We Got Hit by the Mysterious Lanzhou Bots – Here's Everything You Need to Fight Back

In January 2026, our analytics went haywire. Thousands of visitors from a city in China we'd never heard of. Zero engagement. Zero conversions. Just ghosts in our data. It got us kicked off our ad network. Weeks later, Wired confirmed it: we weren't alone.

The Day Our Analytics Died

It started with a gut feeling. Something was off.

I was reviewing our Google Analytics 4 dashboard for CISO Marketplace in late January 2026 when I noticed something that didn't make sense. Traffic was up – way up – but conversions hadn't budged. Our bounce rate was through the roof. Engaged sessions had flatlined.

When I dug into the geographic breakdown, there it was: Lanzhou, China.

Thousands of sessions from the same city in northwest China. Session duration? Zero seconds. Pages per session? One. Scroll depth? None. These weren't users. These were ghosts.

At first, I thought we'd been targeted. Maybe a competitor was trying to poison our data. Maybe we'd pissed off someone with access to a botnet. But as I started searching for answers, I discovered something far more unsettling:

We weren't special. Everyone was getting hit.

Personal blogs. Government websites. SaaS platforms. eCommerce stores. News sites. From mom-and-pop WordPress installs to the official websites of the United States government – all of them drowning in the same mysterious traffic from Lanzhou.

This isn't a targeted attack. It's a tidal wave. And unless you're actively defending against it, it's probably corrupting your analytics right now.

How It Actually Cost Us Money

Before Wired published their investigation, before anyone was talking about this publicly, we were already bleeding from it.

In January 2026, we were removed from the Ezoic ad network on one of our properties. They never told us why. When we started investigating, we found the China/Singapore traffic pattern staring back at us from every analytics dashboard we checked. The bot traffic had inflated our sessions, tanked our engagement metrics, and made our traffic look fraudulent to ad networks – because from their perspective, it was.

We implemented Cloudflare Managed Challenges for CN and SG traffic immediately. Analytics cleaned up within days. But the damage was done – we had to go through the entire re-application process, this time with documentation proving we'd identified and mitigated the bot problem.

I'm sharing this because most of the coverage treats this as an inconvenience. For anyone running ad-supported content, this is a revenue event. If your ad network hasn't flagged you yet, it's likely a matter of time.

The Global Phenomenon: 14.7% of US Government Traffic is Chinese Bots

On February 12, 2026, Wired published their investigation confirming what thousands of website operators had been dealing with for months: a massive wave of unexplained bot traffic from China is systematically crawling the entire web.

The numbers are staggering:

• Lanzhou and Singapore are now the top two cities visiting US government websites, according to Analytics.usa.gov
• 14.7% of all traffic to US government sites comes from Lanzhou, China
• 6.6% comes from Singapore
• One webmaster reported 127,000 daily bot visits at peak – reduced to 2,000 after implementing ASN blocks
• Cortes Currents, a small Canadian community blog, logged 32,969 visits from Lanzhou in 2025 alone
• Known Agents founder Gavin King found the traffic from China and Singapore accounted for 22% of total traffic on his own site

This isn't random noise. This is industrial-scale data harvesting. The surge became widespread around September 2025, right as Chinese AI companies accelerated their push for training data. These bots aren't announcing themselves like OpenAI's GPTBot or Anthropic's ClaudeBot. They're pretending to be human.

And they're getting away with it.

The Broader Bot Epidemic

The Lanzhou phenomenon is happening against a backdrop of exploding AI bot traffic across the entire web. According to TollBit's State of the Bots reports tracking activity across hundreds of publisher websites:

• By Q4 2025, there was approximately 1 AI bot visit for every 31 human visits – up from 1 in 200 at the start of 2025
• Human web traffic declined 5% from Q3 to Q4 2025
• Over 13% of AI bot requests now bypass robots.txt entirely – a 400% increase from mid-2025
• Publisher defenses against AI bots surged 336% year-over-year
• Digital Trends reported receiving 4.1 million bot scrapes in a single week while getting only 4,200 human referrals back – a ratio of 966:1

TollBit's CEO Toshit Pangrahi put it bluntly: the majority of the internet is going to be bot traffic in the future. The Lanzhou bots are the most visible symptom of a structural shift already underway.

