Title: Bridging the Gaps in IP Geolocation: Strengthening Detection and Defense Against Cyber Threats

Authors:
Nalini Elkins, Outside the Stacks, Inc., nalini.elkins@outsidethestack.net
Mark Nguyen, Outside the Stacks, Inc., mark.nguyen@outsidethestack.net
Bill Jouris, Outside the Stacks, Inc., bill.jouris@outsidethestack.net

Submitted to: IAB Workshop on IP Address Geolocation (ip-geo), December 2025

Abstract

IP geolocation data is a critical tool in the arsenal of governments, financial institutions, and security platforms defending against cyber actors and transnational fraud that may be traced to specific geographic regions. However, the current mechanisms for identifying the geographic origin of IP traffic suffer from key gaps: poor accuracy, manipulation through anonymization techniques (e.g., VPNs, proxies), dynamic IP reassignment, and insufficient integration with threat intelligence. This paper briefly highlights how adversaries from North Korea, Iran, Russia, and China have exploited these weaknesses, including tactics such as remote-work deception, infrastructure hijacking, and cloud service abuse. We recommend redesigning geolocation strategies to include contextual risk modeling, endpoint verification, and multi-signal attribution.

1. Introduction

IP geolocation plays a foundational role in the security architectures used by financial institutions, national infrastructure, and cloud providers. It enables basic risk scoring, access control, fraud detection, and threat attribution. However, the ability to infer a meaningful physical or jurisdictional origin from an IP address is increasingly undermined by attackers who intentionally evade such controls. Geopolitical threat actors routinely bypass IP-geo-based defenses by leveraging global proxy networks, rented infrastructure, and compromised endpoints. Without improved mechanisms for detecting such obfuscation, critical sectors remain vulnerable to sophisticated intrusions masked by a plausible geographic origin.

2. Gaps in Current IP-Geolocation Mechanisms

2.1. Precision and Trust Deficiencies

Most IP geolocation databases rely on outdated heuristics, static mappings, or regional registries. These sources often lack the precision needed for enterprise risk decisions, especially when IPs are allocated to global cloud providers or mobile networks.

2.2. Anonymization and Proxy Networks

Cybercriminals and nation-state actors increasingly use residential proxy networks, rotating mobile IPs, or compromised servers. IPs linked to benign geographies (e.g., U.S. broadband or European mobile ISPs) are weaponized to evade scrutiny. The real origin is effectively masked.

2.3. Infrastructure Abuse and Rapid IP Churn

Attackers routinely change IPs via DHCP churn, leasing providers, or compromised hosting accounts. Once an IP is flagged as malicious, new infrastructure is spun up, often within hours. Threat actors like Russia's APT28 (Fancy Bear) and China's APT41 demonstrate this agility in their campaigns.

2.4. Misalignment Between Threat Feeds and Geo Systems

Threat intelligence feeds often contain valuable indicators, including known malicious IPs, but geolocation systems typically lack integration with these feeds. Additionally, feeds offer limited insight into context or the reuse of infrastructure across campaigns.

3. Recent Threat Examples Underscoring the Problem

3.1. North Korea – Remote Developer Infiltration

Between 2022 and 2024, North Korean operatives impersonated remote freelancers and gained access to U.S. financial and software firms. Using IPs from U.S.-based VPNs or residential proxies, they passed location checks and internal risk filters, exposing a critical failure of IP-geo systems.

3.2. Iran – Cloud Infrastructure Abuse

APT34 and MuddyWater, linked to Iranian intelligence, have hijacked legitimate hosting infrastructure and used rotating cloud IPs to conduct spear-phishing and credential theft against energy and financial targets. IPs resolved to major cloud providers across Europe and Asia, confounding basic geo-blocking defenses.

3.3. Russia – Credential Theft and VPN Laundering

Russian-linked APT28 and APT29 actors have leveraged public VPN services, residential proxies, and compromised routers to launch credential-harvesting operations against government agencies and critical infrastructure. Notably, several 2023 campaigns used IPs geolocated in NATO countries to avoid triggering geo-filters.

3.4. China – Strategic Espionage via Global Infrastructure

APT41, a China-based group, has conducted cyberespionage using global infrastructure rented through compromised accounts or commercial services. In 2024, they exploited Southeast Asian mobile ISPs to host staging servers, complicating attribution and geolocation.

These campaigns show that such actors often avoid IPs associated with their origin countries. Instead, they adopt infrastructure from trusted jurisdictions to gain access, avoid scrutiny, and persist inside target environments.

4. Recommendations for Future Approaches

4.1. Multi-Signal Risk Models

IP-geo alone is insufficient. Systems must incorporate signals such as ASN behavior, IP age, host reputation, TLS fingerprinting, and known abuse indicators. Cross-correlating these with behavioral telemetry improves threat attribution.

4.2. Endpoint and Session Verification

Strong geolocation should be complemented by device fingerprinting, location-aware authentication, enclave attestation, and behavioral analytics. Endpoint-based verification can reveal anomalies hidden by IP proxying.

4.3. Tight Integration with Threat Intelligence

Real-time threat feeds should be integrated directly into IP-geo engines. Rather than relying solely on location data, systems should weight reputation, velocity (e.g., logins from 5 countries in 10 minutes), and infrastructure lineage (e.g., reused C2 IPs).

4.4. Publish Confidence Scores and History

Geolocation APIs and datasets should include metadata about resolution confidence, IP reassignment history, and anomaly markers (e.g., rapid ASN changes). Consumers of the data can then make risk-adjusted decisions.

5. Conclusion

As adversaries evolve, IP address geolocation must evolve too. What was once a moderately reliable signal is now easily manipulated by sophisticated actors. We urge the IAB community to consider IP-geo as one component of a larger risk model, enriched by context, informed by threat intelligence, and anchored in endpoint verifiability. Redesigning geolocation frameworks around these principles will bolster defenses in sectors that depend on accurate, actionable threat attribution.

References

1. FBI-CISA Advisory (2023). North Korean IT Workers in Critical Infrastructure. https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/north-korea/publications
2. CISA Advisory (2024). Iranian Nation-State Actors Use Cloud for Persistent Access. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
3. State of New Jersey (2023). Russia's APT28 Cyber Threat Operations. https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/russia-cyber-threat-operations/russia-apt28
4. Recorded Future (2025). China's APT41 Exploits Google Calendar. https://therecord.media/china-linked-apt41-exploits-google-calendar-in-cyberattacks
5. U.S. Treasury (2022). Sanctions on Iran for Malign Cyber Activities. https://home.treasury.gov/news/press-releases/jy0941
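A worked illustration of the Section 4 recommendations (multi-signal scoring from 4.1, threat-feed integration and the "5 countries in 10 minutes" velocity check from 4.3, and the confidence/reassignment metadata from 4.4), added here as an example and not code from the paper or its authors. The geolocation records, threat feed, account history and weights are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed geolocation records (hypothetical, not a real provider's data). The
# "confidence", "asn_changes_30d" and "proxy" fields stand in for the metadata
# Section 4.4 asks geolocation APIs to publish alongside the country answer.
GEO = {
    "203.0.113.7":  {"country": "US", "confidence": 0.9, "asn_changes_30d": 0, "proxy": False},
    "198.51.100.9": {"country": "DE", "confidence": 0.4, "asn_changes_30d": 3, "proxy": True},
    "192.0.2.33":   {"country": "SG", "confidence": 0.7, "asn_changes_30d": 0, "proxy": False},
}
# Constructed threat feed (Section 4.3): IPs seen as C2 infrastructure in earlier campaigns.
THREAT_FEED = {"192.0.2.33"}

VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNTRIES = 5   # the paper's example: logins from 5 countries in 10 minutes

def velocity_exceeded(events, window=VELOCITY_WINDOW, threshold=VELOCITY_COUNTRIES):
    """events: (timestamp, country) pairs for one account, any order. True if some
    window-long span starting at an event holds >= threshold distinct countries."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        countries = {c for t, c in events[i:] if t - start <= window}
        if len(countries) >= threshold:
            return True
    return False

def score_login(ip, ts, prior_events):
    """Multi-signal risk score (0-100) for a login from `ip` at time `ts`, combining
    the geo record's own metadata, threat-feed membership and account velocity
    (Section 4.1). Weights are illustrative. Returns (score, reasons)."""
    geo = GEO.get(ip)
    if geo is None:
        return 50, ["no geolocation record"]   # an unknown origin is not "trusted"
    checks = [
        (geo["confidence"] < 0.5, 20, "low resolution confidence"),
        (geo["proxy"], 30, "proxy/VPN exit"),
        (geo["asn_changes_30d"] >= 2, 15, "rapid ASN reassignment"),
        (ip in THREAT_FEED, 40, "reused C2 IP in threat feed"),
        (velocity_exceeded(prior_events + [(ts, geo["country"])]), 35, "login velocity"),
    ]
    reasons = [reason for hit, _, reason in checks if hit]
    return min(100, sum(w for hit, w, _ in checks if hit)), reasons

T0 = datetime(2025, 12, 1, 9, 0)
# Constructed account history: four countries within eight minutes before the current login.
HISTORY = [(T0 + timedelta(minutes=m), c) for m, c in [(0, "US"), (2, "BR"), (4, "IN"), (8, "NG")]]

if __name__ == "__main__":
    print(score_login("198.51.100.9", T0 + timedelta(minutes=9), HISTORY))
```

The same login from the well-resolved U.S. address scores 0 because only four countries fall inside the window, while the low-confidence proxy exit that makes a fifth country scores 100; a country answer alone would treat both as "DE" or "US" and stop there.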