Residential Proxy Networks Are Enabling Account Takeover That Perimeter Controls Cannot See

Accertify, a fraud decisioning platform provider, has identified a sustained shift in account takeover (ATO) infrastructure: attackers are moving away from datacenter/hosting IPs and toward commodified residential proxy networks, allowing credential-stuffing and login-based attacks to pass through perimeter security without triggering velocity or reputation-based controls. Analysis of internal Accertify client data from 2024–2025 shows this pattern across six industries: retail, airlines, quick-service restaurants, online marketplaces, ticketing, and grocery. Individual attacks reached up to 12 million attempts and credential success rates of 1–2%, creating as many as 200,000 compromised victims per attack.

Attack pattern: Login attempts are distributed across large pools of residential IPs rather than concentrated through hosting services, which lease out large pools of IPs that allow traffic to be routed anonymously. As a result, no single source ever crosses a velocity threshold. Proxy pools can be geo-matched to a target’s customer base down to the state and postal code, making individual sessions indistinguishable from genuine local shoppers by IP alone.

Confirmed pattern: Accertify has observed residential proxy-enabled ATO attacks at far greater scale than many public examples suggest. In one documented attack on an online marketplace, login volume reached 300 transactions per second (TPS) at peak, arriving in waves of high-risk events. Within a 10-minute period, the attack used 14,864 unique IPs, with individual IPs scoring 99–100 on risk models yet almost never repeating: traffic was observed arriving from residential ISPs including T-Mobile, Cox, Charter, Verizon, and Comcast. Because no single IP approached a velocity threshold, the activity passed through the perimeter without triggering an alert.

Scale of the shift: Accertify’s dataset shows high-risk events with low per-IP usage rose 46% year-over-year, and the share of high-risk events with low per-IP usage increased from 57.5% to 84.1% compared to the prior year. Separately, 99.29% of IPs observed in the attack dataset carried a clean reputation with no prior fraud signal. High-risk events tied to heavily-reused IPs fell from 32% to 5.6% over a 13-month period, while high-risk transactions originating from hosting environments (e.g., AWS, Host Royale) dropped 61% year-over-year.

Infrastructure Source

Residential IP pools used in these attacks are rented by the gigabyte through commercial proxy-as-a-service marketplaces, which are marketed for legitimate uses such as ad verification but are used interchangeably by fraud actors. Much of the underlying IP inventory is sourced from SDKs embedded in free mobile apps and VPN services that monetize users’ bandwidth. Because the traffic originates from real consumer devices and networks, it does not carry the hosting-provider or datacenter signatures that origin-based detection relies on.

Attack Chain

The infrastructure supports a full ATO chain by distributing traffic widely across legitimate residential IP addresses, avoiding the need for a traditional low-and-slow attack pattern:

  1. Procure & arm: Credentials sourced from dark web markets are paired with a geo-matched residential proxy pool, allowing the attack to begin at scale without relying on repeated traffic from the same source.
  2. Credential stuffing: Breach lists are tested at volume against login endpoints. Because attempts are spread across a broad set of legitimate residential IP addresses, no velocity spike, hosting flag, or IP reputation flag is raised.
  1. Gain access: Confirmed accounts are ranked by value (loyalty balance, stored payment, gift card inventory) and handed off for monetization.

From a single point of access, observed monetization paths include:

  • Purchases charged to stored payment or loyalty balances and shipped to drop addresses
  • Compromised cards loaded onto the takeover account, where account history bypasses new-card fraud checks
  • Full loyalty balance transfers to actor-controlled accounts or resale on secondary markets
  • Point redemptions routed through third-party partner platforms, splitting losses between the originating brand and the partner

Why Perimeter and MFA Controls Aren’t The Full Answer

Perimeter tools are designed to sit in front of the application, where they must screen every visitor on every page load in microseconds. That architecture makes them effective for fast allow-or-deny decisions at the edge, but less suited to deeper cross-account pattern analysis that depends on backend fraud, transaction, loyalty, and post-authentication account activity.

Many might turn to Multi-Factor Authentication (MFA) as the solution. But MFA is not a complete control when attackers can create accounts using email addresses they control or gain access to the email tied to an account, allowing them to satisfy verification steps directly. For high-value accounts with stored payment, loyalty balances, or gift card inventory, attackers adapt by combining credential stuffing, account creation, phishing, and downstream monetization tactics that MFA alone is not designed to stop.

Closing the gap requires correlating perimeter and network signals with business-context data – including chargebacks, loyalty abuse, account changes, and cross-merchant ATO patterns – because IP reputation and page-load signals alone no longer provide reliable visibility into residential proxy-enabled attacks.

Recommendations for Security and Fraud Teams

  • Security teams should re-assess what percentage of authenticated logins are being measured for post-authentication risk, not just what is blocked at the perimeter.
  • Fraud teams should quantify ATO-driven chargeback volume and ensure it is shared back to security; if security does not have that number, the feedback loop between the two functions is not closed.
  • Both teams should reassess challenge/step-up authentication policies that rely on static, rules-based thresholds and create unnecessary friction for legitimate users. Adaptive friction should be deployed at key points in the user journey using behavioral and device signals combined with holistic fraud intelligence, rather than decisions based only on a single perimeter session.

Data cited is based on internal Accertify client data from 2024–2025.

 

 

More Recent Blog Posts

Executive Summary The retail and hospitality sectors operate on high-velocity human interaction, making their front lines a major target for sophisticated social engineering...

A New Class of Digital Operator Retail organizations are moving quickly to operationalize agentic AI to streamline customer service, create self-serve customer workflows,...

For years, fraud and cybersecurity have been treated as separate problems, owned by different teams and addressed with different tools. Fraud programs focused...