Why Lanzhou? (And Why It Doesn't Really Matter)

If you're wondering why all these bots seem to originate from the same mid-tier Chinese city, you're asking the wrong question.

Lanzhou is the capital of Gansu Province, with a population of about 4 million. It's not a tech hub. It's not Beijing or Shenzhen. So why is it suddenly the world's most prolific website visitor?

The answer: it's probably a proxy point.

Gavin King, founder of Known Agents (a company that analyzes automated online traffic and was itself targeted by these bots), investigated the specific details of the visits. The most concrete finding: all of the traffic was eventually being routed through Singapore. Google Analytics attributed the visits to Lanzhou, but King says that could be an educated guess rather than a precise location. The only certainty is that the traffic routes through servers belonging to several major Chinese cloud companies – Tencent, Alibaba, and Huawei.

The geographic pinpoint is likely meaningless. What matters is the infrastructure serving that traffic – and that's where we can fight back.

Technical Fingerprints: How to Identify the Lanzhou Bots

Before you start blocking traffic, you need to confirm you're actually dealing with these bots. Here's what to look for in your analytics:

Behavioral Red Flags

The defining characteristic is zero engagement. These bots load your page (or just hit your analytics endpoint) and immediately disconnect. They're not reading, clicking, or converting. They're harvesting.

Geographic Signals

• Primary origin: Lanzhou, Gansu, China
• Secondary origin: Singapore
• Traffic type: Usually shows as "Direct" (no referrer)

Device Fingerprints

The bots are trying to look human, but they're failing:

• Operating System: Windows 7 (Windows NT 6.1) – an OS from 2009 that barely anyone legitimately uses anymore
• Screen Resolution: 1280×1200 – a non-standard aspect ratio (ghost hits), or 3840×2160 (actual page loads)
• Browser: Chrome (spoofed user agent)
• Device Category: Almost exclusively desktop – suspicious given that mobile traffic dominates real-world browsing

The Ghost Hit Phenomenon (This Is the Key Detail Most People Miss)

Here's the part that confuses everyone and is the single most important technical detail about this entire phenomenon: many of these hits appear in Google Analytics but don't show up in server logs or Cloudflare analytics at all.

This means the bots aren't even loading your actual pages in many cases. They're hitting Google Analytics measurement protocol endpoints directly with fabricated data using your GA4 Measurement ID. Your server never sees them. Cloudflare never sees them. But your analytics are poisoned all the same.

This is why multiple website owners reported blocking China and Singapore entirely on Cloudflare – country-level blocks, ASN blocks, the works – and GA4 continued to record visits from Lanzhou. The ghost hits bypass your entire server infrastructure because they never touch your server. They go straight to Google's analytics collection endpoints.

What this means practically:

• Cloudflare rules and server-side blocks will stop the bots that actually load your pages and consume bandwidth
• GA4 data filters and segments are required to clean up the ghost hits that bypass your server entirely
• You need both – infrastructure blocking and analytics filtering – to fully address this

Quick GA4 Check

Go to GA4 → Reports → User → Demographics → Location. If you see a massive spike from:

• Lanzhou, Gansu, China
• Singapore

...with zero engagement metrics, congratulations. You're one of us.

The ASN Block List: Your First Line of Defense

The bots that actually hit your server route through a handful of Chinese cloud providers. Block their Autonomous System Numbers (ASNs), and you cut off that portion of the flood at the source.

Gavin King's investigation for Known Agents confirmed that the bot traffic he analyzed all came through ASN 132203, a Tencent-operated network. Community reports have identified additional ASNs involved.

