Eight Indicted for Causing Tens of Millions in Losses in Ad Fraud Scheme

Brian Blondy, December 9, 2018

The United States Department of Justice (DOJ) presented a wide-ranging indictment charging eight individuals with 13-counts of wire fraud, computer intrusion, aggravated identity theft, and money laundering for allegedly masterminding and operating the 3ve (pronounced “eve”) and Methbot digital ad fraud scams.

The DOJ charged the individuals with amassing in upwards of $30 million of fraudulently earned ad revenue from advertisers seeking to place ads on prominent global websites.

The defendants allegedly used a server farm and a sophisticated botnet of computers to simulate the delivery of billions of impressions which never appeared on websites or were ever viewed by actual internet users.

The accused are Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko. Ovsyannikov was arrested in October 2018 in Malaysia; Zhukov was arrested in November 2018 in Bulgaria; Timchenko was arrested in November 2018 in Estonia, all under provisional arrest warrants issued at the request of the United States.

All of the arrested await extradition to the US, while the other five remaining defendants remain at large. (DOJ)

The DOJ indictment also includes seizure warrants authorizing the FBI to take control of Swiss bank accounts, 31 internet domains, as well as search warrants authorizing the FBI to extract information from 89 computer servers which formed the infrastructure of the botnet network of computers which engaged in the digital advertising fraud.

How The Ad Scam Worked

Between the years of 2014 to 2016, the accused individuals operated a purported advertising network (Methbot) to carry out the digital ad fraud operation.

The defendants arranged partnerships with global SSPs to place ad tags across their network of websites in exchange for ad revenue payments.

Rather than placing the ad tags on actual websites, the defendants instead utilized nearly 2,000 US-based computer servers to load ads onto fake websites by “spoofing” the ad impressions across more than 5,000 domains.

In order to create the illusion that actual human beings were interacting with the ads, the accused programmed datacenter servers to simulate internet activity – fake mouse movement, the starting and stopping of video players, and falsely showing users signed into Facebook on the websites.

An agency or advertisers looking to purchase inventory on premium websites would see the name of the prominent publishers on the ad exchange even though the site was, in fact, a masquerading as a legitimate version of a website. The bots would then visit the fake site and view the impressed ad to generate revenue.

The internet scheme falsified billions of ad impressions and caused defrauded advertisers more than $7 million for ads that were never actually viewed.

The defendants leased over 650,000 IP addresses, assigned multiple IP addresses to each datacenter and then fraudulently registered the IP addresses to create the illusion that the datacenter servers were residential computers belonging to internet users subscribers to local internet service providers.

In parallel, the accused are purported to have also operated an additional, and more profitable, advertising network (3ve) to carry out another advertising fraud scheme in addition to the Methbot operation.

The defendants operated a global botnet of 1.7 million malware-infected computers – each infected with hidden browsers which downloaded fabricated webpages and loaded ads onto these websites.

The actual owners of the infected computers were unaware that the ad fraud process was running in the background of their computer.

In total, the internet scheme falsified billions of ad impressions and caused defrauded advertisers more than $29 million for ads that were never actually viewed.

According to security firm Proofpoint, a vast majority of the millions of infected computers acquired the malware after being tricked by misleading ads shown on websites such as Pornhub.com, which stated that their browser or Adobe Flash required a “critical” update.

Industry experts believe that the malware included “anti-forensic” characteristics which prevented it from being detected or removed from infected computers as well as having digital self-awareness not to load itself onto already malware-infected computers which might by association blow their cover upon discovery.

How the Ad Scam Was Stopped

According to Buzzfeed News, Google and WhiteOps partnered together to begin analyzing information about a botnet they were both tracking in the first months of 2017.  The bots by design were programmed to visit specific websites in order to generate page views and ad impressions that resulted in ad revenue for the fraudsters.

In the following months, the botnet managed to evolve and modify its behavior after measures were taken to filter out the traffic from the advertising systems.

By summer 2017, Google and WhiteOps approached industry partners to address the botnet.  Industry leaders were leery that the Botnet’s size and power to defraud advertisers would begin eroding confidence, stability, and trust in the entire ad ecosystem.

The FBI organized a meeting of digital advertising and cybersecurity experts in August 2017 to build out a robust response to a massive ad fraud scheme which presented an existential risk to the stability of the global digital advertising industry.

The meeting would set in motion a criminal investigation into confronting the “largest and most sophisticated digital ad fraud operation experts have ever encountered.”

By October 2018, the FBI, working alongside and briefing its private sector partners, privately informed the group that it was ready to take down 3ve.

On Oct. 22, the number of bids for ads submitted to ad systems from sites associated with 3ve went from 375,000 at 12 am to 0 by 6 pm the same day. The FBI killed the 3ve operation in 18 hours.

Can You Avoid Getting Scammed by Ad Fraud?

According to the World Federation of Advertisers, ad fraud is currently only superseded by the illegal drug trade in annual revenue.

In 2018 alone, an estimated USD 19 billion stolen from advertisers and publishers by ad fraud — a staggering figure which mostly contributes to reducing advertiser confidence in the industry.

Is there a way to avoid being defrauded by fake inventory? We asked our in-house media buying agency, MediaTraderz, whether it is even possible to avoid purchasing fake inventory.

“It is always challenging to be 100% certain that the traffic you are interested in purchasing is indeed legitimate and not fraudulent. In our experience, our first step is to usually look for abnormal behavioral originating from the publisher in order to understand the source of the inventory,” said Gadi Elias, Programmatic Team Leader at MediaTraderz.

“When we see unusually low prices for what is usually premium inventory, we tend to view that opportunity with a sense of skepticism and primarily avoid it. Also when we see abnormal volumes of inventory for usually low traffic domains or apps we often use several of the industry’s best fraudulent authentications tools (WhiteOps, ProtectedMedia, and DoubleVerify) as solutions for better understanding what we are seeing on the exchange,” said Elias.