When most security teams think about VPN infrastructure, they picture data centers and hosting providers like AWS or DigitalOcean. And for the most part, they're right: 83.6% of commercial VPN traffic runs through hosting networks. But the remaining 16.4% operates on non-hosting infrastructure, primarily ISPs, creating a critical blind spot for fraud prevention, content protection, and compliance teams.
According to our recent analysis of the IPinfo Plus dataset covering 370,616 commercial VPN IPs, 60,738 IPs are hosted on non-hosting networks rather than traditional data centers. These IPs look residential, but are commercial VPNs.
The Infrastructure Split
Commercial VPN providers deploy infrastructure across two distinct categories:
Breaking down the 60,738 non-hosting commercial VPN IPs by network type:
These percentages refer specifically to commercial VPNs where the provider is identified (service-attributed VPNs), representing 1.8% of all detected VPN IPs, but 100% of commercially relevant VPN traffic.
Which VPN Providers Use ISP Infrastructure?
Analysis reveals 129 distinct commercial VPN providers operating infrastructure on ISP networks, a scale that simple hosting-based detection would completely miss. However, deployment is heavily concentrated among the top providers:
- Top 10 providers: 55,549 IPs (91.5% of ISP-based commercial VPN infrastructure)
- Remaining 119 providers: 5,189 IPs (8.5% of infrastructure)
Top Providers by IP Count
VPNGate (23,810 IPs): Volunteer-operated P2P network distributed across residential ISPs including Korea Telecom (AS4766), FPT Telecom Vietnam (AS18403), Rostelecom Russia (AS12389), and SoftBank Japan (AS17676).
NordVPN (8,255 IPs): Maintains significant non-hosting presence alongside its datacenter infrastructure.
Perimeter81 (7,171 IPs): Enterprise SASE solution with dedicated infrastructure across enterprise-focused ASNs.
Private Internet Access (6,048 IPs): Leverages backbone ISPs including Cogent Communications (AS174) and GTT Communications (AS3257).
The long tail: 119 additional providers including Surfshark (386 IPs), ProtonVPN (278 IPs), and others in the hundreds of IPs range, along with many smaller regional services maintaining limited ISP presence: 75 providers with fewer than 10 IPs each.
Why VPNs Choose ISP Infrastructure
Geographic Coverage
ISPs provide presence in markets where hosting infrastructure is limited: emerging markets, rural areas, and regions with restrictive data center regulations.
Circumvention Strategy
ISP IP addresses evade detection systems that only flag hosting ranges. Streaming platforms, financial institutions, and content filters maintain extensive blocklists of data center IPs ISP addresses slip through.
Cost-Effective Bandwidth
Backbone ISPs like Cogent and GTT offer high-capacity transit at competitive rates, ideal for bandwidth-heavy VPN operations.
Peer-to-Peer Architecture
Services like VPNGate route traffic through volunteers' residential connections, inherently using ISP infrastructure.
The Dual Nature of Privacy Technology
VPNs serve essential functions for millions of users worldwide. Journalists protecting sources in hostile environments, activists circumventing censorship, remote workers securing connections on public WiFi, and everyday users exercising their right to privacy all rely on VPN technology.
The infrastructure choices VPN providers make, including using ISP-based IP space, reflect the ongoing challenge of balancing user privacy rights with the detection needs of businesses facing fraud and abuse.
This isn't about "good" or "bad" VPN use. It's about giving businesses the visibility to distinguish between different types of traffic and apply policies that make sense for their specific context.
Why This Matters for Security Teams
The challenge is clear: non-hosting VPNs are designed to look like residential traffic. Traditional detection methods that rely on hosting flags will miss them entirely.
- For fraud prevention teams: Account takeover and credential stuffing attacks increasingly route through non-hosting VPNs to evade hosting-based filters. An IP from Korea Telecom could be a Seoul resident or a VPNGate exit node.
- For streaming and content platforms: Geographic licensing enforcement breaks when VPN users appear as legitimate ISP subscribers. An ISP IP from Germany could be a Hamburg subscriber or a masked user from Brazil.
- For financial services: Jurisdictional compliance requires detecting all VPN usage, not just obvious data center traffic. Missing non-hosting VPNs creates regulatory risk.
- For AdTech and analytics: Attribution and measurement models need to account for masked traffic that doesn't fit traditional VPN patterns.
At the same time, many legitimate users benefit from VPN infrastructure that isn't easily blocked:
- Privacy-conscious individuals can access services without being profiled or restricted based solely on VPN usage.
- Travelers can maintain access to their accounts and content without triggering overly aggressive fraud alerts.
- Remote workers in regions with limited datacenter presence get better performance through ISP-based infrastructure.
The challenge isn't VPNs themselves, it's having the context to apply the right policies for your specific needs without creating friction for legitimate users or missing genuine threats.
How IPinfo Detects Non-Hosting VPNs
IPinfo detects approximately 20.5 million VPN IPs across our IPinfo Plus dataset (December 2025) using two complementary methods:
Active protocol testing identifies VPNs by connecting to IPs and attempting VPN handshakes (OpenVPN, WireGuard...). This catches 98.2% of all VPN IPs, but without service attribution. We know these IPs run VPN protocols, but not which provider operates them.
Direct monitoring of commercial services identifies specific VPN providers by actively connecting to their infrastructure and mapping IP pools. This attributes 1.8% of VPN IPs (370,616 IPs) to commercial services like NordVPN, ExpressVPN, and the other hundreds of providers we track.
Within that 1.8% of attributed commercial VPNs, 60,738 IPs operate on non-hosting infrastructure: the focus of this analysis.
Our full VPN detection delivers:
- VPN detection across both hosting and non-hosting networks
- Service identification for commercial providers
- Accurate hosting classification (hosting: true/false)
- ASN and organization details including ASN type for infrastructure context
- Detection methodology including the specific source of the detection
- History metrics like first seen and last seen dates
This combination enables informed decisions: Is this IP residential, corporate, or commercial VPN? If it's a VPN, which service operates it? And other details that will enable teams to make decisions based on data.
Example simplified VPN record from IPinfo Plus:
Note that hosting: false while vpn: true together with ASN data identify this as a Thai ISP, not a hosting provider.
A Small Category With Outsized Impact
In our current snapshot, most commercial VPN infrastructure still lives in traditional datacenter hosting. But a small, diverse subset of services, especially P2P models and hybrid providers, also operate exit nodes inside ISP and business networks.
This doesn't represent a recent shift in the ecosystem so much as a long-standing blind spot: systems that rely solely on hosting detection will miss these nodes entirely.
By understanding how VPNs distribute their infrastructure across hosting, business, and ISP networks, teams can build policies that reduce fraud and abuse without over-blocking legitimate users.
Want to explore how IPinfo classifies VPNs and proxies? Visit our Privacy Detection documentation or contact us to learn more about integrating this data into your workflow.
Share this article
About the author
As the product marketing manager, Fernanda helps customers better understand how IPinfo products can serve their needs.