Hacked - The King of Ad Fraud

Episode Date: March 1, 2023

The story of how profitable it can be to serve ads to nobody, featuring Zach Edwards from HUMAN Security. We discuss Methbot, Vastflux, how organized criminals use ad fraud to launder wild sums of money, and how HUMAN took down some of the biggest ad fraud networks online today.

Transcript
Starting point is 00:00:00 Every couple of years, when a company like ours comes out and says, Hey, everybody, look, we just took down another giant ad fraud operation. Shocker, it's connected to another Russian cyber criminal. Shocker, they've been indicted and been charged with money laundering. Shocker, the scale of this network would only be possible if you started with a giant pile of cash. So back in 2017, a guy named Alexander Zhukov gives himself this nickname that, in retrospect, probably got him more negative attention than it was worth. Yeah, to be fair, if you do that, you make yourself a little bit of a target when you call
Starting point is 00:00:46 yourself the king of fraud. The king of fraud. Is it hubris to self-identify yourself as the king of a kind of crime? But to be fair, he was pretty good at crime. He seemed like he was really good at crimes. He was really good at crime, but also was extremely loud about it. And briefly, I want to mention one thing. So his indictment, people can go read the Department of Justice indictment.
Starting point is 00:01:19 You can read tons of open court documents and reports from our company and other folks. What's important to read as you get into those details: he was charged with basically an ad fraud scheme and fraud, but also money laundering and conspiracy to launder money. And it's crucial for everyone to understand that ad fraud is for many cybercriminals merely a vehicle for money laundering. So we make a tech show, and we've worked in digital advertising
Starting point is 00:02:00 and somehow the idea of even looking into digital ad fraud never really popped into my head because I thought it was a little story. I thought it was like people spoofing websites maybe. It's kind of interesting, but not enough to hang a whole episode on. But it's not. It's way weirder and way bigger than at least I thought. If you were to draw a diagram of the big categories of ways
Starting point is 00:02:26 that people steal with computers, like ransomware, phishing credentials, like scams, you should probably include ad fraud as its own whole category, because it's huge and it's not used for really what you think. There's plenty of TV shows and fun narratives where you can understand money laundering. And the simple process is usually a criminal hands someone a big bag of money. That person has to find ways to buy things or push that money into shell companies, and usually some cut of money disappears. So let's say you're handed a million bucks, and you can only launder 800,000, because 200,000 had to go to
Starting point is 00:03:13 the various people that helped you take that illicit money and turn it into gold bars. And so historically, there's been gold money laundering, and all these different cash and currency and precious minerals that resulted in a reduction of money. But what's scary about ad fraud money laundering is these criminals can be handed $10 million. And if they have a legit ad fraud operation that triggers dozens of fake auctions, they turn that 10 million into 30 million. And they're not laundering with a reduction. They're actually increasing revenue, and it's more like an investment scheme. It's laundering, but profitable.
Starting point is 00:04:02 Wild. And it's all happening inside this labyrinthine system that delivers you ads when you consume media online. It's less common in audio, but even Hacked uses a form of programmatic advertising. So I called up the folks at HUMAN Security, because I wanted to talk to whoever took down that king of fraud. And they said, oh, you want to talk about ad fraud? Just hold on a second. And then a couple of days later, they dropped this press release, announcing that since that king of fraud, something even bigger had come along. And now they'd gone to war with it. A campaign called Vastflux that pitted HUMAN Security against a large organized crime syndicate with a lot
Starting point is 00:04:52 to lose. So we're going to discuss the history of ad fraud online, the fall of the king of fraud, and the strange new frontier that is Vastflux, featuring Zach Edwards of HUMAN Security, here on Hacked. How you doing, Scott? Well, I've been better. I'm just getting over an illness, as you might be able to tell by a moderate amount of an increase in my nasal sound, which is normally very high.
Starting point is 00:05:37 but it might be even higher now, as I am quite, quite stuffed up. You turn it up to 11 a little bit on that one. I live at 9-10, so the last few days it's been, it's definitely been an 11. Yeah, I'm kind of getting over a little bit of a head cold type thing over here too. So we're going to have two really, really broadcast-ready hosts for this episode. It's going to be great for listeners. Well, you know, it's good though. Like, I don't think either of us have had COVID.