Primary Targets: Tencent Cloud

Secondary Targets: Alibaba Cloud

Tertiary Targets: Huawei Cloud

Supplementary IP Ranges

If your hosting doesn't support ASN-level blocking, here are the IP ranges most commonly associated with bot traffic:

# Alibaba ranges (high confidence)
8.219.0.0/16
8.222.0.0/16
49.51.0.0/16
120.53.0.0/16

# Tencent ranges (high confidence)
101.32.0.0/16
119.28.0.0/16
43.128.0.0/14
43.153.0.0/16

Cloudflare Mitigation: Copy-Paste Ready Rules

If you're on Cloudflare – and if you're not running behind a CDN/WAF in 2026, we need to have a different conversation – here's how to shut down the bot traffic.

Option 1: ASN Block (Recommended)

This is the surgical approach. You block the specific cloud providers hosting the bots while leaving the rest of China/Singapore accessible to legitimate users.

Rule Name: Block Chinese Cloud Bot ASNs Expression:

(ip.geoip.asnum eq 132203) or 
(ip.geoip.asnum eq 45090) or 
(ip.geoip.asnum eq 45102) or 
(ip.geoip.asnum eq 134963) or 
(ip.geoip.asnum eq 136907) or 
(ip.geoip.asnum eq 55990) or 
(ip.geoip.asnum eq 24429)

Action: Block

Option 2: Country Block (Nuclear Option)

If you don't serve Chinese or Singaporean customers, this is the simplest solution:

Rule Name: Block CN/SG Traffic Expression:

(ip.geoip.country eq "CN") or (ip.geoip.country eq "SG")

Action: Block

⚠️ Warning: This will block ALL traffic from China and Singapore, including legitimate users. Only use this if you're certain you don't need visitors from these regions.

Option 3: Managed Challenge (What We Did First)

This is what we implemented in January 2026 when we first discovered the problem. Let humans prove they're human while stopping bots:

Rule Name: Challenge Suspicious CN/SG Traffic Expression:

(ip.geoip.asnum eq 132203) or (ip.geoip.country in {"CN" "SG"})

Action: Managed Challenge

This worked well as a first step. Real humans can pass the challenge; bots bounce. After monitoring our Cloudflare Security Events for a week and seeing that virtually zero challenged visitors passed (confirming it was almost entirely bots), we escalated to the full ASN block.

Option 4: Advanced Bot Score Filtering

If you're on a paid Cloudflare plan with Bot Management:

Rule Name: Block Low-Score Bots from CN/SG Expression:

(ip.geoip.asnum eq 132203 and cf.threat_score > 25) or
(ip.geoip.country in {"CN" "SG"} and cf.bot_management.score < 30)

Action: Block

Additional Cloudflare Hardening

• Enable Bot Fight Mode: Security → Bots → Toggle on
• Super Bot Fight Mode: Available on Pro+ plans – enable it
• Rate Limiting: Add a rule blocking IPs that hit your homepage more than 30 times per minute
• Configure "Definitely Automated" action: Set to Block under Security → Bots

A Note on Huawei Cloud (AS136907)

Multiple site owners have reported on the Cloudflare Community forums that traffic from AS136907 (Huawei Cloud) has bypassed Cloudflare WAF custom rules. If you're blocking by ASN and still seeing Huawei Cloud traffic in your logs, you're not alone. This appears to be a known edge case. Consider supplementing your ASN rules with IP-range blocks for Huawei's address space as a fallback.

Server-Level Mitigation (No Cloudflare)

Not on Cloudflare? Here's how to implement blocking at the server level.

iptables + ipset (Linux)

# Create ipset for Chinese cloud ASNs
sudo ipset create china_bots hash:net

# Add known bad ranges
sudo ipset add china_bots 49.51.0.0/16
sudo ipset add china_bots 8.134.0.0/16
sudo ipset add china_bots 8.219.0.0/16
sudo ipset add china_bots 8.222.0.0/16
sudo ipset add china_bots 120.53.0.0/16
sudo ipset add china_bots 101.32.0.0/16
sudo ipset add china_bots 119.28.0.0/16
sudo ipset add china_bots 43.128.0.0/14
sudo ipset add china_bots 43.153.0.0/16

