Had a hit recently from 82.23.125.61. The user-agent was
Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.4127.1908 Mobile Safari/537.36
This was flagged as robot / VPN (for at least a couple of reasons). The IP is ASN 812 - Rogers (huge cable-TV and cellular provider in Canada, equivalent to Comcast in the US). Spur IDs the IP as a VPN, but calls it a data-center. This is interesting. BGP lookup comes back with a prefix 82.23.125.0/24, registrant is "private customer". I throw the IP into Scamalytics, it says the IP is operated by "private customer". Geographical location Canada (Toronto). It also flags it as a VPN.
I do a traceroute to it.
The second-to-last hop is 66.220.47.65. I do a BGP lookup on that. It's still a Rogers IP, but the prefix registrant (66.220.47.0/24) is Eleven Holdings Limited.
WHOIS Record for 66.220.47.0
Created Jan 22, 2025
Updated Jan 22, 2025
Registrant Organization ELEVEN HOLDINGS LIMITED
Registrant Country or Region Hong Kong S.A.R. of China
Registrar Name ORG-EHL10-RIPE
So here's an example of a residential ISP (Rogers) renting some of their IPs for use by international (Chinese) VPN operators. Unsuspecting webmasters would think traffic from this IP was organic and originated in Toronto.
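
The manual comparison walked through above (ASN holder versus prefix registrant, registrant country, and record age) can be scripted. This is an added example, not code from the original post: the function names, the 365-day "recent" threshold, the substring comparison and the review date are assumptions, and the only real values are the ones quoted in the post.

```python
import ipaddress
from datetime import date, datetime

# Field labels as they appear in the WHOIS summary quoted in the post.
WHOIS_KEYS = ("Registrant Organization", "Registrant Country or Region",
              "Registrar Name", "Created", "Updated")

def parse_whois_summary(text):
    """Turn 'Label value' lines into a dict; unrecognized lines are skipped."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        for key in WHOIS_KEYS:
            if line.startswith(key):
                rec[key] = line[len(key):].strip(" :\t")
                break
    return rec

def leased_space_signals(ip, prefix, whois, asn_holder, expected_country,
                         today, recent_days=365):
    """List the reasons a prefix looks leased out by the ASN holder."""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(prefix):
        raise ValueError(f"{ip} is not inside {prefix}")
    reasons = []
    org = whois.get("Registrant Organization", "")
    if org and asn_holder.lower() not in org.lower():
        reasons.append(f"registrant '{org}' is not ASN holder '{asn_holder}'")
    country = whois.get("Registrant Country or Region", "")
    if country and expected_country.lower() not in country.lower():
        reasons.append(f"registrant country '{country}' is not '{expected_country}'")
    if "Created" in whois:
        age = (today - datetime.strptime(whois["Created"], "%b %d, %Y").date()).days
        if 0 <= age <= recent_days:
            reasons.append(f"prefix record is only {age} days old")
    return reasons

# WHOIS summary copied from the post; the review date below is constructed.
POST_WHOIS = """Created Jan 22, 2025
Updated Jan 22, 2025
Registrant Organization ELEVEN HOLDINGS LIMITED
Registrant Country or Region Hong Kong S.A.R. of China
Registrar Name ORG-EHL10-RIPE"""

def check_post_hop():
    return leased_space_signals("66.220.47.65", "66.220.47.0/24",
                                parse_whois_summary(POST_WHOIS), "Rogers",
                                "Canada", today=date(2025, 6, 1))

if __name__ == "__main__":
    print("\n".join(check_post_hop()))
```

All three signals fire for the hop in the post. A prefix whose registrant matches the ASN holder, in the expected country, with an old record returns an empty list.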