Risk Engine

IP & VPN Tracking for Prop Firms

Real-time VPN, proxy, and TOR detection with IP reputation scoring, geo-restriction enforcement, and shared-IP multi-account flagging — every login screened before access is granted to your prop firm platform.

99.9% VPN Detection Rate
<50ms IP Screening Time
190+ Countries Mapped
VPN Access Blocked
IP Reputation: High Risk
IP Screening Log — Live
185.220.101.x Netherlands TOR Exit
104.21.14.x United States VPN (NordVPN)
91.108.4.x Russia Geo-Restricted
94.103.92.x Germany Proxy (Datacenter)
82.46.19.x United Kingdom Clean (Residential)

Capabilities

Every Network Threat Vector Screened

VPN, proxy, TOR, datacenter routing, geo-restriction, and shared-IP clustering — every login evaluated before access reaches your platform.

VPN Provider Detection

Cross-reference login IPs against a continuously updated database of 1,000+ VPN provider IP ranges — NordVPN, ExpressVPN, Mullvad, Surfshark, and commercial VPN infrastructure detected on first connection.

TOR Exit Node Blocking

Real-time lookup against the official TOR exit node consensus and extended relay lists. All TOR-routed logins are blocked instantly — with the block reason logged against the account for compliance audit.

Datacenter & Proxy Detection

Distinguish residential IPs from datacenter-hosted proxies, cloud server IPs (AWS, GCP, Azure), and commercial proxy services. Datacenter IPs are flagged and optionally blocked — configurable by account type and risk tier.

Geo-Restriction Enforcement

Block or flag logins from sanctioned countries, restricted jurisdictions, or territories excluded from your terms of service. Country-level controls with sub-region granularity for complex regulatory requirements.

Threat Coverage

What We Detect & Block

Six distinct network threat categories — each with independent detection logic, configurable enforcement, and dedicated audit logging.

VPN
Commercial VPN Services
Logins routed through consumer VPN providers — NordVPN, ExpressVPN, Surfshark, PIA, Mullvad, and 1,000+ more. Database updated daily with new provider IP ranges and server additions.
Proxy
Datacenter & Residential Proxies
HTTP, SOCKS4, and SOCKS5 proxies hosted in commercial datacenters or on residential proxy networks (LimeProxies, Smartproxy, Bright Data). Identified by ASN classification and abuse-score databases.
TOR
TOR Network Exit Nodes
All TOR relay exit nodes listed in the official consensus and community-maintained extended lists. Checked in real time on every login — new TOR exit node registrations propagated within minutes.
Geo
Sanctioned & Restricted Jurisdictions
OFAC-sanctioned countries, FATF grey/black list jurisdictions, and custom-restricted territories configured per your regulatory requirements. Logins from these locations blocked at authentication before platform access.
Shared IP
Multi-Account Shared Access
Three or more distinct accounts logging in from the same IP address within a configurable time window — flagged as a potential account farm or credential-sharing operation, integrated with the Multi-Account Behavior module.
Reputation
High-Risk IP Reputation
IPs with documented abuse history — previous fraud incidents, bot traffic, spam sending, or malware hosting — scored via aggregated reputation databases and weighted into the account's overall risk profile.

How It Works

Every Login Screened in Under 50ms

A layered network intelligence pipeline — lookup, score, enforce — before the dashboard even loads.

1. IP Extraction on Login

The client IP is extracted on every authentication event — account login, API call, and trading platform connection. Both IPv4 and IPv6 are supported, with proxy header inspection to detect X-Forwarded-For spoofing attempts.

2. Multi-Database Lookup

The IP is simultaneously queried against VPN provider ranges, TOR exit node lists, datacenter ASN databases, abuse reputation feeds, and geo-location databases — all in parallel within the 50ms window.

3. Risk Score Calculation

Results from all lookups are aggregated into a composite IP risk score (0–100). VPN and TOR detections score immediately critical; datacenter IPs score high; residential IPs with abuse history score medium based on severity.

4. Geo & Sanction Check

The resolved country is checked against your configured restriction list and the global OFAC/FATF sanction lists. Mismatches between claimed jurisdiction and IP geolocation are flagged as potential KYC circumvention attempts.

5. Shared-IP Account Cluster Check

The IP is compared against the login history of all accounts in your firm. If 3+ accounts share the same IP within your configured time window, a shared-access flag is raised and passed to the Multi-Account Behavior module.

6. Enforcement & Audit

Based on the composite score and your configured thresholds, the login is allowed, warned, blocked, or escalated to the operator review queue. Every decision is written to the immutable IP audit log with full signal detail.
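
Steps 1 and 5 above, sketched as an added example (this is not FXPropTech's code): the client IP is taken from X-Forwarded-For only when the request arrives through a trusted proxy, then fed to a sliding-window shared-IP check. The trusted-proxy range, the one-hour window, and every name here are assumptions; the IPs and account IDs are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: only our own load balancers (this range) may append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff):
    """Return (client_ip, xff_suspect) for one request."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return peer, bool(xff)             # direct connection: header is client-written
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: the first hop we do not operate is the real client.
    for i in range(len(hops) - 1, -1, -1):
        try:
            ip = ipaddress.ip_address(hops[i])
        except ValueError:
            return peer, True              # malformed entry, fall back to the peer
        if not is_trusted(ip):
            return ip, i > 0               # anything further left is client-supplied
    return peer, False

class SharedIpTracker:
    """Flag an IP once min_accounts distinct accounts log in within window_s seconds."""
    def __init__(self, window_s=3600, min_accounts=3):
        self.window_s, self.min_accounts = window_s, min_accounts
        self.events = defaultdict(deque)   # ip -> (timestamp, account), oldest first
    def record(self, ip, account, ts):     # ts must be non-decreasing per IP
        q = self.events[str(ip)]
        q.append((ts, account))
        while q[0][0] < ts - self.window_s:
            q.popleft()                    # drop logins that left the window
        accounts = sorted({a for _, a in q})
        return accounts if len(accounts) >= self.min_accounts else []

def screen(logins):                        # logins: (ts, account, remote_addr, xff)
    tracker, out = SharedIpTracker(), []
    for ts, account, remote_addr, xff in logins:
        ip, suspect = client_ip(remote_addr, xff)
        out.append((account, str(ip), suspect, tracker.record(ip, account, ts)))
    return out

# Constructed sample logins (documentation-range IPs, made-up account IDs).
SAMPLE = [(0, "A", "10.0.0.5", "203.0.113.7"),
          (100, "B", "10.0.0.5", "192.0.2.1, 203.0.113.7"),
          (200, "C", "10.0.0.5", "203.0.113.7, 10.0.0.9"),
          (5000, "D", "10.0.0.5", "203.0.113.7")]
```

Account B's forged leftmost entry is ignored and marked suspect, account C's login raises the three-account flag, and account D arrives after the window has expired.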

IP / VPN Risk Dashboard
Account #5512 — 185.220.101.x | TOR Exit | Blocked
Account #8841 — 104.21.14.x | VPN Score: 98 | Blocked
Account #7701 — 91.108.4.x | Geo: Restricted | Blocked
Account #3305 — 94.103.92.x | Datacenter IP | Flagged
Account #1101 — 82.46.19.x | Risk Score: 3 | Clean

Full Control

Your Policy. Your Thresholds.

Not every firm has the same geo policy or VPN tolerance. Configure every parameter from the admin panel — which countries to restrict, which IP types to allow, and what risk score triggers which action — per account tier.

  • Allow, warn, or block independently for VPN / TOR / Proxy / Geo threats
  • Different policies for challenge vs. funded — stricter enforcement at payout stage
  • Whitelist specific IPs or IP ranges — office IPs, institutional traders, support staff
  • Export full IP history per account — ready for KYC audits or regulatory requests

99.9% VPN / TOR Detection Accuracy Rate
<50ms IP Screening Time Per Login Event
190+ Countries & Territories Geo-Mapped
6 Threat Categories Screened Per Login

Frequently Asked Questions

IP & VPN Tracking FAQs

Everything you need to know about how FXPropTech screens network access and detects fraudulent IP activity in prop firm accounts.

Prop firms need IP and VPN tracking to prevent traders from bypassing geo-restrictions, hiding multi-account operations, circumventing KYC checks, and evading sanction screening. Without IP tracking, a single trader can operate multiple funded accounts from the same device and location while appearing to be separate individuals.

FXPropTech detects VPN provider connections, TOR exit node usage, datacenter and proxy IP routing, residential IP abuse, geo-restriction violations, shared-IP multi-account clusters, and jurisdiction mismatches between a trader's claimed location and their actual IP geolocation.

The system queries the connecting IP against continuously updated VPN provider ASN and IP range databases. When a match is found, a VPN signal is generated. VPN detections score immediately critical in the composite IP risk score, triggering the configured enforcement action — warn, block, or escalate.

Yes. TOR exit node IPs are checked in real time against the official TOR Project exit node list and supplementary threat intelligence feeds. TOR connections are scored as immediately critical and can be auto-blocked on login — preventing anonymous access to prop firm accounts entirely.

The resolved IP country is checked against operator-configured geo-restriction lists and global OFAC/FATF sanction lists. Mismatches between a trader's claimed KYC jurisdiction and their actual IP geolocation are flagged as potential KYC circumvention. Sanctioned country IPs are blocked automatically.

Shared-IP detection compares each login IP against the historical login records of all accounts in the firm. If 3 or more distinct accounts log in from the same IP address within the configured time window, a shared-access flag is raised and passed to the Multi-Account Behavior module for coordinated-trading analysis.

The full IP risk score — covering VPN, TOR, datacenter, abuse reputation, geolocation, sanction check, and shared-IP cluster lookup — runs in under 50 milliseconds on every login and API authentication event, ensuring zero perceptible latency for legitimate traders.

Yes. IP risk score thresholds that determine warn, block, or escalate actions can be configured independently per challenge phase (Phase 1, Phase 2, funded). This lets operators apply stricter screening during evaluation and adjust tolerance for funded accounts based on their risk appetite.

Get Started

Screen Every Login.
Allow Only Legitimate Access.

VPNs and proxies are used to bypass geo-restrictions, hide multi-account operations, and circumvent KYC. Deploy the IP tracking system and close those gaps before they become payouts.

99.9% VPN Detection
TOR Exit Blocking
Sub-50ms Screening
Full IP Audit Trail