They mention a single user downloading a 20GB file thousands of times on a single day, why not just rate limit the endpoint?

Their download service does not require authentication, and they are kind enough to be hesitant about blocking IPs (one IP could be half of a university campus, for example). So that leaves chasing around to find an individual culprit and hoping they'll be nice and fix it.