
New research from IPinfo published this week reveals that 85% of major VPN providers systematically lie about where your traffic actually exits. The company analyzed over 6 million data points across 20 major providers using physics-based measurements and found 17 of them routing traffic through entirely different countries than advertised—with some showing over 50% of their locations as fake. Only three providers achieved perfect accuracy: Mullvad, IVPN, and Windscribe.
Physics doesn’t lie, but VPN providers do. IPinfo used Round-Trip Time measurements from 1,200+ global probe points to catch providers red-handed. When a VPN claims you’re in the Bahamas but shows 0.15-0.42ms latency to Miami, the server isn’t 1,500km away in the Caribbean—it’s sitting in a Florida data center. This isn’t just a consumer privacy issue. For developers testing geolocation features, meeting compliance requirements, or building fraud detection systems, these VPN location mismatches break fundamental security assumptions.
How IPinfo Caught VPN Providers Lying
IPinfo deployed ProbeNet, an internet measurement platform with 1,200+ points of presence worldwide, to measure where VPN traffic actually exits. The methodology is elegant: connect to a VPN location, capture the exit IP, then measure Round-Trip Time from the nearest ProbeNet probe. Speed-of-light constraints provide hard physical limits—sub-millisecond response times prove geographic proximity.
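The speed-of-light bound described above can be checked in a few lines. This is an added example, not IPinfo's code: the coordinates are approximate, the RTT samples are constructed, and the function names are hypothetical. It uses the vacuum speed of light as the hard limit; real fiber is slower, which only tightens the bound.

```python
import math

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_distance_km(rtt_samples_ms):
    """Upper bound on probe-to-server distance.

    Queueing and processing only add delay, so the minimum sample is the
    tightest bound; the signal travels out and back, so halve it.
    """
    return min(rtt_samples_ms) / 2 * C_KM_PER_MS

def check_claim(claimed, probes):
    """Return the probes whose RTT makes the claimed (lat, lon) impossible."""
    violations = []
    for name, location, samples in probes:
        needed = haversine_km(location, claimed)
        limit = max_distance_km(samples)
        if needed > limit:
            violations.append((name, round(needed), round(limit)))
    return {"feasible": not violations, "violations": violations}

# Constructed sample data (coordinates approximate, RTT values illustrative).
NASSAU = (25.04, -77.35)
MIAMI_DC = (25.78, -80.19)
PROBES = [
    ("miami", (25.76, -80.19), [0.42, 0.31, 0.15]),
    ("london", (51.51, -0.13), [112.0, 109.5, 110.2]),
]

if __name__ == "__main__":
    print(check_claim(NASSAU, PROBES))    # Miami probe rules out Nassau
    print(check_claim(MIAMI_DC, PROBES))  # a Miami data center is consistent
```

Only a low RTT constrains anything: the London probe's ~110 ms is compatible with either location, so a distant probe can never refute a claim, while one nearby probe can.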
The results are damning. Of 20 major providers tested, 17 had significant mismatches between claimed and actual locations. IPinfo founder Ben Dowling didn’t mince words: “Some brands had over half of their listed locations exit somewhere else entirely, and others advertised whole countries with no real infrastructure there at all.”
The worst offenders? IPVanish showed 61% virtual or unmeasurable locations. CyberGhost and ExpressVPN both clocked in at 57%. The median geolocation error was 3,100 kilometers, with 83% of disagreements exceeding 1,000km. Thirty-eight countries appeared as “virtual-only” across all tested providers—meaning zero actual infrastructure exists in those locations despite marketing claims.
VPN Location Fraud Breaks Developer Workflows
The security implications go far beyond consumer privacy. VPN location fraud undermines three critical developer use cases: testing, compliance, and fraud detection.
For testing, developers routinely connect to VPN locations to simulate global users and test region-specific features. Connect to a “Japan server” to verify Japanese content libraries, regional pricing, or payment gateway integrations. However, if that server actually exits in California, your tests pass while production users in actual Japan see completely different behavior. The testing was theater.
Compliance gets even worse. Organizations processing EU citizen data route traffic through “Netherlands VPN servers” to meet GDPR’s data residency requirements. If that traffic actually exits in the US, they’re unknowingly violating data sovereignty laws—potential fines of up to 4% of global revenue. HIPAA, CCPA, and other regulatory frameworks all assume traffic exits where claimed. VPN location fraud turns compliance documentation into fiction.
Fraud detection systems layer geolocation as a security signal. Flag orders from high-risk countries, block access from sanctioned regions, verify payment methods match IP locations. When VPNs lie about exit points, these controls fail. Attackers exploit the gap: use a “Somalia VPN” that actually routes through trusted UK infrastructure to bypass regional restrictions and fraud filters.
The timing couldn’t be worse. VPNs already account for 58% of ransomware incidents according to Coalition’s Cyber Threat Index, with compromised VPN credentials being the initial attack vector in 48% of Q3 2025 attacks—up from 38% just one quarter earlier. Location mismatches compound this crisis by making geolocation-based access controls unreliable.
The Hacker News Verdict
The research hit the Hacker News front page with 313 points and 182 comments, sparking intense debate about whether virtual locations constitute fraud or an acceptable industry practice if disclosed. The community split along predictable lines.
Some argued virtual locations are harmless—just marketing. Others weren’t having it. One commenter cut to the core: “If you think traffic exits in the US and it exits elsewhere, that causes problems with compliance and data domicile promises to clients.” Another shared real-world experience: “We had suppliers claiming to be in Mexico or South America who were actually just in Texas.”
The physics verification resonated. As one HN user noted: “If you’re getting sub-millisecond ping times from London you aren’t talking to Mauritius.” Speed of light doesn’t care about marketing claims.
Consensus emerged on transparency. Proton VPN explicitly labels virtual locations in their documentation—making the practice disclosed rather than deceptive. The problem isn’t virtual locations per se. The problem is lying about them.
The Three Providers Who Actually Passed
Only three VPN providers achieved 100% accuracy in IPinfo’s testing: Mullvad, IVPN, and Windscribe. All three share a common philosophy: transparency over marketing, privacy over profit, evidence over claims.
Mullvad’s approach borders on radical: no account required (just generate a random number), flat €5 monthly pricing with no upsell pressure, accepts cash payments by mail, publishes third-party audit reports, and maintains fully open-source code. HN users praised the service consistently: “The longer I use Mullvad, the more I like it. I’ve tried MANY competitors first.”
IVPN and Windscribe follow similar privacy-first principles. Both accept anonymous payments, undergo regular third-party audits, and disclose their infrastructure honestly. Windscribe even offers a free tier with 10GB monthly bandwidth—proof that honest VPN providers can compete without lying about server locations.
But here’s the bigger trend: 65% of organizations plan to replace VPN services entirely within a year, with 81% transitioning to zero-trust security frameworks by 2026. The VPN trust crisis extends beyond location fraud. When 48% of enterprises experienced VPN-related breaches in the last two years and nearly half of ransomware attacks start via compromised VPNs, the industry is shifting away from perimeter-based security altogether.
What Developers Should Actually Do
Don’t trust VPNs for geolocation testing. Use real test users in target regions instead. If that’s not feasible, layer multiple verification signals: IP location plus browser timezone plus payment method plus shipping address. Assume IP geolocation can be spoofed and design accordingly.
For compliance, verify traffic exits where claimed using independent measurement tools—don’t take VPN providers at their word. Consider switching to one of the three transparent providers (Mullvad, IVPN, Windscribe) or better yet, transition to zero-trust architecture that doesn’t rely on perimeter security.
For fraud detection, accept that VPN location fraud exists and build systems resilient to it. Single-signal fraud detection (IP location only) is brittle. Multi-factor approaches combining IP, device fingerprinting, behavioral analysis, and payment verification create more robust defenses.
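A sketch of the layered check recommended for both testing and fraud detection above, in which the IP-derived country is only ever corroborated, never trusted alone. This is an added example, not code from the research; the signal names, decision labels, and sessions are constructed, and it assumes each signal has already been reduced to an ISO country code.

```python
from collections import Counter

def assess_location(signals):
    """Cross-check the IP-derived country against independent signals.

    signals maps a signal name to an ISO country code, or None if missing.
    The "ip" entry never decides the outcome on its own.
    """
    ip = signals.get("ip")
    others = [c for name, c in signals.items() if name != "ip" and c]
    if len(others) < 2:
        return {"decision": "review", "country": None,
                "reason": "fewer than two non-IP signals"}
    country, votes = Counter(others).most_common(1)[0]
    if votes * 2 <= len(others):  # no strict majority among non-IP signals
        return {"decision": "review", "country": None,
                "reason": "non-IP signals disagree with each other"}
    if ip == country:
        return {"decision": "allow", "country": country,
                "reason": "ip matches corroborated country"}
    # IP is the outlier: likely a VPN or a mislabeled exit, so ask for more proof.
    return {"decision": "step_up", "country": country,
            "reason": f"ip says {ip}, {votes} other signals say {country}"}

# Constructed sessions for illustration.
CONSISTENT = {"ip": "JP", "timezone": "JP", "card": "JP", "shipping": "JP"}
IP_OUTLIER = {"ip": "NL", "timezone": "US", "card": "US", "shipping": "US"}
IP_ONLY = {"ip": "JP", "timezone": None, "card": None, "shipping": None}
SCATTERED = {"ip": "DE", "timezone": "DE", "card": "FR", "shipping": "US"}

if __name__ == "__main__":
    for session in (CONSISTENT, IP_OUTLIER, IP_ONLY, SCATTERED):
        print(assess_location(session))
```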
The broader lesson: when 85% of an industry systematically misrepresents a core feature, trust is broken. Developers can’t control whether VPN providers lie, but we can design systems that don’t break when they do.











