The Residential Proxy Problem: Shared Infrastructure and Rapid Rotation

We analyzed 170+ million residential proxy IPs over a 90-day period (86M IPv4, 87M IPv6) and discovered two patterns that explain why fraud detection is so hard:

1. 46% of residential proxy IPs appear across multiple provider networks simultaneously (70% for IPv4, 22% for IPv6). The same compromised infrastructure, infected routers, malware-laden devices, bandwidth-sharing apps, is accessible through different proxy services. An IP in Bright Data's network is often also available through Smartproxy, Oxylabs, and many other providers. Over longer time windows, IPv4 infrastructure shows even higher cross-provider overlap, with nearly 70% of IPv4 addresses appearing across multiple providers.
2. 60% of residential proxy IPs are only observed once in a 90-day window (32% for IPv4, 87% for IPv6). The same addresses don't persist, they rotate rapidly between active proxy use and legitimate residential traffic, cycling out faster than reputation systems can track them. IPv6 addresses show extremely high churn with 87% observed only once, demonstrating their ephemeral nature. Even over a 90-day period, a majority of residential proxy IPs are seen only once, making it nearly impossible for traditional reputation systems to build meaningful abuse history.

For fraud teams relying on traditional IP reputation data, abuse history, or risk scoring models, these two realities create a critical blind spot. The rapid rotation of IPs combined with shared infrastructure across providers means that blocking individual residential proxy service IPs or relying on historical abuse data is ineffective against residential proxy networks.

Why Residential Proxies Break Traditional Detection

Residential proxies are fundamentally different from datacenter proxies or VPNs. They route traffic through real consumer ISP connections: your neighbor's compromised router, a student's laptop running a bandwidth-sharing app, a smart TV infected with malware. These IPs look legitimate because they are legitimate addresses, just temporarily hijacked for proxy traffic.

The challenge isn't just detection: it's the rotation. Residential proxy IPs constantly cycle between three states:

1. Active as a proxy - Currently routing malicious traffic
2. Inactive - Temporarily removed from the proxy pool
3. Legitimate use - Back to serving the actual homeowner

This rotation happens rapidly: sometimes hourly, sometimes daily. An IP routing credential stuffing attacks at 3pm might be streaming Netflix for a legitimate user by 6pm.

The Rotation Problem: IPs Churn Faster Than Reputation Can Track

Our January 2026 analysis of 170 million residential proxy IPs over a 90-day window shows that these addresses rotate so quickly that historical reputation becomes unreliable. On average, a residential proxy IP is visible for just 4.56 days. That average hides a major split:

• IPv4: 7.86 days
• IPv6: 1.29 days

This short lifespan explains why most residential proxy IPs never accumulate meaningful history. Most IPs disappear before reputation can form.

60% of residential proxy IPs are observed only once during the 90-day period. In other words, a majority of IPs vanish after a single appearance. This effect is overwhelmingly driven by IPv6, while IPv4 also presents a high churn:

• IPv4: 33% observed once during the 90-day period.
• IPv6: 87% observed once during the 90-day period.

Even when IPs do return, they do so inconsistently. Only 9% of IPs are reobserved within 7 days:

• IPv4: 18% reobserved within 7 days
• IPv6: 0.6% reobserved within 7 days

78% of IPs do not persist beyond 30 days from first observation:

• IPv4: 59% drop out beyond 30 days
• IPv6: 99% drop out beyond 30 days

Just 22% reappear after 30 days, almost entirely driven by IPv4:

• IPv4: 41% reappear after 30 days
• IPv6: 1% reappear after 30 days

What this means: Residential proxy IPs don't simply churn out, they rotate. The same addresses cycle between active proxy use and dormancy multiple times per month. An IP might route attacks Monday, disappear Tuesday-Thursday, reappear Friday, then vanish again the next week. They cycle in and out of proxy use faster than reputation systems can detect, score, and respond especially for IPv6, where persistence is nearly nonexistent.

This rotation speed destroys the foundation of IP reputation systems.

Traditional IP reputation models work by building historical profiles: "This IP has been associated with fraud, so flag it as high-risk." But when IPs cycle between proxy and legitimate use multiple times per month, what does historical reputation represent?

You're either:

• Scoring normal users as fraudsters because they inherited an IP that was briefly used as a proxy last week
• Giving actual proxy traffic a clean score because the IP doesn't have enough historical data yet

Risk scoring models face the same problem. They aggregate behavior over time to calculate scores. But by the time an IP accumulates enough "bad behavior" to trigger a high risk score, it's already cycled out of the proxy pool and back to legitimate residential use. The lag between detection and scoring makes the data perpetually stale.

The Overlap Problem Makes It Worse

Our January 2026 analysis revealed that rotation isn't the only issue, it's reuse at scale:

• 46% of residential proxy IPs appear in 2+ provider networks (79M out of 170M IPs)
• 19% appear in 5+ providers (33M IPs)
• 9% appear in 10+ providers (15M IPs)
• Some IPs appear in up to 98 different provider pools (0.3% appear in 50+ providers)

This means the same compromised infrastructure is being accessed through multiple proxy services. Fraudsters don't need to switch infrastructure: they just switch which provider they're buying access through.

