iplogs.com

FBI vs SocksEscort: The 369,000-IP Residential Proxy Botnet Takedown (March 2026)

FBI + Europol dismantled SocksEscort: 369,000 compromised routers across 163 countries. What AVrecon did, how the botnet ran, and why detection matters.

12 min read · Tags: FBI, residential proxy, botnet, AVrecon

On March 12, 2026 the FBI released a TLP:CLEAR FLASH bulletin (number 20260312-001) describing the coordinated takedown of SocksEscort — a residential proxy service that had, since 2020, compromised approximately 369,000 devices across 163 countries and sold access to those devices as "residential" proxies to paying customers. This post walks through what happened, how the AVrecon malware built the botnet, what it was used for, and why this takedown is a turning point in how detectors should think about residential proxies.

What SocksEscort was

SocksEscort was a residential proxy service that marketed itself to e-commerce scrapers, sneaker-bot operators, ad-fraud rings, and credential-stuffing attackers. The selling point: IPs that look exactly like residential broadband users, because they were residential broadband users — specifically their compromised home routers.

The underlying malware was called AVrecon. AVrecon infected consumer routers and IoT devices (primarily small-office and home-office models) by exploiting unpatched firmware vulnerabilities and default credentials. Once resident, AVrecon turned the router into a SOCKS5 proxy endpoint — its external IP, the victim's residential broadband IP, became an inventory item in the SocksEscort portal.

Scale and geography

  • 369,000 devices compromised and sold between 2020 and March 2026.
  • 163 countries represented in the proxy pool.
  • United States, Western Europe, and Latin America most heavily represented in the compromised-device geography.
  • Monthly revenue estimated in the low millions of dollars at peak.

What the proxies were used for

The FBI bulletin catalogs the abuse: ad fraud, website vulnerability scanning (pre-attack reconnaissance), password spraying, digital marketplace fraud (sneaker-bot reselling), banking fraud, romance fraud, and general malicious automation. Because the exit IP was a real residential broadband connection, conventional datacenter-ASN filtering did not flag the traffic. Fraud prevention systems that relied exclusively on IP lists missed SocksEscort traffic completely.

Why this is a detection problem

The core issue with residential proxies like SocksEscort is that the IP itself is legitimate. The ASN is a real consumer ISP. The reverse DNS, if any, is a real cable-modem PTR record. The geolocation is plausible. Every signal that normally fires on datacenter or VPN traffic stays quiet.

What does remain detectable:

  • Behavioral velocity. A single residential IP making 400 requests per minute to a login endpoint is not a real consumer. Rate anomalies correlate with abuse tightly enough to be the primary signal for many fraud teams.
  • Session fingerprint drift. SocksEscort customers typically rotated exit IPs every few requests while keeping the same client session cookies, TLS fingerprint, and browser canvas signature. A session that appears to roam across five residential ASNs in three countries within an hour while never logging out is a strong abuse signal.
  • Provider fingerprints. Spur, IPinfo, and several other IP intelligence vendors maintain proxy-service fingerprint databases that can attribute a given IP to a specific residential proxy vendor. Detection systems can consume these lists as a supplementary signal.
  • Compromised-router bulletins. The FBI FLASH bulletin itself published indicators of compromise (IOCs) for AVrecon-affiliated IPs — feeding those IOCs into a blocklist reliably flags historical SocksEscort traffic.
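As an added example (not code from the FBI bulletin or from the IPLogs service), here is how the two behavioral signals above translate into detection logic over request-log events: a per-IP login-velocity check using the 400-requests-per-minute figure, and a session-roaming check for a session cookie that spans five ASNs in three countries within an hour. The event tuples, documentation-range IPs and private-range ASNs are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real traffic): (timestamp, session_id, ip, asn, country, path).
# IPs are RFC 5737 documentation addresses; ASNs are from the private range (64512+).
T0 = datetime(2026, 3, 12, 9, 0, 0)
EVENTS = [
    # One session cookie roaming across five ASNs in three countries within an hour
    # while never logging out: the "session fingerprint drift" pattern.
    (T0 + timedelta(minutes=2),  "sess-A", "203.0.113.10",  64512, "US", "/account"),
    (T0 + timedelta(minutes=9),  "sess-A", "198.51.100.5",  64513, "DE", "/account"),
    (T0 + timedelta(minutes=17), "sess-A", "192.0.2.77",    64514, "MX", "/checkout"),
    (T0 + timedelta(minutes=31), "sess-A", "203.0.113.99",  64515, "US", "/checkout"),
    (T0 + timedelta(minutes=44), "sess-A", "198.51.100.42", 64516, "DE", "/checkout"),
    # A normal consumer: one IP, one ASN, one country for the whole session.
    (T0 + timedelta(minutes=5),  "sess-B", "192.0.2.8",     64520, "US", "/account"),
    (T0 + timedelta(minutes=40), "sess-B", "192.0.2.8",     64520, "US", "/checkout"),
]
# One residential IP hammering the login endpoint: 450 requests inside a single minute.
EVENTS += [(T0 + timedelta(seconds=i * 60 / 450), f"sess-{i}", "203.0.113.200", 64512, "US", "/login")
           for i in range(450)]


def login_velocity_alerts(events, path="/login", threshold=400):
    """Return IPs that exceed `threshold` requests to `path` within any one-minute bucket."""
    per_minute = defaultdict(int)
    for ts, _sess, ip, _asn, _cc, p in events:
        if p == path:
            per_minute[(ip, ts.replace(second=0, microsecond=0))] += 1
    return sorted({ip for (ip, _minute), n in per_minute.items() if n > threshold})


def session_roaming_alerts(events, window=timedelta(hours=1), min_asns=5, min_countries=3):
    """Return session ids whose requests span >= min_asns ASNs and >= min_countries countries
    inside a sliding `window` even though the session identifier never changed."""
    by_session = defaultdict(list)
    for ts, sess, _ip, asn, cc, _p in events:
        by_session[sess].append((ts, asn, cc))
    flagged = []
    for sess, rows in by_session.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            if (len({a for _, a, _ in in_win}) >= min_asns
                    and len({c for _, _, c in in_win}) >= min_countries):
                flagged.append(sess)
                break
    return sorted(flagged)
```

Both checks need session state and timestamps, not just an IP, which is why they survive an exit IP that looks like an ordinary cable-modem subscriber.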

How IPLogs handles residential proxies

IPLogs is explicit in its positioning: we reliably catch hosting-backed residential proxies (Leaseweb, CoLoCrossing, HostPapa, Ace Data Centers, Colocation America) via the datacenter-ASN layer. We do not yet have a peer-to-peer residential proxy detection layer at parity with Spur's commercial service — because truly peer-to-peer residential proxies running on compromised consumer routers cannot be flagged by ASN alone.

Our in-progress work for this category:

  • Consume publicly-released FBI IOCs as a signal source (planned).
  • Publish a velocity-based sibling signal for callers that pass session state (planned).
  • Partner integrations with Spur and IPinfo data feeds for customers that need detection at parity with paid services (planned).

Three takeaways for defenders

  • IP-list-only detection is dead for residential proxies. If your fraud stack relies solely on categorizing incoming IPs, you are blind to SocksEscort-class threats.
  • Session behavior beats IP reputation for this category. Invest in session-fingerprint stability tracking, not just per-IP flags.
  • Law enforcement bulletins are an under-used signal source. The FBI and Europol publish IOCs for every major takedown. Most fraud stacks never consume them.

References

  • FBI FLASH TLP:CLEAR, number 20260312-001, "AVrecon malware and SocksEscort residential proxy service", March 12, 2026.
  • FBI IC3, "Evading Residential Proxy Networks: Protecting Your Devices from Becoming a Tool for Criminals", March 2026.
  • The Hacker News, "Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs", March 2026.
  • Trend Micro, "The Rise of Residential Proxies as a Cybercrime Enabler", 2024.

Check any IP against the 7-layer pipeline

The detection methods described above are all available through the IPLogs public API, free, no signup required.
