Skip to Content

How Russian Hackers Stole $5 Million a Day from U.S. Advertisers

Using clever bots to reinvent an old click fraud technique turned out to be lucrative.
December 21, 2016

American advertisers have been duped into paying for millions of dollars of online ad placement every day by Russian criminals armed with a network of bots.

Security research company White Ops has uncovered what it calls the “largest and most profitable ad fraud operation to strike digital advertising to date.” Hackers created an automated system for racking up ad views that was sophisticated enough for nobody to notice the problem for two months—costing advertisers as much as $180 million in the process.

The trick was simple. The criminals acted as an advertising firm, promising to host ads on sites like Fox News, ESPN, or CBS Sports. In reality, they built fake Web pages that no real person would visit. Then they used a sophisticated army of bots, known as Methbot, scattered across 500,000 different U.S. IP addresses, to view the ads.

The smart part is that those bots were programmed to be active during the daytime, appeared to be using Chrome on a Mac, and even had fake Facebook accounts. To anyone checking stats, they looked like real people. "[It] is a beautiful simulacrum of a real browser," explained White Ops CEO Michael Tiffany to CNN. "This is the kind of theft in which nothing has gone missing."

Fake traffic is bad news for advertisers, because they have to pay up without a human eye ever seeing the promotion. And in this case, it really hurt: the approach netted the hackers between $3 million and $5 million per day.

It’s by no means a new idea, of course. Hijacking ads using robotic clicks has been a problem for as long as pay-per-click advertising has been online. Way back in in 2005, New Scientist suggested that Google’s AdWords platform could be at risk from such attacks. But the latest scam is notable for its scale and smarts.

Trouble-making bots have run amok in 2016. Over the past few months, an army of Internet-connected devices has been corralled and controlled to take down large swaths of the Internet. The bad news is that, unlike the ad-scamming bots,  they’re growing in number, up for hire—and dangerous.

(Read more: White Ops, CNN, “IoT Botnets Are Growing—and Up for Hire,” “Security Experts Warn Congress That the Internet of Things Could Kill People”)

Keep Reading

Most Popular

Workers disinfect the street outside Shijiazhuang Railway Station
Workers disinfect the street outside Shijiazhuang Railway Station

Why China is still obsessed with disinfecting everything

Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

Europe's AI Act concept
Europe's AI Act concept

A quick guide to the most important AI law you’ve never heard of

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.