Translated website for the LVCHA VPN | Image: Silent Push
A new report by Silent Push reveals how advanced traffic analysis can strip away the digital masks used by cybercriminals, exposing the true physical locations of threat actors who hide behind proxies and VPNs. The report highlights the power of “Traffic Origin,” a capability that analyzes network signals to pinpoint where a connection is actually coming from, rather than where it claims to be.
This technology offers a rare glimpse behind the curtain of modern cyberespionage, where North Korean IT workers and Russian-aligned actors often use residential proxies to blend in with legitimate traffic.
The core of the analysis revolves around distinguishing between a proxy server’s location and the actual source of the traffic. By analyzing proprietary global data, researchers can now identify the countries associated with an IP address’s true origin.
“This reveals the traffic’s true physical origin, not just where the proxy server sits,” the report explains.
This capability is particularly vital for detecting “insider threats” or fraudulent employees. For instance, North Korean IT workers often use residential proxies to masquerade as US-based freelancers. Traffic Origin can flag when an employee’s login, ostensibly from a home in Ohio, is actually being routed from a restricted region.
“Customers can also use Traffic Origin to automatically assess employee logins and identify when an IP address is masking traffic from an unexpected location or country of concern,” Silent Push notes.
The report provides a striking real-world example involving a VPN network with connections to conflict zones. Researchers tracked a specific IP address, 205.198.91[.]136, which outwardly appeared to be standard traffic. However, the Traffic Origin data told a different story.
“The Traffic Origin data for IP address 205.198.91[.]136 confirms it’s being used in Russian-occupied Eastern Ukraine,” the report states, identifying a cluster of activity in a highly sensitive geopolitical region.
The investigation didn’t stop there. By pivoting to another IP address in the same network, 194.147.16[.]244 (hosted on a UK network), researchers uncovered a global pattern of anomalous connections.
This single UK-based IP was facilitating traffic from a laundry list of high-risk locations: “Russia, China, Iran, and Myanmar,” along with “several in Bangladesh, a large cluster along the Kazakhstan-Kyrgyzstan border… and a new cluster near the Ukrainian border in Western Russia”.
This visualization of “traffic clusters” allows defenders to see beyond the single IP address and understand the broader infrastructure being used by threat actors to move data across borders.
Silent Push emphasizes that this approach complements existing threat intelligence. While residential proxy data helps identify what the IP is (e.g., a home router vs. a data center), Traffic Origin identifies who is driving the traffic.
“Together, these two solutions can help customers differentiate between innocuous residential IPs and those rented for criminal use globally,” the report concludes.
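The login-assessment use case described above, and the per-IP clustering behind the UK address, as an added example (not Silent Push's own tooling or API): the Python below assumes each login record has already been enriched with an `origin_country` field from a traffic-origin source; the sample records, the country list and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical policy list of ISO country codes the organisation treats as
# "countries of concern". Constructed for this example.
COUNTRIES_OF_CONCERN = {"KP", "RU", "IR", "CN", "MM"}

# Constructed login records. `ip_country` is the GeoIP country of the
# connecting address (where the proxy sits); `origin_country` is the country
# an assumed traffic-origin enrichment reports as the real source.
SAMPLE_LOGINS = [
    {"user": "alice", "ip": "198.51.100.10", "ip_country": "US", "origin_country": "US"},
    {"user": "bob",   "ip": "198.51.100.23", "ip_country": "US", "origin_country": "KP"},
    {"user": "carol", "ip": "203.0.113.5",   "ip_country": "GB", "origin_country": "RU"},
    {"user": "dave",  "ip": "203.0.113.5",   "ip_country": "GB", "origin_country": "CN"},
    {"user": "erin",  "ip": "203.0.113.5",   "ip_country": "GB", "origin_country": "IR"},
    {"user": "frank", "ip": "203.0.113.5",   "ip_country": "GB", "origin_country": "BD"},
    {"user": "grace", "ip": "203.0.113.5",   "ip_country": "GB", "origin_country": "KZ"},
]


def assess_login(ip_country, origin_country):
    """Return the reasons a single login deserves review (empty list = clean)."""
    if origin_country is None:
        # No origin data: treat as unknown rather than silently passing it.
        return ["origin_unknown"]
    reasons = []
    if origin_country != ip_country:
        reasons.append("origin_mismatch")        # proxy location != true origin
    if origin_country in COUNTRIES_OF_CONCERN:
        reasons.append("country_of_concern")
    return reasons


def flag_logins(logins):
    """Return only the records that have at least one review reason attached."""
    flagged = []
    for rec in logins:
        reasons = assess_login(rec["ip_country"], rec.get("origin_country"))
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def proxy_exit_candidates(logins, min_countries=3):
    """IPs fronting traffic from many distinct origin countries, i.e. the
    'traffic cluster' pattern: likely a shared proxy/VPN exit, not a home."""
    by_ip = defaultdict(set)
    for rec in logins:
        if rec.get("origin_country"):
            by_ip[rec["ip"]].add(rec["origin_country"])
    return {ip: sorted(cs) for ip, cs in by_ip.items() if len(cs) >= min_countries}
```

A login from a US residential IP whose origin is elsewhere is flagged on its own, while the single GB address only stands out once its logins are aggregated.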