How Fraudsters Use Proxies to Bypass KYC Checks

AntiProxies Team

Know Your Customer checks exist for a reason. Regulators in banking, crypto, gambling, and a growing list of other industries require platforms to verify that users are who they claim to be - to prevent money laundering, sanctions evasion, fraud, and underage access. The problem is that the infrastructure fraudsters use to circumvent these checks has become as sophisticated as the checks themselves. At the center of that infrastructure is the proxy.

What KYC is actually trying to do

KYC verification typically involves a few overlapping checks: confirming a user's identity through government-issued documents, matching that identity to a real person through liveness detection or selfie comparison, verifying that the person is located in a permitted jurisdiction, and screening against sanctions and watchlists. Each step is designed to answer a question: Is this a real person? Are they who they claim to be? Are they allowed to use this service from where they're connecting?

Proxies attack the third question most directly. When a fraudster routes their connection through a residential proxy in a permitted country, the platform sees an IP address belonging to a legitimate local ISP. The geolocation check passes. The jurisdiction appears clean. The compliance system has no reason to flag the connection - and the fraud moves to the next step.

Geo-spoofing: bypassing jurisdiction restrictions

Many regulated platforms are licensed to operate only in specific countries. A crypto exchange licensed in the EU cannot legally onboard users from sanctioned jurisdictions. A gambling platform licensed in the UK cannot accept players from the United States. A financial services app may be restricted to certain states or regions within a country.

Geo-blocking based on IP address is the standard mechanism for enforcing these restrictions. And residential proxies break it entirely.

Unlike datacenter proxies - which are relatively easy to identify because they originate from cloud infrastructure with no residential customers - residential proxies route traffic through IP addresses assigned to real household internet connections. These IPs belong to real ISPs, appear in real geographic locations, and show no distinguishing technical characteristics that separate them from a legitimate user. When someone in a restricted jurisdiction connects through a residential proxy with a UK exit node, the platform's geolocation sees a UK residential IP. The restriction is bypassed.

Backconnect proxies extend this capability further. Instead of maintaining a fixed exit IP, backconnect systems rotate through thousands of residential addresses automatically, often changing IP with each new request. This means a single fraudster can appear to be connecting from a different UK residential address on every page load, eliminating the possibility of flagging based on repeated use of the same proxy exit node.

The multi-account KYC problem

For platforms that limit one account per verified user, the goal of KYC fraud shifts: not just to pass verification once, but to pass it many times under different identities. This is where proxies combine with document fraud to create a scalable operation.

The workflow looks like this. A fraudster acquires a set of synthetic or stolen identities - either fabricated documents, real documents belonging to other people, or documents from identity theft victims. For each identity, they need a registration that appears to come from a distinct person in a distinct location. Residential proxies provide the location diversity. Each account registers from a different IP, a different apparent city, a different ISP. Combined with a fresh device fingerprint and a new email address, each registration looks like a distinct individual.

The KYC step then verifies the identity document - but the document itself is either stolen, fabricated, or belongs to a real person who was paid a small fee to complete verification on behalf of the fraudster. Services that sell "KYC-passed accounts" on underground markets often use exactly this model: recruit real people to complete verification, then sell the verified account to the end user.

In crypto markets specifically, verified accounts are a commodity. A freshly KYC-verified account on a major exchange sells for $50-300 depending on the platform and account age. The economics work because verified accounts enable much larger transactions than unverified ones, and they provide a layer of identity separation for moving illicit funds.

Industries most exposed

While any regulated platform with KYC requirements faces this threat, some verticals are disproportionately targeted:

  • Cryptocurrency exchanges: Crypto is the highest-value target. KYC bypass allows sanctioned individuals to trade, enables multi-accounting for bonus abuse, and provides clean accounts for layering illicit funds. Regulatory pressure has pushed exchanges to strengthen KYC, but the arms race continues.
  • Online gambling: Gambling platforms face jurisdiction restrictions, age verification requirements, and responsible gambling obligations. Fraudsters bypass geo-blocks to access platforms unavailable in their region, and use proxy-assisted multi-accounting to claim welcome bonuses repeatedly.
  • Neobanks and fintech: Digital-first financial services face aggressive account opening fraud. A fraudster who passes KYC on a neobank can obtain a real payment card, IBAN, or credit line under a synthetic identity, then exhaust the credit or use the account for money mule operations.
  • Buy Now, Pay Later: BNPL providers rely on KYC to extend credit responsibly. Fraudsters who pass verification under a synthetic identity access short-term credit they never intend to repay, then disappear before collections begin.
  • Age-restricted platforms: Streaming services, adult content platforms, and age-gated marketplaces use KYC or age verification to comply with regulations. Proxy-assisted account creation lets underage users or bulk account operators bypass these controls.

What proxy detection catches - and what it doesn't

IP-based checks at the KYC stage are not a complete solution, but they're an important signal layer. The key is understanding what residential proxy detection can and cannot tell you.

What it catches: Residential proxy providers have measurable infrastructure. Their IP pools are built through peer-to-peer SDK injection into apps, router-level compromises, and willing participants selling their bandwidth. Security researchers and threat intelligence firms track these pools and maintain databases of known residential proxy IPs. An IP that has been observed routing proxy traffic - even if it appears residential - can be flagged as a proxy risk with high confidence.

What it misses: No database is complete. New residential proxy IPs enter pools continuously. Very fresh exit nodes won't appear in any blocklist. And a fraudster with a direct residential connection in a permitted jurisdiction - no proxy at all - poses the same geo-spoofing risk, whether they have physically relocated or are using a legitimate connection on behalf of a restricted person. IP reputation data catches proxy-assisted fraud; it doesn't catch a fraudster who happens to be physically present in the right location.

This means IP checks at KYC should be understood as one layer in a defense stack, not a standalone solution.

Detection signals that strengthen KYC

The most effective KYC fraud programs layer signals from multiple categories:

  • IP classification at onboarding: Check every KYC-stage IP against a comprehensive database of VPN endpoints, proxy exit nodes, Tor exit relays, and datacenter ranges. A legitimate user completing KYC from a residential connection has no reason to be routed through proxy infrastructure. Elevated risk scores at this stage should trigger enhanced verification steps rather than automatic rejection.
  • ASN and ISP analysis: Even when a specific IP isn't in a proxy database, the autonomous system and ISP it belongs to provide context. An IP from a hosting provider that also operates a large proxy network carries higher risk than one from a regional consumer ISP with no proxy business.
  • Connection consistency: KYC flows involve multiple steps over several minutes. A legitimate user maintains a consistent IP and network throughout. Connections that change IP mid-session, show unusual latency patterns, or exhibit TCP/IP characteristics inconsistent with their claimed ISP are worth flagging.
  • Device fingerprint matching: Browser fingerprinting across KYC sessions can reveal clusters of "different users" who share deep technical characteristics - the same fonts, GPU rendering behavior, or audio context output. These clusters suggest the same physical device is being used for multiple verifications, regardless of what the proxy layer is doing to the IP.
  • Velocity and timing: Legitimate KYC completions are distributed naturally through time and geography. A platform that processes 10 new KYC verifications per hour doesn't expect 80 in a single burst, each from a different apparent location. Velocity spikes are a strong signal of coordinated batch operations.
  • Email domain risk: The email addresses associated with KYC accounts are an independent signal. Addresses from disposable email providers, auto-generated patterns, or freshly registered domains indicate accounts that weren't created for genuine long-term use.

The layered KYC defense model

Treating KYC as a binary pass/fail gate is the wrong mental model. The more useful frame is a risk-scoring system that accumulates signals and determines the level of scrutiny each application receives.

A low-risk applicant - clean residential IP, established email domain, device fingerprint with no recent matches, normal behavioral timing - flows through standard KYC. A medium-risk applicant - VPN IP, webmail address, slightly fast form completion - receives a step-up: additional document verification, liveness check, or manual review. A high-risk applicant - known proxy IP, disposable email, burst timing, fingerprint matching three recent applications - gets rejected or placed in a hold queue.

This model limits both fraud exposure and false positive rates. Most legitimate users have clean signals and experience no friction. Fraud attempts cluster at the high-risk end where the cost of each additional verification step erodes the economics of bulk operations.
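The scoring model above, together with the fingerprint, velocity and connection-consistency signals from the previous section, as an added sketch that is not AntiProxies code. The weights, thresholds, tier names and record fields are all assumptions, and `ip_class` and `email_class` are taken as the output of earlier database lookups.

```python
from datetime import datetime, timedelta

# All weights, thresholds and field names are assumptions made for this example.
IP_WEIGHT = {"residential": 0, "vpn": 25, "datacenter": 35, "tor": 50, "proxy": 50}
EMAIL_WEIGHT = {"established": 0, "webmail": 10, "disposable": 30}
WINDOW = timedelta(hours=1)   # look-back for velocity and fingerprint reuse
BASELINE_PER_HOUR = 10        # normal KYC volume for this hypothetical platform

def assess(app, history):
    """Score one application against earlier ones; return (score, tier, reasons)."""
    recent = [h for h in history if timedelta(0) <= app["ts"] - h["ts"] <= WINDOW]
    score, reasons = 0, []

    def add(points, reason):
        nonlocal score
        if points:
            score += points
            reasons.append(reason)
    add(IP_WEIGHT[app["ip_class"]], "ip:" + app["ip_class"])
    add(EMAIL_WEIGHT[app["email_class"]], "email:" + app["email_class"])
    # Same device fingerprint seen on other recent applications, whatever their IP.
    reuse = sum(1 for h in recent if h["fingerprint"] == app["fingerprint"])
    add(min(reuse, 3) * 15, f"fingerprint_reuse:{reuse}")
    # Burst: recent volume at least 3x the hourly baseline.
    add(20 if len(recent) >= 3 * BASELINE_PER_HOUR else 0, "velocity_burst")
    # A KYC flow should keep one IP from first step to last.
    add(20 if len(set(app["session_ips"])) > 1 else 0, "ip_changed_mid_session")
    add(10 if app["form_seconds"] < 30 else 0, "fast_form")

    tier = "standard" if score < 30 else "step_up" if score < 70 else "hold"
    return score, tier, reasons

# Constructed sample data: 40 applications in 40 minutes, three sharing a fingerprint.
T0 = datetime(2024, 1, 1, 12, 0)
HISTORY = [{"ts": T0 + timedelta(minutes=i), "fingerprint": "fp-A" if i < 3 else f"fp-{i}"}
           for i in range(40)]

def applicant(ts, ip_class, email_class, fingerprint, session_ips, form_seconds):
    return dict(ts=ts, ip_class=ip_class, email_class=email_class,
                fingerprint=fingerprint, session_ips=session_ips, form_seconds=form_seconds)

LOW = applicant(T0 - timedelta(hours=3), "residential", "established", "fp-x", ["198.51.100.7"], 140)
MEDIUM = applicant(T0 - timedelta(hours=3), "vpn", "webmail", "fp-y", ["203.0.113.9"], 25)
HIGH = applicant(T0 + timedelta(minutes=41), "proxy", "disposable", "fp-A",
                 ["192.0.2.1", "192.0.2.77"], 12)

if __name__ == "__main__":
    for name, app in (("low", LOW), ("medium", MEDIUM), ("high", HIGH)):
        print(name, assess(app, HISTORY))
```

Returning the list of reasons alongside the tier gives a manual reviewer the signals behind each step-up or hold decision.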

How AntiProxies fits into KYC fraud prevention

Two of the six detection signals above - IP classification and email domain risk - are directly covered by the AntiProxies database. Our IP intelligence dataset classifies addresses across VPN, proxy, Tor, datacenter, and residential proxy categories, with monthly updates that track new infrastructure as it emerges. The email intelligence layer flags disposable providers and high-risk domain patterns at registration.

For KYC flows specifically, local database lookups matter more than in most contexts. KYC is a high-stakes, latency-sensitive step where users expect a response in seconds. Introducing a round-trip API call to an external vendor adds latency, creates an external dependency, and raises data-sharing questions that compliance teams rightly scrutinize. With AntiProxies running locally in your infrastructure, lookups resolve in microseconds, there's no third-party sharing of applicant data, and the system stays operational even when external services experience outages.

If your platform operates under KYC requirements and you're seeing geo-spoofing, multi-account abuse, or identity fraud at the onboarding step, the proxy and email intelligence layers are the highest-ROI additions to your detection stack. Explore our feature overview and pricing, or review our VPN and proxy detection and disposable email detection pages for implementation details.