Identifying anonymous IP address to detect online fraud

BigDataCloud April 27, 2021

Detecting anonymous IP addresses is essential for protecting online platforms from fraud. Rather than using a home internet connection, fraudsters typically route traffic through VPNs, proxies, or hosting providers to conceal their identity. While privacy tools have legitimate uses, they complicate efforts to distinguish between genuine customers and bad actors. That’s why we invest heavily in robust IP geolocation and risk assessment capabilities.

Why Anonymous IP Detection Matters

Anonymous IP detection is a powerful safeguard for e-commerce, fintech, SaaS and community platforms. For example, when a customer’s billing address, delivery address, and IP-derived location do not align—and the IP is linked to a VPN, proxy or hosting origin—it’s a clear signal to trigger additional verification.

Threats are evolving. Some attackers hijack residential routers so malicious traffic appears to come from a home connection. Others leverage “residential” IP pools provisioned via intermediaries. Effective defence therefore requires more than static blocklists; it demands a dynamic, data-driven approach that balances security with customer experience.

Our multi-layered approach to IP-based fraud detection

We combine reactive intelligence with proactive signals to identify high-risk traffic while minimising friction for legitimate users:

  • IP Geolocation — Cross-check the IP’s location with billing and shipping addresses to spot mismatches and unusual travel patterns.
  • Proxy, VPN & hosting detection — Identify routes through anonymising networks or data centres to surface likely non-residential activity.
  • Hosting Likelihood — A 0–10 signal estimating whether an IP originates from hosting infrastructure rather than a typical “eyeball” (residential) network.
  • Reputation & behaviour — Blend historic abuse indicators with session behaviour (e.g., new device + new geo + high-value action) to reduce false positives.
  • Hazard Report API — Consolidates signals (blacklists, anonymiser detection, hosting likelihood and more) into a structured, machine-readable risk profile for real-time decisions.
  • IP Geolocation with Confidence Area — Returns location plus a polygonal confidence boundary to validate user-reported locations and support risk scoring.
  • User Risk API — Simple Low/Moderate/High categorisation for adaptive challenges (e.g., step-up verification or CAPTCHA) without heavy integration.

How our Hazard Report works with geolocation

Our Hazard Report blends two complementary layers:

  • Reactive intelligence — Matches against reputable blocklists and detects anonymisers (VPN, proxy, Tor) to catch known bad sources quickly.
  • Proactive indicators — Uses hostingLikelihood and infrastructure classification to flag data-centre-originated traffic even when no prior abuse is recorded—crucial for zero-day defence.

Paired with Confidence Area, the Hazard Report helps you:

  • Identify suspicious traffic before it initiates fraud.
  • Label sessions with consistent, machine-friendly scores for downstream rules and automation.
  • Apply real-time actions: allow, challenge, rate-limit, or block.
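One way to turn these signals into the allow, challenge, rate-limit or block actions listed above, as an added example that is not BigDataCloud's code. Only hostingLikelihood comes from the page; the other field names, the polygon format, the thresholds and the policy itself are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Signals:                 # hypothetical container, not the API's response schema
    hosting_likelihood: int    # 0-10, the page's hostingLikelihood
    is_anonymiser: bool        # VPN / proxy / Tor detected (assumed flag)
    on_blocklist: bool         # matched a blocklist (assumed flag)
    confidence_area: list      # polygon as [(lat, lon), ...] (assumed shape)

def point_in_polygon(lat, lon, polygon):
    """Planar ray-casting test; does not handle polygons crossing the antimeridian."""
    inside = False
    for i in range(len(polygon)):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % len(polygon)]
        if (lon1 > lon) != (lon2 > lon):  # edge straddles the point's longitude
            cross_lat = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < cross_lat:
                inside = not inside
    return inside

def decide(sig, claimed_lat, claimed_lon, high_value=False):
    """Return (action, reasons); action is allow, challenge, rate-limit or block."""
    if sig.on_blocklist:                  # reactive layer: known bad source
        return "block", ["blocklist match"]
    reasons = []
    if sig.is_anonymiser:
        reasons.append("anonymiser")
    if sig.hosting_likelihood >= 7:       # assumed threshold on the 0-10 scale
        reasons.append("hosting origin likely")
    if not point_in_polygon(claimed_lat, claimed_lon, sig.confidence_area):
        reasons.append("claimed location outside confidence area")
    if not reasons:
        return "allow", reasons
    # Assumed policy: one weak signal only slows the session down; several
    # signals, or a high-value action, trigger step-up verification.
    if len(reasons) >= 2 or high_value:
        return "challenge", reasons
    return "rate-limit", reasons

# Constructed sample data: a square confidence area and two user-claimed points.
AREA = [(-34.1, 150.9), (-34.1, 151.4), (-33.6, 151.4), (-33.6, 150.9)]
INSIDE, OUTSIDE = (-33.87, 151.21), (-37.81, 144.96)

if __name__ == "__main__":
    print(decide(Signals(1, False, False, AREA), *INSIDE))
    print(decide(Signals(9, False, False, AREA), *OUTSIDE))
```

Returning the reasons alongside the action gives downstream rules and manual reviewers the same labels the decision was based on.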

Summary: why our approach works

| Strategy / Tool | What it offers | Why it matters |
|---|---|---|
| Blacklists & anonymiser detection | Known threat identification | Proven historic signals for rapid triage |
| Hosting Likelihood (0–10) | Assesses hosting vs residential origin | Proactive signal for unseen threats |
| Hazard Report API | Structured, machine-readable risk profile | Speeds up automation and reduces manual review |
| Geolocation with Confidence Area | Location plus precision boundary | Validates user location and informs scoring |
| User Risk API | Low/Moderate/High classification | Enables adaptive, low-friction security |

Get started

See these signals in action with our free IP Address Lookup, powered by the same Hazard Report and Confidence Area technologies. When you’re ready to integrate, explore the full IP Geolocation API suite and choose the endpoints that best fit your risk strategy.
