securityonline.info 2/11/2026, 1:15:46 AM

Unmasking the Proxy: Silent Push “Traffic Origin” Exposes True Actor Locations

A new report by Silent Push reveals how advanced traffic analysis can strip away the digital masks used by cybercriminals, exposing the true physical locations of threat actors who hide behind proxies and VPNs. The technology, called “Traffic Origin,” analyses network signals to pinpoint where a connection is actually coming from rather than where it claims to be, according to Silent Push.

The study notes that North Korean IT workers and Russian-aligned actors often use residential proxies to blend in with legitimate traffic. Traffic Origin helps identify when an employee login that appears to come from a home in Ohio is actually routed from a restricted region.

The report also provides a real-world example involving a VPN network with connections to conflict zones: the IP address 205.198.91[.]136 appears normal, but Traffic Origin shows it is being used in Russian-occupied Eastern Ukraine. Another UK-based IP, 194.147.16[.]244, revealed a global pattern of anomalous connections.

The findings emphasize that Traffic Origin, alongside existing threat intelligence, can help distinguish between benign residential IPs and those rented for criminal use globally, enabling better detection of insider threats and suspicious login activity.

Article by CyberSIXT