[floatingatoll]

They consider those requests to be "bad actors". It's not necessarily about the volume of traffic, it's that they are compromised VPSes configured to perform unknown malicious activity that takes advantage of a free endpoint in support of unknown malicious intent. See also "Why do bad actors abuse this endpoint?" discussion elsethread: https://news.ycombinator.com/item?id=20480230

[wolco]

Wouldn't most api traffic come from vps's regardless of the intent?

[floatingatoll]

The article notes that the VPS providers indicated that those top API traffic consumers were all a specific cron.php on compromised VPSes, so while in theory your statement is true, in reality the issue here was maliciously-compromises VPSes, not VPSes in general.