Full Report
LinkedIn has filed a lawsuit against Delaware company ProAPIs Inc. and its founder and CTO, Rehmat Alam, for allegedly scraping legitimate data through more than a million fake accounts. [...]
Analysis Summary
# Incident Report: Unauthorized Mass Data Scraping by ProAPIs
## Executive Summary
LinkedIn filed a lawsuit against ProAPIs Inc. and its founder, Rehmat Alam, for systematically scraping vast amounts of user data using over one million fake accounts. The unauthorized activity violated LinkedIn's Terms of Service (ToS) and involved industrial-scale data extraction offered through their "iScraper API." LinkedIn is seeking an injunction, deletion of all scraped data, and statutory damages.
## Incident Details
- **Discovery Date:** On or before October 6, 2025 (Continuous detection leading up to filing)
- **Incident Date:** Ongoing activity prior to October 6, 2025
- **Affected Organization:** LinkedIn (Microsoft-owned)
- **Sector:** Social Media / Professional Networking
- **Geography:** Lawsuit filed in California; alleged enabler based in Pakistan.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing leading up to filing.
- **Vector:** Creation of fake/fraudulent accounts.
- **Details:** ProAPIs continually created and utilized "more than a million fake accounts" to perform large-scale data extraction.
### Lateral Movement
- Not described as a traditional network intrusion; the activity involved systematic, automated access across the platform.
### Data Exfiltration/Impact
- **Details:** Automated extraction (scraping) of legitimate user profile data on an industrial scale, facilitated by the sale of the "iScraper API" tool for up to \$15,000/month.
### Detection & Response
- **How it was discovered:** LinkedIn's "advanced technology and dedicated teams" promptly detected and restricted the fraudulent activity.
- **Response actions taken:** Filed a lawsuit in California seeking a permanent injunction, deletion of scraped data, and financial damages against ProAPIs, Rehmat Alam, and Netswift.
## Attack Methodology
- **Initial Access:** Creation of 1M+ fake accounts, potentially utilizing invalid or fraudulent payment methods (bogus Premium account signups).
- **Persistence:** Maintaining access via the network of automated fake accounts.
- **Privilege Escalation:** Not applicable in the traditional sense, but exploiting platform access capabilities through bulk account creation.
- **Defense Evasion:** Continuously creating new accounts to bypass existing detection mechanisms (implied by the scale and duration of activity).
- **Credential Access:** Alam is accused of using invalid credit cards to acquire Premium LinkedIn accounts, suggesting fraudulent billing/service access rather than direct credential theft.
- **Discovery:** Automated reconnaissance/profiling inherent in the scraping process.
- **Lateral Movement:** Scaling the scraping operations across the platform using massed fake accounts.
- **Collection:** Automated extraction of public and potentially semi-private profile data.
- **Exfiltration:** Data transferred to ProAPIs for compilation and sale via their API.
- **Impact:** Violation of ToS, data misappropriation, and operational risk from the scale of automated traffic.
## Impact Assessment
- **Financial:** LinkedIn is seeking compensation for actual and exemplary damages, plus attorney fees. ProAPIs charged high fees (\$15,000/month) for the scraping tool.
- **Data Breach:** Large-scale scraping of legitimate user profile data. Although the data was publicly available or accessible via scraping, the operation involved over one million fake accounts.
- **Operational:** Increased load on infrastructure required to combat and restrict the automated scraping activity.
- **Reputational:** Previous scraping incidents required official clarification that external data compilations resulted from scraping, not platform security breaches.
## Indicators of Compromise
- *(Note: As this is a lawsuit regarding ToS violations via an API, traditional IoCs like malicious IPs or malware hashes are not detailed; behavioral indicators are relevant.)*
- **Network indicators:** High volume, repetitive, automated user requests from associated IP ranges.
- **File indicators:** N/A
- **Behavioral indicators:** Mass creation of accounts showing automated pattern usage; use of invalid payment details for premium services.
## Response Actions
- **Containment measures:** LinkedIn detected and restricted the operations of the fake accounts.
- **Eradication steps:** Seeking court-ordered permanent injunction against ProAPIs and deletion of all scraped data.
- **Recovery actions:** Legal action taken to enforce ToS compliance and prevent future illicit data access.
## Lessons Learned
- Scraping remains a significant threat vector that can lead to large-scale data misuse even without a traditional malware intrusion.
- Continuous investment in advanced technology is necessary to keep pace with industrial-scale scraping operations (e.g., the new mechanisms implemented in 2022).
- Legal action is a necessary tool when technical remediation alone is insufficient to halt malicious external actors.
## Recommendations
- Enhance automated systems to aggressively detect and block the creation of large botnets of fake accounts used for data extraction.
- Maintain proactive legal enforcement against entities openly violating ToS for commercial gain (similar past successes cited against ProxyCurl).
- Review account validation processes, particularly for premium services, to prevent fraud involving invalid payment instruments.