De-anonymization of VPN and Proxy Users through Connection Matching

Updated: February 14, 2026

Connection matching is one of the most effective ways to de-anonymize VPN and proxy users, and it is employed by intelligence agencies and law enforcement around the world. Let's imagine a situation: you are an intelligence officer searching for a dangerous hacker. All you have is his IP address, from which he accessed a website once, a month ago.

It seems like a great opportunity to identify the user by IP address, since it is known that the hacker is in the same country as you. But the IP address belongs to a VPN service and is located in the Netherlands. What to do?

First, you send a request to the VPN owner asking for data on who used that IP address at that time. Let's assume the VPN owner ignores your request.

You have a set of malware at your disposal that can infect the hacker's device, but here’s the problem – there is no contact with him. The hacker has done his job and has gone underground, so all methods of active de-anonymization are useless.

What to do? You have an ORM system (operational-search measures; in Russia it is called SORM), which scans all traffic of all users, and you have providers who are legally required to retain user activity data. Yes, you cannot decrypt the recorded VPN traffic, but you don't need to. You only need to see which residents established an encrypted connection with the desired VPN server in the Netherlands during the specified time period.

If this is a popular public VPN, there may be several users, but there cannot be many. Let’s say in our case there are three people. Determining which of them is the hacker is no longer a difficult task; standard investigative practices are used for this, which have no direct relation to issues of anonymity and security on the internet.

Proxy users can be de-anonymized in a similar way. Against Tor users, however, this attack will not work: the IP address the Tor user connects to is the address of the entry node, while the address seen at the destination is that of the exit node. There are specific de-anonymization methods against Tor users that rely on ORM, for example: https://book.cyberyozh.com/ru/tajming-ataka-kak-spetssluzhbyi-deanonimiziruyut-polzovatelej-messendzherov/
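For threat modeling, the matching described above can be reduced to an interval-overlap query over retained connection records. The sketch below is an added example, not code from the original article; the record layout, subscriber labels, addresses (documentation ranges), times and the two-minute clock-skew tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Flow(NamedTuple):
    subscriber: str   # ISP account label (constructed)
    dst_ip: str       # remote address the subscriber connected to
    start: datetime
    end: datetime

def anonymity_set(flows, server_ip, seen_at, skew=timedelta(minutes=2)):
    """Subscribers with a session to server_ip overlapping seen_at +/- skew."""
    lo, hi = seen_at - skew, seen_at + skew
    return sorted({f.subscriber for f in flows
                   if f.dst_ip == server_ip and f.start <= hi and f.end >= lo})

def t(hhmm):
    # Helper for the constructed sample data: all records fall on one day.
    return datetime.strptime("2026-01-14 " + hhmm, "%Y-%m-%d %H:%M")

# Assumption, as in the article's scenario: the VPN server receives the
# user's connection and reaches the website from the same address.
VPN_IP = "203.0.113.10"
TOR_ENTRY = "198.51.100.7"   # address a Tor user actually connects to
TOR_EXIT = "192.0.2.55"      # address the website would log for Tor

# Constructed retention records.
FLOWS = [
    Flow("sub-A", VPN_IP, t("09:00"), t("11:30")),
    Flow("sub-B", VPN_IP, t("10:10"), t("10:40")),
    Flow("sub-C", VPN_IP, t("10:29"), t("12:00")),
    Flow("sub-D", VPN_IP, t("07:00"), t("08:15")),  # ended before the visit
    Flow("sub-E", TOR_ENTRY, t("10:00"), t("11:00")),
    Flow("sub-F", "198.51.100.99", t("10:00"), t("11:00")),
]
SEEN_AT = t("10:30")  # time the website logged the visit

if __name__ == "__main__":
    # VPN case: the logged address is also the address subscribers dial.
    print("VPN candidates:", anonymity_set(FLOWS, VPN_IP, SEEN_AT))
    # Tor case: nobody connects to the exit node directly, so no match.
    print("Tor candidates:", anonymity_set(FLOWS, TOR_EXIT, SEEN_AT))
```

The size of the returned set is the user's effective anonymity set against this observer: the fewer local subscribers connected to the same server at that moment, the less the VPN hides.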