# Drop matching traffic
sudo iptables -I INPUT -m set --match-set china_bots src -j DROP

# Make it persistent (Debian/Ubuntu)
sudo ipset save > /etc/ipset.rules
sudo iptables-save > /etc/iptables.rules

nginx Geo-Blocking

# In http block, load GeoIP module
geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $block_country {
    default 0;
    CN 1;
    SG 1;  # Optional - remove if you need Singapore traffic
}

# In server block
server {
    if ($block_country) {
        return 444;  # Connection closed without response
    }

    # ... rest of your config
}

Apache .htaccess

# Block known bot IP ranges
<RequireAll>
    Require all granted
    Require not ip 49.51.0.0/16
    Require not ip 8.134.0.0/16
    Require not ip 8.219.0.0/16
    Require not ip 8.222.0.0/16
    Require not ip 120.53.0.0/16
    Require not ip 101.32.0.0/16
    Require not ip 119.28.0.0/16
    Require not ip 43.128.0.0/14
    Require not ip 43.153.0.0/16
</RequireAll>

WordPress Plugins

If you're on WordPress and don't want to touch server configs:

• Wordfence: Supports country blocking with the free tier
• Sucuri: Full geo-blocking on paid plans
• iThemes Security: Rate limiting and basic geo-blocking

Fixing Your Analytics: Clean Up the Damage

Blocking future traffic is only half the battle. Remember – the ghost hits that go directly to GA4's measurement endpoints bypass your server entirely. Your historical data is corrupted regardless of what you block at the infrastructure level. Here's how to create clean segments for analysis.

GA4 Exploration Segment

1. Go to GA4 → Explore → Create new exploration
2. Click "Segments" → Create new segment
3. Choose "Session segment"
4. Add conditions:
   • Country does not equal China
   • Country does not equal Singapore
   • Engaged session equals true
5. Name it "Clean Traffic (No Bots)" and apply to all your explorations

GA4 Admin Data Filters

1. Go to Admin → Data Settings → Data Filters
2. Create a new filter: "Include only valid hostname"
3. Filter type: Internal traffic
4. This blocks ghost hits sent with spoofed hostnames

BigQuery SQL (If Connected)

For those with BigQuery integration, here's a query to export only clean data:

SELECT *
FROM `your-project.analytics_XXXXXX.events_*`
WHERE geo.country NOT IN ('China', 'Singapore')
  AND (
    SELECT value.int_value 
    FROM UNNEST(event_params) 
    WHERE key = 'engaged_session_event'
  ) = 1
  AND _TABLE_SUFFIX BETWEEN '20250901' AND '20261231'

Google's Response (Or Lack Thereof)

Google Analytics Product Experts have acknowledged this is "inauthentic traffic" and a "known issue." They say they're working on filtering updates, but no timeline has been provided. A major thread on the Google Analytics support forum titled "Google Analytics 4 bot traffic increase from China/Singapore" has become the central hub for reports. Given that this has been happening for over five months with no automated fix, don't hold your breath. Defend yourself.

Why This Matters: The Real Cost of Bot Traffic

"It's just fake traffic, what's the harm?"

More than you think. We know firsthand.

Financial Impact

• Ad network removal: We were dropped from Ezoic because of bot-inflated traffic metrics that looked fraudulent. This is happening to publishers across the web.
• Bandwidth costs: Cloud hosting is metered. Bots consume your quota.
• AdSense penalties: Google may flag your site as bot-heavy and reduce ad revenue
• CDN overages: Even Cloudflare free tier has practical limits; bots burn through them
• Hosting suspensions: Some hosts will suspend you for excessive resource usage

Data Quality Disaster

• Analytics become useless: When a significant percentage of your traffic is bots, you can't make data-driven decisions
• Conversion rates tank: Your actual conversion rate might be 5%, but it looks like 0.5% when diluted by bot sessions
• A/B tests fail: Polluted data produces invalid results
• Attribution breaks: Marketing spend looks ineffective because engagement is diluted

