01 — How I Found It
The Server Was Slow. That Is the Whole Story Until It Isn't.
On the morning of June 16, the CFVA server was slow. Not down. Not broken. Slow. The kind of slow that any production operator recognizes as something is happening that should not be happening. Load average sitting at 3.5 on a two-core box. Two backend workers pinned at fifty-five percent CPU each, twenty-four hours a day, six days running.
Most founders, on most days, would have written it off as growth. Traffic is up. Good problem to have. We'll upgrade the server. That instinct is exactly the instinct an experienced attacker counts on.
I pulled the access logs. I sorted them by IP address. I looked at the top requesters. And I saw a pattern that no human browsing session in the history of the internet has ever produced:
One entity per request. No revisits. No back-button. No related-link clicks. No search. Just a steady, mechanical, alphabetical march down the index, page after page, IP after IP. Z to A. Two thousand requests per IP per day. Ten IP ranges. Six days.
That is not a user. That is not a competitor doing research. That is a scraper, professionally coordinated, designed to copy the entire production database one entity at a time and walk away with it before anyone noticed.
By the time I noticed, they had walked away with 1.94 million records. Twenty percent of the database. The reverse-alphabetical signature meant they had started at the end and were working backwards — they had finished the Z through M range and were grinding through the L's when I shut them down.
02 — The Anatomy of a Coordinated Steal
What Six Days of Sustained Scraping Looks Like in Production
The pattern, once you see it clearly, is a textbook coordinated extraction:
| Dimension |
Measurement |
| Duration |
June 10 through June 16, 2026 — six days |
| Method |
Reverse-alphabetical walk of the entity index, one record per request |
| Coordinated IP ranges |
Ten or more, distributed across multiple networks |
| Top scraper traffic |
~2,000 requests per IP per day, sustained |
| Records extracted |
1,940,000 unique entity records |
| Percentage of database |
~20 percent of 9.5 million total entities |
| Projected completion |
Approximately 14 days from start if uninterrupted |
Single-IP scrapers are amateurs. They get blocked in an afternoon. Coordinated multi-IP scrapers with rate limits below the obvious-attack threshold, walking systematically through the index in a predictable order — that is the work of someone who has done this before, who knows exactly how to stay under whatever monitoring an unsupervised solo founder might have, and who is patient enough to spend two weeks copying a database one record at a time rather than triggering an obvious denial-of-service alert.
This was not vandalism. This was a heist.
03 — Who Steals 1.94 Million Federal Records
Three Plausible Profiles, and Why It Matters
I do not know who did this. Identifying the operators behind a coordinated multi-IP scraping campaign is not something a solo founder can do reliably from the access logs alone. But the profile of who runs this kind of operation is well understood in the data industry, and it narrows quickly to three candidate groups.
First, a competitor or aspiring competitor in the federal accountability data space. Someone planning to launch a similar product who needed a starting database and decided to take mine rather than build their own. This is the most common motivation behind sustained database scraping. The cost of building 9.5 million entities from sixty federal sources, with entity resolution and standing-rule discipline, is months of work. The cost of stealing it is a six-day scraping budget and the ethical flexibility to do so.
Second, a data broker. There is an entire industry of intermediaries who aggregate public data from anywhere they can find it, repackage it, and sell it to enterprise customers who do not know or care where the data came from. For a data broker, the question is not is it legal but is it cheap enough. My free entity pages were the cheapest option in the market.
Third, a researcher or journalist on a deadline. This is the least likely profile, because researchers and journalists generally write me an email rather than running a six-day scraping campaign across ten coordinated IPs. But it is possible. If you are that researcher and you are reading this, you would have been welcome through the front door. The fact that you came through the back door tells me you already knew the answer would have been yes — you just preferred not to be on the record asking.
All three of these profiles share one thing: they considered the data worth the cost of stealing it. That is the most important data point in this entire incident. Not the volume taken. Not the speed of extraction. The market signal that someone, somewhere, decided that 1.94 million CFVA records were worth a coordinated multi-day operation to steal.
