No Fingerprints, No DNA: How VPNs Are Blinding Enterprise Security Teams

The IP Address Is Cybercrime’s Best Clue: Until It Isn’t

A new survey finds nearly 1 in 5 companies aren’t monitoring anonymous IP traffic in real time — and attackers are exploiting the gap.

DNA is the lifeblood of a crime scene investigator. A “hit” in the FBI’s DNA database links the crook with the crime. An Internet Protocol address can play the same role in a cyberattack: it can connect malicious online traffic to a device, network or service used in the attack, giving investigators a place to start.

The key difference is that DNA can’t be “proxied” the way an IP address can be masked or relayed. VPNs, Tor, proxies, and compromised machines (used as stepping stones in an attack) all sever the link between address and actor. For network defenders, when crooks use VPNs it’s as if the crime scene had been run through BleachBit: no fingerprints, DNA or hair follicles left to examine.

Criminal use of VPNs to cloak activity and confuse law enforcement isn’t new. That makes Spur Intelligence’s finding all the more alarming: 20% of surveyed companies are either not confident in their monitoring of anonymous IP traffic into their networks (16%) or don’t track it at all (4%).

Spur’s survey of 200 firms, released Wednesday as “The 2026 IP Intelligence Study,” found a wide gap between how often VPNs and proxies figure in security incidents and how few security teams scrutinize anonymous traffic in real time.

What’s at stake, Spur said, is the 54% of security incidents in which the postmortem found a VPN or proxy service was involved. Credential abuse, malware/bot activity and bogus account creation topped the list of IP-related threats, respondents said.

The FBI warned in March that cybercriminals use residential proxies to route activity through home and small-business networks, making it harder to identify offenders or determine their locations.

Google’s Threat Intelligence Group said in January that it disrupted IPIDEA, one of the world’s largest residential proxy networks. Google said it observed more than 550 tracked threat groups using IPIDEA exit nodes during a seven-day period in January 2026, including actors tied to China, North Korea, Iran and Russia.

Compounding the enterprise challenge, Spur reports, is that 23% of work-from-home employees connect through residential VPNs, mobile (tablet or smartphone) proxies or data center proxies. Add to the mix another VPN trend: 32% of U.S. adults use a VPN, according to a separate 2025 survey by Security.org. That’s a lot of cloaked traffic to consider, if you choose to.

“When malicious activity is indistinguishable from real users, security teams can no longer rely on basic IP signals or reactive workflows to identify threats before damage occurs,” according to Spur.

Now factor in office workers and their personal (BYOD) devices, which often come with a bring-your-own VPN. “A surprisingly low 38% of respondents indicated that access from personal (BYOD) devices to internal systems is strongly controlled, while 23% said network trust granted to BYOD once connected was only mostly controlled,” Spur wrote.

The study also suggests many organizations still treat IP intelligence as a forensic tool rather than a preventive control. Spur found that 44% primarily use IP enrichment for log analysis and investigations after incidents occur instead of using it proactively for adaptive access controls or fraud prevention.

The verdict? Spur, a company that specializes in IP intelligence, concluded that what companies lack is IP intelligence tooling and an awareness of why it matters. “These findings reinforce that IP intelligence can no longer be treated as a back-end investigative tool,” the company wrote. “Security teams need to apply IP context earlier in workflows to inform real-time decisions on access, authentication, and fraud.”
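The distinction Spur draws between forensic and preventive use of IP context is easier to see in code. The following is an added example, not code from Spur or from the article: it contrasts post-hoc log enrichment with an authentication gate that consults IP context at login time and combines it with a per-IP failure history to catch credential stuffing from anonymous sources. The IP context table, the labels (`datacenter_proxy`, `residential_proxy`, `tor_exit`, `isp`), the login events and the thresholds are all constructed for illustration and are assumptions, not any vendor’s feed or scoring.

```python
"""Added example: IP context as a forensic enrichment vs. as a real-time auth control.
All IP labels, events and thresholds below are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed IP context table (hypothetical reputation labels keyed by source IP).
IP_CONTEXT = {
    "198.51.100.7": {"type": "datacenter_proxy", "anonymous": True},
    "203.0.113.42": {"type": "residential_proxy", "anonymous": True},
    "192.0.2.9": {"type": "tor_exit", "anonymous": True},
    "192.0.2.120": {"type": "isp", "anonymous": False},
}


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed)
    src_ip: str
    user: str
    success: bool
    new_device: bool   # first time this user has been seen on this device


def lookup(ip):
    """Unknown IPs get a neutral record rather than being treated as safe."""
    return IP_CONTEXT.get(ip, {"type": "unknown", "anonymous": False})


def enrich(events):
    """Forensic use: attach IP context to each event for review after an incident."""
    return [
        {"ts": e.ts, "user": e.user, "src_ip": e.src_ip, "success": e.success, **lookup(e.src_ip)}
        for e in events
    ]


class AuthGate:
    """Preventive use: decide allow / step_up / deny as each login is attempted."""

    def __init__(self, window=300, spray_threshold=5):
        self.window = window                    # seconds of failure history to keep per IP
        self.spray_threshold = spray_threshold  # distinct accounts failed from one IP
        self.failures = defaultdict(list)       # src_ip -> [(ts, user), ...]

    def decide(self, e):
        ctx = lookup(e.src_ip)
        # Keep only failures inside the window, then record this attempt if it failed.
        recent = [(t, u) for t, u in self.failures[e.src_ip] if e.ts - t <= self.window]
        if not e.success:
            recent.append((e.ts, e.user))
        self.failures[e.src_ip] = recent
        distinct_users = {u for _, u in recent}
        # Anonymous source spraying many accounts: the credential-stuffing pattern.
        # A later success from that IP is denied too, since that is the attempt that landed.
        if ctx["anonymous"] and len(distinct_users) >= self.spray_threshold:
            return "deny"
        # Plausible user, but the context warrants an MFA challenge.
        if ctx["type"] == "tor_exit" or (ctx["anonymous"] and e.new_device):
            return "step_up"
        return "allow"


# Constructed login stream: a datacenter proxy sprays five accounts then lands one,
# followed by three ordinary logins from different kinds of source.
SAMPLE_EVENTS = [
    LoginEvent(100, "198.51.100.7", "alice", False, True),
    LoginEvent(110, "198.51.100.7", "bob", False, True),
    LoginEvent(120, "198.51.100.7", "carol", False, True),
    LoginEvent(130, "198.51.100.7", "dave", False, True),
    LoginEvent(140, "198.51.100.7", "erin", False, True),
    LoginEvent(150, "198.51.100.7", "frank", True, True),
    LoginEvent(160, "192.0.2.120", "gina", True, True),
    LoginEvent(170, "192.0.2.9", "hal", True, False),
    LoginEvent(180, "203.0.113.42", "ivy", True, False),
]


def run_policy(events=SAMPLE_EVENTS):
    """Run the real-time gate over a stream and return one decision per event."""
    gate = AuthGate()
    return [gate.decide(e) for e in events]


if __name__ == "__main__":
    for e, d in zip(SAMPLE_EVENTS, run_policy()):
        print(f"{e.ts} {e.src_ip:14} {e.user:6} success={e.success!s:5} -> {d}")
```

Note what the enrichment alone would not have prevented: the successful login for `frank` at `ts=150` is the stuffing attempt that worked, and it is only denied because the gate already knew the source was anonymous and had failed against five other accounts. The residential-proxy login for `ivy` is allowed, which is the point the article makes about such traffic being hard to tell from real users; a production policy would need more than IP type to catch it.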

Author

  • Tom Spring

    Tom Spring is the founder of Security Point Break and is based in Boston, MA. For over two decades he has worked at national publications in leadership roles: senior editorial director of SC Media, publisher at Threatpost, executive news editor at PCWorld/Macworld, and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.