Operational Chaos

• Alert fatigue: Your monitoring tools cry wolf constantly
• Investigation time: Hours spent figuring out if you're "under attack"
• Performance degradation: Even lightweight bots consume resources during surge periods

Strategic Damage

• Bad decisions: You might kill a successful campaign because the data looks bad
• Wasted optimization: SEO and CRO work based on bot behavior patterns
• Investor presentations: Your metrics look terrible when they're diluted by fake sessions
• Competitive disadvantage: While you're fighting bots, competitors with clean data move faster

What's Really Going On: The AI Training Theory

Let's address the elephant in the room: who is behind this, and why?

The prevailing theory, supported by circumstantial evidence and timing, is that this is large-scale AI training data harvesting by Chinese tech companies and/or state-affiliated entities.

The Evidence

• Timing: The surge became widespread around September 2025, coinciding with China's aggressive push to close the gap in the AI race
• Scale: The industrial volume suggests state-level or major enterprise resources, not individual bad actors
• Stealth: Unlike GPTBot, ClaudeBot, or Googlebot, these crawlers don't identify themselves – they disguise themselves as normal human users from the start. As Akamai's Brent Maynard noted, legitimate AI companies usually only try to disguise their bots after a website blocks the front door. These bots came disguised from day one.
• Targets: Every type of website is hit – paranormal blogs, Canadian community news sites, US government portals, Indian lifestyle magazines, weather platforms, eCommerce stores. This is consistent with broad training data needs, not targeted intelligence gathering.
• Infrastructure: Traffic routes through Tencent, Alibaba, and Huawei cloud networks, confirmed by Known Agents research and cited in Wired's reporting

The Reconnaissance Theory

Not everyone buys the AI training explanation, and it's worth considering alternatives seriously. Some security analysts have flagged that the coordinated nature of the traffic – hitting both federal agencies and commercial sites simultaneously – could indicate systematic infrastructure mapping rather than pure data harvesting. This could represent:

• Pre-positioning: Mapping web infrastructure for potential future operations
• Detection R&D: Testing bot evasion techniques against various WAF and bot management solutions at scale
• Infrastructure reconnaissance: Identifying server types, CDN configurations, and security postures across the web

These theories aren't mutually exclusive with AI training – the same operation could serve multiple purposes.

The Silence

Notably:

• Tencent: No response to Wired
• Alibaba: No response to Wired
• Huawei: No response to Wired
• Chinese government: No acknowledgment
• WordPress: Acknowledged seeing reports but offered no mitigation beyond noting their sites have good structure for indexing

The silence, combined with the scale and persistence, suggests this isn't a rogue operation. It's either sanctioned or deliberately ignored.

Our Results: What Happened After We Blocked the Bots

We implemented mitigation in phases. First, Managed Challenges for CN/SG traffic in late January 2026, then escalating to full ASN blocks after confirming virtually all challenged traffic was automated.

Here's what we saw at CISO Marketplace:

• Bot traffic dropped 95%+ within 24 hours of ASN blocking
• Bounce rate normalized from 98% to our historical ~55%
• Engaged sessions recovered – we could actually see what real users were doing
• Conversion data became trustworthy again
• Zero complaints from legitimate users (we don't target CN/SG markets)
• Ghost hits persisted in GA4 until we applied the analytics filtering described above – confirming the dual nature of this problem

The whole process took about 30 minutes for infrastructure blocking. Analytics cleanup took another hour. The impact was immediate.

Future Outlook: This Is Going to Get Worse

Here's the bad news: there's no reason to expect this will stop.

The AI arms race is accelerating. Training data is the new oil. TollBit's data shows the trajectory clearly – bot-to-human ratios have shifted from 1:200 to 1:31 in under a year, and their own analysis notes these numbers are likely conservative because many bots are now indistinguishable from human visitors.

