We've seen similar things where spammers scrape our sites, put them up slightly modified and use cloudflare to block access to most of the web. They're obviously letting Googlebot through, but I've tried accessing it from dozens of countries and they're always straight up denied. I don't know what they're doing exactly, maybe it's an SEO attack, or they might be running ads and allowing that traffic to pass through.
If CF had a simple way to get (verified!) customer details, much of the crime using CF would go away while the pure DDOS-protection and CDN-usage wouldn't be impacted. Legitimate companies have their legal info on their websites anyhow, they don't care if you also can query CF about who they are.
I believe that once you put your website behind cloudflare it's really hard, if not imposible to get content using requests. Don't know about scraping tho.
Also, I think it's better to block unknown free domains, because (public) IPs can have thousands of devices asociated with them. Once you block a domain, the "scammer" has to buy a new one.
If CF had a simple way to get (verified!) customer details, much of the crime using CF would go away while the pure DDOS-protection and CDN-usage wouldn't be impacted. Legitimate companies have their legal info on their websites anyhow, they don't care if you also can query CF about who they are.