The Advanced IP check lets you extract the IP address of the device your applicant uses for verification and run it through our databases to ensure it is genuine and secure.

With the Advanced IP check, you can:

Ensure that cybercriminals do not intercept your applicant traffic.
Reveal the applicant's location.
Find out if your applicant uses a VPN to connect to the internet.

📘
Note
The Advanced IP check is available at an additional cost. Contact us to learn more.

How advanced IP check works

An IP address—short for Internet Protocol address—is a unique numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. It serves as an identifier for the source and destination of internet traffic.

Your applicants' consent for personal data processing allows Sumsub to use built-in analytical tools to collect their IP addresses.

According to the internal logic, the system checks the data and returns a list of IP check parameters that represent the results of the check.

IP address check automation

In the Dashboard, you can create a client list with a set of values to manage matching applicants or transactions. When you create an IP Ranges list, you can set up conditions for automatic IP address checks.

The conditions of this check depend on the type of your list:

Blocklist — IP addresses from that list will be automatically assigned with a High risk label.
Whitelist — IP addresses from that list will be automatically assigned with a Low risk label.
Custom — the system will not perform any automatic actions.

Advanced IP check list

The following table explains the available Advanced IP check parameters.

Check parameter	Description
IP	The IP address of the device used by the applicant during verification.
Risk level	Shows the overall risk level of the detected IP address. The value can be safe (GREEN), suspicious (YELLOW), or risky (RED).
Abuse velocity	Shows whether the IP address has been associated with frequent abusive behavior over the past 24–48 hours. The value can be High, Medium, Low, or empty if no abuse velocity data is available.
Connection type	Shows the type of network the applicant uses to connect to the internet. Possible values are `residential`, `cellular`, `business`, `hosting`, and `educational`.
Location	The country and city associated with the applicant IP address.
Timezone	The timezone associated with the applicant IP address.
Internet provider	The company that provides internet access for the detected IP address.
Organization	The legal name of the organization that owns or operates the detected IP address. This can match the internet provider or indicate another organization, such as a company, university, cloud provider, hosting provider, or data center.
Proxy	Shows whether the applicant connects through a proxy server. A proxy is an intermediary server between the applicant’s device and the internet. It can hide the applicant’s original IP address or make the connection appear to come from another location. The value can be safe (GREEN), suspicious (YELLOW), or risky (RED).
VPN	Shows whether the applicant connects through a VPN. A VPN routes internet traffic through another server and can hide the applicant’s original IP address or location. The value can be safe (GREEN), suspicious (YELLOW), or risky (RED).
TOR	Shows whether the applicant connects through the TOR network. TOR routes traffic through multiple intermediary servers to hide the user’s original IP address. The value can be safe (GREEN), suspicious (YELLOW), or risky (RED).

The following connection types may appear in the IP check results.

Connection type	Description
Residential	The IP address belongs to a regular home internet connection.
Cellular	The IP address belongs to a mobile network operator.
Business	The IP address belongs to a corporate or business network.
Hosting	The IP address belongs to a server, cloud, hosting, or data center provider rather than a regular home or mobile internet connection. This may indicate that the applicant uses a VPN, proxy, remote server, or automated environment.
Educational	The IP address belongs to an educational institution, such as a school, college, or university network.

Advanced IP check risk labels

The following risk labels are assigned to applicant profiles during the Advanced IP check and indicate certain characteristics of an applicant.

