For a brief moment in October, Alejandro Quintero thought he had made it big in China. The Bogotá-based data analyst owns and manages a website that publishes articles about paranormal activities, like ghosts and aliens. The content is written in “Spanglish,” he says, and was never intended for an Asian audience. But last fall, Quintero’s site suddenly began receiving a large volume of visits from China and Singapore. The amount of traffic coming from the two countries was so high and consistent that it now accounts for more than half of total visits to Quintero’s site over the past 12 months.
When he first noticed the traffic spike, Quintero thought he’d found an audience on the other side of the world. “I need to travel to China right now because I’m the bomb there,” Quintero says he recalls thinking. But as soon as he dug into the data, he knew something was wrong. Google Analytics, a common tool used by website owners to parse web traffic, shows that all the Chinese visitors are from one specific city: Lanzhou. They are unlikely to be real humans, because they stay on the page for an average of 0 seconds and don’t scroll or click. Quintero quickly realized his website was actually being bombarded by bots.
Quintero later found out from social media that he was far from the only website operator who started seeing a large influx of bots from China and Singapore beginning in September. A lifestyle magazine based in India, a blog about a small island off the coast of Canada, the owners of several personal portfolio websites, a weather forecast platform with over 15 million pages, ecommerce shops hosted by Shopify, and even domains run by the US government have all reported being hit by what appear to be the same bots. And they were easy to spot because the bots significantly skewed each website’s usual analytics patterns. In the last 90 days, 14.7 percent of visits to US government websites came from Lanzhou and 6.6 percent came from Singapore, making them the top two cities in the world supposedly hungry for information from the American government, according to Analytics.usa.gov.
While their IP addresses can be traced to China and Singapore, there’s little information about who’s actually behind this massive volume of automated visits. Website owners who are being targeted have largely concluded that the bots don’t pose any immediate harm. Given that AI-related bot activity surged across the internet last year, many believe the traffic could be connected to companies harvesting web data for training models.
Where Is Lanzhou, Anyway?
When website owners saw the sudden uptick of visits from China, many of them started asking, where is Lanzhou? The second-tier city in China’s northwest is known for its heavy manufacturing industries and historical legacy as a Silk Road trading hub. But it’s neither a tech hub nor home to significant numbers of data centers. So why is so much traffic coming from the city?
Lanzhou might not be the actual source of the bots, says Gavin King, founder of Known Agents, which analyzes automated online traffic. King’s own company website has also been targeted by bots from China and Singapore. When he looked deeper into the specific details of the visits, the only thing he could say for certain was that all of the traffic was eventually being routed through Singapore. Google Analytics determined the visits originated from Lanzhou, but King says that could just be an educated guess instead of a precise location.
But the most concrete detail King found is that the traffic is being routed through servers belonging to several major Chinese cloud companies. King says the bot traffic his website received all came through the Autonomous System Number (ASN) 132203, a unique identifier in the internet’s routing system assigned to an internet service provider operated by the Chinese company Tencent. Andy, the manager of a large weather forecasting website group, says he detected bot traffic coming from ASNs associated with Tencent, Alibaba, and Huawei. (He asked to be identified only by his first name to protect his privacy.) All three companies are major cloud providers, and it’s unclear whether the bots are being run in-house or by clients using their servers.
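The signals described above (visits concentrated in one network, zero seconds on page, no scrolling or clicking) can be checked against a site's own session data. The following Python is an added example, not code from anyone quoted in the article; the session fields, thresholds, and sample rows are constructed assumptions, and only ASN 132203 and the city names Lanzhou and Singapore come from the article.

```python
from collections import defaultdict

# Constructed sample sessions (not real data). ASN 132203 is the one named in
# the article; 64512 and 64513 are private-use ASNs standing in for other ISPs.
IDLE = {"asn": 132203, "engaged_s": 0, "events": 0}
SESSIONS = (
    [dict(IDLE, city="Lanzhou")] * 6
    + [dict(IDLE, city="Singapore")] * 3
    + [
        {"city": "Bogotá", "asn": 64512, "engaged_s": 74, "events": 5},
        {"city": "Bogotá", "asn": 64512, "engaged_s": 0, "events": 0},  # human bounce
        {"city": "Bogotá", "asn": 64512, "engaged_s": 131, "events": 9},
        {"city": "Toronto", "asn": 64513, "engaged_s": 48, "events": 3},
        {"city": "Toronto", "asn": 64513, "engaged_s": 12, "events": 1},
        {"city": "Madrid", "asn": 64513, "engaged_s": 95, "events": 7},
    ]
)

def summarize_by_asn(sessions):
    """Per-ASN share of traffic and fraction of sessions with no engagement."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s["asn"]].append(s)
    report = {}
    for asn, rows in groups.items():
        idle = sum(1 for r in rows if r["engaged_s"] == 0 and r["events"] == 0)
        report[asn] = {
            "share": len(rows) / len(sessions),
            "idle_ratio": idle / len(rows),
            "cities": sorted({r["city"] for r in rows}),
        }
    return report

def flag_suspect_asns(sessions, min_share=0.10, min_idle_ratio=0.95):
    """ASNs that carry a large share of visits AND almost never engage.
    Requiring both keeps a single human bounce from flagging a normal ISP."""
    report = summarize_by_asn(sessions)
    return sorted(asn for asn, st in report.items()
                  if st["share"] >= min_share and st["idle_ratio"] >= min_idle_ratio)

def city_shares(sessions, exclude_asns=()):
    """City breakdown with the given ASNs filtered out, to de-skew reports."""
    kept = [s for s in sessions if s["asn"] not in exclude_asns]
    counts = defaultdict(int)
    for s in kept:
        counts[s["city"]] += 1
    return {city: n / len(kept) for city, n in counts.items()}

if __name__ == "__main__":
    suspects = flag_suspect_asns(SESSIONS)
    print("flagged ASNs:", suspects)
    print("city shares without them:", city_shares(SESSIONS, suspects))
```

The ASN for each visit has to come from the server or CDN logs joined against an IP-to-ASN dataset, since the city shown in an analytics dashboard is, as King notes, only an estimate.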