White Ops security researchers have exposed the most profitable and advanced ad fraud operation ever seen by the industry. Dubbed “The Methbot Operation” after references to “meth” in the code of the bot itself, a group of operators has siphoned off as much as $180 million from major U.S. media companies and brand advertisers.

Controlled by a single group based in Russia and operating out of data centers in the US and Netherlands, this “bot farm” generates $3 to $5 million in fraudulent revenue per day by targeting the premium video advertising ecosystem, according to cyber security firm White Ops.

They’re doing it by posing as premium brands that you know:  NFL, Fox Sports, Huffington Post, ESPN, Vogue, The Economist, CBS News, Fox News, Oprah, BBC, Food Network, National Geographic, USA Today, ABC Mouse, CNN, ABC, Slate, NBC, Time, AOL… and on and on…
List of sites here


6,111 domains, drawn from the most popular sites on the web, have been victimized this way, according to the report. Unlike typical ad fraud bots that rely on infected residential computers and standard embedded web browser engines, Methbot creates enormous scale by operating hundreds of servers from data centers in the U.S. and Amsterdam and employs a custom-written web browser to reduce the likelihood of detection.

“Methbot is a game changer in ad fraud,” said Michael Tiffany, co-founder and CEO of White Ops.

How big is it? 

Bob Hoffman points out on his Ad Contrarian blog, that the total US income from online video advertising is roughly $7 billion dollars.  Methbot may be responsible for stealing more than $1 billion in annualized ad spend a year from fraudulent online video ads.

The operation has dramatic costs for both advertisers and publishers and abuses a variety of infrastructure providers by offering fraudulent web page visits and ad impressions by convincingly posing as more than 6,000 top Websites.

The Methbot Operation has been targeting premium programmatic video inventory, generating as much as 200-300 million non-human impressions per day. In a unique twist, these impressions appear for sale on programmatic advertising markets as premium ad spots on name brand websites.

“Methbot elevates ad fraud to a whole new level of sophistication and scale. The most expensive advertising on the Internet is full-sized video ads, on name brand sites, shown to users who are logged into social media and who show signs of ‘engagement.’ The Russian operators behind Methbot targeted the most profitable ad categories and publishers. They built their infrastructure and tools and compromised key pieces of architectural Internet systems to maximize their haul.” – Michael Tiffany, co-founder and CEO of White Ops

The Methbot Operation is unprecedented in scale economically due not only to its cultivation of dedicated infrastructure, but also because of the levels to which its operators have studied and gamed the entire value chain across digital advertising and trusted Internet practices.

“… the Methbot operators have worked hard to seem legitimate at every level and to ensure unparalleled levels of control, ownership and resiliency/durability.” – Tamer Hassan, co-founder and CTO of White Ops

Here’s where it gets technical.  The White Ops teams says the group is using a network of proxies running on 571,904 unique IP addresses, camouflaging the traffic to seem legitimate by falsifying IP registrations to impersonate large ISPs including Verizon, Comcast, AT&T, Cox, CenturyLink, TWC and others. For comparison, Facebook currently operates with approximately 270,000 IPv4 addresses. Feeding false information to geolocation information providers. Spoofing the data collected by viewability measurement providers, including video time watched and engagement actions like mouse movements.

“This particular attack highlights the massive scale of the fraudsters and their growing sophistication.” – Mike Zaneis, CEO of the Trustworthy Accountability Group (TAG).

Read the full Methbot Operation report