Foreign Trump Accounts on X Exposed – but X Is Unable to Reliably Detect or Block Modern VPN Architectures. An Investigative Report

by Rainer Hofmann

November 26, 2025

Over the weekend, users on X were able to see for the first time where certain accounts are actually located – and the results left few people indifferent. Many of the loudest pro-Trump profiles, filled with U.S. flags, images from campaign rallies and patriotic slogans, do not originate from the United States at all. The new location display identifies them as users from South Asia, Africa or Eastern Europe. This includes names like “@TRUMP_ARMY” or “@MAGANationX,” accounts that had successfully presented themselves as American supporters. The disclosure hits precisely those accounts that have spent months spreading misleading claims – including the story that Democrats had bribed debate moderators. Research by NewsGuard shows that several of these supposedly “typical US pro-Trump accounts” may in reality be operated from abroad and reach hundreds of thousands of followers.

On Monday, we conducted a more in-depth analysis of the new location feature on X – and confirmed a technical behavior that has been well known in the IT security community for years: the platform is not able to reliably detect or block modern VPN architectures. This became especially clear when using CyberGhost, a service that uses so-called “shared exit nodes” and “layered routing” to obscure outgoing IP topology.

Visual Risk Matrix – Manipulation of the X Location Function Through VPN

| Risk | Description | Impact | Likelihood |
|---|---|---|---|
| VPN obfuscation | Accounts can mask their true location through VPN endpoints. Many providers use shared exit nodes. | High distortion of the location function, incorrect assignment of political clusters. | High |
| Routing through proxy providers | Automated routing through proxy infrastructures of ISPs often leads to incorrect region assignments. | Very high misclassification, especially in mobile networks. | Critical |
| Device spoofing | Manipulation of system localization, GPS feeds or system-level location services. | Moderate deviations, problematic for political profiles with high reach. | Medium |
| VPN rotation | Rapid switching of exit IPs increases the number of contradictory location signals. | Breaks identification chains and complicates attribution. | High |
| Carrier-grade NAT | Providers bundle thousands of users behind a single IP address. | Inaccurate location analysis, often technically caused, not intentional. | Medium |

Risk levels: Low, Medium, High, Critical
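The "VPN rotation" row can be turned into a detection check: flag accounts whose consecutive location observations imply an impossible travel speed. This is an added example, not code from X or from the original report; the event records, account names, country centroids and the 1000 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed, approximate country centroids (lat, lon); a real system would
# take coordinates or countries from its geo-IP database.
CENTROIDS = {"PL": (52.0, 19.0), "NG": (9.0, 8.0), "IN": (21.0, 78.0), "US": (39.0, -98.0)}

# Constructed sample observations: (account, ISO timestamp, geo-IP country).
EVENTS = [
    ("acct_a", "2025-11-24T10:00:00", "PL"),
    ("acct_a", "2025-11-24T10:00:30", "NG"),
    ("acct_a", "2025-11-24T10:02:00", "IN"),
    ("acct_b", "2025-11-24T09:00:00", "US"),
    ("acct_b", "2025-11-24T18:00:00", "US"),
    ("acct_c", "2025-11-23T08:00:00", "PL"),
    ("acct_c", "2025-11-24T08:00:00", "IN"),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def contradictory_signals(events, max_kmh=1000.0):
    """Return {account: number of transitions faster than max_kmh}."""
    flagged, last = {}, {}
    for account, ts, country in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if account in last:
            prev_when, prev_country = last[account]
            km = haversine_km(CENTROIDS[prev_country], CENTROIDS[country])
            # Clamp to one second so simultaneous observations do not divide by zero.
            hours = max((when - prev_when).total_seconds(), 1.0) / 3600.0
            if km / hours > max_kmh:
                flagged[account] = flagged.get(account, 0) + 1
        last[account] = (when, country)
    return flagged

if __name__ == "__main__":
    print(contradictory_signals(EVENTS))
```

A flag here means the displayed location is unreliable for that account; it does not establish where the account really is.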

We tested the location function simultaneously over tunneled connections, traffic shaping and modulated timing signatures – X detected virtually none of it. Even with simultaneous multi-hop routes across different AS registers, the system remained blind and misassigned the accounts.

X relies – as far as can be seen – on a combination of geo-IP assignments and network-level fingerprinting methods, including standard procedures such as ASN queries, forward-confirmed reverse DNS checks and heuristic assignments over known proxy networks. These methods are largely ineffective against the current generation of commercial VPNs. CyberGhost uses distributed gateways in high-performance data centers that are deliberately designed to operate in the same address blocks as major cloud providers. As a result, the outgoing connection is indistinguishable from a regular server connection for external systems – and this is precisely why X was unable to identify VPN use in any of our tests.

Even more advanced methods such as traffic timing analyses or TLS fingerprint comparisons offer no decisive advantage against CyberGhost’s architecture. The client uses changing cipher suites, proxy obfuscation and “packet shaping” that adjusts traffic so that it blends into typical mobile or home networks. These camouflage mechanisms were originally developed to circumvent network restrictions in authoritarian states – but have a side effect: platforms like X simply see the VPN user as a normal client.

The result of our tests is clear: the new location function reliably shows real locations – as long as the user is unprotected. But as soon as a well-configured VPN is involved, the origin can be faked within milliseconds. Anyone who wants to can appear in Warsaw with one click, in Lagos a second later, then in New Delhi or Buenos Aires.

Infobox – How X Actually Determines Location

Which data X uses:
  • Geo-IP databases (MaxMind, IP2Location, Digital Element)
  • ASN queries to identify providers and networks
  • Reverse DNS checks
  • Heuristic proxy and hosting lists
  • Basic browser fingerprinting

What X does not detect:
  • Modern VPN architectures and multi-hop routing
  • Cloud-based exit nodes
  • Carrier-grade NAT on mobile and fiber networks
  • Traffic obfuscation and disguised TLS profiles

Consequence:
  • The location feature only provides reliable data when no VPN is used.
  • With a VPN, any location can be spoofed within seconds.
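How the listed signals (geo-IP country, ASN type, forward-confirmed reverse DNS) combine into a confidence rating for a displayed location, as an added example that is not X's implementation or code from the original report. The prefix table, DNS records, private-use ASNs and function names are constructed for illustration so the block runs offline.

```python
import ipaddress

# Constructed sample data (documentation address ranges, private-use ASNs).
# A real deployment would query a geo-IP/ASN database and live DNS instead.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500, "hosting", "NL"),
    (ipaddress.ip_network("203.0.113.0/24"), 64501, "access", "PL"),
]
PTR = {"198.51.100.7": "node7.cloud.example",
       "203.0.113.9": "dsl-9.isp.example",
       "203.0.113.50": "mail.spoofed.example"}
A = {"node7.cloud.example": {"198.51.100.7"},
     "dsl-9.isp.example": {"203.0.113.9"},
     "mail.spoofed.example": {"192.0.2.1"}}

def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, set())

def lookup_asn(ip):
    """Return (asn, network kind, country) for the covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn, kind, country in ASN_TABLE:
        if addr in net:
            return asn, kind, country
    return None

def assess_location(ip):
    """Return (country, confidence, reasons) for the location a geo-IP lookup would show."""
    hit = lookup_asn(ip)
    if hit is None:
        return None, "none", ["no geo-IP/ASN record"]
    asn, kind, country = hit
    confidence, reasons = "high", []
    if kind == "hosting":
        # The country is that of the data center; the signal cannot tell a
        # VPN exit from any other server in the same address block.
        confidence = "low"
        reasons.append(f"AS{asn} is a hosting network: server, proxy or VPN exit")
    if not fcrdns(ip):
        if confidence == "high":
            confidence = "medium"
        reasons.append("reverse DNS is not forward-confirmed")
    return country, confidence, reasons
```

An address in an access network with clean reverse DNS rates "high" whatever sits behind it, so the rating is a statement about the network path, not about the user.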

The platform occasionally displays warnings that data may be “inaccurate,” but this is not a technical countermeasure – it is an admission. As long as X relies on classic geo-IP detection while VPN providers operate with cloud clusters and obscured exit structures, the feature remains a tool for transparency – but not for verification.

Put simply: anyone who wants to hide their trace can still do so without much effort. And that explains why a wave of supposedly “American” pro-Trump accounts suddenly appears as users from South Africa, Pakistan or Eastern Europe – and could just as easily pretend the opposite.

X product chief Nikita Bier explained that the new feature is intended to allow users to view an account’s origin by clicking on its signup date. But even X acknowledges that VPNs or automatic provider proxies can cause inaccuracies. On some accounts, the platform already displays warnings that the data may be unreliable. Still, the first discoveries reveal a large network of profiles presenting themselves as dedicated Trump supporters but operated far from the United States. A particularly striking case is “@BarronTNews_,” which claims to be located in “Mar-a-Lago,” yet is labeled “Eastern Europe (Non-EU).” The location function only applies to verified accounts – meaning checkmark accounts, paid individual profiles, organizations and brands. Normal users without checkmarks, protected accounts and older verified profiles from the “legacy” era currently remain invisible. In our tests, all paid verified profiles on X were correctly read, while unverified profiles consistently showed no location data.

In discussions on X, the feature is already fiercely contested. Some welcome the transparency, others call it an invasion of privacy. One thing, however, has become unmistakably clear: part of the political barrage on X does not come from American living rooms, but from users who neither vote in the country nor live with the consequences of its debates. For U.S. politics, this marks a new dimension – because suddenly it becomes visible how much influence foreign actors truly have on the daily digital noise surrounding Trump.

5 Comments
Observer
20 hours ago

The internet in its current form has no chance of survival. X, Facebook, Instagram, etc. are on their way out.

Fabrice
20 hours ago

Finally someone who explains everything properly. A big thank you to you for this great analysis. In Germany you read practically nothing about this.

Sibylle
8 hours ago

Thanks for all the good information 😍
