DEV Community: wishdo.io

How we handled a coordinated scraper botnet and moved to wishdo.io

wishdo.io — Wed, 08 Apr 2026 13:56:45 +0000

Building and scaling a platform transparently is a great way to engage the community, but it also exposes your infrastructure to targeted attacks. Recently, our team at wishdo.io (formerly cadou.me) went through a 5-stage negative SEO and scraping campaign that forced us to overhaul our security and migrate our entire domain.

Here is the technical breakdown of the attack and our mitigation strategy.

The attack vectors

1. Malicious 301 redirect injection
The campaign started with a domain-level attack. An external site, admngrsgames.com, pointed a permanent 301 redirect to our root. The referring domain was saturated with thousands of low-quality, toxic backlinks. The intent was to poison our link profile and trigger a manual action from Google.

2. Distributed scraping via Tencent AS139341
Our monitoring picked up a massive scraping operation. We identified over 1,400 unique IPs originating from Tencent/Aceville infrastructure.

Behavior: Systematic traversal of 247 categories across 27 languages.
Fingerprinting: Spoofed Chrome headers (20+ versions) and complete disregard for robots.txt (specifically paths like /livewire-).
Rate: Approximately 1 request per IP every 3 hours to avoid simple threshold-based rate limiting.

3. Traffic fraud and referrer pollution
Attackers used fake Referer: https://admngrsgames.com/ headers to flood our analytics. Technical analysis revealed affiliate parameters (psystem=pw, traffictarget=reseller) used to monetize the scraped traffic through a secondary network of "doorway" sites under the ".games" brand.

The technical response

We implemented a multi-layered defense to regain control of our infrastructure.

Cloudflare custom rules

Instead of blocking individual IPs, we used Cloudflare’s expression engine to block entire ASNs and specific bot patterns.

(ip.src in {43.128.0.0/11 43.160.0.0/11 101.32.0.0/14 ...} or http.request.uri.path contains "lazy-") and not cf.client.bot

This allowed us to drop malicious traffic at the edge before it ever reached our origin, significantly reducing server load.

Infrastructure reports

We filed forensic evidence with abuse departments:

GoDaddy: Reported the redirecting domain.
Tencent/Aceville: Provided logs of coordinated scraping from AS139341.
Cloudflare: Reported the downstream ".games" network using their CDN for content redistribution.

The decision to migrate

While the technical defense was successful, the SEO impact on the original domain was significant. We decided to migrate to wishdo.io for three reasons:

Clean link profile: Moving to a new domain allowed us to shed the toxic backlinks inherited from the 301 redirect.
Global TLD: The .io extension better fits our roadmap for AI-driven features on a global scale.
Zero-trust architecture: We used the migration as an opportunity to implement stricter rate limiting and signature-based request validation from day one.

Takeaways for developers

Monitor raw logs: Tools like GA4 won't show you the technical nature of a scraper botnet. You need raw access logs and ASN-level data.
Leverage edge computing: Blocking at the application level (Nginx/PHP) is too late during a high-volume attack. Move your firewall rules to the edge (Cloudflare/Fastly).
Don't fear the migration: If your domain is strategically compromised by negative SEO, a clean move can be faster than waiting for search engines to recalibrate.

We are now fully operational at wishdo.io. The attack was a massive stress test, but it ultimately led us to build a more resilient, scalable infrastructure.

Have you faced similar coordinated attacks? Let's discuss mitigation strategies in the comments.

Why wishdo.io doesn’t have a mobile app (and why users prefer it that way)

wishdo.io — Fri, 03 Apr 2026 18:42:33 +0000

Most wishlist tools follow the same playbook:

download an app, create an account, allow notifications, and then – maybe – you can share a list.

But when we looked at what users actually struggle with, a few patterns stood out:

They don’t want another app on their phone.
They want to add items from any store, not just Amazon.
And they lose the element of surprise when someone buys a gift from a shared list.

So we built wishdo.io differently.

The problem with “app‑first” wishlists

Existing solutions often feel heavy.

You’re forced to install something, sign up with an email, and then convince your friends to do the same. By the time everyone is onboard, the friction kills the use case.

Also, most wishlists are closed ecosystems.

Amazon’s wishlist works – but only if everyone shops on Amazon. They don’t.

Other apps limit you to their own catalogs or require manual entry for every item.

And one more thing: no surprise.

When you share a traditional wishlist, everyone sees who reserved what. The gift is spoiled before it’s even wrapped.

How wishdo.io solves these three problems

We designed wishdo.io as a browser‑first online wishlist. No installation. No app store. Just a link you can share anywhere.

1. Works without an app

Open wishdo.io in any browser – desktop, mobile, tablet. Create a wishlist in under ten seconds. Share the link. That’s it.

Most users we talked to preferred not installing an app for something they use occasionally. This turned out to be useful in practice – non‑tech users (grandparents, friends who hate new apps) can open it without any hurdles.

2. Add from any online store

Paste a product URL from Etsy, eBay, Shopify, or a local boutique. wishdo.io automatically pulls the title, image, and price. No manual copying.

No lock‑in to a single marketplace. If it’s sold online, it belongs on your wishlist.