Starting point is 00:06:03 Like, this isn't COVID. So we're starting to get, you know, the regular stuff again, which is, yeah, I don't know. For me, it was actually worse. Having had COVID, I actually found COVID easier than strep throat. You're wistful for the halcyon days of COVID. Exactly, exactly. What a time to be alive.
Starting point is 00:06:22 So we typically do our shout out to our patrons on Patreon, best patrons on the internet, at the end of the episode. Before we jump into things, you want to mix it up and thank them up front? Sure, sure. I think we do it. Matt Bo, thank you so much for your support. John Cordes, Damien Castile, thank you, both of you. Ryan Thompson, thank you.
Starting point is 00:06:46 Orla, thank you so much. Emil Perron, thank you. And Alyssa, thank you for editing your pledge. And if you want to support your show with all those fine people, you should check out hackedpodcast.com. It redirects to our Patreon. And our now very active Discord. Oh, that's true.
Starting point is 00:07:05 It's a thriving, thriving community. It went from zero to a semi-active little Discord pretty quickly. Of a lot of people sharing links to the sketchiest stuff on the internet. The links aren't sketchy. They're all very safe links, but just to the sketchiest stories. It's where I want to hang out on the web. Just people talking about the dodgiest stuff. Thanks to all the new patrons and all the existing patrons, obviously.
Starting point is 00:07:35 It means a lot to us. So much love. Appreciate your support. A little bit of an update on our merch stuff. We're waiting on the first round of designs from our art director. So hopefully we'll have that stuff soon. And in that, I think we're going to do our first run of stickers, many of which are owed out to patrons. So thank you for your patience.
Starting point is 00:07:57 And yeah. So we're talking about the weird world of hacking programmatic advertising. And when someone says programmatic advertising, what they're really talking about is almost all digital advertising. And to get your feet under you on that one, it's probably worth starting with a bit of an evolution of where ads came from, starting pretty much all the way back with newspapers. And what does that sort of mean historically? Ads were for hundreds and hundreds of years sold in newspapers. That was the core way that they were being sold. There's legacy ads that are always fun to explore,
Starting point is 00:08:41 selling everything from horse glue to wagon wheels. And as we got into the internet age, a lot of the newspapers started to put ads on their website. And so people were basically buying one ad in the print version, and there would be maybe a page on their website that had all the ads for that week, just sort of listed out. And as sort of this opportunity to show ads on the internet became better understood, companies started to say, well, do we have to show the same ad
Starting point is 00:09:18 every time you load that page? What would happen if we had different ads waiting to be shown and people maybe paid more money to get at the front of that list? And people started to explore these topics, ad queues, and various simple technologies, until eventually around 2000-ish time, this concept of basically an auction on the internet was created. Programmatic advertising is essentially digital ads being auctioned on the internet as soon as you load that website or app. When you go to a website, you load a page, there's this brief moment before the ad shows up where this real-time auction is taking place. In that little blip of time, different advertisers are bidding for the rights in that moment to show you an ad.
Starting point is 00:10:11 That process, that brief moment where the ads weren't on the page, is known as the programmatic auction or the real-time bidding auction. There's other sort of technical phrases for it. But basically this is the process where a series of companies are basically auctioning off your attention, and a variety of companies work in this ecosystem both to secure it, to help monetize it, to support the deployment of these tools. It is a giant hundreds-of-billions-of-dollars ecosystem. And so when someone says programmatic, you can get really into the weeds talking about how it technically works.
Starting point is 00:11:03 But when you take a step back, it's important to really understand this is, we're getting close to a trillion dollars in programmatic advertising revenue being shared across thousands of companies. Should we tell everybody that the ads in our podcast are actually programmatic? I think we probably should. I think that's what's interesting about it is that pretty much all media,
Starting point is 00:11:28 that anything that isn't hidden behind a paywall, it's probably being supported by ads. Absolutely. The revenue of the internet is ad revenue. So we, in the hacked podcast, like our ad insertions are dynamic. And actually, I think geographical. Because recently on one of the recent episodes,
Starting point is 00:11:53 one of our listeners, who's a close friend of ours, actually said that they heard a school board ad for the regional school board that he lives in. So that means that they're geotargeting their dynamic insertions to people downloading the episodes within a region. So it's not just, you know, an auction for the space, which does occur too. So like we have standing ad contracts with companies that we read the ads for, but the ads that we don't read are dynamically inserted based on an auction. You take that, like that's a relative amount of complexity for our little podcast. You got all these different ways that ads are ending up
Starting point is 00:12:32 in the show. Now rinse and repeat that and scale it to the size of the entire internet. And you start to get a sense of how big this is. Well, you go look at Google's income statement and you'll see how big it is. You sure will. Because I believe Google is the single largest ad auctioneer on the internet. Yeah, AdSense is still king. You got this whole industry. On one side of it, there's the eyeballs, the viewer, the listener, the consumer.
