
Not All Anonymous Traffic Is Fraud: Detecting VPNs and Privacy Tools Without Blocking Real Customers

GeoIPHub Team · 9 min read

For a decade the fraud rule was simple: hidden IP, higher risk. Flag the VPNs, block the proxies, move on. In 2026 that rule quietly bleeds revenue, because the population hiding behind anonymized IPs has changed. A growing share of it is your best customers — iPhone users with Private Relay on by default, privacy-conscious shoppers on a VPN, and mobile buyers sharing one carrier address with thousands of neighbors.

Meanwhile the traffic you actually need to stop has gone the other way: the most dangerous attackers no longer come from obvious datacenter ranges at all. They come through residential IPs that look exactly like a real customer. So the binary "block anonymized traffic" instinct now fails twice — it punishes real users and misses the real threats. Here is how to tell them apart.

The legitimate side: who is really behind a "hidden" IP

Start with the uncomfortable truth for any block-it-all policy: a large slice of anonymized traffic is legitimate, paying, non-fraud users.

  • Consumer VPNs are mainstream. Around a third of U.S. adults use a VPN (32% as of mid-2025 per security.org, a figure that fluctuates year to year), and the top reasons are general privacy (60%) and security (57%) — not a single fraud-related motive in the list. Block all VPN traffic and you are turning away privacy-conscious customers by design.
  • Corporate VPNs and travelers. Employees routed through a company VPN, or customers connecting from abroad, legitimately surface on "foreign" or datacenter-adjacent IPs every day.
  • Mobile users behind CGNAT. Carriers ran out of IPv4 long ago, so mobile networks place huge numbers of real subscribers behind a handful of shared addresses via Carrier-Grade NAT. One mobile IP can front thousands of genuine customers — block it on one bad session and you block a city block's worth of real buyers.
  • Cloudflare WARP / 1.1.1.1. A consumer privacy service, not an anonymizing fraud proxy — ordinary people improving their connection's privacy.

And then there is the case that breaks naive detection completely: Apple iCloud Private Relay.

Apple Private Relay: the privacy tool you must not treat as a VPN

Private Relay ships to every iCloud+ subscriber, so it is enormous — and it is constantly misclassified. The facts, straight from Apple's own documentation and Cloudflare, one of its egress operators:

  • It is explicitly not a VPN. It uses a dual-hop design: Apple's ingress proxy sees the user's real IP but not the destination; a separate CDN partner (Cloudflare, Akamai, or Fastly) sees the destination and assigns the public Relay IP but never the user's identity. No single party sees both.
  • It does not spoof location. Unlike a VPN, Private Relay "does not allow users to represent themselves as connecting from a different country or region." Relay IPs are representative addresses that map to the user's real country and approximate city (down to a ~800 km² geohash).
  • It is paying-customer-only. Apple validates every connection at the device and account level and restricts the service to valid Apple devices and iCloud+ accounts in good standing.
  • Apple tells you not to block it. Apple publishes the complete egress IP list publicly and registers it with the major geo-IP databases, specifically so you can geolocate the traffic instead of treating it as anonymous. Apple and Cloudflare both recommend you allowlist Private Relay and enforce anti-fraud rules with user-level signals (cookies, account, geography) rather than IP blocks.

That egress list is a real, machine-readable file you can fetch right now:

Apple Private Relay egress ranges (mask-api.icloud.com/egress-ip-ranges.csv), two rows as published:

    172.224.226.0/27,GB,GB-EN,London,
    146.75.253.246/31,US,US-MA,BOSTON,

Each row maps a CIDR range to country, region, and city, followed by a trailing field that is empty in the rows shown. As of mid-June 2026 the published file carries roughly 287,000 rows across 235 countries — Apple doing the geolocation work for you. Treating that traffic as "anonymous proxy" doesn't make you safer; it just declines a few hundred thousand ranges of verified Apple customers.
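The lookup the article is recommending, as an added example (not code from Apple or GeoIPHub): parse the egress CSV in the row layout shown above, skip malformed lines rather than abort the load, and resolve an address to its Private Relay geolocation with a longest-prefix match. Only the London and Boston rows come from the page; the other sample rows, the malformed row, and the function names are constructed for illustration.

```python
"""Geolocate Apple Private Relay egress IPs instead of treating them as anonymous.

Added example for this article; it is not code from Apple or GeoIPHub. It assumes
the row layout visible on the page (cidr,country,region,city, trailing field empty).
Rows other than the London and Boston ones are constructed for illustration.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of the egress CSV. The live file is
# https://mask-api.icloud.com/egress-ip-ranges.csv (roughly 287k rows per the article).
# The third row is deliberately malformed to show that one bad line must not
# abort the load; the IPv6 row is constructed.
SAMPLE_CSV = """\
172.224.226.0/27,GB,GB-EN,London,
146.75.253.246/31,US,US-MA,BOSTON,
not-a-cidr,XX,XX-YY,Nowhere,
2a02:26f7:d6c8:4000::/54,DE,DE-BE,Berlin,
"""


@dataclass(frozen=True)
class RelayEgress:
    network: Network
    country: str
    region: str
    city: str


def parse_egress_csv(text: str) -> list[RelayEgress]:
    """Parse the CSV into ranges, most specific prefix first, skipping bad rows."""
    ranges: list[RelayEgress] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4 or not row[0].strip():
            continue  # blank or truncated line
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # malformed CIDR: skip the row, keep the rest of the list
        ranges.append(RelayEgress(net, row[1].strip(), row[2].strip(), row[3].strip()))
    # Longest prefix first so an overlapping, more specific range wins the lookup.
    ranges.sort(key=lambda r: r.network.prefixlen, reverse=True)
    return ranges


def lookup_private_relay(ip: str, ranges: list[RelayEgress]) -> Optional[RelayEgress]:
    """Return the Private Relay egress entry covering `ip`, or None if it is not Relay."""
    addr = ipaddress.ip_address(ip)
    for entry in ranges:
        if addr.version == entry.network.version and addr in entry.network:
            return entry
    return None


def classify(ip: str, ranges: list[RelayEgress]) -> dict:
    """The article's rule for Relay traffic: allow and geolocate from Apple's list.

    Non-Relay addresses fall through to whatever other evidence you hold; this
    function only reports that the Relay list had nothing to say about them.
    """
    hit = lookup_private_relay(ip, ranges)
    if hit is None:
        return {"ip": ip, "private_relay": False}
    return {
        "ip": ip,
        "private_relay": True,
        "action": "allow",  # never hard-block the IP; use account/device/cookie signals
        "country": hit.country,
        "region": hit.region,
        "city": hit.city,
    }


if __name__ == "__main__":
    ranges = parse_egress_csv(SAMPLE_CSV)
    print(f"loaded {len(ranges)} ranges")  # 3: the malformed row was skipped
    for probe in ("172.224.226.5", "146.75.253.247", "2a02:26f7:d6c8:4000::1", "8.8.8.8"):
        print(classify(probe, ranges))
```

A linear scan is fine for a demonstration; against the full file you would load the ranges into a radix tree keyed on prefix, refresh the list on a schedule, and record the city Apple supplies rather than the egress operator's datacenter location.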

The malicious side: residential proxies are the real threat

So what should set off alarms? The category that was built to defeat exactly the "trust residential IPs" instinct: residential proxy networks.

A residential proxy routes an attacker's traffic through an IP owned by an ISP and assigned to a real home or small business — usually harvested by trojanized apps and SDKs silently enrolling consumer devices as exit nodes. To your server it looks like an ordinary customer on a consumer ISP. That is the whole point, and it is why Google's Threat Intelligence Group calls them a serious challenge for defenders: when GTIG disrupted the IPIDEA network in January 2026, it found over 550 distinct tracked threat groups — including state-linked actors from China, North Korea, Iran, and Russia — using IPIDEA exit nodes in a single seven-day window for SaaS intrusions, on-prem access, and password-spray attacks.

This is the inversion that breaks legacy rules: the datacenter VPN is mostly your customer; the "residential" IP may be the attacker. And the volume pressure is real — automated bots now exceed human web traffic, at more than 53% of all requests in 2025, with AI agents emerging as a new category that blurs legitimate automation and abuse even further.

A simple way to think about it

Not every anonymizer carries the same risk. A useful first cut:

Anonymized traffic                       | Typical risk                    | Default action
-----------------------------------------|---------------------------------|-----------------------------------------------
Apple iCloud Private Relay               | Low (verified Apple customers)  | Allow; geolocate via the egress list
Cloudflare WARP / consumer privacy       | Low to medium                   | Allow; score on behavior
Mobile / CGNAT shared IPs                | Low to medium (shared address)  | Never hard-block the IP; use user-level signals
Corporate / consumer VPN                 | Medium, mixed use               | Score; challenge if other signals stack
Residential proxy                        | High (built to evade)           | Challenge or block on strong evidence
Abusive datacenter proxy / known botnet  | High                            | Block

The lesson isn't "trust everything" or "block everything." It's that the type of anonymizer, plus corroborating evidence, should drive the decision.

The hidden cost of getting it wrong

Over-blocking has a price tag. When you decline a legitimate customer because their IP looked anonymized, that is a false decline — and 47% of merchants report that false declines cost them sales. Every wrongly blocked Private Relay user, mobile shopper, or VPN-using buyer is lost revenue, a support ticket, and often a customer who doesn't come back. Fraud you can measure; the sale you never made because you blocked a real person is invisible — which is exactly why blanket blocking feels safe and quietly isn't.

The playbook: score on evidence, not on a single flag

The way out is detection that answers "what does the evidence say about this IP, and how confident are we?" rather than "is any anonymizer flag set?" In practice that means weighing which kind of anonymizer it is, how recently it was seen doing harm, and what corroborating or exonerating signals accompany it, then returning those reasons alongside the verdict.

This is exactly how GeoIPHub's 0–100 fraud score is built. Exonerating signals are first-class: a residential ISP subtracts points, a verified crawler subtracts more, and CGNAT ranges are capped, so legitimate privacy traffic stays low. Every lookup returns the connection type, provider attribution, the is_residential_proxy flag with a last_seen recency, and the detection_methods that fired — so you can act and explain the decision. A blocked checkout should never be a black box.

A graduated response, not a wall

GeoIPHub API response for a residential-proxy hit:

    {
      "detection": {
        "is_vpn": false,
        "is_residential_proxy": true,
        "last_seen": "2026-06-13T09:50:11Z"
      },
      "asn": { "connection_type": "residential", "isp": "Comcast" },
      "scoring": {
        "fraud_score": 86,
        "recommended_action": "challenge",
        "detection_methods": ["residential_proxy_pool", "recent_abuse"]
      }
    }

A residential-proxy hit with recent evidence earns a challenge or block. An Apple Private Relay IP, a corporate VPN, or a mobile CGNAT address with no other risk signal should sail through. Same lookup, opposite outcomes — because the evidence is different.
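The graduated policy from the table above, applied to lookup responses in the shape just shown, as an added example. This is not GeoIPHub's scoring code and does not reproduce its score; it is the consumer-side decision a fraud team would write on top of such a response. Assumed rather than taken from the page: the `anonymizer` and `is_cgnat` fields, connection_type values other than "residential", the 30-day recency window, the action names, and every sample response except the one copied from the article.

```python
"""Graduated response from an IP-intelligence lookup, not a single flag.

Added example for this article; not GeoIPHub's scoring code. It consumes a
response in the shape shown on the page (detection / asn / scoring) and applies
the article's table. Assumed: the `anonymizer` and `is_cgnat` fields, the
30-day recency window, and all sample responses except PAGE_EXAMPLE.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

RECENT_WINDOW = timedelta(days=30)  # assumed: older evidence is not acted on alone
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # fixed clock so the samples are reproducible


def _seen_recently(last_seen: Optional[str], now: datetime) -> bool:
    """True if an ISO-8601 `last_seen` (Z or offset) falls inside the recency window."""
    if not last_seen:
        return False
    seen = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
    return now - seen <= RECENT_WINDOW


def decide(resp: dict, now: datetime = NOW) -> tuple[str, list[str]]:
    """Return (action, reasons). Actions: allow, allow_user_signals, challenge, block."""
    det, asn, scoring = resp.get("detection", {}), resp.get("asn", {}), resp.get("scoring", {})
    methods = set(scoring.get("detection_methods", []))
    score = scoring.get("fraud_score", 0)
    anonymizer = det.get("anonymizer")  # assumed field, e.g. "apple_private_relay", "vpn"
    conn = asn.get("connection_type", "unknown")
    recent = _seen_recently(det.get("last_seen"), now)
    reasons: list[str] = []

    # Private Relay: verified Apple customers. Geolocate it; the IP is not a risk signal.
    if anonymizer == "apple_private_relay":
        return "allow", ["apple_private_relay: geolocate via egress list, rules on user-level signals"]

    # Known botnet, or a hosting-range proxy with fresh abuse: the one clear block case.
    if "known_botnet" in methods or (conn == "hosting" and "recent_abuse" in methods and recent):
        return "block", [f"abusive {conn} source: methods={sorted(methods)}, last_seen={det.get('last_seen')}"]

    # Residential proxy: high risk by construction, but only on current evidence.
    if det.get("is_residential_proxy"):
        if recent:
            reasons.append(f"residential_proxy seen {det['last_seen']} (inside {RECENT_WINDOW.days}d)")
            if "recent_abuse" in methods:
                reasons.append("corroborated by recent_abuse")
            return "challenge", reasons
        reasons.append("residential_proxy evidence is stale; not acting on it alone")

    # CGNAT / shared mobile address fronts thousands of subscribers: never hard-block the IP.
    if det.get("is_cgnat") or conn == "mobile":
        reasons.append("shared carrier address: decide on account, device and cookie signals")
        return "allow_user_signals", reasons

    # Consumer VPN / WARP: mostly customers; challenge only when other signals stack.
    if anonymizer in ("vpn", "cloudflare_warp"):
        if recent and score >= 70:
            reasons.append(f"{anonymizer} with recent abuse and score {score}")
            return "challenge", reasons
        reasons.append(f"{anonymizer} with no corroborating risk signal")
        return "allow", reasons

    reasons.append("no anonymizer or abuse evidence")
    return "allow", reasons


# Constructed lookups. PAGE_EXAMPLE is the response shown in the article.
PAGE_EXAMPLE = {
    "detection": {"is_vpn": False, "is_residential_proxy": True, "last_seen": "2026-06-13T09:50:11Z"},
    "asn": {"connection_type": "residential", "isp": "Comcast"},
    "scoring": {"fraud_score": 86, "recommended_action": "challenge",
                "detection_methods": ["residential_proxy_pool", "recent_abuse"]},
}
SAMPLES = {
    "page_example": PAGE_EXAMPLE,
    "private_relay": {"detection": {"is_vpn": False, "anonymizer": "apple_private_relay"},
                      "asn": {"connection_type": "hosting", "isp": "Cloudflare"},
                      "scoring": {"fraud_score": 5, "detection_methods": []}},
    "mobile_cgnat": {"detection": {"is_vpn": False, "is_cgnat": True},
                     "asn": {"connection_type": "mobile", "isp": "ExampleMobile"},
                     "scoring": {"fraud_score": 18, "detection_methods": []}},
    "clean_vpn": {"detection": {"is_vpn": True, "anonymizer": "vpn"},
                  "asn": {"connection_type": "hosting", "isp": "ExampleVPN"},
                  "scoring": {"fraud_score": 35, "detection_methods": ["vpn_provider"]}},
    "stale_residential": {"detection": {"is_residential_proxy": True, "last_seen": "2025-11-01T00:00:00Z"},
                          "asn": {"connection_type": "residential", "isp": "ExampleISP"},
                          "scoring": {"fraud_score": 40, "detection_methods": ["residential_proxy_pool"]}},
    "botnet": {"detection": {"last_seen": "2026-06-14T00:00:00Z"},
               "asn": {"connection_type": "hosting", "isp": "ExampleHost"},
               "scoring": {"fraud_score": 97, "detection_methods": ["known_botnet"]}},
}


def decide_all(samples: dict = SAMPLES) -> dict:
    return {name: decide(resp)[0] for name, resp in samples.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        action, why = decide(resp)
        print(f"{name:18} -> {action:19} {'; '.join(why)}")
```

Two design points carry the article's argument: the residential-proxy branch checks `last_seen` before it acts, so a pool that went quiet months ago does not decline a customer who inherited the address, and every branch returns its reasons, so a blocked or challenged checkout can be explained to support and audited later.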

You can see how any address scores, including Private Relay and VPN endpoints, with the free VPN & proxy detection test and the IP fraud score checker, or read exactly how the score is built in the detection methodology and full API reference.

The bottom line

The anonymized internet is no longer a fraud signal by itself. Apple Private Relay, WARP, corporate VPNs, and mobile CGNAT put millions of real customers behind "hidden" IPs, while the actual attackers hide inside residential ranges designed to look legitimate. Detection that still works in 2026 doesn't ask whether an IP is anonymized — it asks which kind, how recently, and with what corroboration, then responds in proportion. Catch the residential-proxy fraud. Let the iPhone customer check out.


Frequently Asked Questions

Is iCloud Private Relay a VPN, and should I block it?

No, it is not a VPN, and you should not block it by default. Apple's own documentation states Private Relay's dual-hop design means no single party sees both the user and the destination, and — unlike a VPN — it does not let users appear to connect from a different country. Apple gates it to valid Apple devices and paid iCloud+ accounts and recommends sites allowlist it, enforcing fraud rules with user-level signals (cookies, account, geography) instead of IP blocks.

How do I know an IP is Apple Private Relay?

Apple publishes the complete list of Private Relay egress IP ranges as a public CSV at mask-api.icloud.com/egress-ip-ranges.csv, mapping each range to country, region, and city, and registers it with major geo-IP databases. A good IP intelligence provider already identifies Private Relay egress IPs and preserves their approximate location instead of flagging them as anonymous or foreign.

What anonymized traffic is actually dangerous?

Residential proxy networks are the genuinely high-risk category. They route attacker traffic through millions of real ISP-owned home IPs harvested via trojanized apps, so it blends in with legitimate users. Google's January 2026 disruption of the IPIDEA network found 550+ tracked threat groups using its exit nodes in a single week. Commercial VPNs and Private Relay are mostly legitimate; residential proxies rarely are.

Why is blocking all VPN and proxy traffic a bad idea?

Because a large share of it is real customers. Roughly a third of U.S. adults use a VPN, overwhelmingly for privacy and security rather than fraud, and mobile users routinely share one carrier IP via CGNAT. Hard-blocking those IPs produces false declines — and 47% of merchants report that false declines cost them sales. The goal is graduated risk scoring, not a blanket block.

How does GeoIPHub avoid false positives?

By scoring on evidence, not on the mere presence of a flag. The 0–100 fraud score includes exonerating signals — a residential ISP subtracts points, a verified crawler subtracts more, and CGNAT ranges are capped — and every lookup returns the connection type, provider attribution, detection recency (last_seen), and the detection_methods that fired, so you can challenge the genuinely risky and let real customers through.