Geo-Cloaking

Definition

Geo-cloaking is when a merchant website serves different content depending on the visitor's IP or language preference. Typically, clean content goes to regulators and compliance scanners, while prohibited or high-risk content goes to target customers in other regions.

What geo-cloaking looks like in practice

Picture a merchant site that looks completely benign when a Kuala Lumpur compliance analyst visits from the office. The same URL, opened from a Jakarta residential IP, returns a totally different storefront, one selling a prohibited product category in Bahasa Indonesia. Opened again from a Bangkok IP, it returns a third variant in Thai. None of these variants ever reach the scanner in Kuala Lumpur, so none of them appear in the compliance report.

Geo-cloaking is the mechanical answer to one-region monitoring. As long as compliance scans run from a single location, the merchant only has to serve clean content to that location. What the rest of the regional audience sees stays hidden.

How cloaking is implemented

Cloaking logic can live in several places:

  • Server-side IP-based switching. The web server looks up the visitor's IP against a geolocation database and returns a different page depending on the country.
  • Language header switching. The server inspects the browser's Accept-Language header and serves content in the first language it matches.
  • Residential vs datacenter IP filtering. The server treats datacenter IPs as suspicious (probably a scanner) and serves sanitized content, while residential IPs get the real content.
  • Cloudflare / CDN rules. A rule at the CDN layer routes traffic from specific country codes to specific origin pools.

None of these techniques is illegal in itself. They are the same techniques used for legitimate localization. The abuse lies in using them to hide prohibited content from compliance visitors.

Multi-locale detection

The only reliable way to catch cloaking is to visit the same URL from multiple locales and compare what each visit returns. Kenal AURA runs scheduled scans from eight ASEAN-relevant locales (EN-MY, MS-MY, ZH-CN, TH-TH, VI-VN, ID-ID, EN-SG, EN-PH) through a residential-IP pool, hashes the returned content, and flags divergence. When the Jakarta locale returns a different hash than the Kuala Lumpur locale, the case is raised with both captures attached as evidence.
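The hash-and-compare step described above, as an added example that is not Kenal AURA's code: it hashes only the normalized visible text, so per-request nonces and whitespace do not raise false divergence. The function names and the captures are constructed for illustration, and fetching through a residential-IP pool is assumed to happen upstream.

```python
import hashlib
import re
from html.parser import HTMLParser


class VisibleText(HTMLParser):
    """Collect visible text; skip <script>/<style>, which often carry per-request tokens."""

    def __init__(self):
        super().__init__()
        self.skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)


def content_hash(html):
    """SHA-256 of the normalized visible text, so whitespace and nonces do not count."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", " ", " ".join(parser.chunks)).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def divergent_locales(captures, baseline):
    """Return the locales whose content hash differs from the baseline locale's."""
    hashes = {locale: content_hash(html) for locale, html in captures.items()}
    return sorted(loc for loc, h in hashes.items() if h != hashes[baseline])


# Constructed captures of one URL; real ones would come from the per-locale crawl.
CLEAN = "<html><head><script>var n='{}';</script></head><body><h1>Home Decor</h1>{}<p>Lamps and rugs.</p></body></html>"
CAPTURES = {
    "EN-MY": CLEAN.format("a81f", "\n  "),   # baseline: the compliance analyst's locale
    "EN-SG": CLEAN.format("77c2", ""),       # same page, different nonce and whitespace
    "ID-ID": "<html><body><h1>Storefront variant B</h1><p>placeholder</p></body></html>",
    "TH-TH": "<html><body><h1>Storefront variant C</h1><p>placeholder</p></body></html>",
}

if __name__ == "__main__":
    print(divergent_locales(CAPTURES, baseline="EN-MY"))
```

A legitimately translated page also hashes differently from the baseline, so a flagged locale is a cue to review the attached captures rather than a verdict on its own.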

Why cloaked sites also drift

A cloaked storefront selling a prohibited product almost always drifts away from the approved Merchant Category Code. The drift is silent in the approved locale, but it surfaces clearly once you compare against the locale the cloaked content was intended for. It is the pairing of locale-aware scanning and MCC-drift detection, not either technique alone, that catches sophisticated laundering schemes.

Frequently asked questions

How does geo-cloaking work technically?
The website inspects the visitor's IP address, browser language headers, or geolocation signals at request time and decides what HTML to return. A visitor from Malaysia sees one version, a visitor from the United States sees another, and an automated compliance scanner from a US-based datacenter sees a third.

Why do merchants do it?
To bypass compliance monitoring. A merchant operating a prohibited business can serve a clean storefront to any IP that looks like an auditor, acquirer, or card-scheme scanner, while still reaching their target customers in other regions. Geo-cloaking is a direct response to one-region-only monitoring.

How is geo-cloaking detected?
By crawling the same URL from multiple regional locales, hashing the returned content, and comparing hashes. Any locale whose content hash diverges is flagged. Kenal AURA scans from eight or more ASEAN-relevant locales and raises a divergence alert when the hashes do not match.

Is a VPN enough to detect geo-cloaking?
A VPN alone is not enough. Sophisticated cloaking also inspects browser language, timezone, residential-IP reputation, and header entropy. Effective detection runs from a real residential-IP pool across multiple locales and compares results across them, not from one VPN endpoint.

Kenal AURA is the merchant lifecycle risk operations platform for acquirers, PSPs, and fintechs across Malaysia and ASEAN.