Proxycurl was doing $10M a year. Then LinkedIn sued.
In January 2025, LinkedIn and Microsoft filed a federal lawsuit against Proxycurl and its founder Steven Goh. The allegation: hundreds of thousands of fake accounts used to pull millions of LinkedIn profiles. By July 2025, Proxycurl - one of the most commercially successful LinkedIn data operations ever, with $10 million in annual recurring revenue - was shut down permanently.
The founder was candid about why. As Goh explained, they'd built the company organically without VC funding and simply couldn't afford to fight a multi-billion dollar corporation in court. The settlement required deleting all LinkedIn data obtained through unauthorized means.
This wasn't the first time LinkedIn went after unauthorized data operations. But Proxycurl's scale and public profile made it the most visible example yet of what happens when LinkedIn decides to enforce.
If you work with LinkedIn data for prospecting, this matters. The legal landscape has shifted dramatically since the hiQ ruling that everyone cites as proof that public data is fair game.
The hiQ case doesn't say what people think it says
The hiQ Labs v. LinkedIn case gets referenced constantly as evidence that working with LinkedIn data is legal. Here's what actually happened.
The ruling everyone cites
In April 2022, the Ninth Circuit ruled that collecting publicly accessible data doesn't violate the Computer Fraud and Abuse Act (CFAA). The court's logic: public websites impose no access authorization requirements - "there were no gates to lift or lower in the first place."
This was a genuine legal milestone. It established that accessing public data isn't "hacking" under federal law.
What happened next (the part people skip)
Later that same year, the district court found that hiQ had breached LinkedIn's user agreement - the Terms of Service. The court also found hiQ had failed to preserve evidence and awarded sanctions.
The parties settled. hiQ, which had lost funding, clients, and employees during years of litigation, closed down.
The practical lesson: you probably won't go to prison for collecting public LinkedIn data, but LinkedIn can still sue you for breach of contract, close your account, and make running your business impossible.
Where the law stands now
The critical distinction: CFAA legality is not the same as "safe to do." LinkedIn has the resources and willingness to pursue unauthorized data operations through civil litigation, and the hiQ case itself proves that winning the CFAA argument doesn't save your business.
Why LinkedIn's enforcement is escalating
LinkedIn has gotten much more aggressive about enforcement since 2024. The Proxycurl lawsuit wasn't an isolated incident.
The AI factor. Bloomberg Law reported that LinkedIn's enforcement has ramped up specifically because AI companies want LinkedIn data for training models. The volume of unauthorized data operations has increased dramatically, and LinkedIn is investing in enforcement to match.
The fake account problem. Proxycurl's downfall wasn't just the volume of data - it was operating hundreds of thousands of fake accounts. LinkedIn's lawsuit highlighted this specifically. Creating fake accounts to access data is a much clearer violation than collecting public data, and it's what LinkedIn has been most aggressive about prosecuting.
What actually works (without the legal risk)
Most LinkedIn data needs can be met responsibly. Here are the approaches practitioners actually use, ranked by risk.
Zero risk: LinkedIn's own export
Most people don't know this exists. Go to Settings > Data Privacy > Get a copy of your data. LinkedIn emails you an archive of your connections, including names, companies, titles, and emails (when shared).
It's your data, so it keeps you in control of your own data. And for many use cases - importing your network into a CRM, building a list of warm contacts to reach out to - it's all you need.
Limitation: You only get your own connections, and the export is manual.
Low risk: third-party data providers
Companies like Apollo.io, ZoomInfo, and Cognism build professional contact data through legitimate means - partnerships, public filings, user opt-ins, and licensed databases. You're buying data from a provider that handles the compliance.
Bright Data is worth noting specifically: they won court cases against Meta and X in 2024, becoming the first public-data company to be thoroughly examined in U.S. courts and win twice. That legal validation matters if compliance is your priority.
The trade-off: You're paying for data someone else collected. The data quality and freshness varies. And you're trusting the provider's compliance claims.
Medium risk: outreach tools tied to your own account
Tools that work through your own LinkedIn account, rather than fake accounts, occupy a gray area. They technically violate LinkedIn's Terms of Service, but they keep you working from a single real account that's genuinely yours.
The key distinction from Proxycurl's approach: you're using your real account to do the outreach you'd do by hand, just with the repetitive parts handled for you. The activity is your own genuine engagement, not bulk data operations across hundreds of fake profiles.
BeReach takes this approach - your BeReach account is tied to your own LinkedIn account, and the BeReach agent handles the repetitive parts for you. Starting at EUR49/month, it helps you reach the right people through your own account rather than fake accounts.
