Financial institutions use IP geolocation for two critical functions: screening transactions against sanctioned jurisdictions, and flagging logins from unexpected locations. Both depend on the same underlying databases, which rely on self-reported data. Setting aside VPNs, which defeat IP geolocation by design and are used by 1 in 3 internet users, this brief documents the structural reasons the system fails even when no one is trying to evade it. Geolocation by IP address is becoming less accurate over time.
01 — Mechanism
How Traffic Routes And Why It Crosses Borders
When you go online, your internet provider assigns your device an IP address from a pool it controls. When you visit a website or an exchange, they see that IP and ask a database: "where is this person?" But the IP address contains no location; the IP is a routing label, not a coordinate. The database's answer comes from what the owner of that IP block declared: registration records and geofeed files that say "these addresses are in this country." If the declaration is wrong or outdated, the answer is wrong. IP geolocation is not a measurement of where someone is. It is an inference built on self-reported data — and the underlying protocol was never designed to encode location. IP addresses are used for geolocation not because the method works, but because GPS is trivial to spoof and often not available — no better passive signal existed.
CGNAT — CARRIER-GRADE NETWORK ADDRESS TRANSLATION
Mobile carriers place thousands of subscribers behind a single public IP. Cloudflare (Oct 2025): a single IPv4 address can represent hundreds or thousands of users. Geolocation under CGNAT reflects the carrier gateway location. This is standard mobile internet architecture globally.
The probability that a single transaction from a sanctioned jurisdiction is flagged by IP-based screening. Drag the sliders below to test your own assumptions.
02 — The maths
What Are The Odds You Catch Them?
The standard defence from compliance teams: "criminals use VPNs, they occasionally slip up, and when they do we catch them." The sliders below let you test that claim with your own assumptions. Set the VPN rate and the IP accuracy and see the probability that you'll catch the transaction.
VPN USAGE RATE AMONG SANCTIONED-JURISDICTION TRADERS
85%
85% assumes most sanctioned-jurisdiction users hide behind a VPN. Real-world VPN adoption may be lower (the Exodus/OFAC settlement, Dec 2025, showed Iranian users routinely connecting without VPNs). Lower VPN usage exposes more real IPs — but exposure only helps if the IP is accurate. Drag left to test: even at 60% VPN, detection barely improves because the IP itself points to the wrong country.
IP RESOLVES TO CORRECT COUNTRY WHEN REAL IP EXPOSED
65%
Mobile (4G/5G): CGNAT means databases geolocate the carrier gateway, not the device. MaxMind's own cellular accuracy within 250km: US 68% (1 in 3 wrong), Spain 43%, France 12%. Global average: 73% — excluding Iran, Syria, North Korea, and Cuba, where MaxMind publishes no data at all. Cellular IPs are consistently less accurate than broadband (Callejo et al.).
P(DETECTED PER TRANSACTION)
9.8%
~90% of sanctioned-jurisdiction transactions are not flagged.
THE EQUATION
p(detected) = (1 − VPN%) × IP_accuracy%
At defaults (85% VPN, 65% IP accuracy): only 15% of sessions expose a real IP. Of those, only 65% resolve to the correct country. Result: fewer than 1 in 10 transactions are flagged. Chainalysis (Mar 2026) reported $104B in crypto sanctions evasion in 2025, up 694% year-over-year, despite IP-based screening being standard at every major exchange.
Fixed broadband is the most accurate connection type: the cable ends at a known physical address. Mobile, VPN, and satellite traffic are the connection types most likely used in sanctions-risk geographies.
FIXED BROADBAND PENETRATION IN SANCTIONED COUNTRIES (ITU/WORLD BANK 2023)
OECD average: 36 fixed broadband subscriptions per 100 people. Most sanctioned populations connect primarily via mobile — the connection type with the lowest geolocation accuracy (see accuracy cards above).
The full landscape includes twelve sanctioned jurisdictions. The IP geolocation failure modes (CGNAT, database disagreement at borders, LEO satellite) apply with equal force to Syria, Venezuela, and Myanmar as to Iran and Belarus. Cuba is an outlier (island nation, different routing profile). UN/EU/UK programs extend to additional jurisdictions.
620km
Average disagreement between geolocation databases on where an IP address is located. Land borders between sanctioned and unsanctioned countries are narrower than this.
HOW CLOSE ARE SANCTIONED CITIES TO NON-SANCTIONED JURISDICTIONS?
IP geolocation is at its most accurate in the United States: dense infrastructure, well-maintained registries, static broadband IPs. Even there, MaxMind's own data shows only 66% city-level accuracy within 50km; one in three lookups places the user in the wrong city. A January 2026 GPS ground-truth study tested 10 commercial providers against 586 clean residential IPs (VPNs, proxies and datacentres filtered out — the best-case scenario). The best provider placed only 72.9% of lookups within 50km; the worst managed 60.2%. In sanctioned regions — where mobile dominates, infrastructure is sparse, and registries are poorly maintained — accuracy is substantially worse. MaxMind's own accuracy_radius field uses 100km as a published example. The cities below are within 100km of a non-sanctioned jurisdiction.
people in sanctioned jurisdictions live within 100km of a non-sanctioned jurisdiction
people in sanctioned jurisdictions live within 150km of a non-sanctioned jurisdiction
people in sanctioned jurisdictions live within 200km of a non-sanctioned jurisdiction
None of these people need a VPN to be misattributed by IP geolocation. Database disagreement alone exceeds these distances.
FALSE NEGATIVES — THE MIRROR PROBLEM
The same error works in reverse. The 620km average database disagreement exceeds every land border between a sanctioned and unsanctioned country. A user in Azerbaijan with an IP block recently reassigned from an Iranian range, or a Turkish border resident whose ISP serves both sides of the Syrian border, can resolve to sanctioned address space in one database while appearing correctly in another. These users are wrongly blocked from service — a compliance false positive that is also a detection false negative: the system spends enforcement resources on the wrong people while actual sanctioned-jurisdiction traffic passes through.
Population in unsanctioned countries within geolocation error band of a sanctioned border. Sources: UN DESA 2024, national census data, ITU. North Korea excluded (no public internet, no IP addresses to resolve to).
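One way a screening pipeline can treat the database disagreement described above as a signal instead of trusting a single answer, shown as an added example that is not part of the original brief. The database names, coordinates, thresholds and the `SANCTIONED` subset are constructed assumptions, and `accuracy_radius` is taken to be in kilometres.

```python
import math
from itertools import combinations

# Assumption: illustrative subset of sanctioned country codes, not a complete list.
SANCTIONED = {"IR", "SY", "KP", "CU"}

# Constructed answers for one IP from three hypothetical databases (radius in km).
SAMPLE = [
    {"db": "db_a", "country": "AZ", "lat": 40.41, "lon": 49.87, "accuracy_radius": 50},
    {"db": "db_b", "country": "IR", "lat": 38.08, "lon": 46.29, "accuracy_radius": 200},
    {"db": "db_c", "country": "AZ", "lat": 40.38, "lon": 49.89, "accuracy_radius": 100},
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def spread_km(answers):
    """Largest pairwise distance between the points the databases return."""
    pts = [(a["lat"], a["lon"]) for a in answers]
    return max((haversine_km(p, q) for p, q in combinations(pts, 2)), default=0.0)


def screen(answers, max_spread=100.0, max_radius=100.0):
    """Return (decision, reasons). 'no_flag' means no IP signal, not a verified location."""
    if not answers:
        return "review", ["no geolocation data for this IP"]
    countries = {a["country"] for a in answers}
    reasons = []
    if len(countries) > 1:
        reasons.append("country mismatch: " + ",".join(sorted(countries)))
    if spread_km(answers) > max_spread:
        reasons.append(f"databases {spread_km(answers):.0f} km apart")
    if any(a["accuracy_radius"] > max_radius for a in answers):
        reasons.append("accuracy_radius wider than threshold")
    if countries <= SANCTIONED:  # every source places the IP in a sanctioned country
        return "flag", reasons
    return ("review" if reasons else "no_flag"), reasons
```
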
06 — Why these inaccuracies persist
The IP Address Supply Chain
The primary inputs to IP geolocation databases are self-declared: the holder of an IP address selects a country in WHOIS records and publishes RFC 8805 geofeeds (CSV files that say "this prefix is in this country"). WHOIS has no verification process for geographic accuracy. Geofeeds are explicitly "self-published" — RFC 8805 itself says consumers MAY treat them as a hint only. Research confirms geofeeds contain 8% wrong country-level data and 20.4% wrong city-level data (IPinfo, 2025). Some providers attempt independent verification through active probing — pinging IP addresses from distributed servers and triangulating location from round-trip times — but this technique cannot reach most consumer devices, which sit behind NAT or carrier-grade NAT and drop unsolicited probes (Fainchtein & Sherr, 2024; RFC 8805). For the mobile IPs that dominate sanctioned-country traffic, databases fall back to the self-declared data.
ALLOCATION
Regional Internet Registry
ARIN, RIPE, or APNIC allocate ranges of IP addresses to organisations that apply and provide documentation.
→
SECONDARY MARKET
IP leasing company
Intermediaries (IPXO, LogicWeb, Heficed) buy or aggregate IP ranges from holders and rent them to customers.
→
COUNTRY SELECTED
Customer self-selects country
The customer chooses which country the IP range should appear to be in, from a dropdown menu provided by the IP leasing platform. The WHOIS record and geofeed CSV are updated to match.
→
DATABASES INGEST
MaxMind, IP2Location
Geolocation providers scrape geofeeds and WHOIS records. The self-declared country becomes the database "truth."
→
COMPLIANCE QUERIES
Exchange screens IP
Sanctions screening returns the self-declared location. A user in Tehran appears to be in Frankfurt.
NO PARTY IN THIS CHAIN VERIFIES WHETHER TRAFFIC ACTUALLY ORIGINATES FROM THE DECLARED COUNTRY
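The self-declared pipeline above can be made concrete with a short geofeed parser, added here as an illustration (not code from this brief or from any geolocation provider). It reads a constructed feed in the RFC 8805 layout, rejects malformed rows, and compares each declared country with a hypothetical independent observation; `MEASURED_COUNTRY`, the sample feed and all function names are assumptions.

```python
import csv
import io
import ipaddress

# Constructed geofeed in the RFC 8805 layout: prefix,alpha2code,region,city,postal_code.
# Prefixes are documentation ranges; the locations are illustrative only.
SAMPLE_GEOFEED = """\
# constructed sample, not a real feed
192.0.2.0/24,DE,DE-HE,Frankfurt am Main,
198.51.100.0/25,US,US-NY,New York,
2001:db8::/32,NL,,,
203.0.113.0/24,ZZZ,,,
not-a-prefix,DE,,,
"""

# Hypothetical independent observations (e.g. from latency probing), keyed by prefix.
MEASURED_COUNTRY = {"192.0.2.0/24": "IR", "198.51.100.0/25": "US"}


def parse_geofeed(text):
    """Return (entries, rejected); entries are (network, country, region, city)."""
    entries, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        prefix, country, region, city = ([f.strip() for f in row] + [""] * 4)[:4]
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            rejected.append((prefix, "bad prefix"))
            continue
        if country and not (len(country) == 2 and country.isalpha()):
            rejected.append((prefix, "bad country code"))
            continue
        entries.append((net, country.upper(), region, city))
    return entries, rejected


def declared_location(ip, entries):
    """Longest-prefix match: the most specific self-declared entry wins."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if e[0].version == addr.version and addr in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=None)


def conflicts(entries, measured):
    """Prefixes whose declared country differs from the independent observation."""
    return [(str(n), c, measured[str(n)]) for n, c, _, _ in entries
            if str(n) in measured and measured[str(n)] != c]
```

A feed row is accepted on syntax alone; only the comparison against a second, independently obtained signal says anything about whether the declared country is plausible.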
The economic incentive is to misrepresent location. An IP address geolocated to the United States or Germany has active lease demand on the secondary market. An IP address geolocated to Iran or Syria has none. IPv4 scarcity has created a leasing market where addresses flow entirely one-directionally toward commercially valuable regions, regardless of where the traffic actually originates. Major VPN providers source address space this way to offer exit nodes in 90+ countries without operating hardware in most of them (acid.vegas, 2026; Livadariu et al., ANRW 2020). The result: the same pipeline for self-reporting the geolocation of an IP address is actively used at scale to make IP addresses appear to be in countries where the provider operates no physical servers or network equipment.
Privacy-preserving relays. Apple iCloud Private Relay, commercial VPNs, and Cloudflare WARP route traffic through infrastructure that deliberately breaks the IP-to-location link. Databases must choose between geolocating the physical egress server or the logical user region, producing systematic inter-database disagreement across hundreds of millions of devices. iCloud Private Relay is bundled with every paid iCloud subscription — a user base numbering in the hundreds of millions — and requires no separate sign-up; any iPhone running a current OS with a paid iCloud plan can enable it in four taps. Apple's geohash truncation covers roughly 800 km²; a 2023 measurement study found median location errors exceeding 1,000 miles for IPv4 users in several countries, even though Apple explicitly publishes egress IP locations to help geolocation vendors stay current (Flynn, Bronzino & Schmitt, 2023; Apple, 2021).
Satellite internet breaks IP geolocation at every layer. The user connects to an orbiting satellite, which downlinks to a ground station, but the IP address does not resolve to the ground station. It resolves to the Point of Presence (PoP), a routing hub connected by terrestrial fiber. Pan et al. (Dec 2025) mapped 5.98 million Starlink routers and found the entire global network funnels through just 49 PoPs serving 165 countries. Users in countries with a local PoP (US, UK, Germany, Brazil, ~49 total) get ~95% country accuracy because traffic stays domestic. Users in the remaining 100+ countries route through foreign PoPs: Africa through Frankfurt, the Caribbean through Miami, the Pacific through Sydney. For these users, the IP address belongs to a server in a different country.
Starlink publishes a GeoFeed file that tells databases "this IP is actually in Kenya, not Germany," but the IETF (Nov 2025) found it is manually maintained, prone to errors, and databases cache it for days or weeks while Starlink shuffles IPs constantly. All sanctioned countries fall in the no-PoP tier.
Starlink went from zero to 10 million subscribers in four years on ~10,000 satellites. It has FCC authorisation for 42,000. Two more constellations are entering the market: Amazon Leo (7,774 satellites authorised, beta 2026) and Blue Origin's TeraWave (5,408 satellites, FCC filing January 2026). If all three deploy to plan: 55,000+ LEO satellites providing internet connectivity, a fivefold increase from today, all routing through a few dozen ground-based PoPs. Every new subscriber in a sanctioned country is another connection where IP geolocation depends on a manually updated spreadsheet.
DOCUMENTED SANCTIONS EVASION
2,500+
Starlink devices operating inside Myanmar scam compounds. Sanctioned jurisdiction, significant OFAC program. Wired identified more than 100 devices at a single facility. SpaceX confirmed and terminated them in October 2025.
None were flagged by IP geolocation. Every device's IP address geolocated to Thailand or China, not Myanmar.
Verified actuals only, no projections. 1M (Dec 2022), 4M (Sep 2024), 9M (Dec 2025), 10M (Feb 2026). Source: SpaceX. This is Starlink alone. Amazon Leo and TeraWave subscribers not included.
SUMMARY FINDING
Every layer of this system — from self-declared registry data to satellite routing through foreign countries — degrades the link between an IP address and a physical location. LEO satellites and the IPv4 secondary market are making it less reliable over time.
Every failure mode documented here — CGNAT, database disagreement at borders, LEO satellite, self-declared geolocation, VPN — is a default property of how the internet works in 2026. None require the user to do anything unusual. They compound one another. And the problem extends beyond static infrastructure: tens of millions of devices roam internationally on any given day, each producing an IP address from their home country regardless of where the device actually is (GSMA/Kaleido Intelligence, 2024: 100M+ active 5G roamers alone).
DATA NOTE
Border proximity percentages are estimates from geographic and census analysis, not a single published dataset. City-level distances are verified geography. Population figures from UN DESA World Population Prospects 2024 Revision.