04 — What I Did About It
Three Layers, Deployed in Under Two Hours
Once the pattern was identified, the response was technical and rapid. The CFVA platform now sits behind three defensive layers that did not exist when this Signal was first written and that will not be removed.
Layer One — Rate Limiting
Every entity page request, every search query, every autocomplete lookup is now capped at two requests per second per IP address. A coordinated ten-IP scraper that was previously pulling thousands of requests per second is now structurally limited to twenty. The cost-benefit math of stealing CFVA just changed by two orders of magnitude.
Layer Two — IP Blocking
The ten known scraper IP ranges from this campaign are now blocked at the firewall level. They get nothing. The blocks persist across reboot. This is whack-a-mole — scrapers rotate IPs — but it raises the cost of resuming the same operation, and it tells whoever was running it that someone is watching.
Layer Three — Authentication Wall
As of June 16, 2026, all entity pages on CFVA require authentication to view. Unauthenticated requests return a 403 response immediately — no database query, no compute cost, no path forward for a scraper. The free browsing era of CFVA, which lasted from the platform's launch in March 2026 through the discovery of this attack, is over.
Within two hours, the load average dropped from 3.5 to 1.28. The CPU usage on the backend workers dropped from fifty-five percent each to three to five percent. The scrapers, instead of pulling tens of thousands of records per day, are pulling four to six attempts before they get a 403 and move on. The server has been quiet ever since.
3.5 → 1.28
Load average dropped
~166K → 4-6
Hits per scraper IP per day
05 — The Question I Have to Answer Now
Is It Smart to Put Everything Online for Every Competitor to Copy?
This is the real question, and the scraper just answered it for me in the clearest possible way. No, it is not smart, and it never was. The free-everything era of CFVA was not a strategy. It was a default that I had not yet revisited because no attack had forced me to revisit it.
The attack forced the revisit. The answer is now structural.
There is a confusion at the heart of how most people think about public data, and the scraper crystallized it for me. The confusion is the assumption that open and free are the same word. They are not. They mean almost opposite things in the context of a software product, and the difference between them is the difference between a sustainable accountability platform and an asset that gets eaten by the first patient competitor with a scraping budget.
Open means the source is public. The methodology is published. Anyone can verify how the system works. The data is documented, the harvest schedule is known, the standing rules are written down. Open is what builds trust. Open is the precondition of independent verification. Open is what the AIACP Protocol is built around. Free is different. Free is when someone else does all the harvesting, all the cross-referencing, all the cleanup, all the entity resolution — and then hands you the finished product without asking you to pay for the work. Free is what invites the scraper. Open invites the auditor. Those are not the same person.
The mistake CFVA was making, up until June 16, was that it was both open and free. The open part is correct and stays. The methodology will continue to be published. The data sources will continue to be documented. The AIACP Protocol will continue to be available for any qualified party to implement under their own governance. None of that changes.
The free part is what changes. Entity pages — the cross-referenced, deduplicated, standing-rule-validated product surface of the platform — now require authentication. The work that went into producing them is no longer being given away to the first scraper with patience.
This is not a moral position. This is a survival position. A platform that publishes its entire production output for free, with no friction, no authentication, no commercial layer, is a platform that any well-resourced competitor can replace by copying it. A platform that publishes its methodology openly and charges for its finished product is a platform that competitors cannot replace, because the competitor would have to commit to the same operational discipline — every day, indefinitely — to keep their copy fresh.
06 — The Pattern Every Open-Source Company Has Already Solved
What Red Hat, PostgreSQL, and Linux Figured Out Decades Ago
The configuration I am moving CFVA to is not original. It is the well-worn path of every successful open-source-meets-commercial company in the last thirty years.
- Red Hat publishes the Linux source code for free. The world can read it, modify it, run it. Red Hat charges for support, certification, and enterprise distribution. The most valuable Linux company in history was built on this configuration.
- PostgreSQL is free and open source. Amazon, Google, and Microsoft all run paid managed PostgreSQL services that customers gladly pay for, because running PostgreSQL at scale is operational work the customer does not want to do.