Meanwhile, click-through rates from AI tools back to publisher sites collapsed from 0.8% to 0.27% over the course of 2025. Even publishers with AI licensing deals saw their referral CTRs drop over 6x. The value exchange is broken and getting worse.

We should expect:

• More sophisticated evasion: Bots will continue to improve at mimicking human behavior – varying click speeds, scrolling patterns, and session durations
• New infrastructure: As Tencent/Alibaba/Huawei ASNs get widely blocked, traffic will shift to new cloud providers and regions
• Residential proxy abuse: Traffic will increasingly come from compromised home devices, making geographic and ASN blocking less effective
• Ghost hit evolution: Direct attacks on analytics measurement endpoints may become more sophisticated, potentially spoofing legitimate hostnames and engagement data
• More than 40 companies now market web-scraping services tailored for AI applications, according to TollBit's latest report – the tooling to do this at scale is becoming commoditized

The cat-and-mouse game has only begun.

Your Action Plan: Do This Today

1. Check your GA4 for Lanzhou/Singapore traffic (Reports → Demographics → Location)
2. Implement Cloudflare ASN blocking using the rules above (or equivalent server-side blocks)
3. Enable Bot Fight Mode in Cloudflare security settings
4. Create clean GA4 segments for accurate historical analysis – remember this is necessary even with server-side blocking due to ghost hits
5. Check your ad network status – if you're running Ezoic, AdSense, or Mediavine, verify your account hasn't been flagged
6. Monitor your blocks – check Cloudflare Analytics → Security Events to see how much traffic you're stopping and what percentage passes challenges
7. Share this guide – the more sites that block this traffic, the less valuable the operation becomes

The Bottom Line

In January 2026, before Wired published their investigation, we were just another website operator staring at corrupted analytics, wondering what the hell was happening, and getting dropped by our ad network because of it. Now we know: we're all targets in what appears to be the largest coordinated web scraping operation in history.

The bots from Lanzhou aren't going away. The infrastructure behind them is well-funded, persistent, and being actively maintained across multiple major Chinese cloud providers. The only question is whether you're going to let them poison your analytics and potentially cost you revenue while they do it.

Block the ASNs. Filter the ghost hits. Clean your data. Move on.

The tools are in this guide. Implementation takes 30 minutes. The sooner you act, the less corrupted data you'll have to clean up later.

Because whatever they're building with your content, you're not going to like it.

Resources & Further Reading

Primary Sources

• Wired: "A Wave of Unexplained Bot Traffic Is Sweeping the Web" (Feb 12, 2026) – Zeyi Yang & Louise Matsakis
• TollBit State of the Bots Q4 2025 – Bot traffic ratio data, robots.txt bypass statistics
• Analytics.usa.gov – US government website traffic data showing Lanzhou/Singapore as top cities
• Known Agents (Gavin King) – ASN 132203 identification, traffic routing analysis

Community Guides

• DefiniteSEO: GA4 Bot Traffic Spike From China and Singapore – Comprehensive technical analysis
• Cortes Currents: From Lanzhou To BC – First-person impact documentation (32,969 bot visits logged)

Tools

• Cloudflare Radar: AS132203 – Track Tencent traffic patterns in real time
• IPinfo.io – ASN lookups and IP intelligence
• GitHub: cloudflare-bot-blocker – Multi-layer Cloudflare Worker for automated blocking

Community Discussions

• Google Analytics Support: "Google Analytics 4 bot traffic increase from China/Singapore" (thread #378622882)
• r/GoogleAnalytics – "This Lanzhou-Singapore bot traffic is getting worse"
• r/CloudFlare – "AS136907 Huawei Cloud bypassing all Security rules"
• Cloudflare Community – Multiple threads documenting Huawei Cloud WAF bypass behavior

Andrew is the founder of CISO Marketplace and a cybersecurity consultant with 15+ years of experience and 400+ security assessments completed. He operates a network of cybersecurity publications and produces a daily cybersecurity podcast reaching listeners across 103 countries. Follow his work at CISOMarketplace.com.