VPN and Proxy Detection for Shopify: Why IP Blocking Isn't Enough
40% of fraud traffic comes through VPNs and proxies. Learn how to detect VPN, proxy, and TOR connections on your Shopify store without blocking legitimate customers.
Your fraud dashboard shows an attack originating from 200 different IP addresses across 30 countries. You block every single one. The next morning, the same attacker is back — 200 new IPs, same stolen credit cards, same checkout pattern. You block those too. A week later, your blocklist has 4,000 entries and the attacks have not slowed down by a single request.
This is not a failure of execution. It is a failure of strategy. IP blocking does not work against attackers who use VPNs, proxies, and TOR — and in 2026, that describes virtually every fraud operation targeting Shopify stores.
Approximately 40% of fraudulent traffic reaching e-commerce checkouts now routes through some form of anonymization layer — residential proxies, datacenter VPNs, or TOR exit nodes. The attackers are not hiding. They are operating through infrastructure specifically designed to make IP-based defenses useless.
This guide covers why fraudsters rely on VPNs and proxies, the different types of anonymization you need to detect, why naive IP blocking causes more harm than good, and how to build a detection strategy that catches masked fraud without turning away legitimate customers.
Why Fraudsters Use VPNs and Proxies
Understanding the attacker’s motivation clarifies why IP blocking fails so completely.
Identity Concealment
The most obvious reason. A fraudster testing stolen credit cards against your checkout does not want their real IP address in your server logs, in law enforcement requests, or in Shopify’s fraud analysis system. A VPN or proxy creates a layer of separation between the attacker’s physical location and the activity they are conducting.
This is not paranoia on their part — it is operational security. Fraud rings that operate at scale treat IP concealment as a baseline requirement, not an optional precaution.
Geographic Bypass
Many Shopify stores restrict checkout to specific countries or flag orders where the billing address country does not match the IP geolocation. Fraudsters use proxies to align their apparent location with the stolen card’s billing address.
A card stolen in Dallas produces a checkout attempt that appears to originate from a Texas residential IP. The billing address matches. The IP geolocation matches. Shopify’s native fraud analysis gives it a lower risk score. The attacker has effectively neutralized one of the most common fraud signals by spending $0.02 on a residential proxy.
IP Rotation at Scale
Card testing requires volume. A single attacker may need to test 10,000 stolen card numbers against your checkout in a single session. Without proxies, 10,000 requests from one IP would trigger even the most basic rate limiting.
With a residential proxy network, each request comes from a different IP. Your rate limiter sees 10,000 unique visitors making one request each — indistinguishable from a normal day of traffic. The velocity signal that should catch this attack is completely invisible at the IP level.
Evading Blocklists
Once a merchant blocks an IP, that IP is burned for future attacks against that store. Fraudsters who operate across thousands of stores simultaneously cannot afford to have their infrastructure accumulate blocklist entries. Rotating proxies ensure that no IP is ever used more than once per target, making historical blocklists permanently stale.
Types of Anonymization Infrastructure
Not all VPNs and proxies are created equal. Each type carries a different risk profile and requires a different detection approach.
Residential Proxies
The most dangerous category for fraud prevention. Residential proxies route traffic through real consumer IP addresses — actual Comcast, Verizon, BT, and Vodafone subscribers. The IPs are acquired through SDK integrations in free apps (users unknowingly opt in to share their connection), compromised IoT devices, or direct payment to willing participants.
The numbers are staggering:
- Major residential proxy networks like Bright Data and SOAX offer access to 72+ million residential IPs worldwide
- Per-request rotation means an attacker can use a unique IP for every single checkout attempt
- The cost has dropped to $0.50-$3.00 per GB, making massive attacks economically viable
- These IPs are indistinguishable from legitimate customers by IP reputation alone — because they are legitimate customer IPs
This is the core challenge. When a card testing bot sends a request through a residential proxy in suburban Chicago, the IP belongs to a real person’s home internet connection. Blocking that IP means blocking a real household. There is no IP-level signal that differentiates the two.
Datacenter Proxies
These originate from cloud providers — AWS, Google Cloud, DigitalOcean, OVH, Hetzner, and hundreds of smaller hosts. Unlike residential proxies, datacenter IPs are relatively easy to identify because they belong to known ASN (Autonomous System Number) ranges registered to hosting companies.
Datacenter proxies are cheaper ($0.10-$0.50 per GB) and faster, but they carry a higher detection risk. Legitimate shoppers rarely browse from an AWS IP address, so a checkout attempt originating from a known datacenter range is inherently suspicious.
However, there is a critical caveat: many legitimate services route traffic through cloud infrastructure. Corporate VPNs, content delivery networks, and some mobile carriers use datacenter IPs. Blind blocking of all datacenter IPs will catch fraud — and also block real customers.
TOR (The Onion Router)
TOR routes traffic through a series of volunteer-operated relays, encrypting it at each hop. The final relay — the exit node — is the IP address that your server sees. TOR provides the strongest anonymization available, making it impossible to trace the original source.
For fraud detection, TOR has a useful property: exit node IP addresses are publicly known. The TOR Project publishes a regularly updated list of all active exit nodes. This makes TOR traffic straightforward to identify — if you maintain an up-to-date list of exit node IPs.
The fraud risk from TOR is significant but nuanced:
- Only ~2% of TOR traffic is e-commerce related, but fraud rates from TOR exit nodes are 5-8x higher than baseline
- TOR is slow (multiple relay hops add latency), making it less useful for high-volume card testing
- Some legitimate customers use TOR for privacy — particularly in regions with internet censorship
Commercial VPN Services
NordVPN, ExpressVPN, Surfshark, and dozens of other consumer VPN services route millions of users through shared IP addresses. A single VPN server IP might serve thousands of simultaneous users — some shopping legitimately, some conducting fraud.
This is the false positive minefield. Over 1.6 billion people worldwide use VPN services, and that number is growing. Many use VPNs for entirely legitimate reasons: privacy, accessing content while traveling, or connecting to corporate networks. Blocking all VPN IPs would alienate a massive portion of your potential customer base.
The challenge is that commercial VPN IPs are partially known (services like IPinfo and MaxMind maintain databases of VPN server ranges), but the lists are never complete, and new servers come online constantly.
Why IP Blocking Fails
If the types of anonymization above did not make it clear enough, here is why IP blocking is fundamentally broken as a fraud prevention strategy.
The Scale Problem
There are roughly 4.3 billion IPv4 addresses. Residential proxy networks alone give attackers access to 72+ million of them. Even if you could identify and block every proxy IP (you cannot), the attacker would simply acquire new ones. You are playing whack-a-mole with an infinite number of moles.
With IPv6, the problem becomes mathematically absurd. A single subnet can contain 18 quintillion addresses. An attacker can generate a new IPv6 address for every request and never reuse one.
The Collateral Damage Problem
IP addresses are not unique identifiers for individuals. They are shared, reused, and reassigned constantly:
- Carrier-grade NAT: A single mobile carrier IP can be shared by tens of thousands of users simultaneously. Block one fraudster on T-Mobile and you block thousands of legitimate customers.
- Corporate networks: Entire companies route through one or a handful of external IPs. One bot operator in a coworking space means every business in the building is blocked.
- Dynamic assignment: ISPs reassign residential IPs regularly. The IP a fraudster used yesterday might belong to a legitimate customer today.
- Shared VPN IPs: Thousands of legitimate VPN users share a single IP. Blocking it blocks all of them.
The Stale Data Problem
IP blocklists are retrospective. By the time you identify and block a malicious IP, the attacker has already moved on to a new one. A blocklist of 10,000 IPs from last month’s attack provides zero protection against this month’s attack using 10,000 completely different IPs.
Some merchants subscribe to third-party IP threat feeds. These are better than nothing, but they suffer from the same staleness problem at a larger scale. The lag between an IP being used maliciously and appearing on a threat feed can be days or weeks — an eternity in fraud operations that rotate IPs every few seconds.
The False Confidence Problem
Perhaps the most insidious failure mode. A merchant sees a growing blocklist and feels protected. “We blocked 5,000 IPs this month” sounds like progress. In reality, it means 5,000 individual IPs were each used once and discarded. The actual attacker — identified by their device, behavior, and patterns — was never impacted.
Meanwhile, legitimate customers behind shared or VPN IPs encounter checkout errors, cannot complete purchases, and leave without the merchant ever knowing they were falsely blocked.
Three-Layer VPN and Proxy Detection
Effective detection does not rely on a single signal. It combines multiple data sources, each covering different types of anonymization.
Layer 1: TOR Exit Node Detection
This is the most straightforward layer because TOR exit nodes are publicly documented.
The TOR Project maintains a list of all active exit nodes, updated every few hours. By cross-referencing incoming IP addresses against this list, you can identify TOR traffic with high confidence and near-zero false positives.
Implementation considerations:
- Update frequency matters. Exit nodes change regularly. A stale list (updated daily) will miss new nodes and continue flagging decommissioned ones. Hourly updates are the minimum; real-time feeds from services like the TOR Bulk Exit List or Onionoo are better.
- Do not auto-block TOR. While fraud rates from TOR are elevated, some legitimate customers use it. Treat TOR detection as a risk signal that increases the fraud score, not as an automatic rejection. A TOR user with a valid device fingerprint, natural browsing behavior, and a non-disposable email is likely legitimate. A TOR user with no fingerprint, instant form completion, and a disposable email is almost certainly not.
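The cross-reference described above, as an added example (not code from this article or from ShieldFlow): it parses a one-address-per-line exit list, answers "unknown" when the list is older than one hour instead of answering from stale data, and returns a score contribution rather than a block. The sample addresses are constructed from documentation ranges, and the class and function names are this example's own.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample in a one-address-per-line layout.
# The addresses are RFC 5737 / RFC 3849 documentation ranges, not real exits.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit nodes
192.0.2.10
198.51.100.77
2001:db8::1

not-an-ip
"""

MAX_LIST_AGE = timedelta(hours=1)  # the article's minimum refresh interval


def _normalize(ip_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class TorExitList:
    def __init__(self, text, fetched_at):
        self.fetched_at = fetched_at
        self.exits = set()
        self.skipped = 0
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                self.exits.add(_normalize(line))
            except ValueError:
                self.skipped += 1  # malformed entry: count it, keep parsing

    def check(self, client_ip, now):
        """Return 'tor', 'not_tor' or 'unknown' (stale list or bad input)."""
        if now - self.fetched_at > MAX_LIST_AGE:
            return "unknown"
        try:
            ip = _normalize(client_ip)
        except ValueError:
            return "unknown"
        return "tor" if ip in self.exits else "not_tor"


def tor_risk_points(verdict):
    """TOR is a scoring input (+25 in this article's scoring table), not a block."""
    return 25 if verdict == "tor" else 0
```

A dual-stack server can report an IPv4 client as `::ffff:a.b.c.d`; without the unwrapping step that client would never match an IPv4 entry in the list.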
Layer 2: Datacenter and Hosting IP Ranges
Cloud providers and hosting companies publish their IP ranges. AWS, Google Cloud, Azure, DigitalOcean, and others maintain official lists of their IP allocations. Third-party databases (MaxMind GeoIP, IPinfo, IP2Location) aggregate this information and add ASN-level classification.
By checking whether an incoming IP belongs to a known hosting provider, you can flag traffic that originates from infrastructure rather than from consumer internet connections.
Key nuances:
- ASN classification is more reliable than IP ranges alone. IP ranges change as cloud providers expand, but ASN ownership is relatively stable. Checking whether an IP’s ASN is registered to a hosting company is a durable signal.
- Not all datacenter traffic is malicious. Corporate VPNs, some mobile carriers, and content delivery networks use datacenter IPs. This layer should increase the fraud score, not trigger an automatic block.
- Coverage is imperfect for smaller providers. While AWS and Google Cloud are well-documented, hundreds of smaller hosting providers exist worldwide. Third-party IP intelligence services provide broader coverage but are never 100% complete.
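An added sketch of the ASN check (not the article's or ShieldFlow's code): a longest-prefix match from IP to ASN, then an ASN-to-category lookup that reports "unknown" where coverage is missing and adds score points instead of blocking. The prefix table, ASNs and categories are constructed from documentation ranges; a real deployment would load them from an IP intelligence database.

```python
import ipaddress

# Constructed prefix-to-ASN table. Prefixes are RFC 5737 documentation ranges
# and ASNs come from the RFC 5398 documentation block.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,      # hypothetical cloud provider
    "192.0.2.128/25": 64497,    # more specific: hypothetical consumer ISP
    "198.51.100.0/24": 64498,   # hypothetical mobile carrier
}
ASN_CATEGORY = {64496: "hosting", 64497: "isp", 64498: "mobile"}
HOSTING_POINTS = 15  # "Datacenter/hosting IP" in this article's scoring table


def build_table(prefix_to_asn):
    """Sort networks most-specific first so the first hit is the longest match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def classify(ip_text, table, categories=ASN_CATEGORY):
    """Return (asn, category); category is 'unknown' when coverage is missing."""
    ip = ipaddress.ip_address(ip_text)
    for net, asn in table:
        if ip.version == net.version and ip in net:
            return asn, categories.get(asn, "unknown")
    return None, "unknown"


def hosting_signal(ip_text, table, allowlist=()):
    """Score contribution only: hosting adds points, nothing here blocks."""
    ip = ipaddress.ip_address(ip_text)
    for entry in allowlist:
        net = ipaddress.ip_network(entry)
        if ip.version == net.version and ip in net:
            return 0  # merchant-allowlisted range, e.g. a corporate VPN
    _, category = classify(ip_text, table)
    return HOSTING_POINTS if category == "hosting" else 0
```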
Layer 3: API-Based VPN and Proxy Detection
For residential proxies and commercial VPNs that do not fall into the first two categories, API-based detection services provide the deepest coverage. Services like IPinfo, ipapi, Spur, and IPQualityScore maintain extensive databases of known VPN, proxy, and residential proxy IPs.
These services combine multiple detection methods:
- IP reputation databases built from observed behavior across millions of sites
- Timing analysis that detects the latency patterns characteristic of proxy connections
- Connection metadata such as open ports, HTTP header anomalies, and protocol fingerprinting
- Machine learning models trained on known VPN/proxy traffic patterns
API-based detection catches what the first two layers miss — particularly residential proxies, which are the hardest to identify because they use legitimate ISP IPs.
Implementation considerations:
- Latency matters. Every API call adds time to the checkout flow. Look for services with edge deployments and sub-50ms response times. Cache results aggressively — the same IP can be checked once and the result reused for subsequent requests within a reasonable window.
- Cost scales with traffic. API-based services charge per lookup. At 100,000 checkouts per month, costs can range from $50 to $500 depending on the provider. Batch checks and caching reduce costs significantly.
- No service is 100% accurate. Residential proxy detection, in particular, has inherent limitations because the IPs are genuine residential connections. Expect detection rates of 70-85% for residential proxies — good, but not sufficient on its own.
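The caching advice above, combined with the fail-open behaviour this article describes for lookup failures, as an added example that is not any provider's client library. `lookup` is a hypothetical callable standing in for the chosen API, and the 15-minute reuse window and result keys are assumptions.

```python
import time

CACHE_TTL_SECONDS = 900  # assumption: 15-minute reuse window per IP


class CachedIpIntel:
    """Wraps a per-lookup provider call with a TTL cache and fail-open errors.

    `lookup` is a hypothetical callable (ip -> dict such as
    {"vpn": bool, "residential_proxy": bool}); it is not a real client.
    """

    def __init__(self, lookup, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._lookup = lookup
        self._ttl = ttl
        self._clock = clock
        self._cache = {}          # ip -> (expires_at, result)
        self.provider_calls = 0   # what a per-lookup provider would bill

    def get(self, ip):
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.provider_calls += 1
        try:
            result = self._lookup(ip)
        except Exception:
            # Timeout or outage: return None and do NOT cache it, so the next
            # request retries instead of pinning the IP to "no data".
            return None
        self._cache[ip] = (now + self._ttl, result)
        return result


def ip_points(result):
    """Map a lookup result to score points; missing data contributes 0."""
    if result is None:
        return 0  # fail open: the other signals decide
    points = 0
    if result.get("vpn"):
        points += 10   # "Known VPN service IP"
    if result.get("residential_proxy"):
        points += 20   # "Residential proxy suspected"
    return points
```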
The False Positive Problem
VPN and proxy detection is only useful if it does not alienate legitimate customers. This is the single most important consideration in your detection strategy.
Who Uses VPNs Legitimately?
The answer is: a lot of people.
- Travelers: A customer from New York shopping from a hotel in Tokyo will appear to come from a Japanese IP, or from their corporate VPN routing through a US datacenter. Their billing address says New York. Their IP says Tokyo or Virginia. This is not fraud — it is a business trip.
- Privacy-conscious users: Post-GDPR, a growing segment of consumers use VPNs for everyday browsing. These are often high-value customers who care about security — exactly the demographic you want to keep.
- Corporate VPN users: Employees shopping during lunch breaks while connected to their company’s VPN. The traffic originates from a datacenter IP because that is where the corporate VPN server sits.
- Students on campus networks: University networks often route through centralized gateways that can appear as datacenter or VPN IPs.
- Users in restrictive regions: Customers in countries with internet censorship use VPNs to access global e-commerce. Blocking VPN traffic means losing these markets entirely.
The Revenue Impact of False Positives
Research from the Baymard Institute indicates that overly aggressive fraud prevention causes 2-5% of legitimate orders to be falsely declined — often without the customer knowing why their purchase failed. They simply see a vague error message, assume your store is broken, and shop elsewhere.
For a Shopify store doing $500,000 in annual revenue, a 3% false positive rate translates to $15,000 in lost sales per year — likely more than the fraud it prevented.
The lesson is clear: a detection system that blocks VPN traffic outright is not a fraud prevention tool. It is a revenue reduction tool.
Score, Don’t Block: The Right Approach
The correct strategy is to treat VPN and proxy detection as one input into a broader risk scoring system, not as a binary block/allow decision.
Risk Scoring Model
Each detection layer contributes a risk score component:
| Signal | Risk Score Impact |
|---|---|
| TOR exit node detected | +25 points |
| Datacenter/hosting IP | +15 points |
| Known VPN service IP | +10 points |
| Residential proxy suspected | +20 points |
| IP country mismatches billing address | +15 points |
| IP geolocation mismatches browser timezone | +10 points |
These VPN/proxy signals are combined with other fraud indicators:
| Signal | Risk Score Impact |
|---|---|
| Missing or spoofed device fingerprint | +30 points |
| Bot automation flags detected | +40 points |
| Disposable email address | +20 points |
| High checkout velocity (many attempts in short window) | +25 points |
| Form filled in under 3 seconds | +15 points |
| No mouse movement or scroll events | +20 points |
A threshold determines the verdict:
- 0-30 points: ALLOW — proceed normally
- 31-60 points: WARN — flag for review, allow checkout to complete
- 61+ points: BLOCK — prevent checkout submission
Under this model, a customer on a VPN (+10) with a valid fingerprint (+0), natural browsing behavior (+0), and a legitimate email (+0) scores 10 — well within the ALLOW range. The same VPN IP used by a bot with no fingerprint (+30), instant form fill (+15), and a disposable email (+20) scores 75 — blocked.
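The scoring model above as runnable code, added here as an illustration and not ShieldFlow's implementation. The weights and thresholds are copied from the tables; the signal names, the `None` convention for a check that did not complete, and the `ip_weight` multiplier (modelling a merchant sensitivity setting) are assumptions of this example.

```python
# Weights copied from the two tables above; signal names are this example's own.
IP_SIGNALS = {
    "tor_exit_node": 25,
    "datacenter_ip": 15,
    "known_vpn_ip": 10,
    "residential_proxy": 20,
    "ip_country_billing_mismatch": 15,
    "ip_geo_timezone_mismatch": 10,
}
OTHER_SIGNALS = {
    "fingerprint_missing_or_spoofed": 30,
    "bot_automation_flags": 40,
    "disposable_email": 20,
    "high_checkout_velocity": 25,
    "form_filled_under_3s": 15,
    "no_mouse_or_scroll": 20,
}


def score(signals, ip_weight=1.0):
    """Return (total, verdict, contributions).

    `signals` maps signal name -> True / False / None. None means the check
    did not complete (for example an IP lookup timeout) and adds nothing.
    `ip_weight` scales the IP-derived signals only (assumption of this example).
    """
    unknown = set(signals) - set(IP_SIGNALS) - set(OTHER_SIGNALS)
    if unknown:
        # A misspelled signal name must not silently score as zero.
        raise KeyError(f"unrecognised signals: {sorted(unknown)}")
    contributions = {}
    for name, fired in signals.items():
        if fired is not True:
            continue
        if name in IP_SIGNALS:
            contributions[name] = round(IP_SIGNALS[name] * ip_weight)
        else:
            contributions[name] = OTHER_SIGNALS[name]
    total = sum(contributions.values())
    if total <= 30:
        verdict = "ALLOW"
    elif total <= 60:
        verdict = "WARN"
    else:
        verdict = "BLOCK"
    return total, verdict, contributions
```

Returning the per-signal contributions alongside the verdict gives a reviewer the reason for a WARN or BLOCK, which is what makes false positives traceable.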
Combining VPN Detection with Other Signals
VPN/proxy detection is most powerful when combined with signals that VPNs cannot mask:
- Device fingerprinting: A VPN hides the IP but not the device. Canvas rendering, WebGL output, audio processing, and screen properties remain constant regardless of which VPN or proxy the attacker uses. Read our full fingerprinting guide to understand how 20+ device signals create an identity that persists across IP changes.
- Behavioral analysis: Mouse movements, scroll patterns, typing cadence, and form-fill timing reveal whether a human or a bot is behind the request. A VPN does not change how a bot moves a mouse (or fails to move one at all).
- Email quality: Disposable email domains, recently created addresses, and addresses that fail SMTP verification are fraud signals independent of IP anonymization.
- Checkout velocity: Multiple checkout attempts in rapid succession from the same device fingerprint — even across different IPs — indicate card testing.
The key insight: VPN detection tells you the visitor is hiding something. The other signals tell you whether what they are hiding is malicious.
How ShieldFlow Detects VPN, Proxy, and TOR Traffic
ShieldFlow integrates VPN and proxy detection as one layer of its three-layer fraud prevention architecture. Here is how it works in practice.
Real-Time IP Intelligence
When a visitor reaches your storefront, ShieldFlow’s backend receives the request IP and performs three checks in parallel:
- TOR exit node lookup against a continuously updated list of active exit nodes (refreshed every 30 minutes)
- ASN classification to determine if the IP belongs to a known hosting provider, cloud platform, or datacenter
- VPN/proxy classification using IP intelligence data that covers commercial VPN services and known residential proxy networks
These checks execute in under 20ms and produce a set of IP risk signals that feed into the fraud scoring engine.
Correlation with Device Fingerprint
The IP intelligence signals are never evaluated in isolation. ShieldFlow correlates them with the device fingerprint collected on the storefront:
- A VPN IP + unique, consistent fingerprint + natural behavior = low risk
- A VPN IP + missing fingerprint + automation flags = high risk
- A datacenter IP + fingerprint matching a known bot cluster = critical risk
- A TOR exit node + disposable email + instant form fill = blocked
This correlation is what prevents false positives. The VPN itself is not the problem — it is the combination of VPN usage with other suspicious signals that indicates fraud.
Fail-Open Design
If the IP intelligence lookup fails (API timeout, service outage), ShieldFlow proceeds with the other available signals — fingerprint, behavior, email quality, velocity. The checkout is never blocked solely because an IP check timed out. This fail-open principle ensures that infrastructure issues never cost you legitimate sales.
Merchant Controls
ShieldFlow gives merchants control over how aggressively VPN traffic is scored:
- Sensitivity slider: Adjust the weight of VPN/proxy detection in the overall fraud score. Stores with a high percentage of international customers may want to lower the VPN weight. Stores that sell primarily domestically may want to increase it.
- Allowlisted IP ranges: Corporate customers who always connect through a specific VPN can be allowlisted to bypass IP-level scoring entirely.
- TOR policy: Merchants can choose to block TOR traffic outright, score it as a risk factor, or allow it entirely — depending on their risk tolerance and customer base.
Frequently Asked Questions
What percentage of Shopify fraud comes through VPNs and proxies?
Based on industry data from 2025-2026, approximately 40% of fraudulent e-commerce traffic routes through some form of anonymization — VPNs, proxies, or TOR. For card testing attacks specifically, the figure is higher: over 65% of sophisticated card testing operations use residential proxies to rotate IPs and evade rate limiting. The percentage continues to climb as proxy services become cheaper and more accessible.
Will detecting VPN traffic block legitimate customers who use VPNs for privacy?
Not if you implement detection correctly. Over 1.6 billion people use VPN services worldwide, and the vast majority are legitimate. The correct approach is to treat VPN detection as one risk signal among many — not as an automatic block. A VPN user with a consistent device fingerprint, natural browsing behavior, and a legitimate email address should pass through without friction. ShieldFlow’s scoring model ensures that VPN usage alone never triggers a block.
How accurate is TOR exit node detection?
Very accurate. The TOR Project publishes a list of all active exit nodes, making identification straightforward. With a list updated every 30-60 minutes, detection accuracy exceeds 99% for active exit nodes. The small gap comes from nodes that were recently activated and have not yet appeared on the published list. False positives are essentially zero — if an IP is on the TOR exit node list, it is a TOR exit node.
Can residential proxies be detected reliably?
Residential proxy detection is the hardest category because the IPs are genuine consumer connections. Current detection rates range from 70-85% depending on the intelligence provider and the proxy network being used. Newer, smaller proxy networks are harder to detect than established ones. This is precisely why VPN/proxy detection should never be your only fraud signal — combining it with device fingerprinting and behavioral analysis catches what IP-level detection misses.
Does VPN detection add latency to the checkout flow?
It depends on implementation. A naive approach that makes a synchronous API call for every checkout attempt can add 50-200ms. ShieldFlow minimizes this by performing IP intelligence lookups asynchronously when the visitor first reaches the storefront — before they even reach checkout. By the time the checkout fraud check executes, the IP classification is already cached. The net impact on checkout latency is effectively zero.
Should I block all traffic from datacenter IPs?
No. While legitimate shoppers rarely browse from AWS or Google Cloud IPs, datacenter traffic includes corporate VPNs, some mobile carrier gateways, and certain privacy services used by real customers. Blocking all datacenter IPs would eliminate a measurable percentage of legitimate traffic. Instead, treat datacenter origin as a moderate risk signal (+15 points in ShieldFlow’s scoring model) and let the overall score determine the verdict.
How often do VPN and proxy IP databases need to be updated?
Frequently. VPN services add and rotate servers regularly. Residential proxy networks acquire and lose IPs constantly. TOR exit nodes change every few hours. For TOR detection, hourly updates are sufficient. For VPN and proxy databases, daily updates are the minimum — real-time feeds are ideal. Stale databases degrade rapidly: a proxy IP list that is one week old may have a 15-20% miss rate compared to a real-time feed.
Is VPN detection alone enough to prevent fraud on my Shopify store?
No. VPN detection is one layer of a comprehensive fraud prevention strategy. It identifies visitors who are masking their network identity, but it cannot determine intent on its own. Many VPN users are legitimate customers. Many fraudsters do not use commercial VPNs at all and rely instead on residential proxies, which are harder to detect. Effective fraud prevention requires combining IP intelligence with device fingerprinting, behavioral analysis, email validation, and velocity monitoring. VPN detection strengthens each of these signals but cannot replace them.
The Bottom Line
VPN and proxy detection is an essential component of modern fraud prevention — but it is not a solution by itself. IP blocking was a reasonable strategy when fraudsters had limited access to proxy infrastructure. That era ended years ago. Today, residential proxy networks offer 72+ million IPs at commodity pricing, commercial VPN usage exceeds 1.6 billion people, and TOR provides free anonymization to anyone who wants it.
The merchants who effectively combat VPN-masked fraud are the ones who stopped trying to block IPs and started scoring behavior. VPN detection provides a valuable signal — this visitor is masking their network identity. The question is what the other signals say about why.
A VPN with a real device, real behavior, and a real email is a privacy-conscious customer. A VPN with no fingerprint, bot-like behavior, and a disposable email is a fraud attempt. The difference is not in the IP — it is in everything else.
ShieldFlow brings this multi-signal approach to Shopify. VPN, proxy, and TOR detection runs alongside device fingerprinting, behavioral analysis, and email validation to produce a fraud score that catches masked attacks without punishing legitimate customers. No IP blocklists to maintain. No legitimate customers falsely blocked. No false confidence from a growing list of stale IPs.
The fraudsters are behind VPNs. Your fraud prevention needs to see through them — not just block the pipe they came through.