Overview of the attack

This scraping attack exhibited a distinct three-phase pattern, as seen on the graph below (Figure 1). It started on March 3rd with an initial spike on March 5th, transitioned into a sustained high-volume assault from March 5-9th, peaking at 1.35 million blocked requests every two hours, then gradually declined from March 9-15th before stopping abruptly. 

Figure 1: Number of malicious requests blocked per 2-hour window

This pattern suggests the attackers tested detection thresholds early, scaled to maximum capacity mid-campaign, then kept at it consistently for days.

At this scale, even partial success would have yielded millions of scraped business listings, user reviews, and rating data worth substantial sums on secondary markets, as this data represents significant commercial value to the review platform’s competitors. 

Attack infrastructure and distribution

The attack leveraged geographically diverse proxy infrastructure spanning commercial hosting and residential broadband networks.

Five autonomous systems accounted for all malicious traffic:

• AS13213: THG Hosting Limited (54.25%), a UK-based hosting provider
• AS262287: Latitude.sh LTDA (17.18%), a Brazilian hosting and data center provider, also known as Maxihost
• AS20001: Charter Communications Inc. (13.54%), a major US cable/broadband ISP (Spectrum)
• AS396356: Latitude.sh (10.34%), Latitude.sh US operations
• AS11404: Wave Broadband (4.69%), a US-based cable and internet service provider

While the top two ASNs are registered in the United Kingdom and Brazil, the vast majority of their active network infrastructure and IP allocations are physically located in the United States.

This infrastructure mix is deliberate. Hosting providers offer speed and scale, while residential ISPs provide IP addresses that appear legitimate and are harder to block without risking false positives against real users.

How was the attack detected & blocked?

DataDome’s intent-based detection engine blocked all 80 million malicious requests throughout the 13-day campaign by identifying multiple threat markers that indicated malicious automated scraping activity rather than legitimate user traffic. 

Primary threat markers

Three primary detection signals provided the strongest evidence of malicious automated activity: 

• Inconsistent browser profile: As the attack’s predominant threat marker, the attackers attempted to impersonate legitimate browsers but failed to maintain consistent browser fingerprints across sessions.
• Server-side fingerprints: A substantial portion of the blocked traffic presented server-side characteristics inconsistent with claimed client environments, suggesting the use of headless browsers or automation frameworks.
• Device and session anomalies: Inconsistent device attributes and unlikely session sequences indicate that the attack leveraged a distributed infrastructure with poor session management.

Secondary threat markers

Multiple secondary indicators reinforced the automated nature of the campaign:

• Identity spoofing: User-agent and geolocation inconsistencies suggest the attackers attempted to evade detection through header manipulation and geographic distribution.
• Proxy infrastructure: Significant anonymity proxy usage indicates attempts to obscure attack origins.
• Anti-detection measures: Forged headers and cookies demonstrated the attackers’ active efforts to bypass security controls.
• Challenge-solving capabilities: The presence of automated challenge-solving indicated a moderately sophisticated operation willing to invest in evasion capabilities.

Overall, the attack demonstrated intermediate-to-advanced characteristics, including distributed infrastructure, multiple evasion techniques, and challenge-solving capabilities. 

However, the prevalence of consistency failures across browser, device, and session attributes suggested the attackers prioritized volume over stealth, likely relying on legitimate-looking but poorly implemented automation tools.

Protect your website from scraping attacks with DataDome

This attack demonstrates what modern scraping operations look like: 855,000 IPs across hosting and residential networks, intermediate evasion techniques, and 13 days of sustained pressure. Traditional defenses like IP blocking and rate limiting can’t keep up.

For example, before DataDome, Coop, a major Swiss e-commerce brand, was facing a heavy load on its servers due to scraping bots that significantly slowed page loading times: 

“Our IT teams were burdened with the manual task of analyzing traffic to identify and block bad IP addresses, which was time-consuming and inefficient, as blocking an IP only provided temporary relief before bots would reappear using new addresses,” said Tobias Schläpfer, Web Applications Developer & Manager of Bot Protection at Coop. 

After adding DataDome to its tech stack, Coop saw immediate improvements: 25% of the traffic—due to bad bot activity—disappeared, allowing web pages to load faster and improving the site’s SEO performance.

DataDome’s detection engine analyzes 5 trillion signals daily across thousands of AI models, stopping malicious bot and AI agent traffic at the edge to prevent attackers from causing damage to your business. 

If your platform faces similar scraping threats, book a demo to see how DataDome can protect your websites, apps, and APIs without adding friction for legitimate users.