5 disruptive ad fraud schemes that siphoned millions of dollars (and how we caught them)

December 1, 2021 | 5 minute read
Sam Mansour
Principal Product Manager for Moat Analytics
Text Size 100%:

Oracle Moat discovers disruptive ad fraud schemesA version of this article was originally published on The Drum.

According to Juniper Research, by 2023, there will be more than $100 billion in global revenue lost to ad fraud. The current global climate has likely only encouraged the surge of these sophisticated crimes.

More companies have been transitioning to digital environments so that workers can do their jobs from home. However, this shift that has been so beneficial to employees increases the number of potential targets for criminal ad fraud. Many companies struggle to detect abnormal activity since “the new normal” has changed the behaviors of people online.

Oracle Moat is staying ahead of these crooks by exposing several sophisticated ad fraud schemes. We’ve narrowed in on suspicious nonhuman activity using advanced invalid traffic (IVT) detection capabilities and lead the way in protecting the vulnerable, emerging-format connected TV (CTV).

The following is a recap of some of Oracle Moat’s most notable discoveries.

1. StreamScam

The scam

The culprits in the StreamScam operation used vulnerabilities in CTV ad-serving technology to trick advertisers into paying for ads that were never delivered.

How the scam worked

The fraudsters forged household IP addresses, app IDs, and device models to make it look as if the ads were playing in digital environments, but that never happened. Oracle Moat’s technology revealed the operation by identifying the fake impressions and classifying them as invalid.

The impact of the StreamScam fraud

The con cheated advertisers out of an estimated $14.5 million and stole that revenue from legitimate publishers whose apps were being spoofed.

How we caught it

Our IVT team found that criminals created a network of servers that requested ads with spoofed information and sent ad-impression events to Oracle Moat and advertisers. Neither ads nor videos were served to any users. Both advertisers and publishers were tricked by this scam.

2. Hydra and Terracotta

The scams

Criminals used malware-infected Android phones to generate fraudulent ad impressions.

How the scam worked

The fraudsters were able to leverage malware-infected devices to spoof ad impressions. The botnet underwent three pivotal changes in its evolution as it tried to evade detection.

The impact of the Hydra and Terracotta frauds

These ad fraud botnets are estimated to have stolen more than $100 million in in-app ad spend from players across the digital ad industry over the past year.

How we caught it

Our IVT team detected this threat through a series of mistakes the fraudsters left behind. These errors allowed us to develop the first round of detection. Oracle Moat also joined the effort led by Trustworthy Accountability Group (TAG) to eliminate the threat. Combining our findings with Protected Media and White Ops allowed us to take disparately reported threats and merge them into a single botnet signature.

3. 404bot

The scam

Criminals used a fake URL and showed a 404 webpage so that they could siphon advertising dollars.

How the scam worked

The perpetrators were able to spoof URLs on popular websites by utilizing a botnet that was distributed by malware. This was first reported as a 404bot due to the originally spoofed URLs resulting in 404 errors for anyone who bothered to check. However, the scheme evolved to spoof URLs that did not result in 404 errors, if checked.

The impact of the 404bot scam

It’s estimated that the 404bot scheme robbed advertisers of more than $15 million and wasted at least a billion video ads.

How we caught it

Oracle Moat researchers caught on to the perpetrators’ scheme. IVT researchers investigated the evolution of 404bot and pinpointed the actual proxy software distributing the malware, taking it apart in our clean room and developing customized protections.

4. In-game advertising operations

The scam

In a malicious in-game advertising scheme, criminals tricked advertisers into giving away money through a popular video game.

How the scam worked

Often, players of various games watch paid advertising to earn virtual rewards such as currency. However, in this scheme, a bot viewed the ads instead, using real gamers’ IDs taken from public forums. Advertisers thought they were engaging gamers; instead, they were engaging a bot.

The impact of in-game advertising ad fraud

Compared to other schemes that milked millions, this one wasn’t as profitable.

How we caught it

The bot used User Agent spoofing to make it look as if traffic came from several browsers, but Oracle Moat researchers figured out that the underlying features across all the User Agents were the same.

5. An update on 2019’s DrainerBot

The scam

Although we uncovered it in 2019, in 2020, we recapped the DrainerBot ad fraud scheme with a deep-dive podcast. DrainerBot was among the first ad fraud operations to financially compromise consumers.

How it worked

The infected code consumed hidden and unseen video ads on smartphones. The owners never saw the ads. Meanwhile, the app told the ad network that the video ad appeared on a legitimate publisher site, but the site, ultimately, wasn’t real.

Impact of the DrainerBot scam

DrainerBot infected consumers’ mobile apps using up as much as 10 gigabytes of data a month. The malicious bot drove up data charges on mobile devices, slowed the devices, and drained their batteries.

How we caught it

Oracle Moat and Oracle Cloud Infrastructure edge services picked up on the suspicious activity. They found that an infected SDK from Tapcore, a Dutch mobile monetization company, distributed the DrainerBot into popular Android apps.

Protect your future ad spend

Fraudsters will leverage channels they know are popular so they can tap into engaged audiences and hide their devious activities among real users. However, in a landscape full of risks and opportunities, IVT detection capabilities can expose and stop these fraudsters from wreaking havoc, and weed out the nonhuman traffic that’s intended to cause harm.


Want to learn more about how Oracle Moat can help you maximize ad spend and digital performance with measurement you can trust? Visit our website or schedule a demo today.

To hear more about how Server-Side Ad Insertion (SSAI) servers are used to spoof users, devices, and apps and the road to Oracle Moat's StreamScam discovery, watch the replay of "StreamScam Exposed: How Oracle Moat Uncovered CTV's Largest Ad-Fraud Scheme."

Sam Mansour

Principal Product Manager for Moat Analytics

Sam Mansour is Principal Product Manager for Moat Analytics. Moat provides an ad verification platform for brands, agencies, publishers and technology platforms to measure and optimize their advertising. With a history of developing cutting edge ad products for both the advertiser and publisher sides of the ecosystem, Sam is well versed in the tools and technologies of the trade. He applies his experience to his focus on General and Sophisticated Invalid Traffic (IVT) detection at Moat.

Previous Post

The Pulse: Holiday shopping, the resurgence of travel, ad fraud, and more

Oracle Advertising | 2 min read

Next Post

Is the advertising industry growing or declining?

Karma Bennett | 6 min read