Residential proxies are the single biggest reason legacy fraud-detection APIs have failed in the last three years. If your defense stack is based on IP reputation, you are blind to 70%+ of modern fraud traffic. Here's why — and the exact signals that still work.

A residential proxy is an IP address assigned by a home ISP — Comcast, BT, Orange, T-Mobile — that's been co-opted as an outbound gateway. Commercial networks like BrightData, Smartproxy, IPRoyal, Oxylabs, and ShadowNode operate pools of 50 million+ of these IPs. They're rented by the GB, rotated per request, and indistinguishable from a real home user at the network layer.

This breaks the core assumption of every IP-reputation API released between 2012 and 2022: that the IP is diagnostic of the user. In 2026, it isn't. A residential proxy IP is literally a real Comcast customer's IP address — the same one that might be streaming Netflix from a different tab.

Why IP blocklists are obsolete

Legacy providers (IPQS, Fraudlabs Pro, MaxMind minFraud) detect proxies by maintaining blocklists of known proxy IP ranges. This strategy has two critical failures against residential proxy networks:

  • The blocklist can't exist. A residential IP is used by a real customer 95% of the time and by a fraudster 5%. Blocking the IP breaks the customer.
  • Rotation defeats it anyway. Even if you blocklisted every exit IP of a known residential provider, the provider rotates through millions per hour. Your list is stale before it's loaded.

This is why "we use IPQS" often means "we catch 30% of proxies." The other 70% are residential, and neither IPQS nor any IP-blocklist vendor has a viable answer.

What still works: the 4 signal families

Detecting residential proxies reliably requires moving up the stack — from the IP itself to the behaviors that the proxy can't hide.

1. ASN classification (the 30% baseline)

Commercial residential proxy providers concentrate on specific ASNs — particularly ISPs with known resale agreements. BT Group (AS2856), Vodafone Italy (AS30722), Orange Romania (AS8953) are heavily represented in BrightData's pool. You won't catch 100% from ASN alone, but you'll catch ~25–35% of residential proxy traffic with just this one signal, and zero false positives on customers whose ISPs aren't compromised.

2. Device fingerprint analysis (the 50–70% uplift)

This is where the real detection happens. Residential proxy users are always also running something else suspicious on the client — an antidetect browser, a virtualized environment, or automation framework. The IP looks clean. The browser doesn't.

  • Canvas tampering — Kameleo/GoLogin canvas rendering deviates from real hardware in measurable ways (Bezier curve aliasing, subpixel positioning, emoji rendering).
  • WebGL parameter mismatches — claimed GPU doesn't match claimed OS, or renderer strings are spoofed inconsistently.
  • Audio context fingerprinting — tampered browsers leave traces in audio processing that genuine Chrome doesn't.
  • Font metric anomalies — font availability claims that don't match the claimed OS.

A browser tampering score above 0.5 is a ~92% predictor of residential proxy usage in fraud contexts. Combined with an ASN flag, confidence approaches 99%.

3. TLS / JA3 fingerprint

Every browser produces a characteristic TLS handshake fingerprint (JA3 / JA4). Residential proxy libraries often don't perfectly replicate the target browser's TLS stack. A session claiming to be Chrome 118 on Windows but with a Firefox JA3 is diagnostic. This catches automation frameworks especially well.

4. Behavioral timing

Residential proxies add ~30–80ms of latency on each request. In a fraud farm, this shows up as suspiciously similar inter-request timings across sessions (all taking 200ms to submit forms when real users vary 100–3000ms). Sentinel's visitor ID lets you run this analysis longitudinally per device.

Practical detection stack

The practical stack for detecting residential proxies in 2026:

  1. Client-side SDK — collects canvas, WebGL, audio, and TLS-like signals from a real browser context.
  2. Server-side evaluate call — combines client signals with ASN lookup, known-residential-provider matching, and historical visitor ID analysis.
  3. Combined verdict — scored 0–100 for risk, with individual booleans for proxied, dch (datacenter), tampering, and visitor_id.

This is exactly what Sentinel's API returns in one call, in under 40ms.

Common residential proxy providers and their patterns

  • BrightData (formerly Luminati) — largest pool, strong ASN concentration in EU/US Tier-2 ISPs. Detectable via ASN + device fingerprint combo.
  • Smartproxy — similar pool composition, often resold BrightData stock under a different brand.
  • IPRoyal — primarily SOCKS5, shows higher latency jitter. Behavioral timing catches it well.
  • Oxylabs — enterprise-tier, cleaner ASN distribution, requires device fingerprint for detection.
  • ShadowNode — fastest-growing in 2025–2026, newer ASN pool. We track this actively; see our deep-dive on ShadowNode.
  • PacketStream / HoneyGang / Honeygain — P2P bandwidth-sharing networks. Consumers install the app voluntarily. Different ASN distribution, but detectable via client-side signals when the exit traffic reaches you.

A test you can run today

If you want to validate that your current defenses miss residential proxies:

  1. Sign up for a 24-hour BrightData trial ($5 minimum deposit).
  2. Route a browser through their residential endpoint with a US exit.
  3. Try to complete whatever fraud-sensitive action matters to your platform (signup, checkout, bonus claim).
  4. Check your fraud dashboard. Does the session show any risk signal? If not, you have a problem.

We've run this test against every major legacy IP-reputation API. Only the services that do device-layer analysis catch it.

Getting started with Sentinel

The free tier at sntlhq.com/signup includes residential proxy detection — a capability most paid competitors don't offer at all. 1,000 requests/hour, no credit card. Pair it with the browserTampering signal from the device-intel endpoint for compound detection.