Satori Threat Intelligence Alert: How NewsJunkie Spoofed Premium CTV Inventory At Scale

Researchers: Will Herbig, Ryan Joye, Christian Segarra, Adam Sell

IVT Taxonomy: False Representation – Device Spoofing

HUMAN’s Satori Threat Intelligence and Research Team has identified a coordinated connected TV (CTV) device spoofing threat—dubbed NewsJunkie—in which a cluster of related sellers transact high-volume, high-IVT inventory under the guise of premium content, including local news apps and premium CTV apps. The operation exploits the limited measurement signals of the connected TV ad ecosystem, flooding the programmatic supply chain with synthetic bid requests engineered to mimic real household viewers.

At its peak, NewsJunkie accounted for hundreds of millions to nearly two billion invalid CTV bid requests per day per seller. During a two month period alone, a single local news app generated more than 42.2 billion bid requests, a volume that is dramatically higher than any other regional news channel and comparable to much larger and more popular apps. For comparison, that’s a volume of ad inventory roughly equal to what HUMAN observes on WebMD[.]com, but it’s all concentrated on a single city’s local news CTV channel.

The name NewsJunkie reflects the operation’s defining characteristic: a large portion of its invalid inventory was dressed up as local news programming, though the sellers have since changed to other apps across multiple CTV platforms.

Customers partnering with HUMAN for Ad Fraud Defense and Ad Fraud Sensor are protected from NewsJunkie. The NewsJunkie operation has been disrupted, and HUMAN continues to monitor for adaptations and migration to new app IDs, device strings, and seller accounts.

Background: Why CTV Is a Target

CTV has been, for a few years now, one of the most coveted segments of digital media; EMARKETER projects ad spending on CTV to surpass $57 billion by 2030. Americans are spending hours streaming video through devices like Amazon Fire TV, Roku, and Apple TV, and advertisers have followed, directing budgets toward this premium channel.

That combination of high demand and limited supply pushes CTV CPMs to levels significantly higher than comparable desktop or mobile inventory. For a fraudster, higher CPMs mean more revenue per synthetic impression. The incentive to spoof CTV viewership is enormous.

CTV is a notoriously difficult environment for detecting invalid traffic. Unlike desktop advertising, in which JavaScript tags execute in the browser and generate rich measurement signals, a substantial proportion of CTV inventory is delivered via Server-Side Ad Insertion (SSAI).

In SSAI, ads are stitched into the video stream at the server level before delivery to the end device, creating a seamless, broadcast-like viewing experience. But because the stitching happens server-side, no JavaScript runs on the device, limiting how much information a detection tool can use for making IVT decisions.

Fraudsters make a habit of exploiting these information gaps.

How NewsJunkie Works

NewsJunkie relies on two threat models, both of which were observed in this operation:

  1. SSAI CTV Device Spoofing: The spoofing threat uses ad-stitching server infrastructure to generate ad requests that fake device, app, and IP details. From the outside, these requests appear to originate from real devices running legitimate local news apps. But in reality, they’re all created server-side with no actual viewer present. The SSAI layer is the cover: because real SSAI traffic legitimately originates server-side rather than device-side, this type of spoofing blends into a supply chain that expects server-originated signals.
  2. Residential-Proxy CTV Device Spoofing: In a separate, more evasive variant, automated or emulated traffic is routed through residential IP addresses and paired with forged CTV device information. Detection systems that check whether IP addresses correspond to residential networks (rather than commercial data centers) are the target of this technique. By routing through residential proxies, the spoofing threat attempts to pass the basic geography and origin checks that would otherwise flag it.

Together, these two methods fill the supply chain with impressions that appear, on the surface, to be premium CTV inventory from genuine households. The scheme unravels when a dedicated IVT detection platform examines the full constellation of available signals—traffic volume, geography, network behavior, and supply chain structure—and finds that all of them point in the wrong direction.

Technical Analysis

Review Mismatch: App Popularity vs Bid Volume

One of the first signals that tipped off our investigators was the significant mismatch between what an app’s real-world popularity would predict and what the programmatic supply chain was seeing.

At one point in time a single CTV app presenting as a local news channel for Jacksonville, Florida was the highest source of traffic for this operation. Over a two month period, this app generated approximately 42.2 billion bid requests — an extraordinary volume by any measure. Yet the same app had only 185 reviews on the app marketplace.

Channel
Bids (millions)
App Store Reviews

Jacksonville News

42,229

185

Kansas City News

117

368

Tampa News

71

1,283

Phoenix News

59

515

Nashville News

30

578

Detroit News

15

337

The relationship between app usage and user reviews is a basic reality of organic app ecosystems: more viewers means more reviews. An app genuinely watched by millions of households accumulates the reviews to show for it. The comparable local news apps in the table above illustrate this pattern: in general, the more bids an app saw, the more reviews the app had. Jacksonville breaks that pattern entirely: roughly 360 times the bid volume of the next-highest local news app, with a fraction of the reviews.

