I would -guess- that currently it's based on a number of factors with different weighting. So an account that uses a VPN will get a certain amount of weight in the algorithm - possibly depending on whether it's a reputable VPN or not - but it's not the sole factor. More important would be frequency of original content vs. comments and retweets, presence of repeated memes, times active (24 hour posting schedule likely a bot), speed of reaction when retweeting/commenting (consistently very rapid replies), and association with flagged bot accounts (part of the same net).

It might depend on which VPN. There are lots of quite reputable companies running them. I use Cloudflare's free 18.104.22.168 VPN+optimization service on my phone - and they will soon be rolling that out for desktops. I suspect it will become increasingly common over the next few years - similar to the gradual adoption of HTTPS.
It might be hard to tell though - they could just be doing partial shadow-blocks on Tor accounts, or similar.
Each box that it ticks contributes a certain amount of points, and once it hits a determined level you say it's a bot - possibly with a grey-area section where it's flagged for deeper manual review.
I'm not a tech guy but it's how -I'd- tackle the issue if you asked me to detect bots.
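Added illustration, not part of the original post and not any platform's actual method: a minimal weighted-scoring classifier using the factors listed above, with a grey band that routes to manual review. The weights, cut-offs, field names and sample accounts are all assumptions constructed for the example.

```python
from statistics import median

# Hypothetical weights and cut-offs; real values would be tuned on labelled data.
WEIGHTS = {"vpn_reputable": 0.5, "vpn_unknown": 1.5, "low_original": 2.0,
           "repeated_content": 2.0, "round_the_clock": 3.0,
           "rapid_replies": 3.0, "flagged_links": 4.0}
REVIEW_AT, BOT_AT = 5.0, 9.0

def signals(acct):
    """Reduce raw activity to the yes/no boxes listed in the post."""
    posts = acct["posts"]
    hit = {"vpn_reputable": acct["vpn"] == "reputable",
           "vpn_unknown": acct["vpn"] == "unknown",
           "flagged_links": acct["flagged_neighbours"] >= 3}
    if not posts:  # no activity yet: nothing behavioural to score
        return hit
    delays = [p["delay_s"] for p in posts if p["delay_s"] is not None]
    hit.update({
        "low_original": sum(p["original"] for p in posts) / len(posts) < 0.2,
        "repeated_content": len({p["text"] for p in posts}) / len(posts) < 0.5,
        "round_the_clock": len({p["hour"] for p in posts}) >= 20,
        "rapid_replies": bool(delays) and median(delays) < 5,
    })
    return hit

def classify(acct):
    """Return (score, verdict); the middle band goes to manual review."""
    score = sum(WEIGHTS[name] for name, on in signals(acct).items() if on)
    if score >= BOT_AT:
        return score, "bot"
    return score, "review" if score >= REVIEW_AT else "ok"

def post(hour, text, original=False, delay_s=None):
    return {"hour": hour, "text": text, "original": original, "delay_s": delay_s}

# Constructed sample accounts, not real data.
HUMAN = {"vpn": "reputable", "flagged_neighbours": 0, "posts":
         [post(h, f"note {h}", original=True) for h in (8, 9, 12, 18, 19, 21)]
         + [post(20, "reply", delay_s=240), post(22, "agree", delay_s=90)]}
GREY = {"vpn": "unknown", "flagged_neighbours": 3, "posts":
        [post(8, "own post", original=True)]
        + [post(9 + i % 4, f"rt {i}", delay_s=60) for i in range(9)]}
BOT = {"vpn": "unknown", "flagged_neighbours": 5, "posts":
       [post(h, "same meme", delay_s=2) for h in range(24)]}

if __name__ == "__main__":
    for name, acct in (("human", HUMAN), ("grey", GREY), ("bot", BOT)):
        print(name, classify(acct))
```

The VPN signal alone never crosses either threshold here, which matches the post's point that it is one weighted factor rather than the deciding one.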