Identifying anonymous IP address to detect online fraud

Detecting anonymous IP addresses is essential for protecting online platforms from fraud. Rather than using a home internet connection, fraudsters typically route traffic through VPNs, proxies, or hosting providers to conceal their identity. While privacy tools have legitimate uses, they complicate efforts to distinguish between genuine customers and bad actors. That's why we invest heavily in robust IP geolocation and risk assessment capabilities.

Why Anonymous IP Detection Matters

Anonymous IP detection is a powerful safeguard for e-commerce, fintech, SaaS and community platforms. For example, when a customer's billing address, delivery address, and IP-derived location do not align—and the IP is linked to a VPN, proxy or hosting origin—it's a clear signal to trigger additional verification.

Threats are evolving. Some attackers hijack residential routers so malicious traffic appears to come from a home connection. Others leverage "residential" IP pools provisioned via intermediaries. Effective defence therefore requires more than static blocklists; it demands a dynamic, data-driven approach that balances security with customer experience.

Our multi-layered approach to IP-based fraud detection

We combine reactive intelligence with proactive signals to identify high-risk traffic while minimising friction for legitimate users:

• IP Geolocation — Cross-check the IP's location with billing and shipping addresses to spot mismatches and unusual travel patterns.
• Proxy, VPN & hosting detection — Identify routes through anonymising networks or data centres to surface likely non-residential activity.
• Hosting Likelihood — A 0–10 signal estimating whether an IP originates from hosting infrastructure rather than a typical "eyeball" (residential) network.
• Reputation & behaviour — Blend historic abuse indicators with session behaviour (e.g., new device + new geo + high-value action) to reduce false positives.
• Hazard Report API — Consolidates signals (blacklists, anonymiser detection, hosting likelihood and more) into a structured, machine-readable risk profile for real-time decisions.
• IP Geolocation with Confidence Area — Returns location plus a polygonal confidence boundary to validate user-reported locations and support risk scoring.
• User Risk API — Simple Low/Moderate/High categorisation for adaptive challenges (e.g., step-up verification or CAPTCHA) without heavy integration.

How our Hazard Report works with geolocation

Our Hazard Report blends two complementary layers:

• Reactive intelligence — Matches against reputable blocklists and detects anonymisers (VPN, proxy, Tor) to catch known bad sources quickly.
• Proactive indicators — Uses hostingLikelihood and infrastructure classification to flag data-centre-originated traffic even when no prior abuse is recorded—crucial for zero-day defence.

Paired with Confidence Area, the Hazard Report helps you:

• Identify suspicious traffic before it initiates fraud.
• Label sessions with consistent, machine-friendly scores for downstream rules and automation.
• Apply real-time actions: allow, challenge, rate-limit, or block.

Summary: why our approach works