@waffles
Being behind Cloudflare, it's not that easy. I only see which reverse proxy people come in from. I don't have their originating IP address.
And if they are doing something like this, they probably used a VPN to login and set up an account to hide their IP.
There's an ID though in one of the API calls, and I'm wondering if it is actually an ID that could be used to identify the account in the database they are trying to referene, which might be their own? I was thinking of investigating this on the weekend.