How does BigShield detect fake signups?

BigShield uses multiple signals including format validation, burner/disposable domain detection (945+ known providers), MX record checks, domain reputation analysis, and SMTP verification to produce a 0-100 risk score for every email address.

How fast is the email validation API?

Tier-1 signals (format, domain, burner detection, MX records) return in under 100ms — fast enough for inline signup validation without impacting user experience.

How much can I save by blocking fake signups?

Up to 40% of signups on AI and SaaS platforms use fake or disposable emails. A single abusive account can consume $5-50 in AI tokens. Email validation costs pennies per check, potentially saving thousands in wasted compute.

What programming languages are supported?

BigShield provides 5 official SDKs for TypeScript/Node.js, Python, PHP, Ruby, and Go. All SDKs include typed responses, automatic retries with exponential backoff, and typed error classes. The REST API can also be called from any language using standard HTTP requests with Bearer token authentication.

Can I create custom validation rules?

Yes. BigShield includes a custom rules engine with 6 rule types (domain block/allow, email pattern, IP range, country, and risk threshold), 4 actions (block, allow, review, require verification), and priority ordering. Rules can be managed via the dashboard or the API.

Industry7 min readMay 26, 2026

Which VPN Providers Have the Highest Abuse Rates? A Data-Driven Analysis

We analyzed millions of signups to determine which VPN providers, residential proxies, and mobile proxy networks show the highest fraud signal rates.

Not All VPNs Are Created Equal

VPN usage is not inherently suspicious. Millions of people use VPNs daily for legitimate privacy and security reasons. But when you are running a signup flow and trying to distinguish legitimate users from fraudsters, VPN traffic deserves extra scrutiny.

The challenge is that different VPN providers have wildly different abuse profiles. A signup from a Mullvad exit node carries a different risk weight than one from a free VPN app that monetizes through sketchy partnerships. And residential proxy networks are an entirely different animal.

We analyzed 4.7 million signups processed through BigShield in Q1 2026 that were associated with VPN, proxy, or anonymizing infrastructure. Here is what the data shows.

Commercial VPN Providers: Abuse by Tier

We categorized VPN providers into tiers based on their pricing, reputation, and privacy policies. The fraud signal rates vary enormously.

Premium VPNs (Mullvad, ProtonVPN, IVPN)

Fraud signal rate: 6.2%

Premium, privacy-focused VPNs have the lowest abuse rates among VPN traffic. This makes sense. These services cost $5-10/month, they do not offer free tiers, and their user base skews toward privacy-conscious professionals rather than people trying to create thousands of fake accounts. When we see fraud from these IPs, it tends to be individuals rather than large-scale operations.

Mid-Tier VPNs (NordVPN, ExpressVPN, Surfshark)

Fraud signal rate: 14.8%

The major consumer VPNs sit in the middle. Their large user bases include both legitimate users and a meaningful number of bad actors. Their pricing is accessible ($3-8/month with annual plans), and features like multi-hop routing and obfuscated servers make them attractive for fraud operations that need basic anonymization without investing in premium infrastructure.

Budget and Free VPNs (Hola, SuperVPN, TurboVPN, various mobile-only apps)

Fraud signal rate: 38.4%

Free and ultra-cheap VPNs have dramatically higher abuse rates. Many of these services monetize by selling user bandwidth as residential proxy infrastructure, which creates a feedback loop where the same network is used for both legitimate VPN users and proxy-based fraud. The fraud from these networks tends to be high-volume, automated, and unsophisticated.

The Real Problem: Residential Proxies

If commercial VPNs are the visible part of the iceberg, residential proxy networks are the mass below the waterline. These services route traffic through real residential IP addresses, making traditional VPN detection almost useless.

Residential proxies are the infrastructure of choice for professional fraud operations in 2026. Here is why, and how their abuse rates compare:

Major Residential Proxy Networks

We identified traffic from the five largest residential proxy networks in our Q1 data. The results are striking:

Bright Data (formerly Luminati): 41.3% fraud signal rate across 287K associated signups. As the largest player with enterprise pricing, Bright Data attracts sophisticated operations.
Oxylabs: 36.7% fraud signal rate across 198K signups. Similar profile to Bright Data, slightly lower volume in our dataset.
SOAX: 44.1% fraud signal rate across 94K signups. Smaller pool but higher concentration of abuse.
IPRoyal: 52.8% fraud signal rate across 156K signups. Their lower price point ($1.75/GB) makes them accessible to less capitalized fraud operations.
PacketStream: 58.3% fraud signal rate across 71K signups. The peer-to-peer model and low cost attract the highest proportion of abusive traffic.

