What are common threats from malicious actors online?

Malicious actors engage in activities like payment fraud, account takeover, and content abuse, often using tools like VPNs, proxies, and Tor to hide their identities.

Why is identifying cloaked users important for businesses?

It's a critical component of a robust security strategy to protect platforms and customers from fraud and abuse.

What is IP location intelligence?

It provides context about an IP address, such as geolocation, to help determine if a user's location matches other data like billing addresses.

What is ASN in network intelligence?

ASN (Autonomous System Number) identifies the organization that owns an IP address, such as a residential ISP, cloud provider, or known VPN provider.

How can IP reputation help in detection?

It indicates if an IP address has been associated with past malicious activity, aiding in risk assessment.

What is a VPN and how does it work?

A VPN creates an encrypted tunnel between a user's device and a remote server, masking the true IP address, often used for privacy or by fraudsters.

How to detect a VPN connection?

Methods include checking against known VPN provider databases, port analysis for specific protocols like OpenVPN on UDP port 1194, and inconsistent geolocation data.

What are inconsistent geolocation signals?

For example, an IP from one country with browser settings or timezone from another, indicating potential VPN use.

What are traffic characteristics of VPNs?

VPN traffic may have different packet sizes and timing compared to standard web traffic, detectable through deep packet inspection.

What are proxies and their types?

Proxies act as intermediaries; types include datacenter proxies (from commercial data centers), residential proxies (from real residential IPs), and mobile proxies (from mobile devices).

What is Tor and how is it used?

Tor (The Onion Router) routes traffic through a volunteer network for high anonymity, used for privacy or abuse, and can be detected via public lists of exit nodes.

How to identify Tor users?

Check the user's IP against the public list of Tor exit nodes, which requires regular updates to stay current.

Why is a multi-layered defense important?

No single method is foolproof; combining VPN/proxy/Tor detection, IP reputation, geolocation, behavioral analysis, and device fingerprinting provides a comprehensive risk score.

What is behavioral analysis in fraud detection?

It involves monitoring user actions, such as high login attempts or unusual request patterns, to identify bots or fraudsters.

What is device fingerprinting?

It gathers information from a user's browser and device to help identify and track users, enhancing detection capabilities.

How do specialized services help in detection?

They provide up-to-date databases and tools for VPN, proxy, and Tor detection, allowing businesses to focus on core operations while staying ahead of threats.

What are the benefits of investing in detection strategies?

It protects revenue, reputation, and platform integrity by reducing exposure to fraud and abuse from malicious users.

Published on Sep 19, 2025

Ghadeer Al-Mashhadi

Read time: 6m

4 viewer

Detecting Bots and Malicious Users: A Technical Guide to Fingerprinting VPNs, Proxies, and Tor

Q: What percentage of website traffic is bad bots?

A 2021 study by Imperva found that bad bots accounted for nearly 26% of all website traffic, with advanced persistent bots making up over 15%.

Businesses can identify users hiding behind VPNs, proxies, or Tor by analyzing IP addresses, geolocation, and network ownership, cross-referencing data with known provider databases, and monitoring behavioral patterns to detect inconsistencies or suspicious activity.

Introduction

In today's interconnected digital world, businesses face a constant barrage of threats from malicious actors. These individuals and automated bots can engage in a wide range of harmful activities, including payment fraud, account takeover, and content abuse. To carry out these actions while obscuring their true identities, they often rely on tools like Virtual Private Networks (VPNs), proxies, and the Tor network.

For any online business, from e-commerce stores to financial institutions, the ability to accurately identify these cloaked users is not just a defensive measure—it's a critical component of a robust security strategy. This guide provides a technical deep-dive into the methods used to fingerprint and detect users who are hiding behind VPNs, proxies, and Tor, helping you protect your platform and your customers.

A 2021 study by Imperva revealed that bad bots accounted for nearly 26% of all website traffic, with advanced persistent bots making up over 15%. These bots are increasingly sophisticated, mimicking human behavior to evade simple detection methods. This highlights the growing need for advanced detection techniques that go beyond basic IP blacklisting.
Click to Tweet

The Foundations: IP and Network Intelligence

Before diving into specific detection methods, it's essential to understand the foundational data points that power these techniques. At the core of any detection system is the analysis of the user's IP address and the network it belongs to.

Services like IP Location Intelligence and Network Intelligence (ASN) provide crucial context about an IP address, such as:

Geolocation: Where is the user physically located? Does the location match other user data (e.g: billing address)?
ASN (Autonomous System Number): What organization owns the IP address? Is it a residential ISP, a cloud hosting provider, or a known VPN provider?
IP Reputation: Has this IP address been associated with malicious activity in the past?

With this foundational knowledge, you can begin to build a more sophisticated fingerprinting strategy.

Detecting VPNs

VPNs create an encrypted tunnel between the user's device and a remote server, masking the user's true IP address. While many people use VPNs for legitimate privacy reasons, they are also a common tool for fraudsters.

