Trakkr Data

Security

A botnet sweeps the web wearing the costumes of two dozen AI crawlers, hunting for exposed secrets: a stray .env, a readable .git, a downloadable database backup. You can run the exact list against your own site, then read the forensic picture from the sites Trakkr tracks.

The threat we scan for

Anyone can type “GPTBot” into a user-agent header. A botnet does, to slip past the bot rules sites grant AI crawlers, and because the whole industry decides who is crawling from that string alone, the forged traffic gets counted as real AI activity. Here is the picture from the sites Trakkr tracks.

Updated 4d ago·Mar 12, 2026 - Jun 29, 2026
Forged hits
6,607
logged as AI crawlers
AI crawlers faked
20
distinct identities
Sites probed
1 in 5
30 of 160 tracked
Faked by one source
20
one machine, every costume

One address, many disguises

A single machine claiming to be a fan of rival AI crawlers at once. They are competing companies that never share an IP, so this can only be forgery.

208.84.101.xEU bulletproof host

One machine, claiming OpenAI · Anthropic · Perplexity · Common Crawl · Amazon · ByteDance · Apple and 1 more: 8 rival companies that never share an address.

13identities26secret paths74requests0exposedMasked IP on EU bulletproof host · Actor A
Source: Trakkr crawler telemetry · per-IP identity fingerprint, non-CDN client IPs · CC BY 4.0

18 seconds, 10 disguises

One source, one burst. The claimed AI vendor changes on nearly every request: a costume rack, not a crawler. Hover any request for the full line.

23:03:34+18s
GPTBotBytespiderPerplexityBotCCBotClaudeBotAmazonbotApplebotanthropic-aiChatGPT-Usercohere-ai
Source: Trakkr crawler telemetry · one observed burst from a single masked source · CC BY 4.0

Who they impersonate

The inverse of a crawler leaderboard: not who crawls you, but whose identity gets forged. The big, trusted names take the brunt.

#CrawlerShare of forgeries
1GPTBot
12.3%
2ClaudeBot
12.3%
3ChatGPT-User°
11.8%
4PerplexityBot
11.3%
5CCBot
9.1%
6OAI-SearchBot
8.7%
7GrokBot
7.4%
8DeepSeekBot
7.4%
9Applebot
3.6%
10Amazonbot
3.2%
11Bytespider
2.9%
12Perplexity-User°
2.8%
13cohere-ai
2.5%
14Claude-Web°
2.4%
15anthropic-ai
2.3%
° Trakkr labels these “LLM Interaction”, the metric a customer reads as “a real person asked an AI about us”. A forgery here fakes human intent, the costliest kind.

What they're hunting

Not one .env scanner: a multi-stack credential harvester sweeping every framework's secret store in a single pass. Every request is a GET that reads, never an exploit. Read it as your lock-these-down list.

Laravel · .env
29.9%
/.env/.env.local/.env.bak/backend/.env/config.env
API · admin · debug
22.1%
/actuator/env/v1/graphql/debug/pprof/cmdline/.well-known/jwks.json
GCP · Firebase keys
20.6%
/service-account.json/firebase-adminsdk.json/keyfile.json/gcp-credentials.json
Git repository
7.1%
/.git/config/.git/HEAD/.git/logs/HEAD
Generic secrets (json)
7.1%
/secrets.json/credentials.json/config.json
Spring Boot · Java
5.7%
/application.yml/application.properties/config/application.yml
SSH · AWS keys
3.5%
/.aws/credentials/.ssh/id_rsa/id_rsa/id_ed25519
.NET
2.1%
/appsettings.json/appsettings.Production.json
Rails
1.7%
/config/secrets.yml/secrets.yml
WordPress
0.1%
/wp-login.php/wp-content/debug.log

Two probes show real sophistication: JavaScript source maps (/_next/static/chunks/*.js.map), which can leak API keys shipped inside your frontend bundle, and JWKS endpoints (/.well-known/jwks.json), the keys that sign your tokens. This is not opportunistic noise.

Not one botnet, two

The forged user-agents split cleanly into two templates on two separate infrastructures. Each address block runs purely one template, so this is two tools, two operators.

