IP Geolocation & Sanctions Compliance

IP Address Cannot Prove Where Someone Is

Sanctions compliance depends on reliably placing a user inside a jurisdiction. IP geolocation has two structural failure modes: database-level disagreement that misattributes border populations without any VPN required, and the shift to LEO satellite internet. OFAC comprehensively sanctions five countries; a further seven face significant programs. Combined population: ~390M people.

01 — Mechanism
How Traffic Routes And Why It Crosses Borders

An IP address identifies which organisation holds a block of addresses in a registry. It tells you where network infrastructure is registered, not where the device using that address is physically located. It was never designed to pinpoint physical presence. The industry relies on IP geolocation because GPS-derived location is too fragile for compliance at scale: GPS requires device-level permissions, is trivially spoofable, unavailable on desktop browsers and backend servers, and absent from most blockchain transactions. IP is used not because it works, but because no better passive signal exists.

CGNAT — CARRIER-GRADE NETWORK ADDRESS TRANSLATION
Mobile carriers place thousands of subscribers behind a single public IP. Cloudflare (Oct 2025): a single IPv4 address can represent hundreds or thousands of users. Geolocation under CGNAT reflects the carrier gateway location. This is standard mobile internet architecture globally.
Cloudflare, "One IP address, many users" (Oct 2025) · IETF RFC 6888 · CAIDA: 28.85% of mobile operator networks use CGNAT
02 — The maths
What Are The Odds You Catch Them?

The standard defence from compliance teams: "criminals use VPNs, they occasionally slip up, and when they do we catch them." The calculation below tests that claim: set the VPN rate and the IP accuracy and see the probability that you'll catch the transaction.

P(DETECTION) = P(NO VPN | SESSION) × P(IP RESOLVES TO CORRECT COUNTRY)
VPN USAGE RATE AMONG SANCTIONED-JURISDICTION TRADERS: 85%
85% is deliberately generous to the compliance case. Real-world VPN adoption may be lower (the Exodus/OFAC settlement, Dec 2025, showed Iranian users routinely connecting without VPNs), but lower VPN usage only increases exposure, not accuracy.
IP RESOLVES TO CORRECT COUNTRY WHEN REAL IP EXPOSED: 65%
65% default reflects mobile connections, the dominant type in sanctioned countries. MaxMind's own data: 44–59% country-level accuracy on cellular IPs.
P(DETECTED PER TRANSACTION): 9.8%
~90% of sanctioned-jurisdiction transactions are not flagged.
THE EQUATION
p(detected) = (1 − VPN%) × IP_accuracy%
At defaults (85% VPN, 65% IP accuracy): only 15% of sessions expose a real IP. Of those, only 65% resolve to the correct country. Result: fewer than 1 in 10 transactions are flagged. Chainalysis (Mar 2026) reported $104B in crypto sanctions evasion in 2025, up 694% year-over-year, despite IP-based screening being standard at every major exchange.
Defaults based on: Reuters (2021) Iran/Binance VPN reporting · Exodus/OFAC settlement Dec 2025 ($3.1M, 254 violations) · MaxMind cellular accuracy own data (44–59%) · Schopman (Radboud, 2021) independent validation · ipapi.is GPS ground-truth study Jan 2026 · Chainalysis 2026 Crypto Crime Report.
03 — Sourced evidence
Accuracy by Connection Type

Fixed broadband is the most accurate connection type: the cable ends at a known physical address. Mobile, VPN, and satellite traffic are the connection types most likely used in sanctions-risk geographies.

FIXED BROADBAND PENETRATION IN SANCTIONED COUNTRIES (ITU/WORLD BANK 2023)
OECD average: 36 fixed broadband subscriptions per 100 people. Most sanctioned populations connect primarily via mobile, the connection type where IP-based geolocation accuracy drops to 60–85% at country level.
Sources: MaxMind per-country breakdown (support.maxmind.com) · Chetty et al. UChicago 2021 · Callejo et al. (Arxiv 2109.13665) · Gharaibeh et al. ACM IMC 2017 · APNIC Labs Starlink 2025 · BigDataCloud Aug 2025 · ipapi.is GPS ground-truth study Jan 2026 (586 residential IPs, 10 providers) · ITU/World Bank fixed broadband subscriptions 2023
04 — Scope of problem
The Full OFAC Sanctions Landscape
COMPREHENSIVE SANCTIONS
Nearly all transactions prohibited. Highest enforcement risk for exchanges.
— Cuba
— Iran
— North Korea
— Syria
— Russia
Source: OFAC.treasury.gov · Sanction Scanner 2025
SIGNIFICANT TARGETED PROGRAMS
Major sectoral or individual sanctions. SDN screening required.
— Belarus
— Venezuela
— Myanmar
— Sudan
— Yemen
— Libya
— Afghanistan
Source: OFAC.treasury.gov · Princeton ORPA 2025
NOTE ON SCOPE
The full landscape includes twelve sanctioned jurisdictions. The IP geolocation failure modes (CGNAT, database disagreement at borders, LEO satellite) apply with equal force to Syria, Venezuela, and Myanmar as to Iran and Belarus. Cuba is an outlier (island nation, different routing profile). UN/EU/UK programs extend to additional jurisdictions.
05 — Geographic exposure
Border Population Risk by Sanctioned Country
DATA NOTE
Border proximity percentages are estimates from geographic and census analysis, not a single published dataset. City-level distances are verified geography. Population figures from UN DESA World Population Prospects 2024 Revision.
HOW CLOSE ARE SANCTIONED CITIES TO BORDERS? (vs. 100km GEOLOCATION ERROR BAND)
MaxMind's own data puts US city-level accuracy at 66% within 50km; one in three lookups places the user in the wrong city. An independent validation (Schopman, Radboud University, 2021) measured country-level accuracy of geolocation via IP address at 78.6%. Peer-reviewed ground-truth research (Gharaibeh et al., ACM IMC 2017) found only ~50% of lookups landed within 100km of actual location; half of all lookups missed by more than 100km. Mobile/CGNAT IPs produced errors up to 15,000km (Schmitt et al., UChicago, PAM 2022). A January 2026 GPS ground-truth study (ipapi.is) tested 10 commercial providers against 586 clean residential IPs with VPNs, proxies and datacentres filtered out, which is the best-case scenario for geolocation. The best provider placed only 72.9% of lookups within 50km; the worst managed 60.2%. MaxMind's own accuracy_radius field is documented at 67% confidence with 100km as a published example.
MaxMind accuracy_radius: support.maxmind.com. "67% confidence radius, ranging from 5km to hundreds of km"
FALSE NEGATIVES — THE MIRROR PROBLEM
The same accuracy-radius error that lets a sanctioned-country user appear unsanctioned also works in reverse. Geolocation databases disagree by an average of 620km across all IP types (Nur et al., IEEE BalkanCom 2023, 6.3M IPs tested). Land borders between sanctioned and unsanctioned countries are narrower than 620km, so the average database error alone can misattribute country. IP blocks get reallocated between registries, update cycles lag by weeks, and RIPE explicitly allows registration country to differ from usage country. A user in Azerbaijan with an IP block recently reassigned from an Iranian range, or a Turkish border resident whose ISP serves both sides of the Syrian border, can resolve to sanctioned address space in one geolocation database while appearing correctly in another. These users are wrongly blocked from service, a compliance false positive that is also a detection false negative: the system spends enforcement resources on the wrong people. At border-city scale, this is not rare. It is a predictable byproduct of database-level error in regions where IP infrastructure does not align with political boundaries.
Population in unsanctioned countries within geolocation error band of a sanctioned border. Sources: UN DESA 2024, national census data, ITU. North Korea excluded (no public internet, no IP addresses to resolve to).
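One way to act on the database disagreement described above, as an added example that is not part of the original page: instead of trusting a single lookup, compare several databases' answers and send conflicts to secondary verification rather than to an automatic allow or block. The record fields, verdict names, the 100 km threshold (taken from the page's error band) and the approximate sample coordinates are assumptions made for illustration.

```python
import math
from itertools import combinations

# Comprehensive-sanctions list as given on this page (ISO 3166-1 alpha-2).
COMPREHENSIVE = {"CU", "IR", "KP", "SY", "RU"}
WIDE_RADIUS_KM = 100  # assumption: the page's 100 km accuracy band

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(results):
    """results: dicts with db, country, lat, lon, radius_km (hypothetical schema).
    Returns (verdict, detail); a conflict is never turned into allow or block."""
    countries = {r["country"] for r in results}
    spread = max((haversine_km((a["lat"], a["lon"]), (b["lat"], b["lon"]))
                  for a, b in combinations(results, 2)), default=0.0)
    widest = max(r["radius_km"] for r in results)
    if len(countries) > 1:
        # Databases name different countries: the border case from the text.
        verdict = "conflict-sanctioned" if countries & COMPREHENSIVE else "conflict"
    elif widest >= WIDE_RADIUS_KM or spread > widest:
        verdict = "low-confidence"
    else:
        verdict = "consistent"
    return verdict, {"countries": sorted(countries),
                     "spread_km": round(spread), "widest_radius_km": widest}

# Constructed lookups for one IP near the Turkish-Syrian border (approximate coordinates).
BORDER_CASE = [
    {"db": "db_a", "country": "TR", "lat": 37.07, "lon": 37.38, "radius_km": 100},
    {"db": "db_b", "country": "SY", "lat": 36.20, "lon": 37.16, "radius_km": 50},
]
# Constructed lookups where both databases agree within a small radius.
DOMESTIC_CASE = [
    {"db": "db_a", "country": "DE", "lat": 50.11, "lon": 8.68, "radius_km": 20},
    {"db": "db_b", "country": "DE", "lat": 50.10, "lon": 8.70, "radius_km": 10},
]

if __name__ == "__main__":
    print(assess(BORDER_CASE))
    print(assess(DOMESTIC_CASE))
```

A "conflict-sanctioned" verdict covers both directions the text describes: the sanctioned-country user who appears unsanctioned in one database and the border resident who is wrongly placed in sanctioned address space in another.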
WHY THESE INACCURACIES PERSIST
Stale registry records. Databases rely on public WHOIS data, which reflects where the organisation that registered the IP block is headquartered, not where the address is physically routed (Fainchtein & Sherr, 2024).

Mergers and IP leasing. IPv4 scarcity has created a secondary market where IP blocks move between regions through acquisitions and leasing. Static databases lag behind these transfers by days to weeks (Livadariu et al., ANRW 2020).

Privacy-preserving relays. Apple iCloud Private Relay, commercial VPNs, and Cloudflare WARP route traffic through infrastructure that deliberately breaks the IP-to-location link. Databases must choose between geolocating the physical egress server or the logical user region, producing systematic inter-database disagreement across hundreds of millions of devices.
Sources: Fainchtein & Sherr (2024) · Livadariu et al. IRTF ANRW 2020 · Apple iCloud Private Relay documentation · Nur et al. IEEE BalkanCom 2023
06 — Specific exposure
High-Risk Cities: IP Address May Resolve Across Border

Cities within the 100km MaxMind accuracy band are flagged. No VPN needed for misassignment at this range.

City distances from geographic sources. 100km band = MaxMind accuracy_radius documented example (support.maxmind.com).
★ ENFORCEMENT SOURCES
Myanmar/Starlink: BBC/Wired Oct 2025.
07 — Present and escalating risk
The LEO Internet Inflection

IP geolocation works by mapping an IP address to the physical location of the network infrastructure that issued it. Satellite internet breaks this at every layer. The user connects to an orbiting satellite, which downlinks to a ground station, but the IP address does not resolve to the ground station. It resolves to the Point of Presence (PoP), a routing hub connected by terrestrial fiber.

Pan et al. (Dec 2025) mapped 5.98 million Starlink routers and found the entire global network funnels through just 49 PoPs serving 165 countries. Users in countries with a local PoP (US, UK, Germany, Brazil, ~49 total) get ~95% country accuracy because traffic stays domestic. Users in the remaining 100+ countries route through foreign PoPs: Africa through Frankfurt, the Caribbean through Miami, the Pacific through Sydney. For these users, the IP address belongs to a server in a different country. Starlink publishes a GeoFeed file that tells databases "this IP is actually in Kenya, not Germany," but the IETF (Nov 2025) found it is manually maintained, prone to errors, and databases cache it for days or weeks while Starlink shuffles IPs constantly. All sanctioned countries fall in the no-PoP tier.

Starlink went from zero to 10 million subscribers in four years. Two more constellations are entering the market: Amazon's Project Leo (beta 2026) and Blue Origin's TeraWave (5,408 satellites, FCC filing January 2026). Competition, falling prices, and a much larger user base. Every new subscriber in a sanctioned country is another connection where IP geolocation depends on a manually updated spreadsheet.
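The GeoFeed dependency described above can be checked directly. This added example, not code from the original page or from any operator, parses a feed in the RFC 8805 CSV layout, tolerates the hand-editing errors the text mentions, and compares a database's cached country against what the feed currently declares. The feed contents are constructed, the prefixes are documentation ranges, and the function and verdict names are hypothetical.

```python
import csv
import ipaddress

# Constructed geofeed in the RFC 8805 layout: prefix,country,region,city,postal.
# Prefixes are documentation ranges, not real operator allocations.
SAMPLE_GEOFEED = """\
# constructed sample feed
192.0.2.0/24,DE,,Frankfurt am Main,
192.0.2.128/25,KE,,Nairobi,
2001:db8::/32,KE,,,
not-a-prefix,US,,,
198.51.100.0/24,,,,
"""

def parse_geofeed(text):
    """Return [(network, country)], skipping comments and malformed rows."""
    lines = (l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    entries = []
    for row in csv.reader(lines):
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # a hand-edited feed can contain typos; skip the row
        country = row[1].strip().upper() if len(row) > 1 else ""
        entries.append((net, country))
    return entries

def declared_country(entries, ip):
    """Longest-prefix match; None if no row covers ip or the row names no country."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return (best[1] or None) if best else None

def compare(entries, ip, cached_db_country):
    """Classify a database's cached country against the operator's current feed."""
    declared = declared_country(entries, ip)
    if declared is None:
        return "no-feed-claim"
    if declared == cached_db_country:
        return "match"
    return "stale-or-disputed:" + declared

if __name__ == "__main__":
    feed = parse_geofeed(SAMPLE_GEOFEED)
    for ip, cached in [("192.0.2.200", "DE"), ("192.0.2.10", "DE"), ("198.51.100.7", "US")]:
        print(ip, cached, compare(feed, ip, cached))
```

A "match" only shows that the database and the feed agree with each other; since the feed is manually maintained, it does not show that either reflects where the user is.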

DOCUMENTED SANCTIONS EVASION — BBC / WIRED, OCT 2025
BBC and Wired confirmed Starlink is active inside Myanmar scam compounds — sanctioned jurisdiction, significant OFAC program. Wired identified more than 100 Starlink devices at a single facility (KK Park). SpaceX confirmed and terminated over 2,500 devices in October 2025. None were flagged by IP geolocation — the devices appeared to be in Thailand or China based on ground station routing, not Myanmar.
BBC News / Wired, Oct 2025 · Wikipedia Starlink article (Jan 2026 revision)
STARLINK SUBSCRIBERS (M) — VERIFIED ACTUALS ONLY
Verified actuals only, no projections. 1M (Dec 2022), 4M (Sep 2024), 9M (Dec 2025), 10M (Feb 2026). Source: SpaceX. This is Starlink alone. Amazon Leo and TeraWave subscribers not included.
SUMMARY FINDING
IP address is a network routing artifact. It was never designed to establish physical presence. Two documented structural trends make it less reliable over time.
CGNAT, database disagreement at borders, LEO satellite, VPN. These compound one another, and none of them require the user to do anything unusual. They are default properties of how the internet works in 2026.
© 2026 Octet (Understone, Inc). All rights reserved. This content is proprietary and confidential.