How Anti-Fraud Systems Detect VPNs

[Security]

1. Why are VPNs used in carding?​

Carders use VPNs to:

• Geolocation masking: To make the IP address match the region of the map (e.g. US IP for a map from the US).
• Bypass Blacklists: Hide the real IP associated with fraud.
• Anonymization: Using a VPN or Tor to hide your identity and avoid tracking.

However, anti-fraud systems are designed to detect such attempts by analyzing a variety of signals associated with IP and network activity.
Anti-fraud systems use a combination of technologies and data to identify VPNs. The main methods include:

• Mechanism:
  
  • Anti-fraud systems integrate with geolocation databases such as MaxMind GeoIP , IP2Location or GeoLite , which contain information about IP address ranges, their geographic location and characteristics.
  • These databases classify IP addresses by type: residential (home), corporate, data center, VPN, proxy or anonymizer (for example, Tor).
    
• How VPNs are detected:
  
  • IPs belonging to data centers (e.g. Amazon AWS, Google Cloud) are often associated with commercial VPN services (NordVPN, ExpressVPN).
  • Example: IP 104.28.12.45 may be flagged as belonging to Cloudflare (VPN provider), which increases the transaction risk rate.
  • Comparison of IP region with map region: if the map is from the USA, and the IP points to Russia or a data center, this is a flag for suspicious activity.
    
• Technical details:
  
  • Databases contain attributes such as ASN (Autonomous System Number) , provider, and connection type.
  • Anti-fraud systems request data via API (for example, GET /geoip/104.28.12.45), receiving JSON with the following information:
    JSON:
    "104.28.12.45"
    "US"
    "AS13335"
    "Cloudflare, Inc."
    "VPN"
    
• Impact on carding:
  
  • Carders using popular VPNs (NordVPN, Surfshark) are easily identified as their IP addresses are marked as data centers.
  • Even "clean" VPNs (residential IPs) can be detected if the database is updated regularly.

• Mechanism:
  
  • ASN is a unique identifier of the network that manages a range of IP addresses. VPN providers (e.g. NordV
  • PN, ExpressVPN) use well-known ASNs that anti-fraud systems track.
  • Example: ASN AS13335 (Cloudflare) or AS16276 (OVH) are often associated with VPN or hosting providers.
    
• How VPNs are detected:
  
  • Anti-fraud systems compare the ASN of an IP address with databases to determine whether it belongs to a known VPN provider.
  • If the ASN is associated with a data center or cloud provider rather than a residential ISP (e.g. Comcast, Verizon), this increases the risk score.
    
• Technical details:
  
  • Database queries (e.g. MaxMind) return ASN and organization:
    JSON:
    "ip"
    "192.168.1.1"
    "asn"
    "AS16276"
    "organization"
    "OVH SAS"
    "type"
    "hosting"
  • Anti-fraud systems use blacklists of ASNs associated with VPNs.
    
• Impact on carding:
  
  • Carders using VPNs with known ASNs (e.g. NordVPN - AS208877) are automatically marked as suspicious.
  • Even residential proxies (simulating home IPs) can be linked to data center ASNs, which is detected by systems.

• Mechanism:
  
  • Anti-fraud systems analyze network activity patterns typical for VPNs:
    
    • Frequent IP changes: A user switching IP addresses between transactions may indicate the use of a VPN.
    • Time zone mismatch: The device's time zone (determined via JavaScript) does not match the IP region.
    • Multiple Attempts: Repeated transactions from different IPs but the same device (Device Fingerprinting).
      
• How VPNs are detected:
  
  • If a user uses an IP from the US, but the device's time zone is set to Asia, this is a flag for suspicious activity.
  • Multiple attempts with IPs belonging to the same VPN provider increase the risk rate.
    
• Technical details:
  
  • JavaScript SDKs (such as stripe.js) collect data about the time zone, browser language, and other characteristics.
  • Anti-fraud systems compare this data with IP via the geolocation API.
    
• Impact on carding:
  
  • Carders using VPNs to disguise themselves often fail to spoof the time zone or other device settings, resulting in the transaction being blocked.

• Mechanism:
  
  • Anti-fraud systems collect unique device characteristics (browser, OS version, screen resolution, fonts, plugins) via JavaScript SDK.
  • This data creates a "fingerprint" of the device, which is matched against IP and transaction history.
    
• How VPNs are detected:
  
  • If a device is using an IP associated with a VPN but has previously been seen with a different IP (such as a real one), this increases the risk.
  • Devices that use VPNs often have non-standard configurations (e.g. disabled plugins, minimalist browsers), which makes them stand out.
    
• Technical details:
  
  • Example of device fingerprint:
    JSON:
    "device_id"
    "device_123456"
    "browser"
    "Chrome 120"
    "os"
    "Windows 10"
    "screen_resolution"
    "1920x1080"
    "timezone"
    "UTC+3"
    "ip"
    "104.28.12.45"</span>
  • If the IP is flagged as VPN and the device fingerprint does not match the card owner's history, the transaction is flagged as suspicious.
    
