Datacenter IP bans — AWS, DigitalOcean, OVH — are no longer effective. The modern fraudster operates from your neighbor's living room.
Over the last six months, our intelligence network has tracked the rapid expansion of "ShadowNode" — an underground commercial proxy service selling access to millions of hijacked residential IP addresses across 190+ countries.
How ShadowNode Works
Threat actors distribute "free VPNs" or pirated software containing a silent background SDK. This SDK turns the victim's home internet connection into a proxy exit node. Fraudsters then pay ShadowNode $3–8/GB to route their attacks through these Comcast, AT&T, and Vodafone IPs.
Network Scale
Networks like ShadowNode operate at massive scale, routing traffic through millions of residential IPs across dozens of countries. These networks generate substantial revenue by selling clean residential exit nodes to fraud operators worldwide.
Detecting the Invisible
Sentinel defeats ShadowNode by analyzing behavioral and protocol signals rather than IP reputation. We flag TCP/IP stack mismatches, unusual MTU sizes, and cross-network velocity patterns. Additionally, ShadowNode nodes share subtle timing signatures in their TLS handshakes, which Sentinel's ML models flag with high accuracy.
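The three network signals named above (TCP/IP stack mismatch, unusual MTU, cross-network velocity) can be expressed as simple rules over per-session records. This is an added example, not Sentinel's code: the record fields, thresholds, TTL table and sample sessions are constructed assumptions, and the TLS timing signal is not modeled.

```python
from collections import defaultdict
# All constants are assumptions for this example, not vendor values.
INITIAL_TTL = {"windows": 128, "android": 64, "ios": 64, "macos": 64, "linux": 64}
COMMON_MTUS = {1500, 1492}      # Ethernet and PPPoE
WINDOW, MAX_ASNS = 3600, 3      # per-account velocity limit: 3 networks per hour
UA_HINTS = (("windows", "windows"), ("android", "android"), ("iphone", "ios"),
            ("mac os x", "macos"), ("linux", "linux"))  # order matters

def claimed_os(user_agent):
    """OS family the client claims in its User-Agent, or None."""
    ua = user_agent.lower()
    return next((fam for hint, fam in UA_HINTS if hint in ua), None)

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial TTL."""
    return next(t for t in (64, 128, 255) if observed <= t)

def score_sessions(sessions):
    """Return {session id: [signals]} for sessions that raise any signal."""
    flags, history = defaultdict(list), defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["ts"]):
        os_family = claimed_os(s["user_agent"])
        # A proxy exit node opens its own TCP connection, so the SYN reflects
        # the node's OS while the User-Agent reflects the client behind it.
        if os_family and INITIAL_TTL[os_family] != initial_ttl(s["syn_ttl"]):
            flags[s["id"]].append("stack_mismatch")
        if s["syn_mss"] + 40 not in COMMON_MTUS:    # IPv4: MTU = MSS + 40
            flags[s["id"]].append("unusual_mtu")
        recent = [(t, a) for t, a in history[s["account"]] if s["ts"] - t <= WINDOW]
        recent.append((s["ts"], s["asn"]))
        history[s["account"]] = recent
        if len({asn for _, asn in recent}) > MAX_ASNS:
            flags[s["id"]].append("cross_network_velocity")
    return dict(flags)

WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
# Constructed sessions; ASNs are taken from the private-use range.
FIELDS = ("id", "account", "ts", "asn", "user_agent", "syn_ttl", "syn_mss")
ROWS = [
    ("s1", "alice", 0, 64512, WIN, 116, 1460),   # consistent Windows host
    ("s2", "bob", 10, 64513, WIN, 52, 1460),     # Windows UA, 64-family TTL
    ("s3", "carol", 20, 64514, IOS, 55, 1360),   # path MTU of 1400
    ("s4", "dave", 100, 64520, WIN, 120, 1460),
    ("s5", "dave", 200, 64521, WIN, 120, 1460),
    ("s6", "dave", 300, 64522, WIN, 120, 1460),
    ("s7", "dave", 400, 64523, WIN, 120, 1460),  # fourth network in an hour
]
SESSIONS = [dict(zip(FIELDS, row)) for row in ROWS]
```

Each rule alone is a weak indicator (mobile carriers and VPN users also produce odd MTUs), so in practice the signals feed a combined score rather than a block decision.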