If any intelligent hacker is going to be using a residential proxy, assumedly from the victim's approximate location, what is the use of flagging VPN users who are using datacenter IP addresses?
That's the thing - most hackers are lazy and will just use some regular proxy or a VPN.