How to Fingerprint a VPN Connection

Known VPN Provider Databases: The most straightforward method is to check the user's IP address against a database of known VPN providers. Companies that specialize in VPN & Proxy Detection maintain and regularly update these lists. When an IP matches an entry in this database, it's a strong indicator that the user is on a VPN.
Port Analysis: Certain ports are commonly used by VPN protocols. For example, OpenVPN, a popular protocol, often uses UDP port 1194. While port scanning can be complex and may not always be feasible, a high volume of traffic from a single IP on these characteristic ports can be a red flag.
Inconsistent Geolocation Data: A user's IP address might indicate they are in one country, while their browser's language settings or timezone point to another. For example, an IP address from the Netherlands combined with a browser set to "e;en-US"e; and a Pacific Standard Timezone is suspicious. This is where a reliable IP Location Intelligence service is invaluable.
Traffic Characteristics: The nature of VPN traffic can sometimes betray its presence. For example, the packet sizes and timing can differ from standard web traffic. However, this type of analysis is highly technical and typically requires deep packet inspection, which is often beyond the scope of most web applications.

Unmasking Proxies

Proxies act as intermediaries between a user and the internet. A user sends a request to the proxy server, which then forwards the request to the destination server. Like VPNs, proxies are used for both legitimate and malicious purposes. There are several types of proxies to be aware of:

Datacenter Proxies: These are the most common and cheapest type of proxy. The IP addresses belong to commercial data centers and are easily identifiable as non-residential.
Residential Proxies: These proxies route traffic through real residential IP addresses, making them much harder to detect.
Mobile Proxies: Similar to residential proxies, but the traffic is routed through mobile devices.

How to Fingerprint a Proxy Connection

ASN and IP Ownership: One of the most effective ways to detect proxies is by examining the IP address's ASN. If the ASN belongs to a hosting provider or a data center (like AWS, Google Cloud, or a smaller hosting company), there is a high probability that the IP is a Datacenter Proxy. You can use an ASN Lookup Online Tool to investigate suspicious IPs.
HTTP Headers: Some (mostly older or misconfigured) proxies add specific headers to the requests they forward. Look for headers like X-Forwarded-For, Via, or Forwarded. The presence of these headers is a clear sign of a proxy.
Behavioral Analysis: Proxies are often used for automated tasks, like web scraping or credential stuffing. A single IP address making an unusually high number of requests, or attempting to log in to multiple accounts in a short period, is a strong indicator of a bot operating through a proxy.

For a deeper look into evaluating IP data for fraud detection, check out our guide: Beyond API Accuracy: 5 Steps to Evaluate IP Data for Fraud Detection.

Identifying Tor Users

Tor (The Onion Router) provides a high degree of anonymity by routing traffic through a volunteer-operated network of servers. While a powerful tool for privacy and circumventing censorship, Tor is also frequently abused for illegal activities and fraud.

How to Fingerprint a Tor Connection

Detecting Tor is more straightforward than detecting many VPNs or proxies. The Tor Project publishes a public list of all its exit nodes—the servers that send traffic to the public internet.

To detect a Tor user, you simply need to check the user's IP address against this list. If the IP is a known Tor exit node, you can be highly confident that the user is on the Tor network.

The challenge with this method is keeping your list of exit nodes up-to-date, as they change frequently. A professional VPN & Proxy Detection service will handle this for you, ensuring your data is always current.

Building a Multi-Layered Defense

No single detection method is foolproof. A sophisticated fraudster might use a residential proxy that hasn't been flagged yet, or a new, unknown VPN service. This is why a multi-layered approach is essential.

Your fingerprinting system should combine multiple signals to create a comprehensive risk score. This might include:

VPN/Proxy/Tor Detection: Is the IP from a known anonymizing service?
IP Reputation: Has the IP been seen in botnets or other attacks?
Geolocation Analysis: Does the user's location seem plausible?
Behavioral Analysis: Is the user's behavior consistent with that of a legitimate customer?
Device Fingerprinting: What can you tell from the user's browser and device?

By combining these different data points, you can build a much more accurate picture of the user's true identity and intentions. For more insights on this, our blog post 5 Reasons Why Smart Businesses Use VPN/Proxy Detection offers further reading.

Conclusion

Detecting malicious users who hide behind VPNs, proxies, and Tor is a complex but essential task for any online business. By using a combination of techniques—from analyzing IP ownership and geolocation to monitoring user behavior—you can significantly reduce your exposure to fraud and abuse.

While it's possible to build some of these detection capabilities in-house, the landscape is constantly changing. New VPN providers emerge, proxy networks evolve, and botnets find new ways to evade detection. For this reason, many businesses choose to rely on specialized services that are dedicated to staying ahead of these threats, allowing them to focus on their core products and customers. By investing in a robust detection strategy, you can protect your revenue, your reputation, and the integrity of your platform.

Did you find this article helpful?

😍 0

😕 0

Subscribe RSS

Share this article

Stay in the Loop: Join Our Newsletter!

Stay up-to-date with our newsletter. Be the first to know about new releases, exciting events, and insider news. Subscribe today and never miss a thing!

By subscribing to our Newsletter, you give your consent to our Privacy Policy.

Have a different use case?

Need Brand Assets?