How Anti-Fraud Systems Detect VPNs

Mutt

Anti-fraud systems such as Stripe Radar, Adyen RevenueProtect or Sift use sophisticated methods to detect VPNs (virtual private networks), which are often used by carders to mask their location when using stolen card data. Detecting VPNs is critical, as a mismatch between the IP address and the card region is one of the key indicators of fraud. For educational purposes, I will describe in detail how anti-fraud systems detect VPNs, including the technical aspects, the tools used, and the limitations, and explain why this makes carding difficult.

1. Why are VPNs used in carding?

Carders use VPNs to:
  • Geolocation masking: to make the IP address match the region of the card (e.g. a US IP for a card issued in the US).
  • Bypass blacklists: hide the real IP associated with fraud.
  • Anonymization: use a VPN or Tor to hide their identity and avoid tracking.

However, anti-fraud systems are designed to detect such attempts by analyzing a variety of signals associated with IP and network activity.

2. Technical methods for detecting VPN in antifraud systems

Anti-fraud systems use a combination of technologies and data to identify VPNs. The main methods include:

a) IP analysis via geolocation databases

  • Mechanism:
    • Anti-fraud systems integrate with geolocation databases such as MaxMind GeoIP, IP2Location or GeoLite, which contain information about IP address ranges, their geographic location and characteristics.
    • These databases classify IP addresses by type: residential (home), corporate, data center, VPN, proxy or anonymizer (for example, Tor).
  • How VPNs are detected:
    • IPs belonging to data centers (e.g. Amazon AWS, Google Cloud) are often associated with commercial VPN services (NordVPN, ExpressVPN).
    • Example: IP 104.28.12.45 may be flagged as belonging to Cloudflare (VPN provider), which increases the transaction risk rate.
    • Comparison of the IP region with the card region: if the card is from the USA and the IP points to Russia or a data center, this is a flag for suspicious activity.
  • Technical details:
    • Databases contain attributes such as ASN (Autonomous System Number), provider, and connection type.
    • Anti-fraud systems request data via API (for example, GET /geoip/104.28.12.45), receiving JSON with the following information:
      JSON:
      {
        "ip": "104.28.12.45",
        "country": "US",
        "asn": "AS13335",
        "organization": "Cloudflare, Inc.",
        "proxy_type": "VPN"
      }
  • Impact on carding:
    • Carders using popular VPNs (NordVPN, Surfshark) are easily identified as their IP addresses are marked as data centers.
    • Even "clean" VPNs (residential IPs) can be detected if the database is updated regularly.

b) ASN (Autonomous System Number) analysis

  • Mechanism:
    • ASN is a unique identifier of the network that manages a range of IP addresses. VPN providers (e.g. NordVPN, ExpressVPN) use well-known ASNs that anti-fraud systems track.
    • Example: ASN AS13335 (Cloudflare) or AS16276 (OVH) are often associated with VPN or hosting providers.
  • How VPNs are detected:
    • Anti-fraud systems compare the ASN of an IP address with databases to determine whether it belongs to a known VPN provider.
    • If the ASN is associated with a data center or cloud provider rather than a residential ISP (e.g. Comcast, Verizon), this increases the risk score.
  • Technical details:
    • Database queries (e.g. MaxMind) return ASN and organization:
      JSON:
      {
        "ip": "192.168.1.1",
        "asn": "AS16276",
        "organization": "OVH SAS",
        "type": "hosting"
      }
    • Anti-fraud systems use blacklists of ASNs associated with VPNs.
  • Impact on carding:
    • Carders using VPNs with known ASNs (e.g. NordVPN - AS208877) are automatically marked as suspicious.
    • Even residential proxies (simulating home IPs) can be linked to data center ASNs, which is detected by systems.

c) Behavioral analysis of network activity

  • Mechanism:
    • Anti-fraud systems analyze network activity patterns typical for VPNs:
      • Frequent IP changes: A user switching IP addresses between transactions may indicate the use of a VPN.
      • Time zone mismatch: The device's time zone (determined via JavaScript) does not match the IP region.
      • Multiple Attempts: Repeated transactions from different IPs but the same device (Device Fingerprinting).
  • How VPNs are detected:
    • If a user uses an IP from the US, but the device's time zone is set to Asia, this is a flag for suspicious activity.
    • Multiple attempts with IPs belonging to the same VPN provider increase the risk rate.
  • Technical details:
    • JavaScript SDKs (such as stripe.js) collect data about the time zone, browser language, and other characteristics.
    • Anti-fraud systems compare this data with IP via the geolocation API.
  • Impact on carding:
    • Carders using VPNs to disguise themselves often fail to spoof the time zone or other device settings, resulting in the transaction being blocked.

d) Device Fingerprinting

  • Mechanism:
    • Anti-fraud systems collect unique device characteristics (browser, OS version, screen resolution, fonts, plugins) via JavaScript SDK.
    • This data creates a "fingerprint" of the device, which is matched against IP and transaction history.
  • How VPNs are detected:
    • If a device is using an IP associated with a VPN but has previously been seen with a different IP (such as a real one), this increases the risk.
    • Devices that use VPNs often have non-standard configurations (e.g. disabled plugins, minimalist browsers), which makes them stand out.
  • Technical details:
    • Example of device fingerprint:
      JSON:
      {
        "device_id": "device_123456",
        "browser": "Chrome 120",
        "os": "Windows 10",
        "screen_resolution": "1920x1080",
        "timezone": "UTC+3",
        "ip": "104.28.12.45"
      }
    • If the IP is flagged as VPN and the device fingerprint does not match the card owner's history, the transaction is flagged as suspicious.
  • Impact on carding:
    • Carders using VPNs through virtual machines or Tor Browser create fingerprints that are different from typical user devices, which is easily detected.

e) Lists of known VPNs and proxies

  • Mechanism:
    • Anti-fraud systems maintain updated lists of IP addresses associated with popular VPN providers (NordVPN, ExpressVPN, Surfshark) and anonymizers (Tor, I2P).
    • These lists are obtained from specialized services such as IPQualityScore, IPinfo or AbuseIPDB.
  • How VPNs are detected:
    • The IP is checked for affiliation with known VPN providers via API:
      JSON:
      {
        "ip": "104.28.12.45",
        "vpn": true,
        "provider": "NordVPN",
        "risk_score": 85
      }
    • IPs associated with Tor (exit nodes) are automatically marked as high risk.
  • Impact on carding:
    • Popular VPN services are easily detected due to their widely known IP ranges.
    • Tor exit nodes (about 1000–2000 IP) are completely blocked by most anti-fraud systems.

f) Network Header Analysis

  • Mechanism:
    • Anti-fraud systems analyze HTTP headers transmitted by the browser to detect signs of VPN:
      • X-Forwarded-For: May indicate the use of a proxy.
      • Via: Indicates proxy servers.
      • MTU/MSS: TCP packet size may vary for VPN.
  • How VPNs are detected:
    • The presence of proxy-specific headers (e.g. X-Forwarded-For: 192.168.1.1) indicates the use of a VPN.
    • Anomalies in network parameters (e.g. low latency for a data center) raise suspicions.
  • Impact on carding:
    • Carders using cheap or improperly configured VPNs often leave traces in the headers, which leads to blocking.
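One way to combine the GeoIP, ASN, time-zone and proxy-header signals from sections a, b, c and f into a single risk score with the reasons behind it. This is an added example, not code from the post or from any anti-fraud vendor; the ASN set, the UTC offset table, the weights and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed reference data: the ASN set is an assumption, not a real vendor
# feed, and the offset table is a stub standing in for a full time-zone database.
HOSTING_ASNS = {"AS16276", "AS13335", "AS208877"}
COUNTRY_UTC_OFFSETS = {"US": {-4, -5, -6, -7, -8, -9, -10}, "RU": {2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}}

@dataclass
class IpInfo:
    ip: str
    country: str
    asn: str
    connection_type: str          # "residential", "hosting", "vpn" or "tor"

@dataclass
class DeviceInfo:
    utc_offset: int               # hours from UTC, as reported by browser JavaScript
    headers: dict = field(default_factory=dict)

def score_transaction(ip: IpInfo, device: DeviceInfo, card_country: str):
    """Combine the IP, ASN, time-zone and header signals into (score, reasons).
    Signal weights are constructed for the example, not any vendor's real values."""
    score, reasons = 0, []
    if ip.connection_type in ("vpn", "tor"):
        score += 60
        reasons.append(f"ip classified as {ip.connection_type}")
    elif ip.connection_type == "hosting" or ip.asn in HOSTING_ASNS:
        score += 35
        reasons.append(f"asn {ip.asn} is a data-center/hosting network")
    if ip.country != card_country:
        score += 25
        reasons.append(f"ip country {ip.country} does not match card country {card_country}")
    expected = COUNTRY_UTC_OFFSETS.get(ip.country, set())
    if expected and device.utc_offset not in expected:
        score += 20
        reasons.append(f"device UTC{device.utc_offset:+d} is implausible for {ip.country}")
    for name in ("X-Forwarded-For", "Via"):       # proxy-specific headers
        if name in device.headers:
            score += 15
            reasons.append(f"proxy header {name} present")
    return min(score, 100), reasons

def decision(score: int) -> str:
    """Constructed thresholds: block above 80, step-up (3DS) above 50, else allow."""
    if score > 80:
        return "block"
    return "challenge" if score > 50 else "allow"
```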

g) Transaction behavior and correlation

  • Mechanism:
    • Anti-fraud systems analyze the history of transactions associated with an IP or device.
    • If the IP is used for multiple cards or transactions from different regions, this indicates a VPN.
  • How VPNs are detected:
    • Example: IP 104.28.12.45 is used for card transactions from the US, Russia and Nigeria in a short period of time - a clear sign of a VPN.
    • Multiple declines or chargebacks from one IP add it to the blacklist.
  • Impact on carding:
    • Carders using one VPN for multiple transactions are quickly identified due to activity patterns.
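The correlation checks from sections d and g, run over a constructed transaction log: IPs paired with cards from several countries inside a short window, one device fingerprint cycling through many IPs, and IPs accumulating declines or chargebacks. This is an added example, not the post's or any vendor's code; the events, device ids, windows and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, ip, device fingerprint id, card country, outcome)
def ev(ts, ip, device, country, outcome):
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "device": device,
            "card_country": country, "outcome": outcome}

EVENTS = [
    ev("2024-05-01T10:00:00", "104.28.12.45", "dev_a", "US", "approved"),
    ev("2024-05-01T10:12:00", "104.28.12.45", "dev_b", "RU", "declined"),
    ev("2024-05-01T10:40:00", "104.28.12.45", "dev_c", "NG", "chargeback"),
    ev("2024-05-01T11:05:00", "198.51.100.7", "dev_a", "US", "approved"),
    ev("2024-05-01T11:09:00", "203.0.113.9", "dev_a", "US", "declined"),
    ev("2024-05-01T11:15:00", "192.0.2.44", "dev_a", "US", "declined"),
    ev("2024-05-02T09:00:00", "198.51.100.7", "dev_d", "US", "approved"),
]

def ips_with_country_spread(events, window=timedelta(hours=1), max_countries=1):
    """IPs used with cards from more than max_countries countries within one window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):          # sliding window starting at each event
            countries = {x["card_country"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(countries) > max_countries:
                flagged[ip] = sorted(countries)
                break
    return flagged

def devices_with_ip_churn(events, max_ips=2):
    """Device fingerprints seen from more than max_ips distinct IPs (scenario 4)."""
    ips = defaultdict(set)
    for e in events:
        ips[e["device"]].add(e["ip"])
    return {d: sorted(s) for d, s in ips.items() if len(s) > max_ips}

def ips_to_blacklist(events, threshold=2):
    """IPs with at least `threshold` declines or chargebacks."""
    bad = defaultdict(int)
    for e in events:
        if e["outcome"] in ("declined", "chargeback"):
            bad[e["ip"]] += 1
    return {ip for ip, n in bad.items() if n >= threshold}
```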

3. Practical examples

  • Scenario 1: Popular VPN:
    • A carder uses NordVPN (IP 104.28.12.45, ASN AS208877) to purchase with a Non-VBV bin.
    • Stripe Radar checks the IP via MaxMind and finds that it belongs to a VPN. The transaction gets a high risk score (>80) and is blocked or requires 3DS.
  • Scenario 2: Residential Proxy:
    • The carder purchases a residential proxy that imitates a home IP (for example, 192.168.1.1).
    • Radar matches the ASN (e.g. OVH) and notices a time zone mismatch (device in UTC+3, IP in UTC-5). The transaction is flagged as suspicious.
  • Scenario 3: Tor:
    • The carder uses Tor exit node (IP 185.220.101.10) for the transaction.
    • The anti-fraud system immediately blocks the IP, since Tor exit nodes are blacklisted.
  • Scenario 4: Frequent IP changes:
    • The carder changes IP via VPN for each transaction, but uses one device.
    • Device Fingerprinting identifies the same device fingerprint, and changing IP increases the risk score, causing blocking.

4. Limitations of VPN detection methods

  • Residential proxies:
    • Some providers (e.g. Luminati, Oxylabs) offer residential IPs, which are harder to identify as VPNs. However, they are expensive, and anti-fraud systems can detect them through behavioral analysis or ASN mismatch.
  • Updating databases:
    • GeoIP databases may lag behind new VPN services, but major platforms (Stripe, Adyen) update them daily.
  • False positives:
    • Legitimate users using VPN for privacy may be flagged as suspicious, which requires balancing in the configuration of anti-fraud systems.

5. Countermeasures from antifraud systems

  • Daily database updates: MaxMind and IPQualityScore regularly add the IP ranges of new VPN providers.
  • Machine learning: Algorithms identify new VPNs by analyzing patterns (e.g. multiple transactions from the same ASN).
  • Integration with payment systems: Data from Visa (TC40), MasterCard (SAFE reports) helps identify IPs associated with fraud.
  • Behavioral analysis: Even if a VPN masks the IP, unnatural behavior (bots, lack of navigation) raises suspicions.

6. Conclusion

VPN detection makes carding much more difficult, especially with Non-VBV, Auto-VBV and Non-MCSC bins. Anti-fraud systems detect VPNs through IP analysis (GeoIP, ASN), Device Fingerprinting, behavioral analysis, network headers and transaction correlation. These methods make the use of VPNs in carding extremely risky, as popular VPNs (NordVPN, ExpressVPN) are easily detected, and residential proxies require significant costs and do not guarantee success due to additional checks (behavior, device). In Europe, PSD2 strengthens protection through mandatory 3DS, and outside the EEA, anti-fraud systems such as Stripe Radar block suspicious transactions with VPNs. This significantly increases the costs and risks for carders, reducing the profitability of fraud.

If you want to delve into a specific aspect, such as how GeoIP databases work or how to set up custom rules for blocking VPNs in Stripe Radar, let me know!