Just announced: HUMAN’s Satori Threat Intelligence and Research team has disrupted a cunning mobile advertising fraud campaign dubbed Konfety.

How to Request 3ve IPs – Indicators of Compromise


3ve evaded detection by falsely representing millions of IP addresses of unsuspecting real people, churning tens of thousands of those addresses daily and building sophisticated measures for avoiding third party verification tags. As a result, any attempt to retroactively estimate the revenue impact of 3ve will have significant inaccuracies and inconsistencies.

1. 3ve infected IPs where human and bot activity could have occurred simultaneously at any given time. The average duration of an infection is unknown.

2. 3ve demonstrated high frequency IP churn, 30-40k new IPs per day at its peak. This resulted in a continuously moving fraud surface where machines could have invalid 3ve activity one day and valid human activity the next.

3. 3ve skillfully administered tag evasion - the act of suppressing third party verification calls while making ad requests. The commonly collected supporting indicators to measure invalid traffic may not be available for this traffic in historical logs of various platforms.

White Ops will provide a list of IP addresses used by 3ve to serve as indicators that some invalid activity may have been present during the last two months before it was shut down. Our goal in sharing these addresses is to provide empirical evidence of the operation and so that it may be used by security researchers seeking to thwart future operations like 3ve.

If you are interested in receiving IPs associated with 3ve, please email 3ve@whiteops.com, specifying your name and company as part of the request.