There has been a prolific rise in the popularity of cloud storage in recent years. While cloud storage offers many advantages such as flexibility and convenience, users are now unable to tell or control the actual locations of their data. This limitation may affect users’ confidence and trust in the storage provider, or even be unsuitable for storing data with strict location requirements. To address this issue, we propose an illegal file transfer detection framework that constantly monitors the real-time file transfers in the cloud and is capable of detecting potential illegal transfers which moves sensitive data outside the (“legal”) boundaries specified by the file owner. The main idea is to classifying multiple users’ location preferences when making the data storage arrangement in the cloud nodes. We model the legal file transfers among nodes as a weighted graph and then maximize the probability of storing data items of similar privacy preferences in the same region. Then we leverage the socket monitoring functions provided by LAST-HDFS (a recent location-aware Hadoop file storage system) to monitor the real-time communication among cloud nodes. Based on our legal file transfer graph and the detected communication, we propose an approach to calculate the probability of the detected transfer to be illegal. We have implemented our proposed framework and our experimental results indicate that our approach is able to detect much more illegal file transfers than the state of the art.