The Biggest Online Ad Fraud Rings Discovered (So Far)

November 10th, 2020

Digital ad fraud is an increasingly significant problem that is continually growing year on year. With advertisers willing to spend billions on adverts every single year, this has attracted a large number of fraudsters.

We’re not just talking about a few people clicking on other people’s ads; we’re talking about huge ad fraud rings that have their eyes set on the big bucks.

These shady, underground groups are continually thinking up elaborate schemes to defraud advertisers out of millions. Usually working through malware or botnets, these fraudsters infect other people’s computers to do the clicking for them.

To shed some light on the dark side of the web, we’re looking at the biggest online ad fraud rings that have been discovered. Currently, there have been plenty of high-profile ad fraud rings identified with new ones being found every few months.

To give you an idea of how much these ad fraud rings are costing advertisers (and you!), we’ve compiled a list of the biggest ad fraud rings ever seen.

Here are the biggest online ad fraud rings discovered so far. Let’s start with the smallest on the list, Clickbot.A.

Clickbot.A (2006)

  • 100,000+ infected machines
  • $10,000+ fraudulent earnings per day (estimated)
  • Dismantled in 2006

The first ad fraud ring on our list is Clickbot.A, a piece of malware purposely designed to actively click on pay per click internet ads. Discovered way back in 2006 by researcher Swa Frantzen, at the time the malware infected only 100 computers but quickly grew to over 100,000 machines.

The bot was written as a plugin to Internet Explorer and used victims’ computers to automatically click on pay-per-click adverts. The actual figure of how much this fraud group cost advertisers is unknown, but it has been estimated to be around $10,000 a day.

Apart from the number of machines infected, there is little else known about the group behind the running of the botnet. As of today, there have been no arrests or charges made by any law enforcement officials and the creators remain unknown.

However, what we do know is that RSA and Panda Software worked together to dismantle it, and as of today it is no longer a threat to advertisers.

DNSChanger (2006)

  • 4,000,000+ infected machines
  • $6,000+ fraudulent earnings per day
  • Shut down by the FBI in 2012

The next ad fraud group on our list is a gang of Estonians who created a computer program in order to force adverts upon unsuspecting users.

Discovered in 2006 and still active today, DNSChanger is a piece of malware which infects users’ computers and injects them with advertisements.

Designed to spread itself to neighbouring computers on networks, this piece of malware infected over 4 million computers at its peak. Since being raided by the FBI the number has reduced significantly, but the program is still active today on some computers.

Once a computer was infected, the malware worked by sending adverts to the user and counting their unique IP as an impression. With a vast collection of infected users, the gang would then sell fake traffic and impressions to unsuspecting clients by posing as a fake digital marketing agency, Rove Digital.

Clients thought they were buying quality traffic and advertising space for their adverts, when in fact their adverts were just being viewed by robots. The client would pay for the service and then receive a huge amount of fake and fraudulent views. Many large government organisations and multinational companies were defrauded, including NASA to the tune of $60,000.

Over the years it was active, Rove Digital managed to charge clients over $14 million in advertising fees. This works out at around $6,000 a day in fraudulent revenue. Although that is the smallest amount on our list, it all adds up to a lot of money over the years.

The ringleader behind the group, Estonian Vladimir Tsastsin, was arrested and extradited to the US for his crimes and was sentenced to 87 months for his involvement. Other members of the group also received sentences ranging from 40 to 48 months.

DrainerBot (2019)

  • Estimated $40,000+ earnings per day
  • Infected 1,000,000+ Android phones

One of the most recently discovered ad fraud rings goes by the name of DrainerBot and gets its name from draining both data and battery from mobile devices.

Originally discovered by Oracle in February of 2019, there are no exact figures on how many devices are infected, but it’s undoubtedly over 1 million. The bot was found in a software development kit (SDK) aimed at helping app developers monetize illegally downloaded versions of their apps. It’s also unknown how much money the bot has made.

Once a device has been infected by DrainerBot, the bot continually runs video ads within the background of the device. Each video ad is recorded as a legitimate view by the ad network when in reality, no human saw the video.

This drains the device’s mobile data at an extremely fast rate while using up to 10GB of mobile data a month. As the device is running video ads in the background non-stop, the battery is also used incredibly fast and often leaves the device hot to touch.

Nobody has claimed responsibility or has been prosecuted for the malware, as it seems to be shrouded in mystery.

Hummingbad (2016)

  • 10,000,000+ infected Android phones
  • $10,000+ fraudulent earnings per day
  • Still active today

Moving on to a different type of fraud ring, this next group focuses primarily on mobile ads as opposed to desktop ads.

Discovered in 2016 by security firm Check Point, Hummingbad is the name of a type of mobile malware that specifically targets Android users. Researchers estimated that the malware fraudulently viewed over 20 million ads a day and downloaded 50,000 apps to unsuspecting mobile users in its prime.

All of this fraudulent activity resulted in daily profits of around $10,000 for the fraud ring and helped them expand their network. With earnings of $300,000 per month, this is a huge amount of money lost to fraud.

As of today, the malware is still active on some Android devices and still generates thousands daily in fraudulent profits. Although making users aware of the malware has helped reduce the number significantly, it’s likely the malware will never be completely removed, especially with 10 million infected devices.

ZeroAccess (2011)

  • 2,000,000+ infected machines
  • $100,000+ fraudulent earnings per day

Next on our list is a secretive trojan horse virus that managed to infect over 2 million computers throughout 2011 and 2012. Discovered in May of 2011, once the trojan infected a computer, it would start downloading malware and other programs while remaining hidden from the user.

There have been various estimates of the size of the botnet ranging from as little as 1 million to as high as 9 million. Once the botnet has infected the system, it will start to either mine cryptocurrencies such as Bitcoin, or start clicking ads fraudulently.

The amount of money earned by the fraud ring has been estimated at around $100,000 per day. With millions of computers affected, there’s no doubt that this is one of the largest botnets ever discovered. Combine this with the fact that it is being used to actively click PPC ads and it also makes it one of the largest ad fraud rings found.

Since its discovery, there have been plenty of patches and antivirus tools released that are helping fix infected computers. As of today the botnet is still active but is nowhere near as big as it used to be. Having been discovered over 6 years ago, almost every antivirus software is capable of detecting it and removing it from infected computers.

The creators of the bot are still unknown and most likely will never be identified. However, with the prospect of being able to make $100,000 or more a day, there’s a good chance the fraud ring could return in the future.

Chameleon (2013)

  • 120,000+ infected machines
  • $200,000+ fraudulent earnings per day

If you thought $3,000,000 a month was a lot of money lost to fraud, then try $6,000,000. That’s the amount of fraudulent revenue generated by the botnet dubbed Chameleon which has been around since 2013.

Discovered by, the botnet is currently installed on over 120,000 different machines and emulates billions of human visitors every day. Research from estimated that the botnet serves over 9 billion ad impressions a month. With an average cost per mille of around 69 cents, this equals over $6 million in fraudulent earnings every single month.

The botnet itself is installed onto computers with a simple JavaScript program and runs continuously in the background. Since its discovery, there has been little additional information released. Normally when a botnet gets discovered, the number of infected computers quickly decreases as anti-virus software starts to detect them.

Currently, the actual size of the Chameleon network is unknown, but it’s very likely to be a lot smaller compared to what it used to be. As of today it’s unknown who is responsible for the network and who operates it. Like most other ad fraud rings on our list, so far there have been no arrests by any international authorities.

SilentFade (2020)

  • Over 10,000 compromised Facebook accounts
  • $4 million+ in fraudulent ad spend

If you thought ad fraud was only limited to Google Ads, then think again. One of the newer ad fraud schemes on this list, the malware SilentFade caused havoc for Facebook and many advertisers during its operation.

Discovered by Facebook themselves in 2020, the ad fraud ring had been in operation since 2018 and had gone through many different variations. The name SilentFade is Facebook’s internal name for the malware, which stands for “silently running Facebook Ads with exploits.”

Compared to other types of malware on this list, SilentFade is pretty unique. Instead of creating some automated bot to click on other people’s Facebook Ads, this malware did something entirely different.

By using an exploit within Facebook’s system, this malware would actually hijack users’ accounts and begin running paid ads on them without them even noticing. This meant the hackers behind the group could run ads to practically any website for free by using other people’s money.

Overall it is reported that the group managed to spend over $4 million of users’ money on Facebook Ads. Although it’s unknown how much money they made from advertising the many goods and services they were promoting, when the advertising is free, any return is a profit!

As of 2020, the scheme has been shut down and the exploit it took advantage of has been fixed. Not only does this malware show that hackers are interested in exploiting networks besides Google Ads, it’s also a good indication of what ad fraud malware could do in the future.

Methbot (2016)

  • 852,992 unique IP addresses
  • $3,000,000+ fraudulent earnings per day

Coming in at the top of our list is the daddy of the fraud rings. Known as Methbot due to its references to “meth” in its code, this unique type of fraud network has grown to become the largest ad fraud ring ever discovered.

Discovered in mid-2016 by White Ops, the network has grown exponentially to the point where it is now fraudulently watching over 300 million video ads per day.

Unlike the other fraud rings mentioned on this list, this one is unique in the way it does the fraud. Instead of installing itself onto unsuspecting victims’ PCs, the group uses dedicated servers with proxies to view video ads fraudulently.

Another problem with this operation is that it is incredibly hard to detect. The network comprises over 852,992 unique IP addresses, most of them leased from legitimate ISPs such as Verizon, Comcast and Spectrum. This makes distinguishing between a fraudulent viewer and a real viewer very hard.

With cost per mille (CPM) rates on display ads ranging from $3.27 to $36.72, the network is able to generate $3 to $5 million in revenue per day. This is without a doubt the largest click fraud group discovered to date. With over 200–400 million impressions generated per day, the size of this fraud ring is basically unheard of.

Since its discovery, the fraud group has hit the headlines in plenty of newspapers and has drawn a lot of attention. In addition to releasing a white paper on the Methbot operation, White Ops also released a huge list of blacklisted IP addresses to help advertisers block the operation from affecting their ads.
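As an added example (not from the original article or from White Ops), here is one way an advertiser could apply a published IP blocklist like the one described above to their own impression logs and estimate the spend attributed to flagged traffic. The CIDR ranges, log records, campaign names and function names are constructed for illustration; only the $3.27 and $36.72 CPM values come from the range quoted above.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist using documentation ranges, not real Methbot addresses.
BLOCKLIST = ["192.0.2.0/24", "198.51.100.64/26", "2001:db8:bad::/48"]

# Constructed impression log rows: (client_ip, campaign, cpm_usd).
IMPRESSIONS = [
    ("192.0.2.17", "video-a", 10.00),
    ("203.0.113.9", "video-a", 10.00),
    ("not-an-ip", "video-a", 10.00),        # malformed field from a bad log line
    ("198.51.100.70", "video-b", 3.27),     # inside the /26
    ("198.51.100.200", "video-b", 3.27),    # same /24, outside the /26
    ("2001:db8:bad::5", "video-b", 36.72),
]

def load_networks(cidrs):
    """Parse CIDR strings and bucket them by IP version."""
    nets = {4: [], 6: []}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        nets[net.version].append(net)
    return nets

def is_blocked(ip_text, nets):
    """True/False for a parsable address, None when the field is not an IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in net for net in nets[ip.version])

def exposure(impressions, cidrs):
    """Per-campaign counts and the cost of impressions served to blocklisted IPs."""
    nets = load_networks(cidrs)
    report = defaultdict(
        lambda: {"flagged": 0, "clean": 0, "unparsed": 0, "flagged_usd": 0.0})
    for ip_text, campaign, cpm in impressions:
        row, verdict = report[campaign], is_blocked(ip_text, nets)
        if verdict is None:
            row["unparsed"] += 1            # keep these visible, do not drop silently
        elif verdict:
            row["flagged"] += 1
            row["flagged_usd"] += cpm / 1000  # CPM is the price per 1,000 impressions
        else:
            row["clean"] += 1
    return dict(report)

if __name__ == "__main__":
    for campaign, row in exposure(IMPRESSIONS, BLOCKLIST).items():
        print(campaign, row)
```

Because the operation's addresses looked like ordinary ISP ranges, a blocklist match is only as current as the list itself, so the unparsed and clean counts are reported alongside the flagged ones rather than treated as verified human traffic.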

With the help of various security firms researching this operation, the fraud ring is shrinking by the day.

This unique fraud ring shows that fraudsters are constantly thinking up new ways to evade detection and make themselves look legitimate. Learning from this group will give researchers valuable information on how future ad rings might decide to operate.

So there you have it, the top fraud rings discovered so far. With the size of fraud increasing almost every year, there’s a good chance new ad fraud rings will be discovered in the future. However, thanks to the constant efforts of many security research firms, they’ll be keeping us up to date with all the latest developments.

Protect Yourself From the Next Methbot

Have botnets and ad fraud groups left you paranoid? Don’t live in fear of fraudsters clicking your ads. Protect yourself today with the world’s best click fraud prevention software.

Sign up below for your free 14-day trial with no credit card information required.
