Geo velocity is when an account shows login activity from two locations that are geographically impossible to travel between in the time elapsed. If a user logs in from Lagos at 9:00 AM and from London at 9:05 AM, that account has almost certainly been compromised.
Think of it this way
If your employee's ID badge was swiped into your Lagos office at 9 AM and then into your London office five minutes later, you would immediately know someone else is using that badge. Geo velocity flags exactly this kind of physical impossibility in your login data.
After stealing credentials through phishing or a breach, an attacker logs in from their location (often a different country) while the real user is also actively using the account. The two simultaneous sessions from geographically distant IPs create an impossible travel pattern. Attackers sometimes use VPNs, but the timing and distance between locations still reveals the inconsistency.
Scenario 1
A customer in Abuja is using their mobile banking app when an attacker (using credentials bought on the dark web) logs in from Romania. Within 3 minutes, the attacker initiates a wire transfer. The real user notices their balance drop while still in-app.
Scenario 2
A company's employee account is used by a remote attacker who logs in from Eastern Europe at the same time the employee is working from their Nairobi home. The attacker exports 6 months of customer data before the session is revoked.
Anomira calculates the distance between successive login locations and compares it to the time elapsed. If the implied travel speed exceeds a physical threshold (typically 900 km/h, the speed of a commercial aircraft), it fires a geo velocity alert with high confidence.
See this attack in your live API traffic
Anomira detects geo velocity attack automatically — no configuration needed.