Ad Fraud

5 disruptive ad fraud schemes that siphoned millions of dollars

Oracle Advertising and CX


Open Mic article

This content is produced by a publishing partner of Open Mic.

Open Mic is the self-publishing platform for the marketing industry, allowing members to publish news, opinion and insights on

Find out more

January 29, 2021 | 6 min read

By: Sam Mansour, Principal Product Manager, Oracle Moat

By: Sam Mansour, Principal Product Manager, Oracle Moat

Criminals will always find glitches and compromise systems to track down ad dollars, and as a new year begins, fraudsters are upping the ante and continuing to funnel millions of dollars into their personal accounts.

According to Juniper Research, by 2023 there will be more than $100 billion in global revenue lost to ad fraud. In addition, the current global climate has likely only encouraged the surge of these sophisticated crimes. More companies are transitioning to digital environments so that workers can do their jobs from home, but criminals see this shift as an opportunity to increase the number of potential targets. Many companies struggle to detect abnormal activity since “the new normal” has changed the behaviors of a number of consumers.

Oracle and the adtech industry at large is staying ahead of these crooks and exposing several sophisticated ad fraud schemes. We’ve narrowed in on suspicious nonhuman activity using advanced invalid traffic (IVT) detection capabilities and lead the way in protecting vulnerable, emerging-format connected TV (CTV).

The following is a recap of some of Oracle Moat’s most notable recent discoveries.


Brief overview: The culprits in the StreamScam operation used vulnerabilities in CTV ad-serving technology to trick advertisers into paying for ads that were never delivered.

The fraud mechanism: The fraudsters forged household IP addresses, app IDs, and device models to make it look as if the ads were playing in digital environments, but that never happened. Oracle Moat’s technology revealed the operation by identifying the fake impressions and classifying them as invalid.

How we caught it: Our IVT team found that criminals created a network of servers that requested ads with spoofed information and sent ad-impression events to Oracle Moat and advertisers. Neither ads nor video content was sent to any users. Both advertisers and publishers were tricked by this scam.

The impact: The con cheated advertisers out of an estimated $14.5 million and stole that revenue from legitimate publishers whose apps were being spoofed.


Brief overview: Criminals used malware-infected Android phones to generate fraudulent ad impressions.

The fraud mechanism: The fraudsters were able to leverage malware-infected devices to spoof ad impressions. The botnet underwent three pivotal changes in its evolution as it tried to evade detection.

How we caught it: Our IVT team detected this threat through a series of mistakes the fraudsters left behind. These errors allowed us to develop the first round of detection. Oracle Moat also joined the effort led by Trustworthy Accountability Group (TAG) to eliminate the threat. Combining our findings with Protected Media and White Ops allowed us to take disparately reported threats and merge them into a single botnet signature.

The impact: This ad fraud botnet is estimated to have stolen more than $100 million in in-app ad spend from players across the digital ad industry over the past year.


Brief overview: Criminals used a fake URL and showed a 404 webpage so that they could siphon advertising dollars.

The fraud mechanism: The perpetrators were able to spoof URLs on popular websites by utilizing a botnet that was distributed by malware. This was first reported as a 404bot due to the originally spoofed URLs resulting in 404 errors for anyone who bothered to check. However, the scheme evolved to spoof URLs that did not result in 404 errors, if checked.

How we caught it: Oracle Moat researchers caught on to the perpetrators’ scheme. IVT researchers investigated the evolution of 404bot and pinpointed the actual proxy software distributing the malware, taking it apart in our clean room and developing customized protections.

The impact: It’s estimated that the 404bot scheme robbed advertisers of more than $15 million and wasted at least a billion video ads.

In-game advertising operation

Brief overview: In a malicious in-game advertising scheme, criminals tricked advertisers into giving away money through a popular video game.

The fraud mechanism: Often, players of various games watch paid advertising to earn virtual rewards such as currency. However, in this scheme, a bot viewed the ads instead, using real gamers’ IDs taken from public forums. Advertisers thought they were engaging gamers; instead, they were engaging a bot.

How we caught it: The bot used User Agent spoofing to make it look as if traffic came from several browsers, but Oracle Moat researchers figured out that the underlying features across all the User Agents were the same.

The impact: Compared to other schemes that milked millions, this one wasn’t as profitable.

An update on 2019’s DrainerBot

Brief overview: Although we uncovered it in 2019, in 2020 we recapped the DrainerBot ad fraud scheme with a deep-dive podcast. DrainerBot was among the first ad fraud operations to financially compromise consumers.

The fraud mechanism: The infected code consumed hidden and unseen video ads on smartphones. The owners never saw the ads. Meanwhile, the app told the ad network that the video ad appeared on a legitimate publisher site, but the site, ultimately, wasn’t real.

How we caught it: Oracle Moat and Oracle Cloud Infrastructure edge services picked up on the suspicious activity. They found that an infected SDK from Tapcore, a Dutch mobile monetization company, distributed the DrainerBot into popular Android apps.

The impact: DrainerBot infected consumers’ mobile apps using up as much as 10 gigabytes of data a month. The malicious bot drove up data charges on mobile devices, slowed the devices, and drained their batteries.

Protect your 2021 ad spend

Fraudsters will leverage channels that they know are popular so they can tap into engaged audiences and hide their devious activities among numerous real users. However, in a landscape full of risks and opportunities, IVT detection capabilities can expose and stop these fraudulent activities from wreaking havoc, and weed out the nonhuman internet traffic that’s intended to cause harm.

Ad Fraud


Industry insights

View all
Add your own content +