Examples from our December 2025 data:

• 196.22.142.127: Present in 101 providers (the current maximum)
• 185.53.76.74: Active across 96 providers
• 81.169.144.135: Found in 96 providers (this is the only one we flagged as abusive)
• 198.143.60.19: Appears in 90 providers

These heavily shared IPs appear across almost all major residential proxy providers, including netnut, 922proxy, oxylabs, brightdata, smartproxy, lunaproxy, and dozens of others. They're likely sourced from large ISP pools that multiple providers tap into, or from the same upstream malware networks that feed multiple services.

Why This Breaks Detection

The residential proxy ecosystem is more interconnected than most fraud teams realize. Many providers aren't operating independent infrastructure, they're sourcing from the same underlying pools:

• The same compromised routers accessed through different services
• The same P2P bandwidth-sharing apps white-labeled under different brands
• The same malware networks feeding multiple proxy providers

The implication: Provider identity alone isn't a strong enough signal.

If your detection system flags IPs "from Bright Data" but the same IPs are simultaneously available through eight other providers, what happens when an attacker switches services? Your system doesn't recognize it as the same infrastructure. The IP that was flagged yesterday gets through today because it's accessing through a different provider.

This overlap pollutes IP reputation data and inflates false negatives. An IP might have a clean reputation score because it's only been flagged on one provider, while the other seven providers offering access to the same IP haven't been detected yet.

Beyond Residential: Mobile and Datacenter Proxies

The proxy landscape extends beyond traditional residential IPs. As of December 2025, IPinfo tracks the full spectrum:

Mobile proxies route traffic through cellular networks: real smartphones and mobile devices running proxy apps. These are particularly challenging because mobile IPs are frequently shared across many devices through carrier-grade NAT. An IP that looks like a single mobile user might actually be serving hundreds of devices. We tag these with a _mobile suffix (e.g., soax_mobile) because they require different risk assessment than standard residential proxies.

Datacenter proxies use hosting infrastructure rather than residential ISPs. Providers like Bright Data and Oxylabs offer datacenter proxy pools alongside their residential offerings. While datacenter IPs are theoretically easier to detect (they come from known hosting ASNs), commercial datacenter proxies from major providers are still widely used for fraud and scraping. As of December 2025, we track datacenter proxies from six major providers: Bright Data, ByteZero, DataImpulse, Decodo, Geonode, and Oxylabs flagging them with a _datacenter suffix.

This distinction matters because mobile and datacenter proxies have different characteristics and require different detection strategies, but they're all part of the same abuse ecosystem.

What Actually Works: Context Over Direct Observation

When IPs cycle between active and dormant states within hours, when the pool refreshes weekly with mostly new addresses, and when the same IPs are accessible through multiple providers simultaneously, you need a detection approach that adapts to this reality.

This is where direct observation makes the difference. Because IPinfo subscribes to residential proxy services and actively connects through them, we can see patterns that inference-based detection misses. 

More importantly, we can provide the contextual signals that help fraud teams make intelligent decisions despite this complexity:

Last seen timestamp - When was this IP last observed actively routing through a proxy network? An IP last seen 30 days ago is fundamentally different from one active yesterday. Recency is the strongest signal.

Percent of active days - Has this IP been consistently in proxy pools (high persistence = higher risk) or is it newly rotated in? Distinguishing persistent infrastructure from transient rotation matters enormously.

Provider identification - While we show which provider was most frequently observed, the real value is knowing the IP was detected through direct observation across 103 networks, not inference. We're not guessing based on subnet patterns or behavioral signals.

Mobile and datacenter tagging - IPs routing through carrier networks or hosting infrastructure get tagged with _mobile or _datacenter suffixes, because these proxy types behave differently and require different risk models.

These temporal signals matter because they reflect current state, not historical reputation.

A Better Standard for Residential Proxy Detection

Traditional approaches: IP reputation databases, risk scoring models, behavioral inference were built for a world of static datacenter proxies. They struggle with residential proxies because they can't keep pace with rotation or account for cross-provider reuse.

Any organization evaluating residential proxy data should ask:

• How was this IP detected? Direct observation or inferred from patterns?
• How current is this data? Daily updates or stale lists? With over half of proxy IPs appearing only once even in a 7-day window, yesterday’s data is already outdated.
• What temporal context is provided? When was it last seen active? How persistently has it appeared?
• Are mobile and datacenter proxies distinguished? Different types require different handling.
• Can you explain this flag to compliance? Clear detection methodology matters.

At IPinfo, our approach starts with verification-based detection: subscribing to proxy services and directly observing which IPs are in active use. As of January 2026, we track 101 residential proxy providers and multiple datacenter and mobile proxy providers. This direct observation across 147 million IPs is what allowed us to discover the cross-provider overlap and rapid daily churn patterns and it's what enables us to provide temporal context that adapts to this reality.

Because when residential proxy IPs alternate between malicious and legitimate use within hours, when the IP pool refreshes weekly with mostly new addresses, when the same IPs are simultaneously accessible through multiple providers, and when mobile and datacenter proxies add additional complexity, historical reputation becomes noise.

What matters is knowing which IPs are active threats right now, understanding what type of proxy infrastructure they represent, and having the temporal context to make intelligent risk decisions despite the complexity.