MethBot advertising fraud campaign is making up to $5M Revenue per Day

Pierluigi Paganini December 21, 2016

A criminal gang dubbed AFT13 is making between $3 Million to $5 Million per day from US and media companies in biggest advertising fraud ever dubbed Methbot

This is a case study, a criminal gang dubbed AFT13 is making between $3 Million to $5 Million per day from US and media companies in biggest advertising fraud ever.

Experts from the online fraud-prevention firm White Ops who discovered the Ad fraud campaign dubbed it as Methbot. The structure implemented by the criminal organization is able to generate more than 300 Million fraudulent video ad impressions every day.

What is Methbot?

“Controlled by a single group based in Russia and operating out of data centers in the US and Netherlands, this “bot farm” generates $3 to $5 million in fraudulent revenue per day by targeting the premium video advertising ecosystem. We continue to detect and block fraudulent activity generated by Methbot on behalf of all of our customers.” states the report published by White Op.

The AFT13 gang has built an army of automated browsers that spoof fraudulently acquired IP addresses that is able to “watch” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory.

“More than 6,000 premium domains were targeted and spoofed, enabling the operation to attract millions in real advertising dollars.” states the report.

According to the researchers, the criminal organization has registered more than 6,000 domains and 250,267 distinct URLs impersonating major brands and high-profile websites like Vogue, CBS Sports, Fox News and the Huffington Post, and selling fake video ad slots.

White Ops spotted the fraudulent activity associated to Methbot last year in September, but in October 2016 they observed a significant increase of their activities.

The gang seems to have Russian origin and used servers hosted in Texas and Amsterdam to power more than 570,000 bots with forged IP addresses.

Below a Snapshot of the Methbot Operation:

The cyber criminals used a sort of inventory of video-ad to display to its fake media websites for money, with this simple mechanism it was fooling the ad marketplace into thinking that ad content it was proposing was being watched by legitimate website visitors.

The video ads were viewed by Methbot bots, the software was developed to mimic a user interaction while watching ads (i.e. social network login information and mouse movements).

“Since both human audiences and premium publisher inventory are in high demand, Methbot focuses on manufacturing both of these as its product. By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory, Methbot is able to siphon away millions in real advertising dollars.” continues the report.


The Methbot bots watched as many as 300 Million ads per day, with an average payout of $13.04 per 1000 faked views for each compromised IP address, and they used 570,000 compromised IP addresses.

White Ops generates between $3 Million and $5 Million in revenue every 24 hours.

White Ops reported its findings to the FBI and it is supporting authorities during the investigation.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  cybercrime, Methbot)

you might also like

leave a comment