The overall residential proxy fraud signal rate is 44.6%, nearly three times the rate of mid-tier commercial VPNs. For a deeper look at how BigShield detects these, see our article on IP reputation scoring for datacenters, proxies, and VPNs.

The Rise of Mobile Proxy Networks

The newest and fastest-growing category is mobile proxies. These route traffic through real mobile carrier IP addresses (4G/5G), making them extremely difficult to detect through traditional means. Carrier-grade NAT means thousands of legitimate users share the same IP blocks, so you cannot simply blocklist them.

Mobile proxies have exploded in 2026 for a few reasons:

Detection difficulty: Blocking mobile carrier IPs would affect huge numbers of legitimate users
IP rotation: Mobile IPs rotate frequently, so reputation databases struggle to keep up
Geographic authenticity: Mobile IPs are inherently "residential" and geolocate accurately to the carrier's service area
Growing supply: Apps that pay users to share their mobile bandwidth have proliferated, especially in developing markets

In our Q1 data, mobile proxy traffic showed a 39.2% fraud signal rate. The volume is still relatively small (about 8% of all proxy-associated signups) but growing at roughly 15% quarter over quarter.

Datacenter IPs: Still the Easiest to Catch

For comparison, plain datacenter IPs without any VPN or proxy overlay remain the easiest fraud vector to detect. Signups from AWS, Google Cloud, Azure, DigitalOcean, and similar providers have a fraud signal rate of 67.4% in our data. Very few legitimate users sign up for consumer products from a bare datacenter IP.

Most fraud operations have moved past using raw datacenter IPs for this exact reason. But we still see significant volume from them, particularly from less sophisticated operations and from automated scripts running on cloud infrastructure that did not bother to route through a proxy.

Detection Strategies by Proxy Type

Different proxy types require different detection approaches. Here is what works for each:

Commercial VPNs

Detected through IP range databases (most VPN providers use known IP blocks), WebRTC leak detection, and DNS leak analysis. Accuracy: approximately 92-96%.

Residential Proxies

Harder to detect by IP alone. Effective signals include connection fingerprinting (residential proxies often show datacenter-like TCP/IP stack characteristics despite having residential IPs), timing analysis (proxy routing adds latency patterns), and behavioral clustering (multiple "residential" signups from geographically diverse IPs but with identical behavioral patterns).

Mobile Proxies

The hardest category. Detection relies on carrier IP range identification combined with behavioral signals: signup velocity from a given IP range, timezone consistency checks, device fingerprint correlation, and pattern analysis across the signup cohort.

What This Means for Your Signup Flow

The key takeaway is that not all VPN traffic should be treated equally. A blanket "block all VPNs" policy would frustrate millions of legitimate privacy-conscious users while barely denting sophisticated fraud that uses residential and mobile proxies.

Instead, consider a tiered approach:

Premium VPN traffic: Apply a small risk score increase (5-10 points on a 100-point scale) but do not block. Most of this traffic is legitimate.
Consumer VPN traffic: Moderate risk increase (10-20 points). Require email verification but allow signup.
Free VPN and known-abuse networks: Significant risk increase (20-35 points). Consider additional verification steps.
Residential proxies: High risk increase (25-40 points). Cross-reference with behavioral signals before allowing.
Datacenter IPs: Very high risk (35-50 points). Should require strong additional verification unless your product specifically serves developers and infrastructure users.

This is exactly how BigShield's scoring works. We maintain continuously updated databases of VPN, proxy, and datacenter IP ranges, and we weight the risk based on the specific provider and network type. For more data on malicious infrastructure, check out our monthly report on top malicious domains.

Want to see how your signup traffic breaks down by proxy type? BigShield's API returns detailed IP intelligence including VPN provider identification, proxy type classification, and datacenter detection on every validation call. Try it free at bigshield.app.