Charges laid over 3ve, Methbot ad fraud schemes

Eight men charged over Methbot, 3ve

Eight men from Russia, Kazakhstan and Ukraine have been charged over an alleged digital ad fraud schemes.

A 13-count indictment unsealed in a US Federal Court in Brooklyn alleges that the men “used sophisticated computer programming and infrastructure spread around the world to exploit the digital advertising industry through fraud”.

“They represented to others that they ran legitimate ad networks that delivered advertisements to real human internet users accessing real internet webpages,” the document states.

“In fact, the defendants faked both the users and the webpages: in each of the charged schemes, they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue.”

The charges relate to the Methbot ad fraud operation, first unearthed in 2016, and an operation labelled 3ve by security firm White Ops, which has been working with Google for over a year to analyse and unmask the bot-based scheme.

Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev and Dmitry Novikov face charges relating to Methbot. Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko have been charged in relation to 3ve.

Methbot allegedly reaped US$7 million in revenue, while 3ve delivered its alleged operators $29 million.

“3ve first emerged as a small bot-driven effort that subsequently grew into a large and sophisticated operation,” states a whitepaper issued by Google and White Ops.

3ve used a combination of data centre-based bots that emulated desktop and mobile browser traffic and hidden remotely controlled browsers running on malware-infected PCs.

At its peak, 3ve is believed to have generated up to 12 billion daily ad bid requests and controlled more than 1 million IP addresses — both residential botnet infections and corporate IP spaces, the whitepaper states.

The scheme had three sub-operations: 3ve.1 involved fake ad requests delivered by a network of bots running in European and US data centres. 3ve.2 used counterfeit domains to sell fake ad inventory employing a “custom-built browsing engine installed with the Kovter botnet” that was running on infected PCs. 3ve.3 used data centre-based bots but “used the IP addresses of other data centers instead of residential computers to cover its tracks”.

“3ve was typical of many ad fraud operations in that it generated revenue by selling forgeries of two major assets in high demand from advertisers: human audiences and premium publisher inventory,” states the whitepaper.

“But because 3ve was uniquely effective at counterfeiting the domains of prestigious publishers and sending droves of bots to false inventory, it was able to generate a substantial volume of fake ad bid requests.”

 Ovsyannikov, Zhukov and Timchenko have been arrested and are awaiting extradition, while the remainder are still at large.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareadvertising

More about Google

Show Comments