Unsourced
Original Research · Field Report

Most ‘AI crawlers’ are exactly who they claim. Some are impostors.

We logged 9,543 AI-crawler visits across the sites we monitor and checked every one against the operator's real network identity — its published IP ranges and forward-confirmed reverse DNS. Most were genuine. A measurable slice were impostors, and that slice matched an independent estimate almost exactly.

9,543 crawler visits · 14 AI crawlers · 1,524 unique IPs · 10 Jun–15 Jul 2026 · verified by forward-confirmed reverse DNS + operators' published IP ranges · every figure measured, none simulated

76.9%
verified genuine — IP inside the operator's published range, or forward-confirmed by reverse DNS (7,337 of 9,543)
17.7%
unverifiable — declared no checkable identity, so we flag but never accuse them (1,692)
5.4%
impostors — claimed an AI brand their IP couldn't back up (514). Human Security independently puts fake AI-crawler traffic at 5.7%

Every visit, sorted by whether it could prove itself

Verified genuine 76.9% Unverifiable 17.7% Impostor 5.4%

A verified visit proved its identity by network, not by its user-agent label. An impostor claimed a brand whose published footprint its IP fails. Unverifiable means the crawler publishes nothing we can check it against — we do not count it against anyone.

The impostor rate lines up with independent research. We measured 5.4% impostor traffic from our own logs, with no coordination. Human Security, studying automated traffic at internet scale, reported that roughly 5.7% of AI-crawler traffic is fake. Two very different vantage points, effectively the same number — which is the point of publishing a measured figure instead of a rounded one.

Who came knocking — and how much of it was real

Every AI crawler we saw, by visit count, with its verified / impostor / unverifiable split. Forward-confirmed, per operator.

AI crawlerVisitsVerifiedImpostorUnverifiable
ChatGPT-User (OpenAI, on-demand)6,4756,1852900
ClaudeBot (Anthropic)1,180011,179
GPTBot (OpenAI, training)635576590
Bytespider (ByteDance)380016364
OAI-SearchBot (OpenAI, search)368314540
Amazonbot (Amazon)215189026
PerplexityBot (Perplexity)11343700
CCBot (Common Crawl)950095
YouBot (You.com)252500
Google-Extended180180
anthropic-ai160016
cohere-ai120012
GoogleOther6510
Google-CloudVertexBot5050

Most AI crawling isn't training. It's a user waiting for an answer.

The single biggest source of AI-crawler traffic was ChatGPT-User — the fetch that fires the moment a person asks ChatGPT something and it goes to read a page. It was 68% of everything, and 95.5% of it verified genuine. The training crawler everyone is told to block, GPTBot, was just 7%.

The lesson: block the training bots and you can still be starving the live retrieval that actually puts you in front of a person mid-question.

The most-spoofed brand in our data

Among crawlers that publish a footprint we can check, PerplexityBot had the highest impostor rate by far: of 113 visits presenting the PerplexityBot user-agent, 70 (62%) came from IPs outside Perplexity's published ranges. Our method can't tell you why — it could be third parties spoofing the name, or the operator using undisclosed addresses — only that the network identity didn't match the claim.

This does not stand alone. In August 2025 Cloudflare publicly reported that Perplexity used “stealth, undeclared crawlers” with rotating IPs across networks to reach content that had blocked its declared bots, and delisted it as a Verified Bot. Perplexity's reply was that a user-initiated request made through an AI assistant is not the same thing as a crawler. Our figure sits alongside that debate as one more independent measurement, not a verdict on intent.

Impostors travel without a name

The tell was consistent: 83% of impostor traffic came from IPs with no reverse DNS at all — 425 of 514 hits — with the rest hiding behind cloud providers such as AWS and Google Cloud. Genuine operators run their crawlers from address space they publish and that reverse-resolves to their own domain. Traffic that borrows an AI brand's name but answers to no network is exactly the pattern a spoof leaves behind. Nearly all impostors (497 of 514) failed on the unspoofable test: the IP simply was not in the range the operator publishes.

What this means — in plain English

If you read your server logs, a line that says “GPTBot” or “PerplexityBot” looks like proof an AI read your page. It isn't. A user-agent is just a label any script can type. Here's the honest picture from actually checking:

The takeaway: don't take a crawler's word for who it is any more than you'd take an AI answer's word for its sources. Verify the visitor, then trust the log — never the other way round. Turning that user-agent claim into proof is exactly what Unsourced does on your own site.

How we measured this. Every AI-crawler visit recorded across the sites in Unsourced's monitoring network between 10 June and 15 July 2026 (9,543 visits, 1,524 unique IPs, 14 distinct crawlers) was resolved to a verdict using two independent proofs: whether the IP falls inside the operator's authoritative published ranges, and forward-confirmed reverse DNS (the IP's reverse record must resolve to the operator's domain and that host must resolve back to the same IP — a PTR record alone, being attacker-controllable, is not trusted). Verified = at least one proof matched. Impostor = a positive contradiction only (IP outside the published range, or forward-confirmed reverse DNS owned by someone else) — never inferred from absence. Unverifiable = the crawler publishes no ranges and offers no confirmable reverse DNS, so no decisive check exists; we never label these impostors. The 17.7% unverifiable is dominated by ClaudeBot, Bytespider and CCBot, for which we hold no published-range or reverse-DNS profile — a coverage gap, stated plainly, not an accusation. This is data from the sites we monitor, not an internet-wide census; we report the exact figures and let them stand.
This corroborates a growing body of work. Human Security, measuring automated traffic at scale, estimated roughly 5.7% of AI-crawler traffic is fake; our independent 5.4% lands on the same spot. Cloudflare's August 2025 investigation documented stealth, undeclared AI crawlers evading no-crawl directives across tens of thousands of domains. Verifying a crawler's true identity — rather than trusting its user-agent — is becoming table stakes.

See who's really crawling your site

Unsourced catches AI crawlers server-side and proves each one's true identity — Verified, Impostor or Unverifiable — with the evidence to back it.

© Unsourced — the evidence layer for AI search. Methodology and aggregate data available on request.