ScraperAPI using Cloudflare to attack Cloudflare clients

It has come to our attention that a web scraping service called “ScraperAPI” is being used by malicious actors to scrape data from our website in a blatant violation of our website Terms of Service.
Cloudflare’s filters are unable to stop the attacker as we see requests from scraperapi and countless IPs, as per the scraperapi website they control 40M IPs around the world.
The issue becomes worse as our research shows that scraperapi is using Cloudflare as thei CDN and DNS provider.
So what we have is Cloudflare allowing one client of theirs (ScraperAPI) to attack another client of theirs and are profiting from the rise in requests charged, from the need of the attacked website to employ more Cloudflare paid services to counter the attack.
Cloudflare should cease and desist from doing any kind of business with scraperapi, a service dedicated to facilicating the exact attacks to Cloudflare clients that Cloudflare is supposed to guard against.
We believe this is a pivotal moment for Cloudflare’s history, will the allow a malicious actor like scraperapi to continue using their resources to illegally attack other Cloudflare client or, in general, any other data-rich, website?
We need an immediate answer.

Use the same pattern that lead you to think it’s them to create a WAF Rule to block them (user agent, IP, ASN etc.)

You’re joking right? We have been adding more and more rules for 10+ days - the guys have 40M IPs, we have blocked 100s of ASNs and 10s of patterns.
We have Cloudflare Business and Blocking Definite Bots and Challenging Likely Bots.
We pay Cloudflare to protect us from such attacks but Cloudflare is actually supporting, providing connecticity to our attacker, the attack requests make money for Cloudflare as we also use Argo and Cloudflare gets paid for serving our content to the attacker.
It’s a potentially life-threatening situation for CF. I expect a reply from the highest level of CF’s management and an immediate resolution. CF should stop working with scrapers. CF has too choose sides. Is CF a good faith business? Or a bad faith businesses facilitator and associate?

No, and I’m sorry if my reply lead you to believe so. This is a community of volunteers, and we try our best to help people having issues with Cloudflare tools, config etc. If you feel that Cloudflare tools are not sufficient to deal with your scraping issue, all I can suggest is that you register the issue at


It is important to note that Cloudflare cannot be held responsible for conflicts between customers. The use of Cloudflare by another customer is irrelevant to your case and should not be a concern.
Scraping is a gray area that is not necessarily illegal. Cloudflare cannot stop their services based on your personal upset and concerns. Additionally, from the description provided, it does not appear that the customer is using Cloudflare directly to attack you.

Cloudflare, even on the ENT range, is provided as is and the bot protection (sbfm) is a module that you have chosen to purchase and understand is provided as is. If it does not meet your expectations, you have the option to add your own firewall rules or stop using the service altogether if you find it unsatisfactory.

Ultimately, you can reach out to support and give them feedback but they have no obligation nor SLAs that force them to update the bot protection to suit your specific needs.

That sounds reasonable. I also manage several Cloudflare sites and the numbers you’re seeing seem typical. If you need assistance managing your firewall rules, there are several managed service providers that can assist you. However, they typically charge a fee that is similar to an ENT package, if not slightly more.





Cloudflare cannot control the actions of its customers and must comply with all applicable laws and regulations.

Cloudflare strives to operate as a good faith business and provides its services to all customers regardless of their activities. The decision to work with a specific customer is based on compliance with applicable laws and regulations and not based on personal opinions or preferences.


The issue here is very simple. A Cloudflare customer is breaking the ToU of the website of another CF customers. Cloudflare profits from this ToU violation and has no rush to help the attacked customer resolve the issue.

It’s all about who makes money and who has their business attacked.
CF and ScraperAPI make money. Our business is being attacked.

Your statement regarding Cloudflare and ScraperAPI is not entirely accurate.

Cloudflare cannot control the actions of its customers and must comply with all applicable laws and regulations. While it is true that a customer may be in violation of the terms of use of another customer’s website, Cloudflare cannot be held responsible for the actions of its customers. Additionally, it is not accurate to say that Cloudflare profits from a ToU violation or is not interested in helping the affected customer resolve the issue.

In reality, Cloudflare provides its services to all customers regardless of their activities and strives to operate in good faith. If a customer is found to be in violation of the terms of use, Cloudflare will investigate the matter and take appropriate action if necessary.

1 Like

Exactly and my forum post here is for tracking the time it will take Cloudflare to understand and resolve the issue that has been reported multiple times already through all possible communications means by a Business Customer with a supposed ticket reply time of 8h.

We understand your frustration with the situation you are facing, however, it appears that you are missing the point regarding the issue at hand.

The customer in question is breaking the terms of use of your website, not Cloudflare’s. This does not affect your instance with Cloudflare and does not warrant a resolution from Cloudflare.