Russian ‘methbot’ fraud steals $180 million in online ads

NEW YORK, NY—(Marketwired - Dec 20, 2016) - White Ops, the leading provider of human verification services for the digital advertising market, announced today that its security researchers have exposed the most profitable and advanced ad fraud operation ever seen by the industry. Dubbed “The Methbot Operation” after references to “meth” in the code of the bot itself, this single group of Russian-based operators is stealing as much as $3-5 million per day from major U.S. media companies and brand advertisers. In a coordinated effort to help the industry eradicate this fraud operation, White Ops has published the results of its research, including detailed information that ad tech companies can use to end Methbot’s ability to profit.

The Methbot Operation has been targeting premium programmatic video inventory, generating as much as 200-300 million non-human impressions per day. In a unique twist, these impressions appear for sale on programmatic advertising markets as premium ad spots on name brand websites. 6,111 domains, drawn from the most popular sites on the web, have been victimized this way. Unlike typical ad fraud bots that rely on infected residential computers and standard embedded web browser engines, Methbot creates enormous scale by operating hundreds of servers from data centers in the U.S. and Amsterdam and employs a custom-written web browser to reduce the likelihood of detection.

“Methbot elevates ad fraud to a whole new level of sophistication and scale,” said Michael Tiffany, co-founder and CEO of White Ops. “The most expensive advertising on the Internet is full-sized video ads, on name brand sites, shown to users who are logged into social media and who show signs of ‘engagement.’ The Russian operators behind Methbot targeted the most profitable ad categories and publishers. They built their infrastructure and tools and compromised key pieces of architectural Internet systems to maximize their haul. Methbot is a game changer in ad fraud and further evidence that the issue of human verification is constantly evolving and innovating, not abating.”

The Methbot Operation is unprecedented in scale economically due not only to its cultivation of dedicated infrastructure, but also because of the levels to which its operators have studied and gamed the entire value chain across digital advertising and trusted Internet practices. “The Methbot operators clearly have invested research and development time, money and operational know how to create such a large-scale and effective ad fraud operation,” stated Tamer Hassan, co-founder and CTO of White Ops. “Whether it’s the acquisition of IP addresses and domain names, the deep understanding of real-time bidding in programmatic video, or the characteristics of buyers and sellers in the market, the Methbot operators have worked hard to seem legitimate at every level and to ensure unparalleled levels of control, ownership and resiliency/durability.”

The operation has dramatic costs for both advertisers and publishers and abuses a variety of infrastructure providers by: Offering fraudulent web page visits and ad impressions by convincingly posing as more than 6,000 top Websites. Using a network of proxies running on 571,904 unique IP addresses, camouflaging the traffic to seem legitimate by falsifying IP registrations to impersonate large ISPs including Verizon, Comcast, AT&T, Cox, CenturyLink, TWC and others. For comparison, Facebook currently operates with approximately 270,000 IPv4 addresses. Feeding false information to geolocation information providers. Spoofing the data collected by viewability measurement providers, including video time watched and engagement actions like mouse movements.

Forging data analyzed by fraud detection providers, including faking social network logins.

Interestingly, the group is not using a shared cyberattack infrastructure or black market bots/compromised end devices. Their operation is based on custom software and generated completely out of data centers.

“This particular attack highlights the massive scale of the fraudsters and their growing sophistication,” said Mike Zaneis, CEO of the Trustworthy Accountability Group (TAG). “This fraud operation represents a significant threat to the integrity of the ecosystem and we appreciate White Ops’ leadership in sharing this intelligence with the broader digital advertising community. Given the most advanced feature of this operation — its forged IP space — we believe TAG’s information sharing platform will allow responsible industry actors to mitigate the threat quickly and effectively.” For the full Methbot Operation report, please visit

About White Ops: White Ops is a global leader in advertising fraud protection and human verification. Combining data science with advanced security solutions designed to detect and prevent fraudulent advertising activity, our company’s mission is to stop the spread of advertising fraud through our human verification techniques. White Ops works collaboratively with industry groups globally who are dedicated to preventing malicious activity in the advertising space and promoting transparency for the industry as a whole. White Ops is headquartered in New York City with satellite nodes operating in countries around the world. To learn more please visit

Jennifer Torode
for White Ops Email Contact 781.672.3119
For press and media requests, please contact