Learn how enrichment turns IPs into contextual signals that can drive automated decisions, improve accuracy, and reduce analyst workload.
Every security team knows the frustration of staring at raw IP logs: strings of numbers that may look ordinary but hide a bigger story. Was that login from a legitimate customer at home, or from an attacker bouncing through a proxy network? Without context, you’re guessing.
IP enrichment gives those numbers meaning. It reveals whether an address belongs to a VPN, a residential proxy, a cloud instance, or even mobile carrier infrastructure. That context is what transforms IPs from noise into insight.
This post examines:
- The risks of anonymized infrastructure
- Why getting better IP data is increasingly difficult
- What to look for in high-quality data
- Top ways to put IP enrichment to work in your organization to drive meaningful security results
Risks of Anonymized Infrastructure
Attackers don’t just rely on stolen credentials or malware — they cloak themselves in layers of infrastructure that disguise their true intent and make them look legitimate. Common techniques include:
- VPNs and other anonymizers to obscure geographic origin.
- Residential proxy services that route traffic through unsuspecting consumer devices.
- Cloud servers spun up on demand to launch attacks at scale.
Consider the following examples of attackers leveraging anonymizing infrastructure.
Credential Stuffing with Residential Proxies
Groups like Genesis Market (a now-disrupted cybercrime marketplace) relied heavily on residential proxy networks to run large-scale credential-stuffing campaigns. By rotating through “clean” IPs tied to unsuspecting home devices, attackers evaded IP-based blocking and looked like everyday users.
The U.S. Federal Bureau of Investigation (FBI) continually warns that credential stuffing attacks often use residential proxies, because their IPs are harder to distinguish from legitimate user traffic.
Account Takeover via VPN Services
Financial institutions are frequent targets of login attempts originating from consumer VPN services. Fraudsters use these services to mask their real locations and bypass geo-blocking or risk-based authentication controls.
Scraping & Botnets in E-commerce
Ticket scalpers and sneaker bots commonly route traffic through anonymizer services to avoid rate limits and bans. For instance, sneaker botting groups use mobile and residential IP pools to buy up limited-edition releases, making their traffic blend in with genuine buyers.
APT Actors Hiding Behind Commercial Proxy and VPN Services
Certain Chinese APT groups are increasingly using commercial proxy and VPN services to obscure their attack infrastructure. Tactics include embedding Trojan proxy agents to mimic standard HTTPS traffic, using VPN/proxy to mask C2 (command and control) infrastructure, and blending malicious traffic with legitimate traffic.
For example, the “OneClik” APT campaign used Microsoft ClickOnce technology and legitimate cloud services (Azure Blob Storage, AWS services such as CloudFront, API Gateway, Lambda) for malware distribution and C2 communication.
DDoS Attacks with Proxy Networks
Botnets often combine compromised IoT devices with proxy/anonymizer infrastructure. This mix enables attackers to flood targets with traffic that looks geographically diverse and difficult to block.
The common theme that runs through all of these examples is this: anonymized infrastructure makes malicious activity appear normal. Without enriched IP context, defenders can’t reliably tell the difference between a customer logging in from home Wi-Fi and an attacker rotating through a residential proxy network.
What High-Quality IP Enrichment Data Looks Like
IP enrichment data is raw IP addresses plus layers of context that make them meaningful. It typically includes some or all of the following elements.
Network Ownership & Routing
- ASN (Autonomous System Number): Identifies the ISP or organization that routes this IP range.
- Organization name: Who controls the IP range (e.g., Comcast, AWS, Verizon).
Infrastructure Type
- Mobile carrier (cellular networks).
- Datacenter / cloud (AWS, GCP, Azure, etc.).
- Enterprise network (universities, businesses).
- Anonymizers (VPN, proxy, Tor exit node, commercial anonymizer).
Anonymization & Abuse Signals
- Whether the IP belongs to a VPN provider, public proxy, or residential proxy network.
- Detection of botnet / malware C2 usage.
- Hosting vs. consumer IP distinctions.
Geolocation Context
- Country, region, city.
- Accuracy confidence level (geo often isn’t perfect).
- Known anomalies (e.g., mismatch between ASN and claimed country).
Enrichment Metadata
- Risk indicators
- Real-time, point-in-time insights, so that a risk engine is fed the highest-fidelity data available at the moment it makes a decision.
Sample IP Enrichment Output
The following JSON snippet shows how enrichment adds valuable context to a single IP address:
{
  "as": {
    "number": 30083,
    "organization": "AS-30083-GO-DADDY-COM-LLC"
  },
  "client": {
    "behaviors": ["TOR_PROXY_USER"],
    "concentration": {
      "city": "Weldon Spring",
      "country": "US",
      "density": 0.202,
      "geohash": "9yz",
      "skew": 45,
      "state": "Missouri"
    },
    "count": 14,
    "countries": 1,
    "proxies": ["LUMINATI_PROXY", "SHIFTER_PROXY"],
    "spread": 4941431,
    "types": ["MOBILE", "DESKTOP"]
  },
  "infrastructure": "DATACENTER",
  "ip": "148.72.164.186",
  "location": {
    "city": "St Louis",
    "country": "US",
    "state": "Missouri"
  },
  "risks": ["WEB_SCRAPING", "TUNNEL"],
  "services": ["IPSEC", "OPENVPN"],
  "tunnels": [
    {
      "anonymous": true,
      "entries": ["148.72.164.179"],
      "exits": ["148.72.164.177"],
      "operator": "NORD_VPN",
      "type": "VPN"
    }
  ]
}
Sample of data summarizing key information for an IP address.
Challenges in Getting Enriched IP Data
Security, threat hunting, and fraud teams know they need additional IP context, but they face real barriers, including:
- Fragmented coverage: Many datasets focus only on cloud IPs while ignoring anonymizers and mobile carriers. Security teams are often forced to combine and deduplicate datasets themselves, and that costs time, precious time when an attacker may already be in the network.
- Staleness: Infrastructure shifts quickly, and some providers lag weeks or months behind.
- Oversimplified labels: Categories like “hosting” or “residential” are too broad to act on with confidence.
The result is teams making high-stakes decisions with incomplete maps of the terrain.
How to Make Sure You Are Getting the Most Out of Your IP Enrichment
Not all enrichment providers deliver the same value. A few key questions to ask:
- Does the coverage span VPNs, residential proxies, cloud, and mobile networks?
- How frequently is the data set updated? In real-time? Daily? Weekly?
- Is the methodology transparent, or just a “black box”?
- Does the data offer additional risk signals, or does it force a “score” that could be rigid and not applicable to your environment?
- Can it integrate easily with data lakes for further analysis or your SIEM, SOAR, or fraud prevention stack?
A provider that falls short on any of these fronts risks leaving critical blind spots.
Top 5 IP Enrichment Use Cases
1. Detect Anomalous Logins to Tighten Risk-Based Authentication
Raw login logs will only tell you “this user logged in from IP X.” With enrichment, you can ask, “What does this IP really mean?”
For example, let’s say that a U.S.-based employee account suddenly logs in from an IP tied to a consumer VPN exit node in Eastern Europe. Without enrichment, that might look like an innocent international login. With enriched data, it stands out immediately as suspicious, and security teams can tighten risk-based authentication — enforcing MFA or blocking high-risk logins automatically.
2. Flag or Throttle Account Signups from Residential Proxy IPs to Prevent Fraud
Fraudsters frequently hide behind anonymizers to commit account takeovers, fake signups, or payment fraud. IP enrichment provides a defense layer before fraud happens.
For example, an online platform notices a spike in new accounts created from IPs classified as residential proxies. With enrichment, they can automatically flag or throttle these signups. Fraud detection systems can score transactions more accurately by adding IP context alongside device fingerprints, behavioral data, and payment metadata. Read how Spur helped a global tech company prevent fraudulent account signups.
3. Detect Bot Traffic to Protect Applications
APIs are increasingly targeted for abuse — scraping, credential stuffing, and inventory hoarding. Attackers often mask their traffic using cloud or proxy services.
For example, a ticketing platform sees thousands of requests per second from what looks like a diverse set of IPs. Enrichment reveals that 90% of those IPs belong to the same cloud provider, making it clear this is bot traffic rather than legitimate customers. Enrichment enables smarter rate-limiting, bot management, and firewall rules — protecting performance for real users.
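The concentration check in the ticketing example, written out as an added Python example (not Spur's own code) over a constructed burst of enriched requests. Field names follow the sample enrichment output earlier in the post; the ASNs, organization names and the "RESIDENTIAL" label are constructed placeholders.

```python
from collections import Counter

# Constructed sample of enriched requests: each entry carries the ASN and
# infrastructure label an enrichment lookup would attach to the source IP.
# Nine requests come from one cloud ASN, one from a residential ISP
# (documentation IP ranges and private-use ASNs, not real infrastructure).
SAMPLE_REQUESTS = [
    {"ip": f"203.0.113.{i}", "as": {"number": 64500, "organization": "EXAMPLE-CLOUD"},
     "infrastructure": "DATACENTER"}
    for i in range(1, 10)
] + [
    {"ip": "198.51.100.7", "as": {"number": 64501, "organization": "EXAMPLE-ISP"},
     "infrastructure": "RESIDENTIAL"},
]


def asn_concentration(requests):
    """Return (top_asn, share, infrastructure) for the ASN that sent the most requests."""
    counts = Counter(r["as"]["number"] for r in requests)
    top_asn, top_count = counts.most_common(1)[0]
    infra = next(r["infrastructure"] for r in requests if r["as"]["number"] == top_asn)
    return top_asn, top_count / len(requests), infra


def looks_like_bot_traffic(requests, threshold=0.9):
    """Flag a burst when one hosting ASN accounts for >= threshold of requests.

    IPs that look diverse but collapse onto a single cloud ASN are the pattern
    the post describes. A single residential ASN at the same share is not
    flagged here, since a large consumer ISP can legitimately dominate a region.
    """
    if not requests:
        return False
    _, share, infra = asn_concentration(requests)
    return share >= threshold and infra == "DATACENTER"


if __name__ == "__main__":
    asn, share, infra = asn_concentration(SAMPLE_REQUESTS)
    print(f"top ASN {asn} ({infra}) sent {share:.0%} of requests; "
          f"bot-like: {looks_like_bot_traffic(SAMPLE_REQUESTS)}")
```

In production the same aggregation runs over a sliding window of enriched request logs, and the ASN share becomes one input to the rate-limiting or bot-management rule rather than a block on its own.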
4. Connect the Dots to Accelerate Threat Hunting & Attribution
When investigating campaigns, enriched IP context helps analysts connect dots between seemingly unrelated events.
For example, analysts notice multiple phishing campaigns with C2 servers hosted on different IPs. Enrichment shows all those IPs are linked to the same small hosting provider in Asia. This helps attribute activity to the same actor. Enriched data accelerates investigations, reduces noise, and builds stronger cases for threat intelligence reports.
5. Apply Adaptive Access Policies to Prevent User Friction
Not every login attempt from an unusual IP should be blocked outright. Enrichment enables nuanced policies that balance user experience with security.
For example, a bank might decide that logins from known residential ISPs are normal, that logins from mobile carriers could sometimes trigger MFA, and that logins from VPN/proxy exit nodes would always require step-up authentication. In this scenario, customers aren’t unfairly blocked, but suspicious sessions face more scrutiny. Security gets stronger without creating unnecessary friction.
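The bank policy above, together with the anomalous-login case from use case 1, as an added Python example (not Spur's code). The record is the post's sample enrichment output trimmed to the keys the policy reads; the "MOBILE" infrastructure label and the rule that a mobile login only triggers MFA on a country mismatch are assumptions of this example, not Spur's data model.

```python
# Record taken from the sample enrichment output earlier in the post, trimmed
# to the fields the policy reads.
SAMPLE_RECORD = {
    "ip": "148.72.164.186",
    "infrastructure": "DATACENTER",
    "client": {"proxies": ["LUMINATI_PROXY", "SHIFTER_PROXY"]},
    "location": {"city": "St Louis", "country": "US", "state": "Missouri"},
    "risks": ["WEB_SCRAPING", "TUNNEL"],
    "tunnels": [{"anonymous": True, "operator": "NORD_VPN", "type": "VPN"}],
}

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


def is_anonymized(record):
    """True when the lookup shows a VPN/proxy tunnel or a proxy network on the IP."""
    client = record.get("client") or {}
    return (bool(record.get("tunnels")) or bool(client.get("proxies"))
            or "TUNNEL" in (record.get("risks") or []))


def login_decision(record, home_country):
    """Map an enriched login IP to (decision, reason).

    Policy, following the post's bank example:
      - VPN/proxy exit node: always step-up; block when it also places the
        user abroad (the anomalous-login case from use case 1).
      - Mobile carrier: step-up only on a country mismatch (assumed reading
        of "could sometimes trigger MFA").
      - Datacenter without a tunnel: step-up, since consumers rarely log in
        from cloud hosts.
      - Anything else (residential ISP, enterprise network): allow.
    """
    country = (record.get("location") or {}).get("country")
    abroad = country is not None and country != home_country
    infra = record.get("infrastructure")
    if is_anonymized(record):
        return (BLOCK if abroad else STEP_UP, "anonymizer")
    if infra == "MOBILE":  # assumed label; only DATACENTER appears in the post
        return (STEP_UP if abroad else ALLOW, "mobile carrier")
    if infra == "DATACENTER":
        return (STEP_UP, "datacenter")
    return (ALLOW, infra or "unknown")


if __name__ == "__main__":
    print(login_decision(SAMPLE_RECORD, "US"))  # ('step_up', 'anonymizer')
```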
The Benefits of Stronger IP Context
When you bring in high-quality enrichment, the payoff is immediate:
- Better blocking, fewer false positives — you stop attackers without hassling legitimate users.
- Faster investigations — analysts spend less time sifting through raw logs.
- Sharper access controls — policies adapt intelligently based on risk.
- Greater confidence — decisions are backed by clear, timely intelligence.
How Spur Delivers IP Enrichment
The challenges highlighted in this post—uncertain attribution, anonymized infrastructure, and the difficulty of identifying infrastructure—are the same issues our customers face daily. Spur addresses these challenges by:
- Unmatched Coverage and Fidelity: Spur tracks more than 60 million active anonymous IPs and 1,000+ active VPN and proxy services, delivering the highest-fidelity IP intelligence available. Our data is transparent, fresh, and actionable — with a consistently low false-positive rate.
- Focusing on Blind Spots Others Miss: Unlike traditional providers, Spur delivers visibility into residential proxies, mobile IPs, malware-based proxy networks, and bot infrastructure, where attackers hide to evade detection.
- Actionable Enrichment for Attribution: By adding context such as proxy/VPN status, ASN, device type, and tunnel entry/exit details, Spur enables more effective attribution of adversary tradecraft.
- API-First and Analyst Friendly: Spur integrates directly into SIEM, SOAR, fraud detection, and threat intelligence platforms. Our real-time API and historical datasets support both inline prevention and forensic investigations.
- Business Outcomes that Matter: Customers reduce fraud losses, improve analyst efficiency, and lower infrastructure costs. For example, a leading bank has seen a 40%+ drop in account takeovers and a technology company has seen a 99.8% drop in fraudulent account creation by enriching authentication sessions with Spur data.
Through these capabilities, Spur empowers security, threat hunting, and fraud teams to see through anonymization, attribute activity more effectively, and disrupt attacker infrastructure before it can be leveraged at scale.
Get Started with Spur
The best way to understand how enriched IP data can improve your security, threat hunting and fraud prevention is to see it in action. Spur offers a free community dataset that enables you to explore anonymizer detection, infrastructure classification, and more.
Frequently Asked Questions
What is IP enrichment?
IP Enrichment is the process of taking a raw IP address and adding layers of contextual information to make it actionable. Instead of just seeing “an IP,” enrichment reveals details like the owning network (ASN), infrastructure type (cloud, mobile, residential, VPN/proxy), geolocation, anonymization status, and associated risk signals. With IP enrichment, security and fraud teams can quickly tell whether traffic is coming from a legitimate home user, a datacenter, or a suspicious proxy or VPN exit node.
Why can’t I rely on geolocation or standard IP reputation feeds alone?
Traditional geolocation or reputation lists are often incomplete, outdated, or too broad. For example, a label like “datacenter” doesn’t tell you whether it’s a cloud-hosted web app or a malicious botnet node. Enriched IP data adds granularity and freshness so defenders can make accurate decisions instead of relying on guesses.
How do attackers actually use anonymized infrastructure?
Adversaries commonly use VPNs, residential proxies, and cloud servers to hide their tracks. Credential-stuffing groups like Genesis Market used residential proxies to look like real users, while APT actors have been documented using commercial VPN/proxy services to mask command-and-control infrastructure. Even sneaker bots and ticket scalpers rely on anonymizers to bypass rate limits.
What are the top ways my organization can benefit from IP enrichment?
The most impactful use cases are:
1. Detecting anomalous logins to strengthen authentication.
2. Preventing fraud by flagging risky account signups or transactions.
3. Identifying bot traffic to protect applications and APIs.
4. Connecting attacker infrastructure for faster threat hunting.
5. Building adaptive access policies that improve security without hurting user experience.
How do I evaluate whether an IP enrichment provider is reliable?
Look for breadth of coverage (including residential proxies and mobile networks), update frequency, transparency of methodology, integration options, and whether the provider supplies actionable risk signals rather than opaque “black box” scores.
What are the tangible business outcomes of using IP enrichment?
Organizations that adopt IP enrichment see real results: fewer account takeovers, reduced fraud losses, lower infrastructure costs from bot abuse, and faster analyst investigations. For example, Spur customers have reported a 40%+ drop in account takeovers and a 99.8% reduction in fraudulent account creation.
How can I try IP enrichment without heavy integration work?
Spur offers a free community dataset that provides immediate access to anonymizer detection and infrastructure classification. You can explore it in your own workflows before committing to a full deployment.