Click fraud occurs when fake or incentivized clicks are generated to mimic genuine user interest—like bots or click farms triggering clicks without any real engagement or intent.
In this Satori Perspective, we’ll look at how threat actors actually perform click fraud by examining three methods that Satori sees threat actors frequently employ and look at their presence in the larger cybersecurity landscape.
Why Professional Click-Fraud Operators Chase High-Payout Clicks
At the center of most large-scale click fraud schemes are professional fraud operators. These entities range from individual actors to well-resourced organizations. Threat actors engage in click fraud because it’s lucrative—while this is true for almost all forms of ad fraud, click fraud is particularly profitable. Generally, when someone views an ad, the payout is on the order of cents to tens of cents for each view which, when done at scale, can lead to significant profits for a threat actor. However, when a user actually clicks on the ad, the payout is much higher, on the order of dollars to tens of dollars per click. As you can imagine, when a threat actor abuses ads through click fraud at scale, the potential profit escalates significantly. But, how exactly do threat actors perform click fraud at a technical level?
The Tactics Powering Modern Click-Fraud
Advanced Bots
While some threat actors have historically used primitive bots to generate fraudulent clicks, we have seen an overall move towards the use of advanced bots with increased sophistication in response to improved detection capabilities across the market. These bots employ more complex detection evasion techniques, such as the use of custom TLS fingerprinting, obfuscation techniques, and residential proxy networks to conduct their attacks.
Specifically, Satori is seeing these bots combine automated clicks on ads, often designed to target competitor ads, with new technologies such as AI-enabled browsing and more sophisticated anti-fingerprinting techniques. As defenses become stronger, we’ll likely continue to see click fraud tools continue to employ techniques more often associated with advanced bots and use residential proxy networks to increase the difficulty of detection. HUMAN’s Satori Threat Intelligence team has previously published research on threat actors using malicious apps to turn devices into residential proxy nodes—check out our research on PROXYLIB, and BADBOX 2.0 (more on that later!).
Click Farms Offering Click-as-a-Service
Satori has observed criminal groups offering full or partial solutions to bypass click fraud defenses. Unlike many of the other tools, techniques, and procedures (TTPs) HUMAN observes fraudsters using to perform click fraud, click farms involve large groups of individuals employed to manually click on ads or other targets. In some cases, the human clickers are augmented by automated systems (which generate datacenter-based invalid traffic) to further boost click volumes. The result is a high-volume fraud infrastructure that entities can hire to inflate ad engagement or drain competitors’ ad budgets. Part of what makes click farming/click-as-a-service so insidious is that because the farms are made up of real humans operating real devices, differentiating between authentic, human clicks versus robotic clicks can be extremely challenging. As a result, detection becomes difficult for any product.
Phone Farm Kits and The Click Fraud Cottage Industry
Video: A seller promotes phone farm boxes, for sale via Telegram, on a popular social media platform.
Not all click farms are massive enterprises. There is a thriving cottage industry of small-scale phone farms. In these setups, individuals or small groups run dozens of devices in a scaled-down side hustle version of a click farm, often operating out of their homes, in the backrooms of legitimate businesses, or in small offices. A variety of kits and tools are available to individuals running these operations. Specialized hardware chassis that can hold and control 10-20 phone motherboards at once are marketed as “phone farm boxes” on social media sites (see above video) and sold via telegram and on international ecommerce sites (Figure 1).
Figure 1: Screenshot of phone farm boxes for sale on a popular ecommerce website.
These devices let the operator control all of the devices at once, making it easy to fraudulently create clicks in bulk on advertisements.
A lone operator might use one of these phone farms for their own click fraud purposes or might offer their farm’s output for hire. Essentially, a motivated individual with a $1,000 kit can effectively become a click-as-a-service provider on a modest scale. And, compared to large-scale click farms, the lower, slower volume of fake clicks can make detection more difficult.
Bots-as-a-Service Platforms
Some threat actors also offer bots-as-a-service for click fraud, renting out automated click bots with simple user interfaces via online platforms. These services mimic legitimate software-as-a-service offerings: they have polished websites and dashboards, self-service subscription pricing plans, and customer support. One such service offers a one-month package for roughly $300, with discounts for multi-month commitments. Certain platforms even advertise the ability to “drain your competitors’ ad budget automatically.”(Figure 2)
Figure 2: A website styled like a typical B2B SaaS company offers click-fraud-as-a-service.
The operators of these platforms essentially package sophisticated botnets into a rental service, lowering the barrier for other criminals (or unethical advertisers) to conduct on-demand click fraud. Many of these botnets are powered by fleets of compromised or low-cost mobile devices, as we will discuss in the next section.
Mobile Web Click Fraud
During our BADBOX 2.0 investigation, click fraud was a major component of the sophisticated, large-scale attack uncovered by HUMAN in 2025. At the core of BADBOX 2.0 were Android Open Source Project devices, such as TV boxes, lower-end tablets, phones, and projectors, containing one of several versions of a backdoor that allowed the threat actor to deploy different fraudulent modules, among them, those to conduct ad fraud. The BADBOX 2.0 botnet comprised one million Android devices that allowed the threat actors to conduct this ad fraud at scale. We found that the devices visited a set of domains owned by a threat actor behind BADBOX 2.0 for the sole purpose of clicking on and viewing the ads hosted there. Here, the malware behind the attack used Hidden WebViews in order to conduct fraud without the user’s awareness.
The Future of Click Fraud
Click fraud persists not just because it is technically feasible, but because it is profitable. An overarching theme in the evolution of click fraud TTPs is the increase in sophistication employed to help threat actors evade detections as they improve. Because click fraud presents such a lucrative opportunity for cybercriminals, it will continue to be a key facet of ad fraud campaigns. However, we can expect that the way in which they conduct this type of fraud will change, so it’s critical to ensure that we protect digital advertising from the most current threats. Which is why we’ve recently launched our latest solution to combat this very topic, with Ad Click Defense.
When you partner with HUMAN, you get more than just our products—you also gain access to our Satori Threat Intelligence team. This specialized team continuously monitors emerging threats and enhances our solutions’ ability to protect your digital assets, ensuring you stay ahead of the latest attack methods. To learn more about how HUMAN can protect your organization, we invite you to schedule a call with our team so you can see firsthand how our Ad Click Defense solution can safeguard your platform revenue by detecting invalid clicks in real-time.
This post is part of our Satori Perspectives series, where HUMAN’s threat researchers share timely insights into the tools, tactics, and procedures shaping the threat landscape.
Explore more research and intelligence from the Satori team here.