Exposing Opaque Scraping Infrastructure Targeting Public-Interest Journalism

29 May 2026

Qurium’s investigation “Opaque Scrapers Hiding in the Crowd” documents a large-scale scraping event against the English-language website of Arab Reporters for Investigative Journalism (ARIJ) earlier in May. The incident targeted ARIJ’s library of investigations and generated a massive volume of automated traffic against the public-interest journalism platform.

Our investigation reveals that over a window of roughly 23 hours, the site received traffic from approximately 1.35 million unique IP addresses, spread across more than 7,300 autonomous systems and 223 country codes. More than three quarters of the IP addresses appeared only once, a pattern that makes conventional IP-based blocking ineffective and risky for media organizations that must preserve access for legitimate readers across the globe.

We estimate that opaque scraping and other automated access systems now account for at least 25% of the traffic and processing costs borne by the organizations we host. This burden is not limited to bandwidth, it includes web-server processing, cache pressure, database load, log ingestion, monitoring, alerting, and incident-response work.

Unlike legitimate crawlers, which identify themselves, publish documentation, provide contact details, and respect site policies, opaque scrapers hide behind distributed pools of residential, mobile, ISP, VPN, or brokered proxy addresses. At the level of a single request, this traffic can look like normal user activity. At scale, however, it overloads infrastructure and shifts the cost of industrial-scale data extraction onto public-interest organizations.

The observed behavior of the massive scraper attack is consistent with the Israeli owned NetNut’s ISP-integrated proxy model. NetNut claims that they scrape content in large scale without the use of proxies. If you are interested to learn how that is technically possible, then learn how we reproduced the core network behavior of the scraper attack in a lab environment using a minimal router and NAT setup. Turns out that the attack is possible by implementing a simple NAT in residential ISP’s around the world, and piggy back on subscribers “unused bandwidth” and tunnel back the traffic to NetNut.

Read the full investigation: “Opaque Scrapers Hiding in the Crowd.”

Press Contacts

Digital forensics
Tord Lundström <t at virtualroad.org>
Technical Director

Media
Clara Zid <info at virtualroad.org>
Outreach and Media manager

Cookie	Duration	Description
adsight	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight1	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight2	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight3	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight4	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight5	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-functional	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.