# Four Fake Bingbots Walk Into a Threat Intel API

Mar 14 (Updated: Apr 25)


**Author:** Patrick Duggan (with Claude Code)

**Series:** Hall of Shame



## The Setup



Pi Day. 11 PM. We're reviewing live Cloudflare traffic after a 16-deploy marathon when four IP addresses catch our eye.


| IP | Requests | Location |
|---|---|---|
| 108.74.132.56 | 2,800 | Tupelo, Mississippi |
| 108.219.97.19 | 1,160 | Titusville, Florida |
| 85.214.129.202 | 1,030 | Berlin, Germany |
| 89.117.104.18 | ~500 | Frankfurt, Germany |


5,500 requests. All hitting our threat enrichment endpoints: `/enrich/ip/`, `/block/`, `/v1/otx/enrich/ip/`. Feeding us IP addresses and scraping back our enrichment results.


All four claiming to be the same thing:





## The Problem



They're not Bing.


Real bingbot resolves to `*.search.msn.com`. These resolve to:





AT&T residential broadband in Mississippi and Florida. A Strato dedicated server in Berlin. A Cyberzone VPS in Frankfurt with no reverse DNS at all.


Zero of these are Microsoft. Zero are Bing. They're spoofing the bingbot User-Agent to bypass bot detection while bulk-scraping our threat intelligence enrichment API.


## What They Were Doing



Feeding us IPs and harvesting the enrichment:





They're building their own threat intelligence database using our enrichment as a free backend. Feed us an IP, get back our AbuseIPDB scores, VirusTotal detections, ASN data, geolocation, and threat classification. 5,500 times. For free. While pretending to be Bing.


The `/block/` endpoint hit is particularly cute — one of the scrapers checked whether WE had blocked THEM. We hadn't. We have now.


## The Two-Country Pattern



This is a coordinated operation:


- **Germany (Berlin + Frankfurt)**: The infrastructure. A Strato dedicated server and a Cyberzone VPS. This is where the scraping scripts run. Automated. Persistent.

- **United States (Mississippi + Florida)**: Either residential proxy exits or the operator's actual home connections. The AT&T broadband IPs add "legitimacy" to the traffic — residential IPs are harder to block than datacenter IPs.


Running the same operation from two countries, four IPs, one spoofed User-Agent. Just enough distribution to avoid rate limits. Not enough to avoid pattern recognition.


## How We Caught Them



We were reading live Cloudflare traffic at 11 PM on Pi Day — after 16 deploys, a blog post, a Bluesky campaign, a customer welcome system, an ops dashboard, a Node.js upgrade, an AIPM 2.0 launch, and a Zscaler-blocking-our-own-customer incident.


The traffic volume stood out. The fake bingbot UA confirmed it. Reverse DNS settled it in 4 seconds.


Verification command anyone can run:





If it doesn't resolve to `*.search.msn.com`, it's not Bing. Period.
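The same check, scripted, as an added example (not the post's own tooling): it walks request records, picks out clients whose User-Agent claims bingbot, reverse-resolves each, and additionally forward-confirms the PTR name back to the IP, since anyone who controls a reverse zone can publish a `*.search.msn.com`-looking PTR. The DNS answers, the RFC 5737 addresses and the request records are constructed; `system_resolver` does real lookups when you pass it your own log data.

```python
import socket
from collections import Counter

BING_SUFFIX = ".search.msn.com"  # genuine bingbot reverse-resolves into this zone

def system_resolver(ip):
    """Reverse-resolve ip, then forward-resolve the PTR name; (None, []) on failure."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
        return ptr, socket.gethostbyname_ex(ptr)[2]
    except (socket.herror, socket.gaierror):
        return None, []

# Constructed DNS answers on RFC 5737 documentation addresses, so the demo runs offline.
FAKE_DNS = {
    "203.0.113.10": ("static-203-0-113-10.example-host.net", ["203.0.113.10"]),  # hosting VPS
    "198.51.100.77": (None, []),                                                 # no reverse DNS
    "192.0.2.33": ("msnbot-192-0-2-33.search.msn.com", ["192.0.2.33"]),          # genuine bingbot
    "192.0.2.34": ("msnbot-192-0-2-34.search.msn.com", ["192.0.2.99"]),          # PTR fails forward check
}

def fake_resolver(ip):
    return FAKE_DNS.get(ip, (None, []))

def verify_bingbot(ip, resolver=system_resolver):
    """True only if the PTR is under *.search.msn.com AND that name resolves back to ip."""
    ptr, forward_ips = resolver(ip)
    if not ptr or not ptr.lower().endswith(BING_SUFFIX):
        return False, ptr
    return ip in forward_ips, ptr

def find_fake_bingbots(requests, resolver=system_resolver):
    """Map each IP that claims bingbot in its User-Agent but fails verification to its count and PTR."""
    counts = Counter(ip for ip, ua, _ in requests if "bingbot" in ua.lower())
    fakes = {}
    for ip, n in counts.items():
        genuine, ptr = verify_bingbot(ip, resolver)
        if not genuine:
            fakes[ip] = {"requests": n, "ptr": ptr}
    return fakes

# Constructed request records (client IP, User-Agent, path), not real log data.
BINGBOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
SAMPLE_REQUESTS = [
    ("203.0.113.10", BINGBOT_UA, "/enrich/ip/203.0.113.99"),
    ("203.0.113.10", BINGBOT_UA, "/block/"),
    ("198.51.100.77", BINGBOT_UA, "/v1/otx/enrich/ip/203.0.113.98"),
    ("192.0.2.33", BINGBOT_UA, "/"),
    ("192.0.2.34", BINGBOT_UA, "/enrich/ip/203.0.113.97"),
    ("192.0.2.40", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "/enrich/ip/203.0.113.96"),
]
```

`find_fake_bingbots(SAMPLE_REQUESTS, fake_resolver)` flags the hosting VPS, the address with no reverse DNS, and the address whose PTR does not forward-confirm, and leaves the genuine bingbot alone.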


## The Verdict



**Blocked.** All four IPs added to our Cloudflare blocklist.


**Indexed.** All four enrichment-scraping patterns added to our behavioral detection.


**Published.** You're reading this.


To the operator: you had 5,500 free enrichment queries. That's over. Register for an API key like everyone else. Free tier gets you 500 queries a day, legitimately, without pretending to be a search engine.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →


Or keep scraping and we'll keep publishing your IPs, your ISPs, your hosting providers, and your residential broadband addresses in blog posts that rank on Google.


Your call.




## The Pi Day Tally



This was the 17th notable event on Pi Day 2026. In order:


1. Traffic report sweep

2. 23 IOCs indexed (CL-STA-1087)

3. Bluesky engagement blitz

4. AIPM conversion fixes shipped

5. Blog post #685 published

6. LinkedIn post

7. Console errors fixed

8. Node 20→22 + undici patched

9. Customer welcome system built and deployed

10. Ops dashboard built and deployed

11. AIPM 2.0 (competitive comparison, fix code, delta tracking)

12. LD-JSON @graph consolidated across 3 properties

13. Markov page ELI5'd

14. Trust signals from AI council encoded

15. Zscaler blocking our customer fixed (+ patent discovered)

16. Ops dashboard moved behind auth

17. Four fake bingbots caught and blocked


Not bad for a Friday.




*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
