Residential proxy and VPN detection

Updated on 28.09.23
7 minutes to read
Copy link


Thanks to the combination of our advanced Device Fingerprinting technology and low-level network data from transactions, we created an industry-leading Residential proxy and VPN detection. Our intelligent algorithm is based on the network fingerprint of web-based transactions and discovers whether the device is accessing the website through a VPN or a residential proxy provider with one of the highest accuracy on the market.


Proxies and VPNs explained

A proxy is like a middleman helping you access websites indirectly, hiding your actual location. A VPN (Virtual Private Network) creates a tunnel between your device and a VPN server, sending all internet traffic through that server. They can be used to bypass restrictions or to stay anonymous online.

Both proxies and VPNs allow users to conceal their true IP addresses, making it challenging for fraud detection systems to trace and identify malicious actors. This anonymity can enable fraudsters to engage in activities like account takeovers, carding, and phishing, with a reduced risk of being caught.

There are also legitimate users who rely on proxies and VPNs for privacy and security reasons, especially when accessing sensitive information over public networks. It is important that fraud prevention teams find a delicate balance between respecting user privacy and safeguarding against fraudulent activities.


How SEON can detect proxies and VPNs

You can use SEON to detect proxies and VPNs in two ways: through the IP API and with Device Fingerprinting.

How VPN, web and datacenter proxies can be detected

Sending the client’s IP address to our IP API can reveal a lot of information, including whether it is a known VPN or proxy address, which ports are open, and whether this address is included in a spam list or not. The drawback is that these checks are based on IP reputation and, as such, are not adequate for the detection of residential or mobile proxies.

How VPN and residential proxies can be detected with Device Fingerprinting

Integrating the SEON’sJavaScript SDK can help you detect users who are trying to hide their real IP addresses on your website. The module collects multiple data points from the browser using JavaScript and the TCP/IP and TLS fingerprints. By analyzing this information, we can accurately identify whether the user uses a proxy or VPN connection to access the website. This feature can detect residential and mobile proxies since it doesn’t rely on IP reputation; it actively checks data collected from a browser visit.



Integrating SEON’s Device Fingerprinting allows the collection of a range of information about the user’s client device. SEON’s unique Residential Proxy and VPN detection is available with our Device Fingerprinting Javascript SDK and our Fraud API. 

It is important to mention that Residential proxy detection is based on the low-level signals of network data, and connection characteristics highly affect its accuracy. There is a possibility that, in some cases, the default time frame for network fingerprinting is not enough, which could lead to incomplete detection. 

This is especially true for users who are using a proxy, as it slows down their effective network speed. To avoid this, an additional configuration parameter in the JavaScript SDK can increase the maximum timeout for this detection.

 session_id: “[session_id]”,
 max_proxy_delay: 1000,

If the device widget is not active/no data is being shown, please make sure you have set up your integration correctly. Our API Reference can help you understand what may have gone wrong, and our support team is ready to help with any troubleshooting.

We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of user devices; you can find a full list of these in our API Reference.


Default rules for VPN and Proxy detection

Many default rules are based on previous detection mechanisms and analysis of large sets of transactions. 

  • Customer is using a Web proxy  - P105
  • Customer is using a datacenter ISP - P106
  • Customer is using a public proxy - P112
  • There are more than 2 different IP addresses detected using WebRTC* - HC101
  • Customer is from Nordic country and using VPN - HC107

If you would like to use our latest developments for detecting residential proxies and VPNs to identify suspicious user activities, you need to set up custom rules utilizing cutting-edge Device Fingerprinting technology.


Tailor-fit VPN and proxy detection with advanced Device Fingerprinting custom rules

Custom rules in SEON empower you to tailor fraud prevention strategies to your business needs. There are three parameter types: Data Match, Compare, and Velocity. These allow you to spot inconsistencies, assess data against criteria, and analyze changes over time.

To create a custom rule:

  1. Go to the Custom Rules tab of the Scoring Engine and click Create new rule.
  2. Name your rule for easier identification something like: “Device Fingerprinting VPN and Proxy detection”.
  3. Select the parameter type Compare.
  4. Select the value Suspicious browser profile.
  5. Select the operator Contains.
  6. Type “proxy” or “vpn” in the compare field.
  7. Click Create rule.

Go to the Dashboard and scroll down to the Applied Rules Statistics widgets to check on the performance of your rules, and navigate to the Transactions page to find the transaction(s) where the given rule has been applied for detailed investigation.