A scraper ran on our network for 6 days using 194 different Tencent Cloud IPs. Every request carried a fake iPhone User-Agent (iOS 13.2.3 from 2019). It never read robots.txt. It never identified itself. It averaged 1.8 requests per IP -- staying below every rate limiter, every WAF rule, every IP-based detection system.
In your analytics, this looks like 194 different people casually browsing on iPhones. No alert. No anomaly. Nothing to investigate.
The numbers:
- 194 unique IPs (all ASN 132203, Tencent Cloud)
- 362 requests over 6 days
- Fake iPhone UA (iOS 13.2.3 -- released November 2019)
- 1.8 hits per IP average (evades all IP-based detection)
- Never read robots.txt
- Hit paths across entire site including /es/, /de/, /fr/, /no/, /zh/
- All datacenter IPs -- no real iPhone connects from a datacenter
What this means:
If you run e-commerce, it has your prices. If you run media, it has your content. If you run SaaS, it mapped your app. And you never saw it because every request looked like a real user.
We caught it by measuring behavioral conduct -- not counting IPs.
Full forensic breakdown: https://botconduct.org/report/april-2026/part-2/
Part 2 of the State of Bot Conduct series. Part 1: https://botconduct.org/report/april-2026/part-1/
BotConduct.org -- Behavioral scoring for bots and AI agents.
Top comments (0)