An app with 185 reviews and 42.2 billion bid requests in a two month span is not being watched by millions of households. The numbers don’t add up.

Geographic Mismatch: Where's the Audience?

A local news app for Jacksonville, Florida should, almost by definition, draw its audience from northern Florida. Local news is inherently geographic: the viewers of a Jacksonville channel are Jacksonville residents. That expectation is built into the app’s value proposition and its CPMs.

NewsJunkie traffic tells a different story.

City
Bid requests (millions)

Overall

42,229.9

Houston

648.7

Phoenix

618.3

Chicago

495.8

Brooklyn

438.5

Las Vegas

348.8

Los Angeles

335.6

Miami

318.1

New York

317.9

Philadelphia

309.7

Traffic coming from Jacksonville ranked 21st on the list of cities transacting on the app.

Few single signals prove traffic is invalid in isolation. A Jacksonville news app could theoretically have viewers in Chicago, like former residents keeping up with their hometown. But this geographic distribution, combined with the volume-to-review mismatch described above and the additional signals below, is inconsistent with any realistic model of legitimate local viewership.

Network Behavior Points to Residential Proxies, Not Living Rooms

Beyond device strings, network telemetry provides another window into where this traffic is actually coming from.

For the non-SSAI segment of traffic, HUMAN researchers analyzed the round-trip time (RTT) behavior of connections associated with NewsJunkie traffic and compared it to the legitimate non-SSAI CTV background population.

A look at round-trip time (RTT) figures for CTV devices overlaid with the RTT figures for traffic associated with NewsJunkie
A look at round-trip time (RTT) figures for CTV devices overlaid with the RTT figures for traffic associated with NewsJunkie

A real household in Jacksonville watching local news has a residential internet connection with the variability that implies. The latency data reflects obfuscation, not living rooms.

The network picture is further complicated by a significant concentration of residential proxy use in the NewsJunkie-associated traffic. The non-SSAI portion of traffic shows strong evidence of residential proxy routing, a technique that routes data center traffic through residential IP addresses to evade detection. Residential proxy use is not invalid in and of itself, as there are cases where privacy-sensitive users might want to hide their geographic location or avoid tracking. However, residential proxy traffic is uncommon in the wild, so  a heavy concentration of these uncommon residential proxy IPs on a single seller is highly unusual and suggests deliberate obfuscation.

IP Inconsistency Reveals Systematic Obfuscation

A further indicator of CTV spoofing is inconsistency in how traffic represents its network origin. In legitimate CTV supply paths, the IP addresses present in bid requests align with the post-bid impression IP address (including x-forwarded-for IP addresses, in the case of SSAI traffic). That is to say, the reported IP address at the time of the bid request will match with the observed IP addresses in HUMAN’s post-bid data.

When those addresses don’t match, there may be either a configuration issue or intentional obfuscation. HUMAN’s history in the industry shows that across normal CTV supply paths the rate of IP mismatch tends to be low. However, the supply paths associated with NewsJunkie universally had an over 100x concentration of unverified IP addresses, relative to the median CTV seller.

Supply Chain Topology: A Coordinated Network

Threats at this scale go out of their way to obscure the supply chain and flow of cash. NewsJunkie was notable for its use of “ephemeral sellers” (i.e., intermediate sellers fabricated to elongate the supply path). Ephemeral sellers are characterized as those that have been transacting in the global programmatic supply chain for less than 6 months. They’re not inherently fraudulent, but they may pose elevated risk.

Within the NewsJunkie threat, we observed numerous ephemeral sellers which converged on a small number of persistent sellers (i.e., sellers that have been a part of the supply chain for more than six months). Additionally, the apps on which these ephemeral sellers were transacting were almost always app-ads.txt unauthorized, meaning either they sold real traffic they were unauthorized to transact, or the traffic was fabricated.

Using ephemeral sellers offers threat actors two key benefits:

  • The supply chain is elongated, complicating the identification of who is monetizing the transaction
  • The supply chain hop from ephemeral sellers to persistent sellers is often sellers.json-authorized, even though preceding hops were not. This gives the transaction a greater sense of authenticity. Some downstream buyers will only verify the last node’s authorization, rather than the whole supply path.

HUMAN identified multiple instances of ephemeral seller employees’ profile images being lifted from other, unrelated profiles, from Facebook, or showing signs of having been AI-generated.

A (substantially simplified) healthy supply chain in which most sellers are authorized and most sellers have a history of transactions.
A (substantially simplified) healthy supply chain in which most sellers are authorized and most sellers have a history of transactions.
A (substantially simplified) supply chain reflecting convergence and multiple unauthorized steps in the path. (Please note: the full supply path seller permutations in NewsJunkie were substantial and did not all conform to the above simplified relational diagram.)
A (substantially simplified) supply chain reflecting convergence and multiple unauthorized steps in the path. (Please note: the full supply path seller permutations in NewsJunkie were substantial and did not all conform to the above simplified relational diagram.)