Label	API name	Description
VPN usage	`vpnUsage`	Detects whether VPN connection is used. Based on the `RED` VPN usage flag or risky ASN used.
TOR usage	`torUsage`	Detects whether TOR connection is used. Based on the `RED` TOR usage flag.
High risk IP	`highRiskIp`	Indicates high risk IP addresses. Based on the `RED` Risk level flag.
Devices from distant IP locations were used	`distantIpLocations`	Login from different and distant IP addresses for a short period of time. Based on the 100KM geographical distances between consecutive IP locations for applicant actions with risky ASN used.
Mismatch between ID document country and IP country	`idDocCountryVsIpCountryMismatch`	ID document country mismatches the country IP address. Checks if there is any mismatch between the countries associated with the applicant's IP address and ID documents.
Mismatch between applicant address and IP country	`addressCountryVsIpCountryMismatch`	The physical address does not meet the IP address. Checks if there is any mismatch between the address country and IP address country.
Country of photo creation is different from IP and ID document countries	`exifCountryVsIdDocCountryOrIpCountryMismatch`	Country of photo creation is different from IP and ID document countries. Checks if the country derived from the image metadata matches the applicant’s ID document and IP country.
Failure to continue on another device	`failedSessionContinuation`	The session was interrupted. Based on the failed attempt to open a WebSDK link.
Multiple devices were used	`multipleDevices`	Informs whether the applicant uses multiple devices (>1 device). Set if multiple unique desktop devices were used.
Multiple mobile devices were used	`multipleMobileDevices`	Informs whether the applicant uses multiple mobile devices (>1 mobile platform). Set if multiple unique mobile devices were used.
Lengthy onboarding session	`lengthySession`	The session lasts too long (>=10 minutes). Set if the applicant ID uploading activity consists of two or more session attempts. It calculates the time difference between the earliest and latest event timestamps. If the time difference exceeds 10 minutes, this risk labels will be added.

Get started with advanced IP check

You can perform advanced IP check during both KYC and Transaction Monitoring. The setup depends on the selected flow.

Advanced IP check during KYC

To start using the advanced IP check during KYC, complete the following steps.

Step 1: Enable the setting

In the Dashboard, navigate to the Verification levels in the Integrations section.
Select the level of interest.
On the Configurations tab of the verification level settings, open the Fraud prevention section, and enable the IP insights checkbox.

Step 2: Verify applicants

Verify your applicants using the WebSDK or MobileSDK.

📘
Note
To perform advanced IP check during pre-KYC (e.g, on user sign up or login), create applicant via this API method and include the creationTrackingData object with the IP address.

Advanced IP check during Transaction Monitoring

To start using the advanced IP check during the Transaction Monitoring, use one of the following methods:

Send IP address via this API method when submitting a transaction for an existing applicant.
Send IP address via this API method when submitting a transaction for a non-existing applicant.

Review advanced IP check results

To view the Advanced IP check results:

In the Dashboard, go to the Applicants page and open the profile that you need.
Scroll down to the IP check section and review the results.

Alternatively, you can use this API method to get the results, as the following example demonstrates.

Request

curl -X GET \
    'https://api.sumsub.com/resources/checks/latest?applicantId=6735ad170942f455a3711bf3&type=IP_CHECK'

Response

{
    "checks": [
        {
            "answer": "GREEN",
            "checkType": "IP_CHECK",
            "createdAt": "2025-05-28 15:42:24",
            "id": "142965bb-6775-4d85-a6ed-39aa94f7726a",
            "ipCheckInfo": {
                "ip": "33.199.219.172",
                "ipInfo": {
                    "ip": "33.199.219.172",
                    "countryCode2": "US",
                    "countryCode3": "USA",
                    "city": "Ashburn",
                    "state": "Virginia",
                    "stateCode": "US-VA",
                    "lat": 39.04,
                    "lon": -77.49,
                    "asn": 14618,
                    "asnOrg": "Amazon.com",
                    "org": "Amazon.com",
                    "riskyAsn": false,
                    "riskScore": 75.0,
                    "timezone": "America/New_York",
                    "connectionType": "hosting",
                    "proxy": true,
                    "vpn": true
                },
                "internetServiceProvider": "Amazon.com",
                "connectionType": "hosting",
                "organization": "Amazon.com",
                "proxy": "RED",
                "vpn": "RED",
                "tor": "GREEN",
                "riskLevel": "GREEN",
                "riskScore": 75.0
            }
        }
    ]
}