Actor A
“the faithful copy”
Appeared2026-05-30
Identities~13
HostingEuropean bulletproof / abuse ranges
IP ranges88.151.32–34.x · 185.213.174–175.x · 208.84.101.x · 192.210.193.x

The classic set, plus a long tail: cohere-ai, anthropic-ai, Claude-Web, Applebot.

The tell
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ClaudeBot/1.0; +mailto:[email protected]
Mozilla/5.0 (compatible; ClaudeBot/1.0; [email protected])

Real ClaudeBot signs [email protected], never a mailto: to support@.

Actor B
“the buggy generator”
Appeared2026-03-12
Identities~8
HostingIran + Google Cloud VMs
IP ranges151.243.143.x · 34.34.225.x · 34.96.49.x · 35.200.82.x

Skews to the newer bots: DeepSeekBot, xAI-SearchBot, GrokBot.

The tell
Mozilla/5.0 (KHTML, like Gecko; compatible; GPTBot/1.3; +https://openai.com/gptbot
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; GPTBot/1.2; +https://openai.com/gptbot

The "(" opened after Mozilla never closes. Real OpenAI agents always close it.

Why this fools everyone

Every AI-visibility tool, ours included until now, decides who is crawling from the user-agent string, which anyone can type. Verify it against the real client IP and the picture changes.

GrokBot100%claimed
PerplexityBot100%claimed
GPTBot100%claimed
ClaudeBot100%claimed

The fix: trust Cloudflare’s verified-bot label and the real client IP it already exposes, fall back to the operators’ published IP ranges (openai.com/gptbot.json and the like), and never count a request for a secret file as a crawl. Trakkr counts a crawl only when the source checks out. Contamination shown on traffic where the client IP is checkable; it is deliberately uneven, and Anthropic being nearly clean is part of why it is real.

Scan your own site

Run the exact secret-store list the botnet hunts, against your own domain. Read-only, and we never store what we find.

75 read-only checks · about 15 seconds · we never store what we find.
Try
Methodology

Forged traffic is identified from server-side crawler telemetry across the sites Trakkr tracks: requests whose user-agent claims a known AI crawler but whose target is a secret-store path, or whose source IP claims to be several rival operators at once. CDN edge IPs are excluded before any per-IP fingerprinting, so multi-identity findings hold only on real client IPs. The aggregate is honest-small (0.9% of verifiable-IP traffic) and the soft 200s were single-page-app catch-alls, so there were 0 real exposures. Collection began with server-side logging in Mar 12, 2026 - Jun 29, 2026, so volume reflects coverage onset, not a 16x spike in attacks. No customer is named: the page reads only aggregate counts, size tiers and masked attacker IPs. For what real crawlers do, see Crawlers.

Trakkr crawler telemetry · impostor analysis·CrawlersCitationsWeb adoptionCC BY 4.0

Common questions

Is GPTBot really crawling my site?

Maybe not. Anyone can put "GPTBot" in a user-agent header, and a botnet does exactly that to get past the bot rules sites grant AI crawlers. The only way to be sure is to verify the request came from a published OpenAI IP range, not just trust the string. On traffic where the client IP is checkable, a meaningful slice of some vendors’ "crawls" do not check out.

How do I verify a real AI crawler?

Three layers. Never count a request for a secret file (like /.env) as a crawl. Trust Cloudflare’s verified-bot signal where it is present. Otherwise check the client IP against the operator’s published ranges (openai.com/gptbot.json and the equivalents for Anthropic and Perplexity) or a reverse-DNS lookup. Trakkr now counts a crawl only when the source checks out.

Did any of these scans succeed?

No. Across every site in this dataset there were zero real file exposures. Some probes returned a 200, but all were single-page-app or static catch-alls that answer 200 to everything; a real exposure would serve only the real file while every bogus variant 404s. The risk is the integrity of the measurement, not a breach.

How big is the problem?

Honest answer: small in aggregate, on roughly 0.9% of traffic where the client IP can be verified. It is concentrated, though: about 1 in 5 tracked sites saw forged probes, and on a few small sites with little real AI traffic it reached 10.7% of recorded AI-crawler hits. The point is less the volume than the fact that classifying crawlers by user-agent alone can be fooled.