I work with Andrew Waugh on the same Discourse site. I finally had some time to start digging into this, and soon discovered that a whole bunch of the requests came from one IP, 220.127.116.11, and that they all included our API key.
That IP belongs to Digital Ocean, and since the requests included our API key, I’m assuming this is coming from Discourse Metrics. We’ve turned Metrics off now, but here’s a redacted sample from our “outer” nginx log:
18.104.22.168 - - [31/Mar/2017:19:00:22 +0000] "GET /users/SomeUser.json?api_key=sekrit&api_username=system HTTP/1.1" 200 1343 "-" "Ruby"
We’ll see in a day or two if this makes our user profile views go down by a significant amount.