Satori Threat Intelligence Alert: Low5 Apps and Domains Launder Multiple Ad Fraud Schemes

Satori Threat Intelligence and Research Team

March 12, 2026

Ad Fraud, Research & Detection, Threat Intelligence

Researchers: Louisa Abel, Nico Agnese, João Marques, Vikas Parthasarathy, João Santos, Christian Segarra, Adam Sell, Mikhail Venkov

IVT Taxonomy: False Representation, Manipulated Behavior, Automated Browsing

HUMAN’s Satori Threat Intelligence and Research Team has identified a collection of more than 3,000 domains and 63 Android apps that together comprise one of the largest ad fraud laundering marketplaces ever uncovered. This operation, dubbed Low5 for its use of HTML5-based game and news sites, monetizes these threat actor-owned domains as cashout sites for multiple complex fraud schemes, including last year’s BADBOX 2.0. The operation peaked at roughly 2 billion bid requests a day and may have operated on as many as 40 million devices* worldwide.

(* a “device” is defined by “device ID”, a unique and anonymous identifier used for advertising purposes, and which changes periodically)

Geographic distribution of traffic associated with the Low5 operation

Apps associated with Low5 include code that instructs user devices to visit one of the domains connected with the scheme and click on ads found there. Researchers have reported the Low5-associated apps to Google’s Play Store, and several of the apps have been removed from the marketplace. Customers partnering with HUMAN for Ad Fraud Defense and Ad Click Defense are protected from Low5.

Low5 Overview

Monetizing fraud is a complex proposition; it’s the publisher who benefits when an ad is viewed, not the fraudster. A bot visiting a publisher’s site doesn’t make any money for the fraudster unless the fraudster also owns the publisher. That’s what cashout domains are: websites owned by threat actors that act as publishers in the supply chain. Fraudsters direct their bots (or, in some sophisticated operations, human-operated devices with apps running out of sight) to visit these cashout domains to view or click on ads, funneling money into the fraudsters’ accounts. It’s a similar setup to money laundering schemes in the movies, using a legitimate business (in this case, a website with real ad modules in the supply chain) to turn malicious activity into cash. 

Historically, many cashout domains identified by HUMAN researchers have been relatively unsophisticated, often consisting of pages densely populated with ads or templated articles surrounded by numerous ad placements. Over the years, these domains have become significantly more sophisticated. The Scallywag operation, for example, consisted of malicious WordPress extensions that monetized digital piracy through intermediary cashout sites packed with ads.

Cashout-as-a-Service: Domains for Hire

The Low5 scheme hinges on a network of more than 3,000 domains used as cashout sites for a variety of ad fraud operations. Most of the cashout sites are HTML5 game pages that look something like the below:

Example of a cashout site associated with the Low5 operation

Games hosted on cashout sites like these are playable, but they are not original. Instead, they are pulled directly from other publishers, primarily free online gaming platforms. These cashout sites function more as aggregation layers than as legitimate publishers. Before gameplay begins, players are often required to watch a 30-second ad.

All of the cashout sites associated with Low5 are built from just a few dozen templates. Although each game has its own site with a unique domain name—often ending in .top, .today, or .cloud—the content across the sites is nearly identical.

Each of these images comes from a different domain, but the content and format are nearly identical.

Not all of the cashout domains hosted HTML5 games; some hosted low-quality articles instead. The type of content on the cashout site, however, is irrelevant: these sites exist to provide a ready-made monetization layer, with advertising integrations already embedded, that threat actors can call upon for a cashout mechanism. 
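The point above (a few dozen templates behind thousands of domains, with only the text swapped out) suggests a defender-side check: fingerprint each page's tag skeleton rather than its text and group domains whose skeletons are near-identical. The following is an added example and not code from HUMAN or the Low5 investigation; the domain names and HTML pages in it are constructed stand-ins, and the 3-shingle Jaccard threshold of 0.9 is an assumed tuning value.

```python
"""Cluster domains by page-template fingerprint (added example, constructed sample data)."""
from collections import defaultdict
from html.parser import HTMLParser
from itertools import combinations


class _SkeletonParser(HTMLParser):
    """Collect the structural skeleton of a page: tag names plus id/class markers, text dropped."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        marker = tag
        for key in ("id", "class"):  # structure-bearing attributes only; src/href vary per game
            if key in attrs:
                marker += f"[{key}={attrs[key]}]"
        self.tokens.append(marker)

    def handle_endtag(self, tag):
        self.tokens.append("/" + tag)


def skeleton(html: str) -> list:
    parser = _SkeletonParser()
    parser.feed(html)
    return parser.tokens


def shingles(tokens: list, k: int = 3) -> set:
    """k-grams over the tag skeleton; order-sensitive, so swapped text does not change them."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def page_similarity(html_a: str, html_b: str) -> float:
    return jaccard(shingles(skeleton(html_a)), shingles(skeleton(html_b)))


def cluster_domains(pages: dict, threshold: float = 0.9) -> list:
    """pages: domain -> HTML. Single-linkage clusters of domains whose skeletons are >= threshold similar,
    returned largest-first so template farms surface at the top."""
    fps = {d: shingles(skeleton(h)) for d, h in pages.items()}
    parent = {d: d for d in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(pages, 2):
        if jaccard(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


# Constructed sample: one HTML5-game template reused under three domains, plus an unrelated article page.
_GAME_TEMPLATE = """<html><head><title>{title}</title></head>
<body><div class="wrap"><h1>{title}</h1>
<div class="ad-slot" id="pre-roll"></div>
<iframe class="game-frame" src="{src}"></iframe>
<div class="ad-slot" id="sidebar"></div>
<p>{blurb}</p></div></body></html>"""

SAMPLE_PAGES = {
    "bubble-pop.example": _GAME_TEMPLATE.format(title="Bubble Pop", src="/g/bubble", blurb="Pop bubbles."),
    "tower-run.example": _GAME_TEMPLATE.format(title="Tower Run", src="/g/tower", blurb="Run up the tower."),
    "card-flip.example": _GAME_TEMPLATE.format(title="Card Flip", src="/g/cards", blurb="Match the cards."),
    "daily-wire.example": """<html><head><title>Article</title></head><body><article><h2>Headline</h2>
<p>one</p><p>two</p><p>three</p><ul><li>x</li></ul></article></body></html>""",
}


def suspicious_clusters(pages: dict, min_size: int = 3, threshold: float = 0.9) -> list:
    """Clusters large enough to warrant review as a possible template farm."""
    return [c for c in cluster_domains(pages, threshold) if len(c) >= min_size]


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_PAGES):
        print(len(cluster), cluster)
```

Because the fingerprint keeps only tags, ids and classes, rotating game titles, iframe sources or blurbs across domains does not break the grouping; what the operator would have to change to evade it is the template itself, which is exactly the thing they are reusing for economy.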

When presented under a gaming or news-related domain name, these sites appear legitimate enough to avoid immediate scrutiny from advertisers. In effect, it is a perfect monetization marketplace, one that multiple fraudsters have been able to replicate and use.

Diagram of the Low5 Threat

Threats Cashing Out Via Low5

Traditionally, cashout domains were used by a single threat actor or operation. Low5 breaks that pattern: researchers have observed multiple distinct threats using these cashout domains. Over time, there has emerged a trend of threat actors developing and releasing large clusters of apps in quick succession, potentially using AI to accelerate publication. 

These apps frequently monetize through networks of cashout domains, often in the style of the HTML5 gaming sites connected to this operation. Our 2025 SlopAds investigation uncovered similar patterns, serving as another example of this type of fraud. Across multiple threat cases, apps include code to parse pages and click on ads.

Low5 Apps

Researchers have identified a collection of 63 Android apps monetizing through these cashout domains:

In addition to the technical anomalies detected in these apps, many have between 1,000 and 1 million downloads in the Play Store with no reviews, as shown below. It is likely these apps have no legitimate users.

Play Store listing for a Low5-associated app. Notice the number of downloads with no reviews.

BADBOX 2.0

Low5-associated domains also surfaced during researchers’ continued investigation into BADBOX 2.0. Researchers believe some BADBOX 2.0-infected devices are currently monetizing through these domains. Many infected devices are in consumers’ homes, yet are controlled by an external threat actor, allowing the threat actor to generate ad fraud without a user’s knowledge, conduct numerous other fraud schemes, and do so with the device’s IP address.

Low5’s Scale & Mitigation

At its peak, Low5 domains and the apps that used them generated roughly 2 billion bid requests per day. To date, researchers have uncovered 3,000 domains associated with this scheme, but the scheme may continue to grow as associated apps and domains become ineffective tools for the threat actors (after being taken down from app marketplaces or blocked by protections like HUMAN’s) and new apps and domains are spun up.

A chart of bid requests associated with the Low5 operation. HUMAN’s mitigations resulted in a dramatic decrease in the number of bid requests.

To protect customers from these threats, HUMAN deploys protections that target both the overall cashout domains and the individual threats that use them. A key strength of HUMAN’s approach is collective protection: having data at different points in the programmatic supply chains, from a variety of players in the industry, enables us to not only protect against individual attacks like malicious apps and compromised CTV devices, but to see the whole picture of how they’re monetized. 

By leveraging the largest and most sophisticated bot detection network globally, HUMAN gains unparalleled visibility into threats and can determine the validity of the full SupplyChain Object based on the analysis of these nodes. This allows us to implement mitigations against not just the apps and infected devices, but also the domains they use to generate revenue, cutting the supply off at the source.

A shared monetization layer spanning more than 3,000 domains allows multiple threat actors to plug into the same infrastructure, creating a distributed laundering system that increases threat resilience, complicates attribution, and enables rapid replication.

When fraudulent activity is routed through legitimate-looking domains, it can distort performance metrics, influence optimization algorithms, and contaminate measurement models. SIVT designed to mimic human behavior makes detection harder and reduces the reliability of surface-level signals in the bidstream.

A key takeaway from this research is that monetization infrastructure can survive even after a specific fraud campaign is shut down. If one malicious app or device network is removed, the same cashout domains can still be reused by other actors. Low5 reinforces the need for continuous, aggressive threat intelligence and detection expertise to hunt down cashout domains and flag them pre-bid.

Finally, Low5 highlights the value of post-bid visibility. Analyzing impressions as they occur, collecting device, network, and behavioral signals beyond what is declared in the bid request allows HUMAN to assess the true quality of the traffic and identify sophisticated invalid activity.

In this case, HUMAN’s Advertising Protection detected apps opening WebViews to load cashout domains, even when bid requests claimed the impressions were served directly on those domains. By looking beyond reported inventory and validating what is actually happening at the impression level, Advertising Protection helps protect customers from complex fraud schemes like Low5.
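The mismatch described here, a bid request declaring web inventory while the impression actually renders inside an app's WebView, can be checked mechanically by joining declared OpenRTB fields against post-bid render telemetry. The code below is an added example, not HUMAN's detection logic; the record shapes, the `observed_context`/`observed_package` telemetry fields and the sample bids and impressions are all constructed for illustration, and only `site.domain`, `site.page` and `app.bundle` correspond to real OpenRTB fields.

```python
"""Reconcile declared inventory with observed render context (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class BidRequest:
    request_id: str
    site_domain: Optional[str]  # OpenRTB site.domain: set when inventory is declared as a web page
    site_page: Optional[str]    # OpenRTB site.page
    app_bundle: Optional[str]   # OpenRTB app.bundle: set when inventory is declared as in-app


@dataclass
class Impression:
    request_id: str
    observed_context: str            # assumed telemetry: "browser" or "webview"
    observed_package: Optional[str]  # assumed telemetry: app package hosting the render, None in a browser
    observed_host: str               # assumed telemetry: host actually loaded at render time


def _host_matches(observed: str, declared: str) -> bool:
    return observed == declared or observed.endswith("." + declared)


def reconcile(bid: BidRequest, imp: Impression) -> list:
    """Return a list of finding labels; empty means declared and observed inventory agree."""
    findings = []
    declared_web = bid.site_domain is not None and bid.app_bundle is None
    # The Low5 pattern: inventory declared as a web page but rendered by an app's WebView.
    if declared_web and imp.observed_context == "webview":
        findings.append("declared-web-rendered-in-app-webview")
    if declared_web and imp.observed_host and not _host_matches(imp.observed_host, bid.site_domain):
        findings.append("observed-host-differs-from-declared-domain")
    # In-app inventory declared honestly is fine, but the rendering package must match the bundle.
    if bid.app_bundle and imp.observed_package and imp.observed_package != bid.app_bundle:
        findings.append("app-bundle-mismatch")
    return findings


def run(bids: list, imps: list) -> dict:
    """Join bids to impressions by request id; map each flagged id to (observed_package, findings)."""
    by_id = {i.request_id: i for i in imps}
    report = {}
    for bid in bids:
        imp = by_id.get(bid.request_id)
        if imp is None:
            continue  # no post-bid visibility for this request
        findings = reconcile(bid, imp)
        if findings:
            report[bid.request_id] = (imp.observed_package, findings)
    return report


def packages_by_mismatch(report: dict) -> Counter:
    """Which apps keep showing up behind misrepresented inventory: candidates for deeper review."""
    return Counter(pkg for pkg, _ in report.values() if pkg)


# Constructed sample: two honest records and two where an app's WebView hides behind a web declaration.
SAMPLE_BIDS = [
    BidRequest("r1", "h5games.example", "https://h5games.example/play/bubble", None),
    BidRequest("r2", "h5games.example", "https://h5games.example/play/tower", None),
    BidRequest("r3", None, None, "com.example.newsreader"),
    BidRequest("r4", "daily-wire.example", "https://daily-wire.example/story/1", None),
]
SAMPLE_IMPS = [
    Impression("r1", "webview", "com.example.puzzlebox", "h5games.example"),
    Impression("r2", "browser", None, "h5games.example"),
    Impression("r3", "webview", "com.example.newsreader", "news.example"),
    Impression("r4", "webview", "com.example.puzzlebox", "card-flip.example"),
]

if __name__ == "__main__":
    report = run(SAMPLE_BIDS, SAMPLE_IMPS)
    for rid, (pkg, findings) in report.items():
        print(rid, pkg, findings)
    print(packages_by_mismatch(report))
```

The per-package tally is the useful output for a defender: a single mismatched impression can be noise, but one package repeatedly rendering inventory declared as someone else's website is the behavioral signature the post above attributes to the Low5 apps.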

Conclusion

By connecting the dots across domains, app behavior, and back-end activity, Satori researchers can spot patterns earlier and act faster. Those findings don’t just stay in a report: they directly shape the protections we deploy, helping defend customers not only from Low5 but from new variants built on the same model.

Staying ahead of fraud requires continuous investigation, visibility into how these systems operate, and the ability to disrupt monetization before it scales.

IOCs
