problems. First, legitimate users, including privacy-conscious individuals, employees on corporate VPNs, and users in regions with restricted internet access, are blocked. Second, adversaries quickly learn your blocking threshold and route around it. A risk scoring model is more durable.
Assign numeric scores to each signal: known VPN ASN adds 30 points, datacenter hosting adds 20 points, new IP age under seven days adds 25 points, anomalous TLS fingerprint adds 15 points, impossible travel adds 40 points. Set thresholds for step-up authentication challenges at a moderate score and for session termination or blocking at a higher score. Tune these thresholds against your actual traffic distribution rather than accepting vendor defaults.
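The scoring model above, written out as an added example (not code from the article or any vendor): the five weights are the article's, while the step-up and block thresholds (40 and 70), the 1,000 km/h travel ceiling, and the LoginContext fields are assumptions to be tuned against your own traffic. Impossible travel is derived from the previous login's location and time rather than taken as a pre-computed flag, so the Berlin-to-Singapore case from the geolocation section can be checked end to end.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Per-signal weights are the article's; the two thresholds and the travel-speed
# ceiling are assumptions to be tuned against real traffic, not vendor defaults.
WEIGHTS = {"vpn_asn": 30, "datacenter_asn": 20, "new_ip": 25,
           "anomalous_tls": 15, "impossible_travel": 40}
STEP_UP_THRESHOLD = 40      # assumed "moderate" score: challenge the login
BLOCK_THRESHOLD = 70        # assumed "high" score: terminate or block
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling for genuine travel between logins

@dataclass
class LoginContext:
    asn_type: str                  # "vpn", "datacenter", "residential", ...
    ip_age_days: int               # from the RIR / WHOIS allocation date
    tls_fingerprint_known: bool    # JA3/JA4 hash is in the legitimate baseline
    location: Tuple[float, float]  # (lat, lon) of this attempt
    at: datetime
    prev_location: Optional[Tuple[float, float]] = None  # last good login, if any
    prev_at: Optional[datetime] = None

def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    p1, p2 = radians(a[0]), radians(b[0])  # great-circle distance in kilometres
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b[1] - a[1]) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def is_impossible_travel(ctx: LoginContext) -> bool:
    if ctx.prev_at is None or ctx.prev_location is None:
        return False
    hours = max((ctx.at - ctx.prev_at).total_seconds() / 3600.0, 1e-6)
    return haversine_km(ctx.prev_location, ctx.location) / hours > MAX_PLAUSIBLE_KMH

def fired_signals(ctx: LoginContext) -> list:
    """Names of the signals this login trips; each maps to a weight above."""
    checks = [("vpn_asn", ctx.asn_type == "vpn"),
              ("datacenter_asn", ctx.asn_type == "datacenter"),
              ("new_ip", ctx.ip_age_days < 7),
              ("anomalous_tls", not ctx.tls_fingerprint_known),
              ("impossible_travel", is_impossible_travel(ctx))]
    return [name for name, hit in checks if hit]

def risk_score(ctx: LoginContext) -> int:
    return sum(WEIGHTS[s] for s in fired_signals(ctx))

def decision(ctx: LoginContext) -> str:
    score = risk_score(ctx)  # step_up = token or push challenge; block = terminate
    return "block" if score >= BLOCK_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

A residential login from Singapore two hours after a Berlin login trips only impossible travel (40) and lands in the step-up band; the same login from a known VPN ASN reaches 70 and is blocked.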
Integration with Identity and Access Management
Proxy detection signals should feed directly into your identity platform's adaptive authentication engine. Modern identity providers support risk-based authentication policies that accept external signals via API. When a login attempt arrives from a high-risk IP, the identity platform can require a hardware token, send a push notification, or gate the session to read-only access pending review. This approach reduces friction for clean sessions while raising the cost of attacks that route through anonymizing infrastructure.
Specific Scenarios and Response Postures
Credential Stuffing via Rotating Proxies
An attacker purchases a credential list from a marketplace and runs it against your authentication endpoint using a rotating residential proxy pool. Each attempt originates from a different clean IP. Standard rate limiting per IP fails because each attempt uses a new source address.
The effective countermeasure stack here combines device fingerprinting, CAPTCHA challenges triggered by failure patterns rather than IP thresholds, and rate limiting applied at the username level rather than the IP level. A single username receiving three failed authentication attempts in ten minutes is suspicious regardless of how many source IPs were involved. Log the attempt count per username separately from per-IP metrics and alert on username-level velocity.
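The username-level velocity check from the paragraph above, as an added example that is not code from the article: it runs a sliding ten-minute window over constructed authentication log lines (the log format, field names and documentation-range IPs are assumptions) in which one account is hit from three different clean IPs, so the per-IP counters an IP-keyed rate limiter would consult never exceed one while the per-username counter reaches the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "alice" is hit from three different clean IPs within
# ten minutes, so every per-IP counter stays at 1 and an IP-based limit never fires.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z auth_fail user=alice ip=198.51.100.7
2024-05-01T10:03:12Z auth_fail user=bob ip=203.0.113.40
2024-05-01T10:04:30Z auth_fail user=alice ip=203.0.113.9
2024-05-01T10:06:00Z auth_ok user=carol ip=192.0.2.50
2024-05-01T10:08:55Z auth_fail user=alice ip=192.0.2.133
2024-05-01T10:25:00Z auth_fail user=bob ip=203.0.113.41
"""
LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) ip=(\S+)$")
FAIL_THRESHOLD = 3              # article: three failures ...
WINDOW = timedelta(minutes=10)  # ... within ten minutes, per username

def parse_events(log: str):
    """Yield (timestamp, event, username, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1].replace("Z", "+00:00")), m[2], m[3], m[4]

def username_velocity_alerts(log: str) -> list:
    """Sliding-window failure count keyed on username; source IPs are only context."""
    recent = defaultdict(deque)  # username -> failure timestamps inside the window
    seen_ips = defaultdict(set)  # username -> distinct source IPs of those failures
    alerts = []
    for ts, event, user, ip in parse_events(log):
        if event != "auth_fail":
            continue
        window = recent[user]
        window.append(ts)
        seen_ips[user].add(ip)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            alerts.append({"user": user, "failures": len(window),
                           "distinct_ips": len(seen_ips[user]), "at": ts.isoformat()})
            window.clear()  # one alert per burst, then start counting again
    return alerts

def per_ip_failures(log: str) -> dict:
    counts = defaultdict(int)  # what an IP-keyed limiter sees: never above 1 here
    for _, event, _, ip in parse_events(log):
        if event == "auth_fail":
            counts[ip] += 1
    return dict(counts)
```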
Reconnaissance from Bulletproof Hosting
A threat actor performing pre-attack reconnaissance on your public-facing infrastructure routes scanning traffic through a bulletproof hosting ASN that has not yet appeared in commercial blocklists. This is consistent with how groups like FamousSparrow operate during initial target profiling.
Detection relies on behavioral signals rather than reputation. Scanners produce characteristic request patterns: sequential port sweeps, URL enumeration, repeated requests for non-existent resources, and spider-like link traversal. Build SIEM rules that detect these patterns independent of source IP reputation and alert on them as a precursor indicator. Cross-reference newly detected scanner IPs against your IP intelligence platform and submit them as abuse reports to accelerate their appearance in shared blocklists.
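One way to express the URL-enumeration pattern described above as a reputation-independent rule, written here as an added example rather than code from the article: it aggregates constructed access-log lines (format, thresholds and documentation-range IPs are assumptions) per source IP and flags clients that issue many requests for distinct paths with a high share of not-found responses, so a legitimate visitor who hits one broken link is not flagged.

```python
import re
from collections import defaultdict

# Constructed access-log sample: one client walks admin and backup paths that do
# not exist, another browses real pages. Nothing below consults IP reputation.
SAMPLE_ACCESS_LOG = """\
2024-05-01T09:00:00Z 203.0.113.55 GET /wp-admin/ 404
2024-05-01T09:00:01Z 203.0.113.55 GET /.env 404
2024-05-01T09:00:01Z 203.0.113.55 GET /phpmyadmin/ 404
2024-05-01T09:00:02Z 203.0.113.55 GET /backup.zip 404
2024-05-01T09:00:02Z 203.0.113.55 GET /admin/ 404
2024-05-01T09:00:03Z 203.0.113.55 GET /robots.txt 200
2024-05-01T09:00:05Z 198.51.100.20 GET / 200
2024-05-01T09:00:09Z 198.51.100.20 GET /static/app.css 200
2024-05-01T09:00:40Z 198.51.100.20 GET /pricing 200
2024-05-01T09:01:10Z 198.51.100.20 GET /old-link 404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD) (\S+) (\d{3})$")
# Assumed thresholds for one evaluation window (here, the whole sample).
MIN_REQUESTS = 5         # do not judge a client on fewer requests than this
MIN_404_RATIO = 0.6      # share of not-found responses that suggests enumeration
MIN_DISTINCT_PATHS = 5   # breadth: one broken link hit repeatedly is not a sweep

def per_source_stats(log: str) -> dict:
    """Per source IP: request count, 404 count and the set of distinct paths."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m[2], m[4], int(m[5])
        s = stats[ip]
        s["requests"] += 1
        s["not_found"] += 1 if status == 404 else 0
        s["paths"].add(path)
    return stats

def scanner_candidates(log: str) -> dict:
    """IPs whose request mix looks like enumeration, with the evidence for each."""
    flagged = {}
    for ip, s in per_source_stats(log).items():
        ratio = s["not_found"] / s["requests"]
        if (s["requests"] >= MIN_REQUESTS and ratio >= MIN_404_RATIO
                and len(s["paths"]) >= MIN_DISTINCT_PATHS):
            flagged[ip] = {"requests": s["requests"], "not_found_ratio": round(ratio, 2),
                           "distinct_paths": len(s["paths"])}
    return flagged
```

The evidence dictionary is what would be attached to the SIEM alert and to the abuse report submitted to the intelligence provider.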
Supply Chain Delivery via Compromised Relays
The ScarCruft supply chain attack against a gaming platform delivered payloads through compromised third-party update infrastructure. In a similar scenario, an attacker could use compromised servers as proxy relays for command and control traffic, making C2 communications appear to originate from a trusted business network.
Outbound traffic analysis is the appropriate control here. Monitor for connections from internal hosts to IP ranges or domains that have no prior relationship with your environment. Apply egress filtering and DNS sinkholing for known malicious infrastructure. When entirely new external IPs start receiving connections from internal systems, investigate regardless of the reputation of those IPs.
Operational Challenges and Honest Tradeoffs
Proxy detection carries real operational costs that security teams need to account for before deployment.
False positive rates on residential proxy detection can be substantial in consumer-facing applications where privacy tool usage is common. In markets like Germany or Switzerland where VPN adoption is high among general users, aggressive proxy blocking can meaningfully degrade the user experience for a significant fraction of legitimate traffic. Calibrate your deployment context before setting detection thresholds.
Detection latency is a real constraint when using external IP intelligence APIs. Build circuit breakers so that if your IP intelligence provider experiences an outage, your application fails open to a degraded detection mode rather than blocking all traffic or crashing. Define your acceptable degradation posture before deployment rather than during an incident.
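The edge enrichment cache from the Enrichment at the Edge section and the fail-open circuit breaker from the paragraph above, combined in one added example (not code from the article or any IP intelligence vendor): the provider interface, the breaker threshold of three consecutive failures, the 30-second cooldown and the one-hour default TTL are assumptions. Cached records are served until their TTL expires, the provider is not called at all while the breaker is open, and every degraded response is flagged so that downstream scoring can treat it as neutral rather than blocking.

```python
import time
from dataclasses import dataclass, field
from typing import Callable
# Assumed provider contract (illustrative, not a real vendor API): lookup(ip) returns
# a dict with "asn_type" and optionally "ttl_seconds", and raises on timeout or outage.
@dataclass
class EnrichmentClient:
    lookup: Callable[[str], dict]
    failure_threshold: int = 3      # assumed: consecutive failures that open the breaker
    cooldown_seconds: float = 30.0  # assumed: how long to stay open before retrying
    default_ttl: float = 3600.0     # 1 h, the article's lower bound for residential ranges
    clock: Callable[[], float] = time.time
    hits: int = 0
    misses: int = 0
    _cache: dict = field(default_factory=dict)  # ip -> (record, expires_at)
    _failures: int = 0
    _open_until: float = 0.0

    def breaker_open(self) -> bool:
        return self.clock() < self._open_until

    def enrich(self, ip: str) -> dict:
        now = self.clock()  # cached, TTL-bounded lookup that fails open when degraded
        cached = self._cache.get(ip)
        if cached and cached[1] > now:
            self.hits += 1
            return cached[0]
        self.misses += 1
        if self.breaker_open():
            return self._degraded(ip)  # provider is not called at all while open
        try:
            record = self.lookup(ip)
        except Exception:
            self._failures += 1
            if self._failures >= self.failure_threshold:
                self._open_until = now + self.cooldown_seconds
            return self._degraded(ip)
        self._failures = 0
        self._cache[ip] = (record, now + record.get("ttl_seconds", self.default_ttl))
        return record

    @staticmethod
    def _degraded(ip: str) -> dict:
        # Fail open: "unknown" scores neutrally downstream and the flag feeds a dashboard.
        return {"ip": ip, "asn_type": "unknown", "degraded": True}

    def cache_hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0
```

cache_hit_rate is the number to watch against the 90 percent target; a falling rate means the added latency per request is climbing before any user notices.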
Data freshness matters more than completeness. A threat feed that updates hourly with high-confidence new indicators is more operationally useful than a comprehensive feed that updates weekly. Evaluate your intelligence providers on update frequency and the lag between infrastructure deployment and flag appearance, not just on the size of their database.
Metrics Worth Tracking
Proxy and VPN detection programs benefit from specific, tracked metrics rather than generic security posture scores. Consider instrumenting the following.
- Proxy-origin authentication rate: What percentage of your authentication attempts originate from classified proxy or VPN infrastructure? A sudden increase is an early indicator of a credential stuffing campaign warming up.
- Step-up authentication trigger rate by risk score band: Validate that your risk scoring thresholds are working as designed. If the high-risk band rarely triggers step-up authentication, either your scoring is miscalibrated or attackers are staying below the threshold deliberately.
- New ASN appearance rate: Track how many previously unseen ASNs appear in your traffic each week. A spike correlates with attackers rotating infrastructure.
- Detection-to-block latency for confirmed malicious IPs: Measure how long after a malicious IP first touches your environment it takes for that IP to be blocked. Reduce this latency by automating the path from SIEM alert to WAF block rule.
Putting It Together
The 0ktapus campaign, the Iranian targeting of South Korean firms, and the FamousSparrow operations in Eastern Europe share a common thread: attackers invested in anonymization infrastructure that stayed below detection thresholds long enough to establish footholds. The detection gap these cases exposed is not a technology problem that a single product purchase closes. It is an architecture problem that requires combining IP classification, behavioral analysis, identity integration, and continuously updated intelligence into a system that degrades gracefully and adapts as attacker infrastructure evolves.
Start with a baseline measurement of how much of your current inbound traffic originates from classified proxy and VPN infrastructure. That number, whatever it is, tells you the scale of the problem your current stack is making decisions about, and gives you a foundation to measure improvement against as you build out detection depth.