Scenario 02 — Logged-In Mobile API Abuse
Scenario
Yesterday, the Phantom Feed security team received a report from a partner
indicating that some kind of automated scraping activity
may be occurring against the mobile site m.phantomfeed.io.
To investigate, you have been handed three days of HTTP logs
(~300,000 entries) captured during the suspected activity window.
Your goal
Identify the bad actor and determine what they are doing. You are not being told what endpoint or dataset is being targeted. Your task is to:
- Discover patterns in the traffic
- Isolate suspicious behavior
- Arrive at a defensible conclusion and justify your findings with SQL
What you may assume
- Logs represent real user and partner traffic mixed with noise.
- Suspicious traffic is present but not labeled.
- All requests are authenticated — every row has a real userID.
- IPs are intentionally non-routable / synthetic for safety.
The dataset
You will be querying a single SQLite table named
phantomfeed_logs_logged_in. The console will auto-load it
when you select this scenario. Click the Schema tab
in the sidebar to see all columns with hints, or click
Sample queries to load starter SQL.
Why this one is harder
In an authenticated scrape, every row has a userID. That means:
- You can't filter by "missing cookies" — every request has a real session.
- JA4 reuse across IPs is normal because real users with the same browser share JA4s.
- The scraper has a stolen or farmed account — or rotates through many.
You'll need to look at the relationship between users, devices, and the endpoints being hit. Once you find the suspect cluster, characterize the automation signals that distinguish it from heavy human use.
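The following is an added example, not part of the scenario page or the Phantom Feed console. It builds a small constructed SQLite table with the name the scenario uses and runs the kind of SQL an analyst would use to relate users, IPs, JA4s and endpoints and to separate automation signals from heavy human use. Only the table name and the userID column come from the page; the columns ts, ip, ja4 and path, the route and threshold choices, and all the traffic rows are assumptions made for the example (check the real column names in the Schema tab before reusing the queries).

```python
"""Profile a logged-in scrape in SQLite. Added example; column names other than userID are assumed."""
import random
import sqlite3
from datetime import datetime, timedelta

TABLE = "phantomfeed_logs_logged_in"
# Assumed columns: ts (ISO-8601 text), userID, ip, ja4, path. Adjust to the console's real schema.
SCHEMA = f"CREATE TABLE {TABLE} (ts TEXT, userID TEXT, ip TEXT, ja4 TEXT, path TEXT)"


def constructed_rows():
    """Constructed traffic: ordinary users (irregular timing, mixed routes) plus a 3-account scraper."""
    rng = random.Random(7)
    t0 = datetime(2024, 3, 1, 8, 0, 0)
    routes = ["/api/v2/feed", "/api/v2/profile", "/api/v2/search",
              "/api/v2/notifications", "/api/v2/post", "/api/v2/comments"]
    rows = []
    # Five humans: two share a JA4 (same browser build), one (u-105) is a heavy but legitimate user.
    humans = [("u-101", "10.0.1.1", "JA4-A", 25), ("u-102", "10.0.1.2", "JA4-A", 25),
              ("u-103", "10.0.1.3", "JA4-B", 25), ("u-104", "10.0.1.4", "JA4-C", 25),
              ("u-105", "10.0.1.5", "JA4-B", 90)]
    for uid, ip, ja4, n in humans:
        t = t0 + timedelta(seconds=rng.randint(0, 3600))
        for _ in range(n):
            t += timedelta(seconds=rng.randint(5, 600))          # human gaps: 5 s to 10 min
            path = f"{rng.choice(routes)}?page={rng.randint(1, 5)}"
            rows.append((t.isoformat(sep=" "), uid, ip, ja4, path))
    # Scraper cluster: three accounts, one JA4, each rotating four IPs, paging the feed every 2 s.
    for k in range(3):
        uid, t = f"u-9{k}", t0 + timedelta(minutes=10 * k)
        for page in range(1, 61):
            t += timedelta(seconds=2)
            rows.append((t.isoformat(sep=" "), uid, f"10.9.{k}.{page % 4}", "JA4-D",
                         f"/api/v2/feed?page={page}"))
    return rows


def build_db(rows=None):
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany(f"INSERT INTO {TABLE} VALUES (?,?,?,?,?)", rows or constructed_rows())
    return con


# Route = path without its query string, so /feed?page=1 and /feed?page=2 count as one route.
ROUTE = "substr(path, 1, instr(path || '?', '?') - 1)"

# Per-user volume, IP fan-out and endpoint concentration.
USER_PROFILE_SQL = f"""
WITH per_route AS (
  SELECT userID, {ROUTE} AS route, COUNT(*) AS n FROM {TABLE} GROUP BY userID, route
),
per_user AS (
  SELECT userID, COUNT(*) AS requests, COUNT(DISTINCT ip) AS distinct_ips,
         COUNT(DISTINCT {ROUTE}) AS distinct_routes
  FROM {TABLE} GROUP BY userID
)
SELECT u.userID, u.requests, u.distinct_ips, u.distinct_routes,
       ROUND(1.0 * MAX(r.n) / u.requests, 2) AS top_route_share
FROM per_user u JOIN per_route r ON r.userID = u.userID
GROUP BY u.userID ORDER BY u.requests DESC
"""

# Inter-request timing: human gaps spread widely; a fixed-interval bot collapses to one rounded value.
TIMING_SQL = f"""
WITH ordered AS (
  SELECT userID,
         (julianday(ts) - julianday(LAG(ts) OVER (PARTITION BY userID ORDER BY ts))) * 86400 AS gap_s
  FROM {TABLE}
)
SELECT userID, COUNT(gap_s) AS gaps,
       COUNT(DISTINCT CAST(ROUND(gap_s) AS INTEGER)) AS distinct_gap_s,
       ROUND(AVG(gap_s), 1) AS avg_gap_s
FROM ordered WHERE gap_s IS NOT NULL GROUP BY userID
"""

# JA4 fan-out alone is not a signal (real users on the same build share a JA4); read it with the profile.
JA4_SQL = f"""
SELECT ja4, COUNT(DISTINCT userID) AS users, COUNT(DISTINCT ip) AS ips, COUNT(*) AS requests
FROM {TABLE} GROUP BY ja4 ORDER BY requests DESC
"""


def user_profiles(con):
    return {r[0]: r[1:] for r in con.execute(USER_PROFILE_SQL)}


def timing(con):
    return {r[0]: r[1:] for r in con.execute(TIMING_SQL)}


def ja4_fanout(con):
    return {r[0]: r[1:] for r in con.execute(JA4_SQL)}


def suspect_users(con, min_requests=50, min_ips=3, min_share=0.9, max_distinct_gaps=2):
    """Accounts that are high-volume, IP-rotating, single-route and metronomic at the same time.
    Thresholds are illustrative assumptions; tune them against the real distribution."""
    prof, tim = user_profiles(con), timing(con)
    return sorted(uid for uid, (requests, ips, _routes, share) in prof.items()
                  if requests >= min_requests and ips >= min_ips and share >= min_share
                  and tim[uid][1] <= max_distinct_gaps)


if __name__ == "__main__":
    con = build_db()
    for uid, row in user_profiles(con).items():
        print(uid, row, timing(con)[uid])
    print("JA4 fan-out:", ja4_fanout(con), "suspects:", suspect_users(con))
```

The heavy user u-105 sends more requests than any single scraper account but keeps one IP, many routes and irregular gaps, so it is not flagged; the three scraper accounts are flagged only because all four signals line up. The JA4 query shows why JA4 reuse on its own proves nothing here: JA4-A is shared by two ordinary users, and JA4-D only becomes interesting once it is joined to accounts that rotate IPs and hammer one route.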