Laptop Farm


Description

This detector identifies situations where multiple employee identities appear to originate from the same network location, in a context that is inconsistent with legitimate independent remote work. Genuine remote employees operate from separate homes and networks, each with a distinct ISP, IP range, and network profile. When multiple claimed employees consistently share the same external IP address or subnet, particularly on a residential connection, it indicates that their devices are physically co-located rather than independently distributed.

This signal is most meaningful when the shared network has no enterprise characteristics: no corporate ASN, no managed DNS infrastructure, no VPN concentrator, and no office routing signatures. A farm of laptops running from a house or warehouse will appear on a standard residential ISP, which is inconsistent with a legitimate employer hosting many remote workers.

Common indicators include:

  • Multiple identities sharing a single external IP

    Two or more employee accounts associated with the same organization consistently authenticate or interact from the same external IP address. For genuinely independent remote employees, IP collisions are rare outside carrier-grade NAT pools and shared corporate egress points; sustained overlap across sessions and days, on an address with neither of those explanations, is a strong indicator of physical co-location.

  • Residential ISP with high employee density

    The network resolves to a residential ISP (not an enterprise or data center ASN) yet supports a disproportionate number of employee sessions. A single residential connection hosting many employees simultaneously is implausible for a real household.

  • Absence of enterprise network infrastructure

    Sessions from claimed employees show no signals associated with managed corporate environments - no enterprise VPN, no corporate DNS resolver, no managed proxy, and no organization-affiliated ASN. A legitimate office that concentrates many employees behind one egress normally leaves at least one of these footprints; their complete absence removes the benign explanation for the co-location.

  • Coordinated session timing

    Multiple identities from the same IP are active at the same time in shift-like patterns, consistent with operators at the same physical location working scheduled rotations rather than independent employees in different time zones following their own schedules.

  • Geolocation inconsistency with claimed employment

    The shared IP resolves to a country or region that does not align with the claimed employee locations in HR or identity provider records, and the concentration of identities at that location makes individual relocation stories implausible.
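The indicators above can be applied mechanically to identity-provider session records. The following is an added example, not code from the detector or its vendor, that groups sessions by external IP and evaluates each of the five indicators over a constructed sample; the ASN class labels (`residential`, `enterprise`, `cgnat`), the `enterprise_signal` flag and all identities and addresses are assumptions made for the illustration. It also carries the carrier-grade NAT caveat: an address class where many subscribers legitimately share one IP is excused from the shared-IP indicator.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    identity: str
    ip: str
    asn_class: str           # hypothetical ASN label: residential, enterprise, datacenter, cgnat
    ip_country: str          # country the external IP geolocates to
    start: datetime          # session start, UTC
    enterprise_signal: bool  # corporate VPN, managed proxy or corporate DNS observed
    hr_country: str          # country of record in HR / identity provider


@dataclass
class Finding:
    ip: str
    identities: int
    indicators: list
    flagged: bool


def _parse(rows):
    return [Session(i, ip, a, c, datetime.fromisoformat(t), e, h) for i, ip, a, c, t, e, h in rows]


# Constructed sample, not real telemetry. 203.0.113.7 plays the farm: four
# identities with a US country of record on a CN residential line, starting
# within the same hour on consecutive days, with no corporate network signals.
# 198.51.100.20 is a legitimate office egress, 192.0.2.9 a two-person household,
# 192.0.2.44 a single remote worker and 203.0.113.200 a carrier-grade NAT pool.
SAMPLE = _parse([
    ("alice.w", "203.0.113.7",   "residential", "CN", "2024-03-04T01:05:00", False, "US"),
    ("bob.k",   "203.0.113.7",   "residential", "CN", "2024-03-04T01:12:00", False, "US"),
    ("carol.n", "203.0.113.7",   "residential", "CN", "2024-03-04T01:20:00", False, "US"),
    ("dan.p",   "203.0.113.7",   "residential", "CN", "2024-03-04T09:02:00", False, "US"),
    ("alice.w", "203.0.113.7",   "residential", "CN", "2024-03-05T01:03:00", False, "US"),
    ("bob.k",   "203.0.113.7",   "residential", "CN", "2024-03-05T01:15:00", False, "US"),
    ("carol.n", "203.0.113.7",   "residential", "CN", "2024-03-05T01:31:00", False, "US"),
    ("dan.p",   "203.0.113.7",   "residential", "CN", "2024-03-05T09:10:00", False, "US"),
    ("eve.r",   "198.51.100.20", "enterprise",  "US", "2024-03-04T13:00:00", True,  "US"),
    ("frank.t", "198.51.100.20", "enterprise",  "US", "2024-03-04T13:05:00", True,  "US"),
    ("eve.r",   "198.51.100.20", "enterprise",  "US", "2024-03-05T13:02:00", True,  "US"),
    ("frank.t", "198.51.100.20", "enterprise",  "US", "2024-03-05T13:08:00", True,  "US"),
    ("gina.s",  "198.51.100.20", "enterprise",  "US", "2024-03-05T13:40:00", True,  "US"),
    ("hal.m",   "192.0.2.9",     "residential", "US", "2024-03-04T14:00:00", False, "US"),
    ("ida.j",   "192.0.2.9",     "residential", "US", "2024-03-04T14:30:00", False, "US"),
    ("hal.m",   "192.0.2.9",     "residential", "US", "2024-03-05T14:05:00", False, "US"),
    ("ida.j",   "192.0.2.9",     "residential", "US", "2024-03-05T14:20:00", False, "US"),
    ("jo.v",    "192.0.2.44",    "residential", "US", "2024-03-04T15:00:00", False, "US"),
    ("kim.l",   "203.0.113.200", "cgnat",       "US", "2024-03-04T16:00:00", False, "US"),
    ("lee.o",   "203.0.113.200", "cgnat",       "US", "2024-03-04T18:30:00", False, "US"),
    ("mia.q",   "203.0.113.200", "cgnat",       "US", "2024-03-04T20:10:00", False, "US"),
    ("kim.l",   "203.0.113.200", "cgnat",       "US", "2024-03-05T16:05:00", False, "US"),
    ("lee.o",   "203.0.113.200", "cgnat",       "US", "2024-03-05T19:00:00", False, "US"),
])


def evaluate_ip(ip, sessions, min_identities=3, min_days=2, max_household=2, nat_classes=("cgnat",)):
    """Apply the detector's indicators to all sessions seen from one external IP."""
    identities = {s.identity for s in sessions}
    by_day, by_day_hour = defaultdict(set), defaultdict(set)
    for s in sessions:
        by_day[s.start.date()].add(s.identity)
        by_day_hour[(s.start.date(), s.start.hour)].add(s.identity)
    overlap_days = sum(1 for ids in by_day.values() if len(ids) >= 2)
    coord_days = {day for (day, _), ids in by_day_hour.items() if len(ids) >= 2}
    classes = {s.asn_class for s in sessions}
    shared_nat = bool(classes & set(nat_classes))  # many subscribers legitimately share one IP
    indicators = set()
    # Sustained overlap: several identities, on several days, from one address.
    if len(identities) >= min_identities and overlap_days >= min_days and not shared_nat:
        indicators.add("shared_ip")
    # Residential line carrying more identities than a household explains.
    if "residential" in classes and len(identities) > max_household:
        indicators.add("residential_density")
    # Absence of corporate infrastructure only matters once the IP is shared.
    if len(identities) > 1 and not any(s.enterprise_signal for s in sessions):
        indicators.add("no_enterprise_infra")
    # Shift-like starts: two or more identities begin within the same hour on several days.
    if len(identities) >= min_identities and len(coord_days) >= min_days:
        indicators.add("coordinated_timing")
    # Most identities at this IP are recorded in HR as living somewhere else.
    mismatched = {s.identity for s in sessions if s.hr_country != s.ip_country}
    if len(mismatched) >= 2 and len(mismatched) * 2 > len(identities):
        indicators.add("geo_mismatch")
    flagged = "shared_ip" in indicators and len(indicators) >= 3
    return Finding(ip, len(identities), sorted(indicators), flagged)


def detect(sessions, **thresholds):
    """Group sessions by external IP and evaluate each; returns {ip: Finding}."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s.ip].append(s)
    return {ip: evaluate_ip(ip, group, **thresholds) for ip, group in by_ip.items()}


def flagged_ips(sessions, **thresholds):
    """External IPs whose findings cross the alert threshold, sorted."""
    return sorted(ip for ip, f in detect(sessions, **thresholds).items() if f.flagged)
```

Run against the sample, only 203.0.113.7 is flagged, with all five indicators. The office egress collects two of them (shared IP and coordinated morning starts), which is why the indicators are scored together rather than alerting individually: the enterprise ASN and corporate VPN signal supply the benign explanation that a residential farm lacks. The two-person household and the CGNAT pool each end with only the absence-of-infrastructure indicator and never reach the threshold.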


Relevance to Social Engineering Attacks

Device farms (physical locations where multiple laptops or phones are operated under separate fabricated identities) are a recognized infrastructure model for large-scale fraud, ghost employee operations, and social engineering at scale. The network signature of a farm is one of its most reliable betrayals: unlike hardware or behavioral signals that require device access, network co-location is visible to any observer of session metadata.

Key attack-related scenarios include:

  • Ghost employee and synthetic identity operations

    Organizations running large-scale fake employee placement, such as DPRK IT worker programs, operate many devices from centralized locations. Even when each device has a distinct hardware fingerprint and each identity has fabricated documentation, the shared network origin exposes the underlying infrastructure.

  • Help desk and verification farms

    Organized fraud groups running repeated social engineering attempts against a target organization may operate a pool of identities from a single location. Detection of shared origin connects otherwise unrelated incidents into a coordinated campaign.

  • Residential proxy bypass attempts

    Sophisticated operators may route some traffic through residential proxies to obscure the farm's IP, but behavioral patterns — such as consistent session timing, corroborating device signals, and identity clustering — often persist even when network routing is partially obfuscated.


Corroborating Signals

Co-located identities frequently appear alongside:

  • Remote Access & Control - Farm devices are almost always remotely operated; the same IP hosting many workers will often also show remote desktop artifacts on individual devices.

  • Anomalous Location - The shared IP location may conflict with HR or identity provider records for one or more of the identities.

  • Anomalous Device - Farm hardware tends toward commodity, identically provisioned devices that stand out against the varied personal equipment of genuine employees.


Notable Incidents and Threat Actors

  • DPRK IT Worker Operations (2022–present)

    North Korean state-sponsored groups have placed thousands of IT workers at companies globally using fabricated identities operated from centralized locations in China, Russia, and elsewhere. Network analysis revealing multiple claimed employees sharing residential IPs has been a key investigative signal in identifying these operations.

  • BPO-style fraud operations

    Business process outsourcing-style fraud centers operating across Southeast Asia and West Africa have been documented running dozens of simultaneous social engineering campaigns from single residential or small commercial addresses, with employee impersonation identities all routing through the same local network.