Skip to main content
5 days ago by Paul Heywood & Fernanda Donnini 5 min read

Residential Proxy Detection, Now Self-Serve

Residential Proxy Detection, Now Self-Serve

Get Unlimited Access to IPinfo Lite

Start using accurate IP data for cybersecurity, compliance, and personalization—no limits, no cost.

Sign up for free

Until now, getting IPinfo's residential proxy data meant an enterprise agreement: either a bulk database file or an enterprise API contract. That put one of the most useful fraud-and-abuse signals out of reach for a lot of the teams who need it most.

That's no longer the case. Residential proxy detection is available self-serve through IPinfo Max, in the same API call and with the same token you already use, starting at $78/month on an annual plan. There's no sales call and no enterprise minimum. You can turn it on and start checking IPs against the residential proxy dataset immediately.

The detection lives right inside the anonymous object in the API response, so adding it to your existing decisioning is a field lookup, not an integration project.

Why Residential Proxy Detection Matters

Residential proxies route traffic through real consumer devices and connections, so requests arrive looking like an ordinary home broadband or mobile user. That's exactly what makes them the tool of choice for credential stuffing, fake account creation, scraping, ad fraud, and payment abuse, because the traffic blends in with your legitimate users.

The scale of the underlying networks is the part most teams underestimate. Our IPIDEA research dug into how these provider networks are built and just how many endpoints they rotate through.

What's less understood is where all those residential IPs actually come from. Proxy networks rarely "own" their endpoints. Instead they recruit them from ordinary consumer devices, most often through a proxy SDK bundled into everyday software: free mobile apps, browser extensions, media and streaming clients on smart TVs and Android TV boxes, VPN and torrent applications. 

Once installed, that software can quietly register the device with a backend and relay third-party internet traffic through the user's home connection, often with little or no meaningful disclosure to the device owner. The same pools are then repackaged by a long chain of resellers and white-label brands, many of which perform little to no vetting of who's buying access.

Recent security research has made the harm concrete. Investigations have traced large-scale scraping and fraud campaigns back to these networks, and found that some endpoints are conscripted through outright malware rather than a buried consent checkbox, turning everyday devices into exit nodes without their owners' knowledge. For the device owner, that means their home connection can end up implicated in someone else's abuse. For the businesses on the receiving end, it means a constant supply of fresh, legitimate-looking residential IPs fueling automated attacks.

The result is a constantly shifting population of genuinely residential IP addresses (real homes, real ISPs, real devices) that traditional datacenter and VPN detection simply doesn't catch. If you can't see which of your incoming IPs belong to these networks, you're flying blind on a large and growing share of automated abuse.

A Growing, Reliable Dataset

Residential proxy detection is one of our newest datasets, and it has scaled fast. Over the past twelve months alone, it has grown roughly 2.3x, from about 47 million IPs in mid-2025 to over 107 million today.

Our growth means we're keeping pace with a fast-expanding market (provider coverage is up about 45% over the same period, now spanning 126 distinct proxy providers), while consistently tracking more than 100 million IPs. That means coverage stays deep enough to rely on for production decisioning, even as individual IPs rotate in and out.

These are genuine residential connections. The dataset spans roughly 35,000 autonomous systems and effectively every country, led by the United States, Australia, Brazil, and India, with a long global tail behind them. And the data changes constantly: we see hundreds of thousands of IPs entering and leaving the active set every day.

The market is concentrated at the top. A handful of providers account for a large share of all the residential proxy IPs we track. The five largest by IP count:

Provider

Share of dataset

NetNut

~20%

711Proxy

~8%

ProxyScrape

~7%

Proxy-Seller

~6%

FlashProxy

~5%

The remaining ~120 providers make up the rest, a long tail that's exactly where coverage breadth matters, since abuse doesn't only flow through the biggest names.

Our Approach: Directly Observed, Never Inferred

Here's what makes this dataset different from a typical proxy flag.

Zero inference. Every IP we include was directly observed operating inside a residential proxy network. We don't label IPs as proxies because of their ASN, their hostname, or a "this looks residential" heuristic. If it's in the dataset, we saw it acting as a residential proxy exit. We also hold a deliberately strict definition of what qualifies as genuinely residential, so what you get is the real thing rather than a broad catch-all of anything vaguely anonymizing.

You get behavior, not just a yes/no. Many providers, MaxMind among them, give you a single true/false flag. A boolean can't distinguish an IP that showed up once three months ago from one that's active every single day. We ship two signals with every IP:

  • last_seen: the most recent date we observed the IP in a proxy network
  • percent_days_seen: how consistently it appears over time

And you see what kind of connection it is. Each IP is attributed to the specific provider operating it. Many of these services route more than residential traffic, so when a provider also offers mobile or datacenter connections, we identify that as a suffix on the provider name. You can tell a genuine residential exit from the same operator's mobile or datacenter pool and weigh them differently in your own logic.

Why that translates into fewer false positives. Together, last_seen and percent_days_seen let you tune detection to your own risk tolerance instead of blocking on a blunt flag. You might act only on IPs seen in the last seven days, or only on those seen on more than half of recent days, and treat a long-dormant IP differently. The payoff is the thing fraud and security teams actually care about: you catch the active abuse without blocking the legitimate customer whose home IP briefly passed through a proxy network months ago. Combined with the zero-inference foundation, where every IP was directly observed rather than guessed at, that gives you a high-confidence signal you can wire into automated decisioning and act on, not one you have to constantly second-guess.

Seeing a lot of residential proxies in your own traffic? Read why that happens and how to interpret it.

Residential Proxy Detection Use Cases

  • Fraud and payments: flag high-risk transactions originating from residential proxy networks.
  • Account protection: catch credential stuffing and fake-account creation that hides behind real residential IPs.
  • Adtech: filter proxy-driven impressions and clicks out of your traffic quality models.

Get Started

Residential proxy detection is live now in the Max tier from $78/month (annual).

See pricing and sign up · Read the docs

Share this article

About the authors

Paul Heywood

Paul Heywood

As Co-CEO of IPinfo, Paul has spent two decades at the intersection of internet infrastructure and enterprise technology. He's previously held executive positions at Puppet, Dyn & Oracle, helping build and democratize access to the modern internet.

Fernanda Donnini

Fernanda Donnini

As the product marketing manager, Fernanda helps customers better understand how IPinfo products can serve their needs.