Tuesday, September 9, 2025

Announcing the Synthient IP Risk Database

Residential proxies pose numerous challenges to online platforms. Static indicators fall short, with residential proxy providers using sketchy mobile SDKs or free VPN apps to build large pools of IP addresses. Attackers can use these IP addresses to conceal their attacks making it appear as if each request is coming from a legitimate device. This latest release of Synthient V3 aims to improve the identification of leased IP addresses and the detection of active proxies.

Goal is too:

• Enable companies to recognize malicious patterns and filter out fraudulent traffic.
• Give CTI researchers and DFIR practitioners the tools needed to detect and pivot on adversary infrastructure.

Expanding Residential Proxy and VPN Coverage

One of our goals is to equip clients with the data and tools needed to detect fraudulent patterns. Knowing that an IP address is associated with a residential proxy is not enough to block the traffic outright due to the inherent nature of residential proxies. Our tests show that combining IP intelligence and specific JavaScript signals allows for the high-confidence detection of active proxies. As a result, we've made a tremendous effort to map out the largest proxy providers, achieving upwards of 99.9% coverage among the larger networks. 👉 Explore the data for yourself at search.synthient.com.

Fig 1. Numbers obtained from inquiry or publicly available information.

Challenges Faced

One of the difficulties faced in mapping proxy providers is the reseller ecosystem. Larger resellers often contact other providers, offering cheap deals to resell their products. We estimate the total number of unique proxy pools to be between 12 and 18, with most providers reselling IPs from these pools. To account for this and maximize our coverage, we will ignore white-label resellers and focus on mapping the source pools directly.

Fig 2. The Reseller Ecosystem and the no-KYC Dilemma

Another challenge is detecting ISP proxies, with providers purchasing whole subnets and leasing them to fraudsters so that they can hide their traffic. Mapping them requires more manual effort, but due to a fundamental flaw in infrastructure, it allows for enumeration.

Fig 3. The Shady ISP Ecosystem

Making the Data Searchable

Part of this release includes our publicly accessible search engine, which allow users to search the database without paying for a subscription. We want to showcase the full extent of our data and feel that charts don't fully capture the full capabilities.

Fig 4. search.synthient.com

Behavioral Signals

We also included behavior-based signals in our data as part of this update. Due to the high churn rates of both proxies and VPNs, we want to provide additional indicators that allow customers to make quick decisions. As part of adding behavioral signals we now track torrenting behavior, device clusters, and programmatic traffic. We’ve extended our partnerships with 3rd party data providers, helping us bring novel data to the platform.

Fig 5. New Behavioral Signals

Conclusion

As bot developers continue to evolve, so will their tools. It's a cat-and-mouse game that requires novel approaches to reclaim the advantage from the defenders. This latest release aims to reduce that gap by tackling challenging risks such as residential proxies and automated browsers head-on. Schedule a call here if you’d like to learn more or integrate this data into your product.