• Impact on carding:
  
  • Carders using VPNs through virtual machines or Tor Browser create fingerprints that are different from typical user devices, which is easily detected.

• Mechanism:
  
  • Anti-fraud systems support updated lists of IP addresses associated with popular VPN providers (NordVPN, ExpressVPN, Surfshark) and anonymizers (Tor, I2P).
  • These lists are obtained from specialized services such as IPQualityScore , IPinfo or AbuseIPDB .
    
• How VPNs are detected:
  
  • IP is checked for affiliation with known VPN providers via API:
    JSON:
    "ip"
    "104.28.12.45"
    "vpn"
    "provider"
    "NordVPN"
    "risk_score"
  • IPs associated with Tor (exit nodes) are automatically marked as high risk.
    
• Impact on carding:
  
  • Popular VPN services are easily detected due to their widely known IP ranges.
  • Tor exit nodes (about 1000–2000 IP) are completely blocked by most anti-fraud systems.

• Mechanism:
  
  • Anti-fraud systems analyze HTTP headers transmitted by the browser to detect signs of VPN:
    
    • X-Forwarded-For: May indicate the use of a proxy.
    • Via: Indicates proxy servers.
    • MTU/MSS: TCP packet size may vary for VPN.
      
• How VPNs are detected:
  
  • The presence of proxy-specific headers (e.g. X-Forwarded-For: 192.168.1.1) indicates the use of a VPN.
  • Anomalies in network parameters (e.g. low latency for a data center) raise suspicions.
    
• Impact on carding:
  
  • Carders using cheap or improperly configured VPNs often leave traces in the headers, which leads to blocking.

• Mechanism:
  
  • Anti-fraud systems analyze the history of transactions associated with an IP or device.
  • If the IP is used for multiple cards or transactions from different regions, this indicates a VPN.
    
• How VPNs are detected:
  
  • Example: IP 104.28.12.45 is used for card transactions from the US, Russia and Nigeria in a short period of time - a clear sign of a VPN.
  • Multiple refusals or chargebacks from one IP add it to the blacklist.
    
• Impact on carding:
  
  • Carders using one VPN for multiple transactions are quickly identified due to activity patterns.

• Scenario 1: Popular VPN:
  
  • Carder uses NordVPN (IP 104.28.12.45, ASN AS208877) to purchase with Non-VBV bin.
  • Stripe Radar checks the IP via MaxMind and finds that it belongs to a VPN. The transaction gets a high risk score (>80) and is blocked or requires 3DS.
    
• Scenario 2: Residential Proxy:
  
  • The carder purchases a residential proxy that imitates a home IP (for example, 192.168.1.1).
  • Radar matches the ASN (e.g. OVH) and notices a time zone mismatch (device in UTC+3, IP in UTC-5). The transaction is flagged as suspicious.
    
• Scenario 3: Tor:
  
  • The carder uses Tor exit node (IP 185.220.101.10) for the transaction.
  • The anti-fraud system immediately blocks the IP, since Tor exit nodes are blacklisted.
    
• Scenario 4: Frequent IP changes:
  
  • The carder changes IP via VPN for each transaction, but uses one device.
  • Device Fingerprinting identifies the same device fingerprint, and changing IP increases the risk score, causing blocking.

• Residential proxies:
  
  • Some providers (e.g. Luminati, Oxylabs) offer residential IPs, which are harder to identify as VPNs. However, they are expensive, and anti-fraud systems can detect them through behavioral analysis or ASN mismatch.
    
• Updating databases:
  
  • GeoIP databases may lag behind new VPN services, but major platforms (Stripe, Adyen) update them daily.
    
• False positives:
  
  • Legitimate users using VPN for privacy may be flagged as suspicious, which requires balancing in the configuration of anti-fraud systems.

• Daily database updates: MaxMind and IPQualityScore regularly add new IP VPN providers.
• Machine learning: Algorithms identify new VPNs by analyzing patterns (e.g. multiple transactions from the same ASN).
• Integration with payment systems: Data from Visa (TC40), MasterCard (SAFE reports) helps identify IPs associated with fraud.
• Behavioral analysis: Even if a VPN masks the IP, unnatural behavior (bots, lack of navigation) raises suspicions.

VPN detection makes carding much more difficult, especially with Non-VBV, Auto-VBV and Non-MCSC bins. Anti-fraud systems detect VPNs through IP analysis (GeoIP, ASN), Device Fingerprinting, behavioral analysis, network headers and transaction correlation. These methods make the use of VPNs in carding extremely risky, as popular VPNs (NordVPN, ExpressVPN) are easily detected, and residential proxies require significant costs and do not guarantee success due to additional checks (behavior, device). In Europe, PSD2 strengthens protection through mandatory 3DS, and outside the EEA, anti-fraud systems such as Stripe Radar block suspicious transactions with VPNs. This significantly increases the costs and risks for carders, reducing the profitability of fraud.