Risk mitigation:
- Keep to reasonable usage limits and a respectful pace
- Use your own real account
- Focus on genuine outreach, not bulk data operations
- Accept that ToS violation risk exists
No-risk alternative: earn the data
The approaches above all involve sourcing data from LinkedIn. There's a fundamentally different strategy: create content that makes prospects come to you.
Lead magnets, webinars, and gated tools gather LinkedIn-equivalent data with explicit consent. A "Free LinkedIn Profile Audit" tool that asks for a profile URL gives you the same data you'd otherwise have to source yourself - but the prospect handed it to you voluntarily.
This doesn't scale the same way, and it requires content investment. But the data you gather is higher quality (they opted in), built on consent, and comes with built-in buying intent.
GDPR: the constraint most articles underestimate
If any of your prospects are EU residents, GDPR applies regardless of where your company is based. And GDPR treats collected personal data seriously.
Legitimate interest is the legal basis most B2B companies rely on for outreach. It can work, but it requires:
- A documented assessment that your business interest outweighs the individual's privacy rights
- A clear opt-out mechanism in every communication
- Data minimization - only gather what you need
- Deletion on request - and you need a process for this
What GDPR doesn't allow: gathering personal data in bulk, storing it indefinitely, or using it without transparency about how you got it.
The Clearview AI settlement in 2025 - roughly $51 million and 23% company equity to plaintiffs - shows what happens when facial recognition and bulk personal data intersect with privacy law. LinkedIn data is less sensitive than facial scans, but the regulatory direction is clear.
If you're collecting LinkedIn profiles of EU residents and storing that data without a valid GDPR legal basis, you're exposed. The fines can reach 4% of annual revenue or EUR20 million, whichever is higher. This isn't theoretical - enforcement is increasing.
The shift from bulk data to real engagement
The Proxycurl shutdown signals a broader trend: the era of large-scale LinkedIn data operations is ending. LinkedIn is too well-resourced, too motivated (especially with AI training data concerns), and too legally aggressive for bulk data operations to be a sustainable business model.
What's replacing it is engagement-based prospecting. Instead of pulling thousands of profiles into a database, you interact with prospects on LinkedIn - visit their profiles, engage with their content, send connection requests - and learn about them through those interactions.
This is fundamentally what tools like BeReach do. You're using LinkedIn as LinkedIn intended, just with the repetitive parts handled for you. What you get is fresher (it comes from real-time interactions), more relevant (you're already engaging with the prospect), and less legally exposed (you're operating within the platform, through your own account).
The trade-off is speed. You can't build a database of 50,000 prospects overnight this way. But you can build a pipeline of 50 genuinely warm prospects per week, which is what most B2B teams actually need.
Every viral post is 100+ warm conversations waiting.
Tell your agent who you want to reach. It finds leads, qualifies them, sends personalized outreach, and follows up.
Frequently asked questions
Is working with LinkedIn data legal in 2026?
Collecting publicly visible LinkedIn data doesn't violate the U.S. Computer Fraud and Abuse Act (per the hiQ v. LinkedIn ruling, Ninth Circuit 2022). But it does violate LinkedIn's Terms of Service, which is a breach of contract. LinkedIn actively sues unauthorized data operations - Proxycurl was shut down in 2025 after a federal lawsuit. GDPR adds further constraints for EU data. Legal but risky is the practical answer.
What happened to Proxycurl?
LinkedIn and Microsoft filed a federal lawsuit in January 2025 alleging Proxycurl operated hundreds of thousands of fake accounts to pull millions of profiles. Despite $10M in annual revenue, Proxycurl couldn't afford to fight and shut down by July 2025. The settlement required permanent deletion of all the data obtained. It's the highest-profile LinkedIn data enforcement action to date.
What are compliant alternatives for sourcing LinkedIn data?
Four main approaches: (1) LinkedIn's own data export for your connections (your own data, fully in your control), (2) third-party data providers like Apollo.io or ZoomInfo that handle compliance, (3) outreach tools like BeReach that work through your own real account rather than fake accounts, (4) inbound lead magnets that gather prospect data with consent. Most teams combine two or three of these.
Does the hiQ ruling mean working with LinkedIn data is safe?
No. The hiQ ruling only addressed the CFAA (federal hacking law). The same case found hiQ breached LinkedIn's Terms of Service (contract law). hiQ ultimately closed down after years of litigation. The ruling means collecting public data isn't a federal crime, but LinkedIn can still sue you for breach of contract, close your account, and make running your business extremely difficult.
Can I use LinkedIn data under GDPR?
B2B prospecting can use "legitimate interest" as a legal basis under GDPR, but you must document why your business interest outweighs the individual's privacy rights, provide opt-out mechanisms, minimize the data you gather, and honor deletion requests. Gathering data in bulk without these safeguards exposes you to fines up to 4% of annual revenue or EUR20 million. Using compliant data providers is the safer path.
