The dismantling of 3ve was a big win for everyone in the digital advertising ecosystem. This is the first-time consequences of this magnitude were brought to bear on cybercriminals who chose to perpetrate online ad fraud. The industry came together to hold these operators accountable.
The Alliance that Brought Down 3ve
The untold story behind the hunting and dismantling of 3ve is as remarkable as the announcement itself. When we saw the first signs of what ultimately became 3ve, it looked like any low-to-modestly-sized bot fraud operation. We proactively deployed countermeasures to protect our customers and Internet users.
As we continued to investigate further, it became clear that the degree of complexity and sophistication exhibited by 3ve was unlike anything we had seen before. 3ve felt like an ever-evasive, ever-shifting chameleon, ingenious in the ways it spread, the ways it camouflaged its bots as humans, the way it covered its own tracks (to learn more about the scale and sophistication of 3ve, please read our white paper: The Hunt for 3ve).
Due to 3ve’s aggressive and dynamic nature, mere blacklisting and blocking 3ve traffic would not have been sufficient to neutralize the adversary. 3ve was capable of thwarting the integrity of the entire ecosystem. We needed a more permanent solution to dismantle it and prevent its return.
To take down the largest ad fraud operation in history, an alliance was created that was equally historic.
Nearly 20 global companies, including global platforms, global ISPs, antivirus companies, global backbone providers and law enforcement came together to form an investigative coalition. Companies that traditionally compete with each other put aside their individual agendas for the common good. We all worked diligently and quietly to identify 3ve’s global infrastructure and operations without its operators getting a whiff that their cover was blown. The day that the coordinated takedown of 3ve’s largest sub-operation began, its activities dwindled down to near-zero levels within 18 hours.
When I think about how the world’s leading platforms worked endlessly and covertly to defeat 3ve, I am reminded of my favorite phrase from Michael Tiffany (a White Ops co-founder): “Never underestimate the power of a silent alarm.”
The industry stood united in taking down the most sophisticated ad fraud operation to date. The great alliance of unity.
On behalf of White Ops, I want to convey our sincere gratitude and appreciation to everyone involved with this takedown effort.
Focusing on the War, Not the Battle
Why spend time and energy trying to quietly dismantle 3ve’s operations? Why spend the effort on apprehending the operators? Isn’t it easier to merely “out” the bot fraud when you find it?
Yes, exposing fraud on the spot as soon as it was discovered would indeed have been a more convenient choice, but 3ve’s sophistication, speed and scale required something more. 3ve was capable of inducing instability and distrust on a scale that reverberated through the entire online advertising ecosystem and beyond. Merely exposing the operation would have been a tempting – but purely temporary – victory, as long as the syndicate that masterminded the apparatus was not held accountable.
We’ve all seen the pattern before: Bot fraud is exposed, everyone celebrates the “victory” and the operators immediately go underground, regroup, retool and destroy any shred of evidence along the way. The operators inevitably come back with a vengeance, setting up a next-gen operation that’s bigger, better, smarter and stronger. The proverbial game of Whack-a-Mole.
3ve required a lasting solution, not a transient one. We played the long game.
The idea of lasting consequences is not new to White Ops. We believe online fraud can be defeated through three actions: making fraud less profitable, increasing the costs of building (and rebuilding) a fraud apparatus and elevating the risks for perpetrators through real consequences. Instead of simply taking tools away from the operators, why not take the operators away from the tools once and for all?
With 3ve, we not only shut down and cleaned up key parts of 3ve’s infrastructure -- we also helped catch the bad actors in the act to hold them accountable. Dismantling 3ve completely, both its operations along with its operators, will hopefully serve as a significant deterrent for the next batch of cybercriminals looking to run an at-scale ad fraud operation.
The Force that Binds Us All
The fall of 3ve is an important milestone for businesses because these bots stole from marketers and robbed the publishers who provide the content we love (often for free). There is a strong downstream effect, as well; every dollar obtained through cybercrime only helps to breed smarter, more sophisticated attacks. When we as an industry take down such operations, we curtail the flow of capital that funds future black hat R&D and new, perhaps more sinister innovations.
This struggle is central to the future well-being of the Internet. The Internet is the force that binds us all. It connects us, educates us and moves us all forward. Bots erode the trust and safety of an open Internet that billions of humans rely on. Bots can steal our identities, manipulate any metric, pollute any action and skew any algorithm. When we stop trusting what is on the other side of any interaction, transaction or authentication, the very idea of the Internet gets distorted. And when that happens, our Internet loses. Theirs wins.
We can’t let that happen. We have a moral obligation to hand off a safe and trustable Internet to our children, so they can experience the same magic we experienced. As Dan Kaminsky (a White Ops co-founder) says, “We can have the Internet that's good for bots or we can have the Internet that's good for people. We choose people."
3ve built the Internet infrastructure that was good for bots. It was the first and the largest bot operation of its kind, and it won’t be the last. It threatened the very integrity of our industry.
Until it didn’t.
This is why White Ops focuses on the long game.