GeoIPHub
GeoIPHub is a real-time IP intelligence API we designed and built end to end — pinpointing geolocation, detecting VPNs and proxies, and scoring every IP from 0–100 so teams can make security decisions in a single call.
- Year: 2025
- Service: Product Design & Engineering
- Industry: Cybersecurity & Developer Tools
- Size: In-house product

Introduction
GeoIPHub is a real-time IP intelligence API that we designed, engineered, and now operate end to end at Keplaris. Give it an IP address and it answers in a single response with more than 140 data fields: where the address sits in the world, down to country, city, GPS coordinates, and timezone; whether it hides behind a VPN, proxy, or residential proxy network; what threat activity it has been tied to, from botnets and malware to spam and Tor; and a composite fraud risk score from 0 to 100 that distills all of it into one number a product team can act on.
We built GeoIPHub in 2025 as an in-house product of our New York studio. It was not a client engagement. It was our answer to a question we kept hitting on engineering work for others: why is it so hard to get fast, honest, current intelligence about an IP address? The product is live today at geoiphub.com, with a free tier of 2,000 requests per day that requires no credit card, and paid plans starting at 39 dollars per month for 25,000 daily requests.
The challenge
An IP address is the one signal every online business receives on every single request, and it is also one of the most commonly misread. The teams we built GeoIPHub for, developers, security engineers, and fintech platforms, all run into the same four problems.
- The IP space never sits still. Address blocks change hands, prefixes get re-announced, and infrastructure that was a quiet hosting range last month is a proxy exit today. Databases refreshed weekly or monthly are describing an internet that no longer exists.
- Modern evasion looks legitimate. Residential proxies route fraud traffic through real home connections, and self-hosted VPNs on commodity cloud servers never appear on any vendor's provider list. Detection that only matches against published lists misses exactly the traffic that matters most.
- The market recycles itself. Many IP data vendors resell or repackage one another's databases, so the same attribution errors propagate everywhere with no independent signal to check against.
- The lookup sits in the hot path. An IP check runs inside checkout flows, login screens, and ad auctions. If the call is slow, teams eat the latency or skip the check; neither is acceptable.
Solving any one of these is a feature. Solving all four at once is a product. That was the brief we wrote for ourselves.
Our approach
We made one decision early that shaped everything else: GeoIPHub would generate its own evidence rather than aggregate other people's conclusions. That meant building a full data pipeline from the ground up, fusing more than 60 intelligence sources, then going further by actively probing the network to confirm what the feeds claim.
Verify, don't just aggregate
Published lists tell you what a provider admits to operating. Active measurement tells you what an address is actually doing. Our pipeline treats third-party feeds as hypotheses and network observation as confirmation, and the two are weighted accordingly when the risk score is computed.
Build for the decision path
Because the lookup lives inside payment and authentication flows, we engineered the serving layer for sub-100ms median responses and designed the response so a single call replaces what would otherwise be three vendors: a geolocation provider, a proxy detection service, and a threat intelligence feed. One endpoint, one JSON document, 140-plus fields, with official SDKs for Python, Node.js, Go, and PHP so integration takes minutes rather than sprints.
Inside the eight-layer detection engine
The core of GeoIPHub is an eight-layer detection engine that classifies every address from multiple independent angles, so no single feed, heuristic, or vendor error can decide the outcome alone.
The foundation is authoritative attribution. We ingest registry data from all five Regional Internet Registries and watch live BGP route announcements, so every prefix is tied to the network that actually announces it right now, not the one that owned it when a static database was compiled. On top of that sits infrastructure classification: dedicated feeds identify hosting and datacenter ranges, known VPN provider fleets, Tor exits, and consumer relays such as iCloud Private Relay and Cloudflare WARP, each labeled separately rather than flattened into one anonymizer flag.
Then comes the layer that most distinguishes the engine: active scanning. The pipeline probes candidate addresses across 109 ports and more than 13 tunneling and proxy protocols, including OpenVPN, WireGuard, IKEv2, Shadowsocks, SOCKS, and HTTP proxies. This is how GeoIPHub catches the self-hosted VPN on a rented cloud server that appears on no provider list anywhere, the case where list-resellers go quiet and our engine returns a confirmed positive. The remaining layers add behavioral and reputational depth: botnet and command-and-control intelligence, spam and abuse feeds with DNSBL checks, scanner and crawler identification, and reverse-DNS analysis with WHOIS enrichment to validate naming claims against routing reality.
Everything the eight layers observe is reduced to 44 individually weighted signals, and those signals produce the composite fraud risk score from 0 to 100. Because the weights favor direct observation over reputation, the score degrades gracefully: when feeds disagree, confirmed evidence wins. And because the entire dataset is rebuilt on a 2-hour refresh cycle through 22 feed modules, a verdict is never more than two hours older than the internet it describes.
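A sketch of the "confirmed evidence wins" rule described above, as an added example that is not GeoIPHub's code or scoring algorithm. The signal names, weights, and the noisy-OR combination are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    category: str    # what is being claimed, e.g. "vpn" (constructed names)
    source: str      # "observed" = active measurement, "feed" = third-party list
    positive: bool   # does this source say the category applies?
    weight: float    # 0..1 contribution to risk if the category is confirmed

def category_verdicts(signals):
    """Per category: an observation decides when present, else feeds vote by weight."""
    verdicts = {}
    for cat in sorted({s.category for s in signals}):
        group = [s for s in signals if s.category == cat]
        observed = [s for s in group if s.source == "observed"]
        deciding = observed or group          # confirmed evidence overrides feeds
        yes = sum(s.weight for s in deciding if s.positive)
        no = sum(s.weight for s in deciding if not s.positive)
        strongest = max((s.weight for s in deciding if s.positive), default=0.0)
        verdicts[cat] = (yes > no, strongest)
    return verdicts

def risk_score(signals):
    """Noisy-OR over the categories that held up, scaled to 0-100."""
    clean = 1.0
    for is_positive, weight in category_verdicts(signals).values():
        if is_positive:
            clean *= 1.0 - weight
    return round(100 * (1.0 - clean))

# Constructed inputs. Self-hosted VPN: both lists say "not a VPN", a probe confirms one.
SELF_HOSTED_VPN = [
    Signal("vpn", "feed", False, 0.3), Signal("vpn", "feed", False, 0.3),
    Signal("vpn", "observed", True, 0.6), Signal("botnet", "feed", True, 0.5),
]
# Stale listing: a feed still flags the address, a probe finds no tunnel.
STALE_LISTING = [Signal("vpn", "feed", True, 0.3), Signal("vpn", "observed", False, 0.6)]
# No observation available: feeds disagree and the heavier side carries the verdict.
FEEDS_ONLY = [Signal("vpn", "feed", True, 0.4), Signal("vpn", "feed", False, 0.3)]

if __name__ == "__main__":
    for name, sample in [("self-hosted", SELF_HOSTED_VPN),
                         ("stale", STALE_LISTING), ("feeds-only", FEEDS_ONLY)]:
        print(name, risk_score(sample), category_verdicts(sample))
```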
Key capabilities
Everything in GeoIPHub is reachable through one REST call with an API key. These are the capabilities that call unlocks.
- IP geolocation with country, city, GPS coordinates, and timezone, backed by authoritative registry and routing data with 99.99 percent global IP coverage.
- VPN, proxy, and residential proxy detection driven by the eight-layer engine, including active port scanning that confirms tunnels instead of trusting lists.
- Threat intelligence flags covering botnets, malware infrastructure, spam sources, scanners, crawlers, and Tor, fused from more than 60 intelligence sources.
- A composite fraud risk score from 0 to 100, computed from 44 weighted signals, so teams can gate decisions on one number or drill into the evidence behind it.
- More than 140 data fields per lookup in clean JSON, with SDKs for Python, Node.js, Go, and PHP, plus bulk lookup endpoints and webhooks on paid tiers.
- Sub-100ms median responses, engineered for checkout, login, and ad-serving paths where the lookup cannot be the bottleneck.
- A 2-hour data refresh cycle across the full dataset, so classifications track the live internet rather than last quarter's snapshot.
- A free tier of 2,000 requests per day with no credit card, and paid plans from 39 dollars per month for 25,000 daily requests.
Results
GeoIPHub shipped in 2025 and runs in production today at geoiphub.com. The system holds its engineering targets: 99.99 percent global IP coverage, sub-100ms median response times, more than 140 fields per lookup, and a full dataset rebuild every 2 hours.
Just as important is the range one integration covers: the same API and risk score serve six distinct jobs.
- Fraud and chargeback prevention, scoring transactions before they settle.
- VPN and proxy filtering for platforms that need to know who is really connecting.
- Bot and scraper defense, separating automation from human traffic.
- Geo-compliance and content targeting, enforcing regional rules with confidence.
- Account-takeover prevention, flagging logins from anonymized or hostile infrastructure.
- Ad-tech click-fraud protection, filtering invalid traffic before it pollutes spend.
For us as a studio, GeoIPHub is also proof of how we work: a hard infrastructure problem taken from first principles to a live, priced, documented product, pipeline, engine, serving layer, and SDKs included, entirely in-house.
What's next
The roadmap follows the same logic that built the product: more direct observation, fresher data, easier adoption. We are extending active scanning to additional protocols, bringing confirmed-handshake verification to more of the on-demand lookup path, deepening WHOIS enrichment across the prefix space, and continuing the benchmarking program that measures our classifications against independent ground truth. On the product side, we are expanding the enterprise tier, including on-premise database delivery for teams that need lookups inside their own perimeter. The internet keeps moving every two hours; so do we.
