You sure they’re skimming results? I saw what looks like a filter to add to an adblocker …

see I don’t have a smoking gun on this, but if it is a garden variety adblocker and whatever the accelerator does (it’s extremely unclear) running on cloudflare workers, they at least have the ability to MiTM and modify DNS queries, and open proxies are always a security nightmare. my impression is the filter list they link is either what that endpoint uses to filter, or it’s LLM vomit they kept in because it felt more legitimate.

this might be worth poking at more in a controlled setting — a command line DNS-over-HTTP client using their endpoints and some exploration of the open proxy with curl (especially with sites that utilize credentials, with great care taken to use disposable accounts for this) might be illuminating

and the “mirrors” bit is basically an open proxy

could test this by setting up a simple example page and seeing the originating source for the traffic

same technique as previous, using an http (not https) canary:

geo_info: {'loc': '51.5085,-0.1257', 'org': 'AS13335 Cloudflare, Inc.', 'city': 'London', 'country': 'GB', 'region': 'England', 'ip': '141.101.98.196', 'timezone': 'Europe/London', 'postal': 'E1W', 'asn': {'route': '141.101.98.0/24', 'type': 'hosting', 'asn': 'AS13335', 'domain': 'cloudflare.com', 'name': 'Cloudflare, Inc.'}}
useragent: (no user-agent specified)
request_headers: {'Host': 'canarytokens.com', 'X-Real-Ip': '141.101.98.196', 'X-Forwarded-For': '2a06:98c0:3600::103, 141.101.98.196', 'X-Forwarded-Host': 'canarytokens.org', 'Connection': 'close', 'Accept-Encoding': 'gzip', 'Cf-Ray': '89f1a3a114752508-LHR', 'X-Forwarded-Proto': 'https', 'Cf-Visitor': '{"scheme":"https"}', 'Cf-Ew-Via': '15', 'Cdn-Loop': 'cloudflare; subreqs=1', 'Cf-Connecting-Ip': '2a06:98c0:3600::103'}
request_args: {}