3. Surprise mode (arguably the most interesting part)

When someone wants to buy you a gift from your list, they click “reserve”. The item becomes locked so nobody else buys the same thing. But the buyer stays anonymous until the gift is delivered.

The surprise is preserved. No more “oh, I see you bought me the blue sweater”.

It feels closer to a real gift exchange than a transaction log.

What about discovery? Users don’t always know what they want

Another observation: people often create a wishlist and then… stare at an empty page. They don’t know what to add.

So we added curated collections, articles, and themed storefronts.

You can browse gift ideas by category or see popular items – it helps when users don’t know what to add yet. Nothing fancy, just practical navigation.

Under the hood (for the dev.to audience)

We kept the tech simple on purpose:

URL parsing – fetches Open Graph and schema data from product pages. Fallback to page title + main image.
Reservation system – database locking per user per item. Anonymous until marked “purchased & delivered”.
No WebSockets – polling for reservations. Lower complexity, and for a wishlist it’s fast enough. Polling instead of WebSockets keeps things simple, but it does mean short delays in edge cases (e.g., two people reserving the same item within a second). We accept that trade‑off.

Stack: Node.js + Postgres on a basic VPS. Handles hundreds of active lists without issues.

Why no mobile app yet?

We get this question sometimes. “When will you launch on iOS and Android?”

The honest answer: not until it solves a real problem.

Adding an app creates friction – installation, permissions, updates. A browser‑based create wishlist tool is instantly accessible. No “download our app” popup. No broken links.

If the web version reaches 10k daily active users, we’ll consider a PWA. For now, the web‑first approach seems to match what users actually prefer.

Monetization without ruining the experience

wishdo.io is free for all core features.

We run small affiliate links on curated collections – if someone buys through a recommendation, we earn a tiny commission. No ads, no paywalls.

Premium features (custom domains, analytics for power users) may come later, but creating and sharing a wishlist will stay free.

Try it if you’re curious

You can check it out at wishdo.io if you want to see how it works.

Feedback or feature requests? Comments are open – we’re actively improving it.

P.S. “wishdo.io” means “Wish & Do”. That’s the whole idea.

Which wishlist services do you use? I tested a bunch and ended up with cadou.me

wishdo.io — Fri, 03 Apr 2026 17:55:22 +0000

Which wishlist services do you use? I tested a bunch and ended up with cadou.me

I've always had a love–hate relationship with wishlists.

On one hand, it's great to have a place to dump things I want to buy later. On the other hand, most wishlist tools feel… lifeless. Just a boring grid of links and prices.

So a few months ago, I went on a small quest. I tested Listful, Amazon Wishlist, Giftster, and a couple of others. And yeah, I ended up sticking with cadou.me. Not because it's perfect (nothing is), but because it solves a few things that others ignore.

Here's my honest breakdown.

What I tried first

Listful – clean, minimal, works like "Notion for wishlists". You add items, share the list, done. Mobile-first. Great for quick onboarding. But after a while, it felt… shallow. No discovery, no inspiration. Just a database.
Amazon Wishlist – classic, but locked inside Amazon's ecosystem. And let's be real – half the stuff I want isn't even on Amazon anymore.
Giftster – good for families and group gifting. But it's rigid. You can't really browse or explore. You just assign items to people.

All of them missed one thing: discovery.

Then I found cadou.me

cadou.me isn't just a wishlist. It's more like a hybrid:

wishlist + gift ideas + curated collections + articles + a small storefront.

Sounds like a lot? Yeah, but it actually works.

1. Discovery is built in – not an afterthought

On Listful, you add an item and share a link. That's it.

On cadou.me, I can browse themed collections, see what others are saving, and even stumble on gift ideas I hadn't thought of.

It's closer to Pinterest than to a spreadsheet.

2. It helps with the "what to gift?" problem

Big one for me. I suck at choosing gifts for friends.

With cadou.me, I don't have to jump between five sites. I can look at curated lists, read short articles, and get actual inspiration.

That alone made me switch.

3. SEO and external reach – surprisingly useful

I didn't expect this, but cadou.me gets organic traffic from Google and Telegram. My wishlist isn't just a private note – it can actually help someone else find a gift idea.

And if you're into affiliate links, there's potential to earn something on the side. Not the main reason I use it, but nice to have.

4. Flexibility: lists, articles, storefronts

You can create a simple wishlist. Or you can build a themed storefront. Or write a short article about why you love certain products.

It doesn't force you into one mode. That's rare.

So where does cadou.me shine?

If you just want a fast, simple wishlist – Listful is fine. No hate.

But if you want:

to discover new gift ideas
to create a wishlist online that's actually fun to browse
to share curated collections with friends or followers

then cadou.me wins.

And yeah, it's great for those searching "create wishlist" tools – because it gives you way more than just a list.

Bottom line

Don't use cadou.me if you only need a barebones checklist.

Use it if you want inspiration, flexibility, and a wishlist that doesn't feel dead.

I'm sticking with it.

Try it yourself: cadou.me – especially if you're tired of boring wishlists.

P.S. If you know another underrated wishlist tool, drop it in the comments. I'm still curious.