DNA is the lifeblood of a CSI crime scene investigator. A “hit” in the FBI’s DNA database links the crook with the crime. An Internet Protocol address can do the same. It can help connect malicious online traffic to a device, network or service used in a cyberattack, giving cybercrime investigators a place to start.
The key difference is that DNA can’t be “proxied” in the same way IP addresses can be easily spoofed or masked. VPNs, Tor, proxies, and compromised machines (used as stepping stones) all sever the link between address and actor. For network defenders, when crooks use VPNs it’s as if the CSI crime scene had been scrubbed of clues with BleachBit – no fingerprints, DNA or hair follicles to examine.
Criminal use of VPNs to cloak and hide their tracks and to confuse law enforcement isn’t new. That is what makes a revelation from IP intelligence firm Spur Intelligence so alarming: 20% of surveyed companies are either not confident (16%) in their network monitoring efforts or don’t track (4%) IP-based traffic into their networks.
The survey of 200 firms uncovered a huge disconnect between VPN-related security incidents and security teams who neglect to scrutinize anonymous traffic in real time.
At stake, Spur said, are the 54% of security incidents in which a postmortem of the attack found a VPN or proxy service was involved. Credential abuse, malware/bot activity and bogus account creation topped the list of IP-related threats, respondents said.
The FBI warned March 12 that cybercriminals use residential proxies to route activity through home and small-business networks, making it harder to identify offenders or determine their locations.
Google’s Threat Intelligence Group said in January that it disrupted IPIDEA, one of the world’s largest residential proxy networks. Google said it observed more than 550 tracked threat groups using IPIDEA exit nodes during a seven-day period in January 2026, including actors tied to China, North Korea, Iran and Russia.
Compounding the enterprise challenge is the 23% of work-from-home employees using residential VPNs, mobile device (tablet or smartphone) proxies, and others that use data center proxies. Add to the mix that 32% of U.S. adults use a VPN, according to a separate 2025 survey by Security.org.
“When malicious activity is indistinguishable from real users, security teams can no longer rely on basic IP signals or reactive workflows to identify threats before damage occurs,” according to Spur.
Now factor in office workers and their personal (BYOD) devices. “A surprisingly low 38% of respondents indicated that access from personal (BYOD) devices to internal systems is strongly controlled, while 23% said network trust granted to BYOD once connected was only mostly controlled,” Spur wrote.
The study also suggests many organizations still treat IP intelligence as a forensic tool rather than a preventive control. Spur found that 44% primarily use IP enrichment for log analysis and investigations after incidents occur instead of using it proactively for adaptive access controls or fraud prevention.
The verdict? Spur, a company that specializes in IP intelligence, concluded that what companies lack is IP intelligence tools and an awareness of the importance of the market niche. “These findings reinforce that IP intelligence can no longer be treated as a back-end investigative tool,” the company wrote. “Security teams need to apply IP context earlier in workflows to inform real-time decisions on access, authentication, and fraud.”