How do you block a threat that looks, for all practical checks, like an ordinary home user? Researchers warn that the answer may be slipping through defenders’ fingers: in an analysis of 4 billion sessions, residential proxies evaded IP reputation checks in 78% of cases, blurring the line between attacker and legitimate user.
What the researchers found
The study examined 4 billion sessions and concluded that residential proxies—services that route traffic through residential IP addresses—bypassed IP reputation checks in 78% of those sessions. Researchers warn that these proxies used to route malicious traffic are a big problem for IP reputation systems, because there is no clear distinction between attackers and legitimate users.
Background: why IP reputation matters and where it breaks down
IP reputation checks are a common defensive tool that flags connections based on the perceived history or character of an IP address. The researchers’ findings highlight a breakdown in that approach: when traffic is routed through residential proxies in bulk, reputation signals tied to IP addresses become unreliable. According to the researchers, the inability to distinguish malicious use from legitimate activity undermines the value of IP-based reputation alone.
Who this affects and how
- Technologists: Security teams that rely heavily on IP reputation lists face a growing blind spot. If the majority of proxy-routed sessions evade checks, defenders may need to re-evaluate reliance on address-based indicators and consider additional signals to detect abuse.
- Policymakers and regulators: The finding raises questions about how effective current defensive frameworks are when adversaries can appear as ordinary users. Policymakers must weigh the trade-offs between broad defensive measures and preserving legitimate access—an issue the researchers’ results make more urgent.
- Users: The mingling of malicious and legitimate traffic at residential addresses creates two risks for users: the potential for misattribution and blocking of benign users, and the persistence of successful malicious activity that is harder to detect and stop.
- Adversaries: The high evasion rate documented by researchers suggests an incentive for attackers to continue using residential proxies as a means of hiding malicious operations behind seemingly legitimate network identities.
Why this matters and what to watch next
The central problem exposed by the researchers is conceptual as much as technical: when the identity of a connection is effectively decoupled from the behavior attached to it, defenders lose a reliable signal. The study’s headline statistic—78% evasion across 4 billion sessions—underscores the scale of the challenge. That reality forces a choice for defenders and policy stakeholders: double down on richer behavioral and contextual signals beyond IP, or accept growing uncertainty in flagging malicious traffic based on address alone.
The researchers’ warning is clear: residential proxies routing malicious traffic are a significant complication for IP reputation systems because attackers and legitimate users can no longer be easily separated. If reputation checks can be so frequently evaded, what will it take to restore meaningful distinction between friend and foe?