- MongoDB, Elastic, and Redis all open-sourced their core technology and built billion-dollar businesses charging for the hosted, managed, supported, enterprise-grade product. The model is so well understood that there are entire venture capital strategies built around it.
In every one of these cases, the source is open and the product is paid. The pattern is identical. The reason it is identical is that the pattern works.
CFVA, as of June 16, 2026, is adopting the same pattern. The methodology stays open. The Protocol stays open. The data sources stay documented. But the production output — the work product that took months of operator discipline to build — is now a commercial product behind authentication.
The first commercial application will be the OIG exclusion screening service for small healthcare organizations: automated monthly reports, fresh exclusion lists, legal-grade documentation. The scraper's stolen snapshot is worthless for this product because it goes stale the moment OIG publishes the next monthly update — and that is the entire point. Fresh data is the product. Stale data is the souvenir.
07 — What I Wish I Had Known Three Months Ago
The Standing Rules That Should Have Been in Place From Day One
Every operational mistake that becomes a Signal entry produces a standing rule. The scraper attack produced four. They are now permanent.
Standing Rule Twelve — Rate Limit Everything
Every public API endpoint, every page route, every search query gets a rate limit at the proxy layer. The default for unauthenticated requests is two per second per IP, with reasonable burst allowance. No public production endpoint ships without this rule applied.
Standing Rule Thirteen — Monitor for Mechanical Access Patterns
Daily review of access logs for the signature of automated extraction: one request per URL with no revisits, sequential or alphabetical traversal, sustained high request rate from a small number of source IPs. These signatures are unambiguous and they are not generated by humans. Catching them in one day instead of six days is the difference between a footnote and a heist.
Standing Rule Fourteen — Production Output Behind Authentication
Cross-referenced, deduplicated, entity-resolved data is the product. It is not the methodology. The methodology is published. The product is paid. There is no scenario in which the production work product is exposed unauthenticated at scale.
Standing Rule Fifteen — Stale Data Is the Souvenir
Any data product whose value depends on freshness — exclusion lists, sanctions, enforcement actions, regulatory updates — has natural defensibility because a stolen snapshot decays automatically. Build the product around the freshness, not around the snapshot. The competitor who steals the snapshot has the souvenir. The platform that ships the next update has the customer.
08 — What This Changes About CFVA Going Forward
The Free Browsing Era Is Over. The Real Product Begins.
Three months into building CFVA in public, I have learned something I did not know when I started. The platform is more valuable than I realized. Someone proved that by stealing twenty percent of it. The platform is also more vulnerable than I realized, because the configuration I had chosen — free access, no friction, no commercial layer — was a configuration that any competitor with patience could replicate by extraction.
What I am building from this week forward is the version of CFVA that should have existed from the beginning. The methodology stays open. The Signal blog stays open. The AIACP Protocol stays open. The data sources stay documented. The entity pages stay searchable, but for authenticated users only — citizens, researchers, customers, partners. The production output that took months of operator discipline to build is no longer given away to anyone with a scraping budget.
The first paid product, shipping this week, is the OIG exclusion screening service for small healthcare organizations. The methodology behind it is published in the Signal series and in the AIACP documentation. The product itself — automated monthly screening reports, fresh exclusion data, legally documented audit trail — is paid. That is the model from here forward.
The scraper accelerated the timeline. It did not change the direction. It just made the direction obvious.
I built CFVA because I believed that federal accountability data belongs in citizens' hands, not locked behind enterprise subscriptions that only large institutions can afford. I still believe that. The methodology and the framework will remain open for exactly that reason.
What I learned the hard way, in six days of someone trying to walk off with the database, is that open and free are not the same word. The first builds trust. The second invites theft. The configuration that defends the mission is the one that publishes the method and charges for the work.
The free browsing era of CFVA ended on June 16, 2026. The real product begins now.
Christian Fuhrmann
Founder & CEO, CFAISolutions LLC
Sacramento, California — June 16, 2026