Skip to main content
Emerging ThreatsMalware & Ransomware

Carders Seek 'Clean' Residential Proxies to Evade Fraud Controls

Cluttered, dimly lit room with laptop on worn desk, surrounded by papers and household items.

Flare researchers analyzed 2,889 unique underground posts across roughly 545 discussion threads published over the past two years to map how criminals now buy and test residential proxies for payment fraud and carding.

From “residential” to “clean”: how carders reclassified proxies

The conversations sampled by Flare show a shift in language and practice: actors no longer treat any IP assigned to a household ISP as equivalent. Instead, underground guides and forum threads distinguish “clean” pools from “dirty” ones and emphasize an IP’s usage history. A widely reposted guide titled “Getting the Cleanest Possible IPs for Carding” argues that residential pools “deteriorate” as addresses are repeatedly used for abuse, and other posts stress that the key question is whether an IP has been used against “banks, payment processors, or other fraud-sensitive services.”

The operational implication is simple: carders now evaluate a proxy by its past, not just by its ISP label. Reputation scores for the same address can diverge between services, and an address that appears low-risk one day may be flagged a short time later after other customers have abused it.

Geoconsistency: matching IPs to city, ZIP, time zone and more

Older trading advice focused on country-level matching. Forum threads and a January 2026 discussion about “geoconsistency” show a much narrower standard: carders seek alignment between an IP’s reported location and billing ZIP code, device time zone, operating-system and browser language, and browser characteristics. One user complained that major residential proxy providers had removed ZIP-code targeting, leaving only country, state, and city selection — a change the actor feared would make it harder to evade merchant fraud controls.

The underlying goal in these posts is to build a coherent digital identity around a stolen card: not merely to hide a real IP but to present a session whose geographic and linguistic signals agree with the victim data and the merchant’s expectations.

Proxies as one layer in a broader identity stack

The dataset repeatedly links residential proxies with antidetect browsers, isolated devices, cookie history, WebRTC settings, Canvas and WebGL fingerprint manipulation, and user-agent consistency. An April 2026 guide warned that a “perfect residential proxy” could still fail if the browser profile exposed contradictions. Another setup guide advised that copying a fixed configuration was ineffective because the device, proxy, account history, payment information, and target merchant must all be evaluated together.

Flare notes that this mirrors modern fraud-detection logic described in Stripe’s documentation, which combines transaction, identity, card, and historical signals and highlights velocity, repeated declines, inconsistent billing information, and the reuse of cards or customer details. For carders, a residential IP is useful only when it sits inside a believable, end-to-end identity construct.

Provider restrictions, secondary markets, and law-enforcement disruptions

Forum posts complain that established proxy providers now restrict access to banks, payment processors, and government portals, producing a practical problem: an IP may appear residential and have a low fraud score yet still be blocked from the intended target. That restriction has created demand for services advertised as “finance enabled” or “bank compatible,” and a secondary market for purportedly “clean” IPs capable of reaching specific payment platforms.

At the same time, recent disruptions have reshaped the ecosystem. In July 2026 the FBI and industry partners seized hundreds of domains tied to the NetNut residential proxy platform and the Popa botnet; researchers connected that infrastructure to at least two million compromised devices converted into proxy nodes. A March 2026 FBI alert warned that criminals can select residential proxy addresses down to the state and city level and cited their use for account takeover, including matching an IP to a victim’s city to avoid geolocation controls.

What this means for defenders, financial services, and law enforcement

  • Defenders and security teams should treat residential IP addresses as context, not proof of legitimacy. The stronger signals are session-wide: device history, account age, browser fingerprint, payment instrument, billing information, transaction velocity, and post-checkout behavior. Look also for patterns proxies struggle to hide — repeated identity creation, multiple cards tied to similar device fingerprints, abrupt geography changes, mismatched time zones, and clusters of low-value authorization attempts.
  • Banks and payment processors will face growing pressure from a contested proxy market. Provider restrictions that limit access to financial endpoints are reshaping attacker tradecraft and creating demand for “finance-compatible” offerings; merchants and issuers should watch for claims about such services while testing the signals that actually indicate legitimacy.
  • Law enforcement interventions and industry domain seizures are already changing supply. The NetNut/Popa takedown and the FBI’s March 2026 advisory demonstrate that infrastructure seizures and public warnings can disrupt node availability and the provenance of residential pools — but underground posts show that carders respond by seeking new providers, trading connection-testing methods, and refining their identity stacks.

Residential proxies remain valuable to carders, but Flare’s dataset frames them as a fragile, contested commodity: useful only when their history, geography, and technical signals can be made to align with a victim’s identity and the target merchant’s expectations. As defenders raise the bar by evaluating cross-session consistency, the proxy itself is no longer a universal bypass — it is one ingredient in a problem that grows harder and costlier for criminals to solve.

https://www.bleepingcomputer.com/news/security/inside-the-search-for-clean-residential-proxies-for-carding/