VPN & Proxy Detection in 2026: What's New

VPN and proxy detection used to be easy. You had a list of known VPN provider IPs, you blocked them. Done.

Then residential proxy networks happened. Bright Data, Oxylabs, IPRoyal — they sell access to real consumer ISPs (often unwittingly resold from sketchy SDKs in apps). Suddenly the request comes from a Comcast Maryland IP. Real residential. Looks like a normal user.

Detection had to adapt.

The 2026 detection toolkit

We use four signals together:

1. 1ASN reputation — even residential ASNs have measurable bot ratios. Comcast has high human traffic. Some smaller ISPs have unusually high bot traffic and we score them down.
2. 2GeoIP city density — residential proxies tend to cluster IPs around their farm locations. If we see 50 requests in 10 minutes all from the same neighborhood-level IP block, that's suspicious.
3. 3WebRTC leak — even when a request is proxied, WebRTC can leak the local IP. If the local IP is in a datacenter range and the public IP is residential, classic proxy setup.
4. 4Behavioral inconsistency — a residential proxy farm running 100 reviews/hour has identical mouse movements across requests. Behavioral fingerprint clustering catches this.

What ip-api.com gives us

Overcloak uses ip-api.com as the primary IP intelligence source. It returns: country, city, ISP, ASN organization, and three flags: proxy, hosting, mobile. The proxy flag catches commercial VPNs and known proxy IPs. The hosting flag catches datacenters. The mobile flag identifies cellular networks (low-bot-ratio, generally trusted).

We cache responses for 30 minutes per IP to keep latency low. Over the cache hit we add zero latency.

Tor specifically

Tor exit node IPs are public. The TorProject publishes the list, we ingest it into our blacklist. Zero false positives — if your visitor is on Tor, they're not buying your offer (different threat model than ad reviewers, but same conclusion: block them).