There's another option, albeit a more tedious one. Since you have a unique situations users on your platform all using the same VPN, one thing you can do is put together a list of footprints that malicious users have in common.
For example, on the last forum I worked on, we had a similar situation where IP detection was unreliable because of how many people used the same VPN. Since part of my job was to investigate these issues and come with solutions for them, I started looking into the other footprints and making a list of them.
For example, in the case of spam networks that shared the same VPN, I often noticed that they had the following in common:
- They used the same avatars
- They used the same link in their homepage URL field
- They often started their posts off with the same messages
Based on this, the easiest thing to do was to identify the spam network based on the homepage URL field since no genuine users would link to that spam site.
After coming up with a manual solution, it was then easy to come up with an automated solution to dealing with this issue that wouldn't affect genuine users.
Going back to your case specifically, if you manage to identify the bad actors on your forum, you can either look into seeing Xenforo has a built-in feature for dealing with that (just keep resource management in mind), finding a plugin that has the solution you're looking for, or creating a custom plugin that does what you need it to do.