This convergence illustrates precisely why supply chain visibility is a security issue, not just a compliance exercise: without the ability to see every intermediary in a bid request’s path, this structural signature would be invisible.

How NewsJunkie Exploits CTV Inventory

To understand why NewsJunkie is hard to catch without dedicated supply chain analysis, it helps to trace a legitimate CTV ad transaction and identify where the spoofing ring inserts itself.

When a real viewer opens a streaming app, the app sends an ad request to an SSAI server. That server sends a bid request through the supply chain: to SSPs, ad exchanges, and ultimately DSPs bidding on behalf of advertisers. The bid request contains key information about the viewing context: what device, what app, what content, what location. Advertisers bid to reach that viewer. The winning creative is stitched into the stream before delivery.

NewsJunkie forges the first step. Instead of a real device generating an ad request, the spoofing infrastructure fabricates a bid request—dressed in forged device headers, fake IP addresses, and falsely declared app context—and injects it into the supply chain. From the perspective of an SSP or exchange receiving that request, it looks like premium local news CTV inventory, because every piece of declared metadata says it is.

Diagram showing the transaction paths of legitimate traffic
Diagram showing the transaction paths of legitimate traffic
Diagram showing the transaction paths of spoofed, NewsJunkie-associated invalid traffic
Diagram showing the transaction paths of spoofed, NewsJunkie-associated invalid traffic

What it doesn’t say, and what can only be seen with access to the full signal set, is that the network origin shows signs of deliberate obfuscation, and that this supply path has converged, repeatedly, on the same small cluster of intermediaries as every other request in the ring.

HUMAN’s end-to-end supply chain visibility is specifically designed to detect this kind of intrusion. By cross-referencing every node in a bid request’s supply path against publisher-authorized seller lists like ads.txt/app-ads.txt and sellers.json, and by applying device, network, and IP telemetry at the impression level, HUMAN can identify the disconnect between what a bid request claims and what the underlying signals reveal.

How HUMAN Protects Against NewsJunkie

Customers partnering with HUMAN for Ad Fraud Defense and Ad Fraud Sensor are protected from the impact of NewsJunkie. HUMAN’s Ad Fraud Defense integrates supply chain intelligence directly into its IVT protection platform through capabilities designed precisely for threats like this one:

Compliance Dashboard: Automated monitoring of industry transparency standards—ads.txt/app-ads.txt, sellers.json, and the OpenRTB SupplyChain Object (SCO)—across the full supply path. When intermediaries are unauthorized, nodes are missing, or supply chain sequences are broken, HUMAN’s Compliance Dashboard flags the discrepancy immediately, transforming raw compliance data into actionable intelligence without the manual burden of standards monitoring. Operations like NewsJunkie, which funnel traffic through a small cluster of recognizable intermediaries, produce characteristic patterns in supply chain data that compliance monitoring can surface.

SCO Validation: HUMAN parses the OpenRTB SupplyChain Object from every bid request and validates every intermediary against publisher-authorized seller lists. Full, unbroken supply chains with verifiable nodes at each step are the gold standard; missing nodes, unauthorized sellers, or broken sequences are a red flag. The converging, recognizable topology of the NewsJunkie supply chain is exactly the structural anomaly SCO validation is designed to catch.

Together, these capabilities create a unified view of supply chain integrity, one that combines HUMAN’s market-leading IVT detection with the structural analysis needed to identify operations that exploit the supply chain itself rather than individual devices or apps.

The Compliance Dashboard is the right starting point for any organization looking to understand its exposure to threats like NewsJunkie. It surfaces unauthorized intermediaries, broken supply chains, and anomalous convergence patterns in the supply path automatically. If you’re not sure where your supply chain stands, that’s exactly where to begin. Contact HUMAN to learn how Ad Fraud Defense and Ad Fraud Sensor can be configured for your organization.

Conclusion

NewsJunkie is a case study in how the structural features of the CTV advertising ecosystem can be turned against the buyers who invest in it. The threat actors targeted a premium, high-CPM channel precisely because it offers the best return on “investment” per impression. The operation’s infrastructure was sophisticated enough to route traffic through residential proxies, fabricate device fingerprints, and flow through a coordinated network of intermediary sellers. Everything about it was designed to look like the real thing.

What gave it away was the totality of the evidence:

  • an app with 185 reviews generating 42.2 billion bid requests in a two month span
  • local news traffic concentrated in cities thousands of miles from Jacksonville
  • network latency profiles that belong to data centers, not living rooms
  • IP inconsistency rates running dramatically above the industry norm
  • and a supply chain topology that converges, again and again, on the same small cluster of intermediaries.

HUMAN’s approach to detection combines behavioral signals that catch invalid traffic in the act with supply chain intelligence that maps how it travels, protecting the ecosystem from complex threats like NewsJunkie.

Spread the Word
Spread the Word