LinkedIn has initiated legal action against ProAPIs Inc., its Pakistan-based affiliate Netswift, and founder Rehmat Alam, alleging the operation of an “industrial-scale fake account mill” designed to scrape data from millions of user profiles[1]. The lawsuit, filed in the U.S. District Court for the Northern District of California (Case No. 3:25-cv-8393), claims the defendants created over a million fake accounts to harvest data, including information from behind LinkedIn’s password wall, and sold it via a subscription service for up to $15,000 per month[3], [5]. This case highlights the ongoing technical and legal battle between platforms and entities seeking to monetize user data, particularly in an era where such information is valuable for training artificial intelligence models.
Technical Mechanics of the Scraping Operation
The core of LinkedIn’s complaint details a sophisticated, persistent technical operation. ProAPIs allegedly created and managed a network of millions of fake LinkedIn accounts, which were used to power an automated scraping tool called “iScraper”[5]. These accounts were not typical spam profiles but were engineered specifically for data extraction, using false names and stock photographs to appear legitimate. The operation was characterized by its high volume and resilience; while LinkedIn’s automated defenses would detect and restrict these fake accounts within hours, the defendants reportedly responded by generating hundreds, if not thousands, of new accounts daily to maintain their scraping capacity[5]. This created a continuous “cat-and-mouse” game, forcing LinkedIn to over-invest in server infrastructure to handle the excessive load generated by non-human traffic, which far exceeded normal user activity patterns[3], [5].
The iScraper Service and Commercial Model
The scraped data was commercialized through the iScraper API, which ProAPIs marketed as a tool to “scrape LinkedIn data efficiently in real-time and at scale”[5]. This service provided subscribers with access to a vast repository of LinkedIn member information, including posts, reactions, and comments. Crucially, the service was able to access data that is “only available behind LinkedIn’s password wall,” meaning information from members who had configured their privacy settings to be visible only to logged-in users was also harvested[5]. The business model was subscription-based, with a premium tier costing up to $15,000 per month, which granted customers 5 million API calls at a rate of 150 requests per second[3]. This pricing structure indicates the high value placed on large-scale, fresh LinkedIn data, likely for sales intelligence, recruitment, or AI training purposes.
Legal Claims and Alleged Violations
LinkedIn’s lawsuit presents eight distinct legal claims against the defendants, painting a picture of systematic abuse. The primary allegations include breach of contract, as the scraping and fake account creation directly violate multiple sections of LinkedIn’s User Agreement[5]. The complaint also accuses the defendants of fraud, specifically noting that Rehmat Alam repeatedly signed up for paid LinkedIn services like Premium and Sales Navigator using credit card information that was subsequently declined, granting him temporary access without payment[5]. From a cybersecurity legislation perspective, the lawsuit invokes the Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Data Access and Fraud Act. Furthermore, LinkedIn claims trademark dilution by tarnishment, arguing that ProAPIs’ unauthorized use of LinkedIn logos on its website created a false impression of affiliation and damaged the brand’s reputation for protecting user privacy[5].
“Our goal is simple: keep control of your data where it belongs — with you,” stated Sarah Wight, LinkedIn’s VP of Legal, in an official post. She emphasized that the company is “deeply committed to safeguarding our members’ information” and that “there is no finish line in this fight to protect our members’ information.”[2]
Broader Implications for Data Security and Platform Defense
This lawsuit is part of a larger trend of technology platforms aggressively pursuing legal action against unauthorized data harvesting operations. It follows LinkedIn’s recent legal victory against another data scraping service, ProxyCurl, demonstrating a consistent legal strategy to establish precedent[1]. The case also underscores the economic drivers behind data scraping, particularly with the rising demand for large datasets to train AI models[7]. For platform defenders, this incident illustrates the challenges of distinguishing between legitimate user activity and sophisticated automated systems designed to mimic human behavior. The technical arms race requires continuous investment in detection capabilities, including AI models to identify fake accounts, rate limiting to control request volume, and IP blocking to limit access from suspicious networks[5].
The relevance of this case extends to organizational defense strategies. The methods employed by ProAPIs—using fake identities to gain authorized access to a system—share similarities with tactics used in more malicious attacks. While the goal here was data harvesting rather than network compromise, the underlying technique of creating legitimate-looking but fraudulent identities is a common attack vector. Organizations should review their identity verification processes and monitor for patterns of automated account creation. Defensive measures should include analyzing traffic for non-human patterns, even from seemingly valid accounts, and implementing robust API security controls that can detect and block scraping behavior masquerading as normal usage.
In conclusion, LinkedIn’s lawsuit against ProAPIs represents a significant legal and technical confrontation over data ownership and platform security. The case highlights the sophisticated methods employed by commercial data scrapers and the substantial resources required by platforms to defend against them. As data continues to be a critical asset, these types of legal actions are likely to become more common, establishing important boundaries for data access and usage. The outcome of this case could influence how platforms protect user data and how courts interpret violations of terms of service in the context of automated data collection.
