A Massive Criminal Undertaking
Operating under the codename “3ve,” the fraud scheme was massive in scope and complicated in execution. First detected in 2017, the exact beginnings are uncertain, but it is highly likely the botnet was operating for a significant amount of time earlier than initial discovery. The plot made use of a network of hijacked devices infected through the typical methods: attachments in trapped emails and mislabeled downloads scattered throughout the Internet. The exact size, scope, and location of the botnet and the servers managing it shifted constantly, making it much harder to pin down and hiding the true size of the operation until much later.
Once the 3ve network had its network of bot devices, they got to work on monetizing them by creating thousands of fake websites. Once running, these websites would make automated bids for ad inventory to digital marketing firms, just like most websites on the Internet do to secure ads to their own visitors. Once ads were showing on these fake websites, they would direct their botnet to visit them, counting millions of ad views and collecting paychecks from digital advertising networks without a single human ever viewing an ad.
A “Very Complex, Ever-Shifting Maze”
While the monetization was generally done the same way – generating fake views on real ad inventory to collect the advertising revenue – the specifics shifted enough to make the whole operation much harder to trace than similar, smaller fraud rings. Sometimes the bots were run from massive servers in datacenters and only used spoofed IPs from the devices in the botnet; sometimes the devices themselves sent the request to visit the fake websites; and sometimes they didn’t use hijacked residential devices at all, but instead used datacenter servers as proxies to communicate with other, smaller servers at other datacenters to generate the fraudulent traffic. Any of their techniques on its own would be an extremely complicated endeavor to operate at scale, but all the methods together created a quagmire of confusing data for investigators to sort through.
Taking It Slow
Google first caught a whiff of the botnet in 2017. As they continued investigating and following clues, they realized that the operation was much larger than initially suspected – and that they weren’t the only ones on the case, with various other large tech companies also investigating the suspicious activity, including behemoths like Microsoft and Amazon and including White Ops, a bot detection firm that proved instrumental in the takedown operation. Google invited these groups to work together to discover the extent of the fraud and devise the best way to combat it.
Also on the invitation list were the FBI and the Department of Homeland Security, whose most active role came just recently. As eight men were indicted as primary coconspirators – six Russians and two Kazakhstan nationals – it was revealed that three were already in custody, apprehended in Malaysia, Bulgaria, and Estonia at the request of US officials. While five of the men remain at large, international arrest warrants have been issued.
That doesn’t mean those still free can continue the operation, though. The FBI also obtained warrants to seize control of a number of internet domains and over seven dozen servers used to manage the complicated infrastructure of the fraud network. In just 18 hours, the overwhelming majority of traffic generated by 3ve’s systems ground to a halt. In a statement, White Ops called the cooperation between tech companies like Google and law enforcement “a rather historic turning point in the history of ad fraud.”
The scale of this single operation was large enough to have a surprisingly large effect on the entire digital marketing space. At its peak, Google noted that 3ve maintained over one million IP addresses (hijacked devices), larger than the number of broadband connections in Ireland. These devices worked with over one thousand servers at datacenters to visit over ten thousand counterfeit websites to fraudulently generate over three billion ad requests every single day. While exact numbers have not been released, it’s estimated that advertises lost well into the millions of dollars as a result of this scheme.
Ad Fraud: Easy Money?
It’s easy to see why these men chose advertising fraud as their path to illicit gains: it’s extremely lucrative and hardly ever punished. The digital advertising industry is worth over a quarter of a trillion dollars, but due to the extremely limited oversight and regulation surrounding it, fraud is common, and punishment is rare. The problem is made even more complicated by the international nature of online advertising: often, just like in the case of 3ve, the companies being most harmed by the activity are on the other side of the world as those profiting from it. That means law enforcement must work across international boundaries to locate and apprehend those responsible, a process with all sorts of potential hang-ups and pitfalls.
If it continues at its current pace, advertising fraud is slated to become the second most lucrative crime on the planet by total revenue, eclipsed only by the drug trade. With so many barriers to detection and enforcement, Google has made attempts to limit fraud itself, mostly through their “ads.txt” initiative. Participating ad publishers are able to specify exactly which businesses are allowed to sell their ad inventory, making it much for difficult for fraudsters to receive that inventory and direct non-existent views toward it. But as prevention measures are rolled out, so have the criminals become more creative in their methods to evade detection.
Still, the cooperation between Silicon Valley and the Department of Justice sends a strong message that perpetrators can no longer expect to be free of penalty when their fraud is discovered, wherever on the globe they set up shop.