GA4 Bot Traffic from China and Singapore: Why Country Filters Don't Work (and the 3-Layer Fix)

Quick answer: The China/Singapore bot wave that hit GA4 properties in late 2025 cannot be stopped by country-level filters alone. The bots either spoof referrers, hit your Measurement Protocol endpoint directly, or rotate through residential proxies that bypass IP-based geo. The real fix is a 3-layer audit: (1) referrer + URL parameter filtering, (2) ASN-level blocking on your server-side stack, and (3) rotating your GA4 Measurement Protocol API secret. Below is the complete playbook.

What's happening

Starting around September 2025, thousands of GA4 properties saw sudden traffic spikes from China and Singapore — often 5–10× normal volume, frequently with high bounce rates and zero conversions. The traffic shows up under direct or referral in the channel report, with no obvious source.

This is not standard scraping or competitor monitoring. The pattern matches a coordinated effort to either: (a) spoof hits to skew your data, (b) probe for exposed Measurement Protocol endpoints, or (c) test your bot defenses for downstream attacks. The bots are sophisticated enough to fire realistic page_view, scroll, and engagement events.

Why standard fixes don't work

Country filter via GA4 admin → Internal Traffic → ignores the bots

Internal Traffic filters require IP ranges. The bots rotate through residential proxies and consumer ISPs in Hong Kong, Taiwan, and Singapore — IPs that look indistinguishable from legitimate users.

"Exclude Unknown URLs" filter → too aggressive

Catches some bots but also legitimate traffic from sites that strip the referer header (most major email clients, AI assistants, and link shorteners).

Bot Filtering toggle in GA4 → only catches IAB-listed bots

Already enabled by default. The China/Singapore bots aren't on the IAB list and pass through unfiltered.

The 3-layer audit and fix

Layer 1: Referrer + URL parameter filtering

Many of the bot hits include a tell — a specific referrer or URL parameter pattern. Pull your last 30 days of "direct" and "referral" traffic from these regions:

1. GA4 → Reports → User → Demographic details → Country = China OR Singapore
2. Add secondary dimension: Page referrer
3. Look for patterns: common referrer hostnames, URL query parameters that don't match your real campaigns

Common patterns we've seen: referrers ending in .icu, .top, or random subdomain on googleapis.com (spoofed). URL parameters with ?utm_source=GA4_bot or random base64 strings.

Create exclusion filters in Admin → Data Streams → Configure tag settings → List unwanted referrals. Add the bad referrer domains. This catches the lazier bots.

Layer 2: ASN-level blocking (the real fix)

The bots concentrate on a handful of cloud and proxy ASNs:

• AS113220 — known proxy network
• AS113203 — bot infrastructure
• AS45899 — VNPT (Vietnam), heavily used by the wave
• AS4837, AS4134 — China Telecom, China Unicom (consumer ISPs but heavily proxy-rented)

You cannot block ASNs at the GA4 level. You have to do this before the hit reaches Google. Options:

• Cloudflare WAF rule: Firewall → Rules → "Block if ASN in {113220, 113203, 45899}". Free tier supports this.
• Server-side GTM: Add a transform that drops requests originating from these ASNs before forwarding to GA4.
• Edge function (Vercel, Netlify, Cloudflare Workers): Check the ASN of incoming requests and respond with a 403 if matched.

This stops the bots from ever reaching your gtag/GTM container, which means they never generate GA4 hits.

Layer 3: Rotate your Measurement Protocol API secret

The most overlooked attack vector: bots scrape exposed GA4 measurement IDs and hit the Measurement Protocol endpoint directly with spoofed events. They don't need your gtag — they just need your measurement_id and api_secret.

If your API secret leaked (committed to a public repo, exposed in a client-side bundle, scraped from your gtag.js network call), bots can fire arbitrary events into your property forever.

How to rotate:

1. GA4 Admin → Data Streams → your stream → Measurement Protocol API secrets
2. Click "Create" → name the new secret → copy the value
3. Update your server-side code (custom integrations, sGTM, webhook senders) to use the new secret
4. After 24 hours of confirming clean data, delete the old secret

Rotate every 90 days as a baseline. If you suspect a leak, rotate immediately.

The audit method: how to check if you're actually affected

1. GA4 → Explore → Free Form → Dimensions: Country, Session source/medium → Metric: Sessions
2. Filter: Country = China OR Singapore
3. Compare to 60-day baseline. If today's volume is >3× the September 2025 baseline, you're affected.
4. Add Page path as dimension. Bots typically hit a small set of pages repeatedly, often including /, /admin, /wp-admin, or random paths.
5. Engagement rate on bot sessions is almost always <5%. Use this to validate.

What NOT to do

Don't disable your GA4 property. You'll lose real data with the bots.

Don't block all of China/Singapore at the firewall. Legitimate users (and Google's own crawlers for some regions) come from these countries.

Don't trust "Bot Filtering" alone. It's enabled by default and the China/Singapore wave isn't filtered.

Audit your full GA4 setup for bot exposure and data integrity

The China/Singapore wave is one of dozens of data-quality issues that quietly corrupt GA4 reports. Run a free Snifflytics audit to check your property for: bot traffic patterns, leaked Measurement Protocol secrets, unfiltered referral sources, and the rest of the 100+ checks agencies use on production GA4 implementations.