Security
A botnet sweeps the web wearing the costumes of two dozen AI crawlers, hunting for exposed secrets: a stray .env, a readable .git, a downloadable database backup. You can run the exact list against your own site, then read the forensic picture from the sites Trakkr tracks.
Anyone can type “GPTBot” into a user-agent header. A botnet does, to slip past the bot rules sites grant AI crawlers, and because the whole industry decides who is crawling from that string alone, the forged traffic gets counted as real AI activity. Here is the picture from the sites Trakkr tracks.
One address, many disguises
A single machine claiming to be a fan of rival AI crawlers at once. They are competing companies that never share an IP, so this can only be forgery.
One machine, claiming OpenAI · Anthropic · Perplexity · Common Crawl · Amazon · ByteDance · Apple and 1 more: 8 rival companies that never share an address.
18 seconds, 10 disguises
One source, one burst. The claimed AI vendor changes on nearly every request: a costume rack, not a crawler. Hover any request for the full line.
Who they impersonate
The inverse of a crawler leaderboard: not who crawls you, but whose identity gets forged. The big, trusted names take the brunt.
| # | Crawler | Share of forgeries |
|---|---|---|
| 1 | 12.3% | |
| 2 | 12.3% | |
| 3 | 11.8% | |
| 4 | 11.3% | |
| 5 | 9.1% | |
| 6 | 8.7% | |
| 7 | 7.4% | |
| 8 | 7.4% | |
| 9 | 3.6% | |
| 10 | 3.2% | |
| 11 | 2.9% | |
| 12 | 2.8% | |
| 13 | 2.5% | |
| 14 | 2.4% | |
| 15 | 2.3% |
What they're hunting
Not one .env scanner: a multi-stack credential harvester sweeping every framework's secret store in a single pass. Every request is a GET that reads, never an exploit. Read it as your lock-these-down list.
Laravel · .env29.9%
API · admin · debug22.1%
GCP · Firebase keys20.6%
Git repository7.1%
Generic secrets (json)7.1%
Spring Boot · Java5.7%
SSH · AWS keys3.5%
.NET2.1%
Rails1.7%
WordPress0.1%
Two probes show real sophistication: JavaScript source maps (/_next/static/chunks/*.js.map), which can leak API keys shipped inside your frontend bundle, and JWKS endpoints (/.well-known/jwks.json), the keys that sign your tokens. This is not opportunistic noise.
Not one botnet, two
The forged user-agents split cleanly into two templates on two separate infrastructures. Each address block runs purely one template, so this is two tools, two operators.
The classic set, plus a long tail: cohere-ai, anthropic-ai, Claude-Web, Applebot.
◐Real ClaudeBot signs [email protected], never a mailto: to support@.
Skews to the newer bots: DeepSeekBot, xAI-SearchBot, GrokBot.
◐The "(" opened after Mozilla never closes. Real OpenAI agents always close it.
Why this fools everyone
Every AI-visibility tool, ours included until now, decides who is crawling from the user-agent string, which anyone can type. Verify it against the real client IP and the picture changes.
The fix: trust Cloudflare’s verified-bot label and the real client IP it already exposes, fall back to the operators’ published IP ranges (openai.com/gptbot.json and the like), and never count a request for a secret file as a crawl. Trakkr counts a crawl only when the source checks out. Contamination shown on traffic where the client IP is checkable; it is deliberately uneven, and Anthropic being nearly clean is part of why it is real.
Run the exact secret-store list the botnet hunts, against your own domain. Read-only, and we never store what we find.
Forged traffic is identified from server-side crawler telemetry across the sites Trakkr tracks: requests whose user-agent claims a known AI crawler but whose target is a secret-store path, or whose source IP claims to be several rival operators at once. CDN edge IPs are excluded before any per-IP fingerprinting, so multi-identity findings hold only on real client IPs. The aggregate is honest-small (0.9% of verifiable-IP traffic) and the soft 200s were single-page-app catch-alls, so there were 0 real exposures. Collection began with server-side logging in Mar 12, 2026 - Jun 29, 2026, so volume reflects coverage onset, not a 16x spike in attacks. No customer is named: the page reads only aggregate counts, size tiers and masked attacker IPs. For what real crawlers do, see Crawlers.
Common questions
Is GPTBot really crawling my site?
Maybe not. Anyone can put "GPTBot" in a user-agent header, and a botnet does exactly that to get past the bot rules sites grant AI crawlers. The only way to be sure is to verify the request came from a published OpenAI IP range, not just trust the string. On traffic where the client IP is checkable, a meaningful slice of some vendors’ "crawls" do not check out.
How do I verify a real AI crawler?
Three layers. Never count a request for a secret file (like /.env) as a crawl. Trust Cloudflare’s verified-bot signal where it is present. Otherwise check the client IP against the operator’s published ranges (openai.com/gptbot.json and the equivalents for Anthropic and Perplexity) or a reverse-DNS lookup. Trakkr now counts a crawl only when the source checks out.
Did any of these scans succeed?
No. Across every site in this dataset there were zero real file exposures. Some probes returned a 200, but all were single-page-app or static catch-alls that answer 200 to everything; a real exposure would serve only the real file while every bogus variant 404s. The risk is the integrity of the measurement, not a breach.
How big is the problem?
Honest answer: small in aggregate, on roughly 0.9% of traffic where the client IP can be verified. It is concentrated, though: about 1 in 5 tracked sites saw forged probes, and on a few small sites with little real AI traffic it reached 10.7% of recorded AI-crawler hits. The point is less the volume than the fact that classifying crawlers by user-agent alone can be fooled.