An Inside Look at 3ve

Note: At the time of publication, HUMAN was named White Ops. 

This post is an excerpt from "The Hunt for 3ve," co-authored by White Ops and Google. 

Every year brings new levels of sophistication and innovation in cybercrime, and the last year was no exception.

Over the course of 2018, we investigated one of the most complex and sophisticated ad fraud operations we have seen to date. We named this operation “3ve” (pronounced “Eve”), and we’re sharing what we’ve learned from our investigation into its activity with the broader community to promote collaboration in the ongoing fight against cybercrime. These efforts demonstrate how effective cooperation and collaboration across the digital advertising industry can be in curbing ad fraud.

3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right. Shortly after we began to identify the massive infrastructure (comprised of thousands of servers across many data centers) used to host 3ve’s operation, we found similar activity happening within a network of malware-infected residential computers. These diversified tactics and siloed operations made 3ve’s operators harder to identify than previous operations we’d encountered, and also allowed the larger fraud enterprise to continue when one aspect of it was disrupted. Through its varied and complex machinery, 3ve generated billions of fraudulent ad bid requests (i.e., ad spaces on web pages that advertisers can bid to purchase in an automated way).

3ve’s size and tactics are considerable for an ad fraud operation, but the fact that fraudsters dedicate their time and effort to developing complex ad fraud schemes is hardly a surprise. Ad fraud has been an attractive cybercrime due to its lucrative returns and relatively low risk. The primary risk for most fraudsters has been having their operation discovered and shut down. While that can cost fraudsters thousands – and sometimes millions – of dollars in illicit profits, the prospect of purely financial losses has not effectively deterred fraudsters from simply starting another operation.

Today marks the culmination of a collaborative effort that enabled us to more thoroughly confront and dismantle 3ve. We referred our findings to law enforcement, and today the U.S. Department of Justice announced criminal charges tied to 3ve’s operations. What followed was a collaborative and coordinated effort by both law enforcement and various companies across industries, including ad tech, cyber security, and Internet service providers, to disable the infrastructure and sinkhole botnet command and control servers. The result so far has rendered the operation’s botnets unable to continue to drive fraudulent ad traffic. Protecting the many targets – including our customers – of an operation like 3ve in the context of a multi-stakeholder working group required patience, dedication, diligence, and endurance. Our core objectives were to detect and prevent this fraud on behalf of our customers and Internet users, and to cut this operation off from its sources of profit.

While ad fraud continues to represent a challenge to the advertising industry, the action taken today demonstrates that it is a risky activity with potentially serious consequences for fraudsters. And our efforts won’t stop here — we’re confident that the industry-wide movement to protect the integrity of the digital advertising economy will continue on.

Tamer Hassan Co-Founder & CTO, White Ops

Per Bjorke Senior Product Manager, Google