3 days ago by Augustin Ladar 6 min read

The Fraud Signal Everyone Knows but Few Use

I've attended three major fintech events this season (MRC Vegas, PAY360, and Money20/20 Amsterdam) and the same conversation kept surfacing across all three: traditional transaction monitoring is becoming obsolete.

The fintech industry is scaling fast and removing barriers by design: real-time payments, frictionless onboarding, agentic commerce. But while friction is coming down on one side, the complexity available to fraudsters is going up on the other: stolen personal data at scale, AI models that mimic human behavior, residential proxies spoofing the connection-level signals most stacks still rely on.

Of all of these, residential proxies represent the most direct attack on how transaction monitoring actually works, targeting the network-level trust signal that sits at the very top of the decisioning chain. And while they aren't a new topic, they remain arguably the most underleveraged signal in fraud detection today.

The reason that conversation kept surfacing across all three events is that most fraud teams already sense the problem, even if they haven’t fully mapped it yet. The mechanics of why are worth understanding, because the gap isn’t in the tooling or the headcount. It's a foundational assumption built into how transaction monitoring was designed.

The Assumption Built Into Every Transaction Monitoring Stack

Transaction monitoring was designed around a world where infrastructure and identity were loosely correlated. Fraudsters operated from datacenters while legitimate customers connected from home broadband. That separation made IP type a reliable enough indicator to build rules around. VPNs use stable datacenter IPs consistently associated with the VPN service, making them detectable.

Residential proxy services are a different problem entirely. They use individual IP addresses registered to real people, rotating in and out of service and mixing proxy traffic with the normal traffic of the device owner. There is no stable infrastructure to blocklist, no ASN range to flag, and no registration pattern to match against.

The consequences run deeper than a detection gap. IP intelligence feeds directly into the risk scoring that determines when step-up authentication is triggered, from SCA exemption logic to geo-mismatch thresholds to AML typology flags. All of it sits downstream of a trust signal that residential proxies are specifically engineered to spoof.

“Good” Fraud Signals Are Already Being Undermined

Residential proxies are particularly effective against the very signals fraud teams have built their detection logic around.

Geo-mismatch triggers are one of the most widely used friction controls in cross-border payments. Travel velocity checks, unusual country alerts, and SCA step-up rules all depend on IP-to-location accuracy. Residential proxies spoof that down to the city or carrier level. A fraudster outside the EU can present a Dutch or Irish residential IP, pass the geo-check cleanly, and never trigger the step-up that would have caught them.

Device and session plausibility compounds the problem. A residential IP combined with a matching device fingerprint and normal session behavior clears most rule-based fraud checks simultaneously. There is no single anomalous signal to catch because the transaction profile looks clean at every layer. That’s precisely why these attacks are effective and why they tend to surface in chargebacks rather than pre-authorization flags.

Step-up and new account logic faces the same problem. SCA triggers built around "new country" or "unusual location" assume that a verified residential IP reflects the user's actual location. When it does not, the trigger never fires, and the additional authentication layer that PSD2's risk-based approach depends on is bypassed without the system registering anything unusual.
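The failure mode described in the three paragraphs above, worked through as an added example (not code from the article or from IPinfo): the "unusual country" and "travel velocity" rules are evaluated first as commonly written, trusting the IP's geolocation, and then with the precondition made explicit, so that a residential proxy classification withholds the geo-based exemption and forces step-up. The session fields, the two-hour velocity threshold and the sample sessions are constructed for illustration.

```python
"""Geo-based step-up rules evaluated with and without trusting the IP's
location. Illustrative example, not the article's or any vendor's rule
engine; field names, the velocity threshold and sample sessions are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed threshold: two sessions from different countries less than this far
# apart are treated as implausible travel.
MAX_HOP_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Session:
    ip_country: str                     # country the connecting IP geolocates to
    ts: datetime                        # session start time
    is_residential_proxy: bool = False  # infrastructure classification of the IP


def naive_geo_rules(prev: Session, cur: Session, known_countries: frozenset) -> bool:
    """'Unusual country' and 'travel velocity' as commonly written: both read
    ip_country as if it were where the user actually is."""
    unusual_country = cur.ip_country not in known_countries
    too_fast = (cur.ip_country != prev.ip_country
                and cur.ts - prev.ts < MAX_HOP_WINDOW)
    return unusual_country or too_fast


def hardened_geo_rules(prev: Session, cur: Session, known_countries: frozenset) -> bool:
    """Same rules, with the precondition made explicit: a residential proxy
    IP cannot vouch for its own location, so the geo-based exemption is
    withheld and step-up is required regardless of the apparent country."""
    if cur.is_residential_proxy:
        return True
    return naive_geo_rules(prev, cur, known_countries)


def evaluate(prev: Session, cur: Session, known_countries: frozenset) -> dict:
    """Both verdicts side by side for one session transition."""
    return {"naive": naive_geo_rules(prev, cur, known_countries),
            "hardened": hardened_geo_rules(prev, cur, known_countries)}


# Constructed sample: an account that has only ever connected from NL, with a
# genuine session at 09:00 followed by a second session 30 minutes later.
KNOWN_COUNTRIES = frozenset({"NL"})
PREV = Session("NL", datetime(2025, 6, 1, 9, 0))
PROXY_SESSION = Session("NL", datetime(2025, 6, 1, 9, 30), is_residential_proxy=True)
FOREIGN_SESSION = Session("BR", datetime(2025, 6, 1, 9, 30))
HOME_SESSION = Session("NL", datetime(2025, 6, 1, 9, 30))

if __name__ == "__main__":
    for name, s in (("proxy, appears NL", PROXY_SESSION),
                    ("direct from BR", FOREIGN_SESSION),
                    ("direct from NL", HOME_SESSION)):
        print(f"{name:18} {evaluate(PREV, s, KNOWN_COUNTRIES)}")
```

In the naive path a Dutch-looking residential proxy IP satisfies both rules, so the session receives the exemption and nothing is logged as unusual; the hardened path does not let the IP's own geolocation satisfy the "known country" condition, which is the step the article says is missing.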

The attack patterns that follow are predictable. Among residential proxy IPs observed in our abuse research, the top categories were web application attacks, credential stuffing, and authentication and access attacks — the exact sequence that precedes account takeover and fraudulent payment initiation. By the time those patterns are visible in transaction data, the residential proxy has often already rotated out of the pool.

The Threat Surface Keeps Growing

In a single month, we observed over 75 million confirmed residential proxy exit nodes. Roughly a third of IPv4 residential proxies were active for only a single day, and another 43% lasted less than a week, for an average lifespan of approximately 7.8 days. IPv6 proxies were even more ephemeral. Nearly 88% lasted just one day.

That churn is the product of how these networks recruit and cycle their infrastructure. Node recruitment happens through proxyware marketed as bandwidth-sharing, free VPN utilities that route third-party traffic through users, and outright malware — the SOCKS5Systemz botnet, active for over a decade, converted home devices into proxy nodes resold through commercial proxy services. The supply of new residential IPs is effectively continuous, drawn from consumer devices whose owners have no idea they are part of a proxy network.

For transaction monitoring teams, the implications are direct: the threat surface is not a known set of bad IPs that can be blocklisted and monitored. It is a continuously rotating pool of otherwise-legitimate residential addresses, most of which will cycle through proxy infrastructure and back out again without ever appearing on an abuse list, which brings us to the core of the problem.

Abuse Data Tells You What Has Already Happened

Most transaction monitoring teams already use some form of IP reputation data. The problem is what that data is, and what it cannot tell you.

Abuse feeds and IP reputation lists are built from observed bad behavior: reported botnet activity, confirmed account takeovers, DDoS participation, credential stuffing campaigns. They are a record of what has already happened. An IP earns a place on a reputation list by being caught, reported, validated, and ingested. That process takes time, and assumes the IP will still be in use by the time the flag is actionable.

Against residential proxy infrastructure, that assumption fails. The pool rotates quickly and shifts continuously, and abuse signals emerge and disappear within short windows. By the time an IP appears on an abuse list, the probability that it has already cycled out of active proxy use is high. You are blocking yesterday's infrastructure while today's is already in the pool.

Our research bears this out. 53% of actively abusive IPs are associated with VPNs or residential proxies, and 41% of known botnet IPs overlap with residential proxy infrastructure. But that overlap is only visible after abuse has been reported and validated, which in fast-rotating residential proxy ecosystems can lag by days or weeks. By the time a fraudulent transaction surfaces in a chargeback, the IP that carried it is long gone.

No amount of faster blocklist updates closes the gap because the gap is not about speed. It is about the fundamental difference between a reactive signal and a predictive one.

Infrastructure Intelligence as a Forward-Looking Signal

The answer to a backward-looking problem is a different category of data entirely: infrastructure classification.

Abuse data answers the question "what has this IP done?" Infrastructure intelligence answers the question "what is this IP part of?" — and can flag IPs based on infrastructure classification before they ever appear in abuse databases. They are fundamentally different inputs that belong at different points in your decisioning chain.

A residential proxy IP that has not yet been used for fraud still carries elevated risk by virtue of what it is: an address actively rotating through a commercial proxy network, whose geo-location cannot be trusted, and whose session cannot be attributed to a specific user. The absence of a prior abuse record is not an indicator of legitimacy. It simply means the IP is new to the pool.

Tracking recency (when an IP was last observed as a proxy exit node) and persistence (how frequently it appears over time) lets teams distinguish sustained proxy infrastructure from occasional or rotating IPs and respond proportionately.

In practice, this means residential proxy signals feeding step-up authentication thresholds and manual review queuing before fraud occurs. That shift, from reactive flagging to proactive risk context, is where infrastructure intelligence changes the economics of transaction monitoring.

Combining Both Signals for the Complete Picture

Neither signal alone is sufficient. The advantage comes from combining them.

When infrastructure context and abuse reputation are combined, they create a stronger signal that supports earlier detection, better prioritization, and more effective automation, particularly for fast-rotating residential proxy infrastructure where historical blocklists alone cannot keep up.

The operational logic for transaction monitoring teams is straightforward:

  • An IP carrying both a residential proxy classification and a prior abuse association represents a materially higher risk tier than either signal alone — a strong candidate for hard intervention.
  • An IP carrying only a proxy classification but no abuse history represents elevated but unconfirmed risk — one to apply friction to, or route to manual review, rather than block outright.

Abuse represents just over 6% of residential proxy IPs. Blanket proxy blocking would create significant friction for the vast majority of proxy traffic that is not actively malicious — a meaningful conversion and customer experience problem for any European payments platform operating under competitive pressure. The layered approach lets fraud teams apply proportionate responses: step-up authentication for unconfirmed proxy risk, harder blocks reserved for IPs where both signals align.
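The recency and persistence tracking described under "Infrastructure Intelligence as a Forward-Looking Signal" and the two-signal tiering above, worked through as one added example that is not IPinfo's code, API or data: sightings of an IP as a proxy exit node are reduced to a recency and a persistence measure, classified as sustained, rotating or none, and combined with an abuse flag into a graduated action. The 30-day window, the 50% persistence threshold, the handling of the abuse-only case and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Two-signal IP risk tiering: residential proxy classification derived from
sighting recency and persistence, combined with abuse reputation into a
proportionate action. Illustrative example; data model, thresholds and
sample IPs are assumptions, not IPinfo's API or data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed parameters (not from the article).
LOOKBACK_DAYS = 30        # window over which persistence is measured
SUSTAINED_FRACTION = 0.5  # seen on at least this share of window days -> sustained


@dataclass(frozen=True)
class IpContext:
    ip: str
    proxy_sightings: tuple  # dates on which the IP was observed as a residential proxy exit node
    abuse_reported: bool    # the IP appears on a validated abuse/reputation list


def recency_days(ctx: IpContext, today: date) -> Optional[int]:
    """Days since the IP was last seen as a proxy exit node; None if never seen."""
    if not ctx.proxy_sightings:
        return None
    return (today - max(ctx.proxy_sightings)).days


def persistence(ctx: IpContext, today: date) -> float:
    """Share of the lookback window on which the IP was seen as a proxy exit node."""
    start = today - timedelta(days=LOOKBACK_DAYS - 1)
    seen = {d for d in ctx.proxy_sightings if start <= d <= today}
    return len(seen) / LOOKBACK_DAYS


def classify_proxy(ctx: IpContext, today: date) -> str:
    """'sustained' (persistent infrastructure), 'rotating' (recent but occasional)
    or 'none' (never seen, or last seen outside the window, i.e. cycled out)."""
    age = recency_days(ctx, today)
    if age is None or age >= LOOKBACK_DAYS:
        return "none"
    if persistence(ctx, today) >= SUSTAINED_FRACTION:
        return "sustained"
    return "rotating"


def decide(ctx: IpContext, today: date) -> str:
    """Graduated response. The two tiers the article states come first; the
    abuse-only row (IP no longer classified as proxy) is an assumption."""
    proxy = classify_proxy(ctx, today)
    if proxy != "none" and ctx.abuse_reported:
        return "block"     # both signals align: hard intervention
    if proxy == "sustained":
        return "review"    # persistent proxy infrastructure, no abuse yet: manual review
    if proxy == "rotating":
        return "step_up"   # elevated but unconfirmed: add friction, do not block outright
    if ctx.abuse_reported:
        return "review"    # assumption: a stale abuse record alone is not enough to block
    return "allow"


TODAY = date(2025, 6, 30)  # constructed reference date


def _recent(n: int) -> tuple:
    """Sightings on each of the last n days (constructed)."""
    return tuple(TODAY - timedelta(days=i) for i in range(n))


# Constructed sample contexts using RFC 5737 documentation addresses.
SAMPLES = {
    "198.51.100.7": IpContext("198.51.100.7", _recent(20), abuse_reported=True),
    "198.51.100.8": IpContext("198.51.100.8", _recent(20), abuse_reported=False),
    "203.0.113.5": IpContext("203.0.113.5", (TODAY - timedelta(days=2),), abuse_reported=False),
    "203.0.113.9": IpContext("203.0.113.9", (TODAY - timedelta(days=45),), abuse_reported=True),
    "192.0.2.10": IpContext("192.0.2.10", (), abuse_reported=False),
}


def decide_all(today: date = TODAY) -> dict:
    """Action per sample IP; the return value is what a rule engine would consume."""
    return {ip: decide(ctx, today) for ip, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for ip, ctx in SAMPLES.items():
        print(f"{ip:14} proxy={classify_proxy(ctx, TODAY):9} "
              f"abuse={str(ctx.abuse_reported):5} -> {decide(ctx, TODAY)}")
```

The design point is that the proxy classification is consulted before any abuse record: an address seen only once two days ago gets friction rather than a block, a persistent exit node goes to review, and a block is reserved for the case where both signals align. An IP whose last proxy sighting is older than the window is treated as having cycled out, which is the situation the article describes for abuse lists that lag behind the pool.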

This is also the architecture that holds up under regulatory scrutiny. Graduated, evidence-based intervention is far easier to defend in an EBA audit than a blanket IP block with no documented risk rationale behind it.

Closing the Gap

Fraud detection, by its very nature, is a predominantly reactive endeavor. You can only flag what you've already observed. Residential proxies, however, pose a different problem. The scale at which these networks now operate, combined with how quickly they rotate, means reactive detection will always be a step behind. The only way to close the gap is to go beyond asking what an IP has done, and start asking what it could be used for — probabilistic, infrastructure-level intelligence that identifies risk before it shows up in your abuse data. The fraud products that get there first will be best-positioned to lead the market.

About the author

Augustin Ladar

Augustin works with top companies in managed detection and response and cybersecurity risk management, helping them deploy IP data solutions that improve responses and enhance intelligence.