Starting point is 00:12:58 And on the other side you've got the content, the website they're going to visit, pretty much all media, journalism, and content distributed online. And this giant, nearly trillion dollar network of ad buyers and sellers right in the middle of all of it. Anything that's not behind a paywall is paid for by ads. And this is the economic relationship, like you said, that kind of pays for the internet. A good way to think about the importance of the online advertising ecosystem is that the modern news infrastructure, and we're not going to get into discussions about the different news sources and their trustworthiness, but almost across the board, news organizations in this world are funded through a majority of online advertising.
Starting point is 00:13:48 And so as people sort of start to understand what programmatic advertising is literally funding right now, it starts to become clearer that this is an economy on the internet. And when you are talking about something that is nearly a trillion dollars, it is easily one of the largest global marketplaces that has ever existed. It is also one of the few marketplaces that are not restricted by geographic lines to the exact same extent that physical goods are. A trillion dollar marketplace. So broadly speaking, it's quite substantial. I should say so. So broadly speaking, how do folks hack it? Off the top of your head, where do you start? You want to make a buck tomorrow exploiting the vulnerabilities of the system. Where do you begin, Scott?
Starting point is 00:14:56 Well, if you're going to make a dollar and not from selling something, then there has to be some process that allows you to generate funds. So whether that's crypto mining or whether that's, you know, you name it. There must be some way to leverage the computers or the people looking at the ads to generate revenue. At least that's, like, my best guess. Because other than just outright crime and stealing stuff from those companies, maybe putting on ransomware and charging a percentage return on that or something, you know, something along those lines. But to me, if you're just doing an ad scam, there must be some way to generate revenue from the scam. And I honestly don't know. Once you have a way to generate funds,
Starting point is 00:15:43 you use the ad networks as essentially a delivery vector for the Trojan, malware, you know, you name it, whatever you're trying to put on somebody's computer or use to leverage somebody else's hardware. You're just using the ad networks as a broadcast system to deliver your attack. Interesting. So am I right or am I wrong? You almost brought up like another way of thinking about it than most of what we talked about, which is using ads to deliver other exploits to people. And that does come up.
Starting point is 00:16:21 Botnets are a really big part of this. But a lot of it has to do not with using ads to deliver something malicious, but with using malicious techniques to trick the people paying for ads into giving you that money. Ah. Like forcing clicks, things like that. Exactly. If we started with the simplest version, it's as basic as just spoofing.
Starting point is 00:16:45 Way back when, you want to read the New York Times? Here's my weird, dodgy fake version that I'm going to spam all over the internet. Sure. One of the historic examples of an organization that faced really significant ad fraud attacks is the New York Times. And so you can imagine the New York Times is a company whose web infrastructure has always been of some interest to people trying to make money through various schemes, through comment spam, and all the different online schemes that could exist. But in the programmatic advertising space, there's also been the concept of spoofing websites. And so this is,
Starting point is 00:17:33 fortunately, we're a few years past when this was the biggest problem for the industry, but there was a time, five, six years ago, when you could essentially say, I'm the New York Times.com. And you could broadcast this information and it could be inaccurate. And so there were countless bad actors that would look at a website, and if it had a good reputation and what's known as a CPM rate, which is a cost per mille or cost per thousand advertising impressions, if their rates were high, where basically brands would pay a large amount of money to show their ads on that website, criminals would then pretend to be that website and take money from major brands who thought their ads would be showing up on the
Starting point is 00:18:28 sidebar of the New York Times, but were showing up on some black hole garbage website. So wait. I'm just going to reframe this because I think it was just reframed for me. Bingo. These people aren't making money
Starting point is 00:18:43 using ad networks to exploit people. These people are using, they're creating their own ad platforms and then selling that property in these dynamic marketplaces. And they're making money, exactly, through, like, people
Starting point is 00:19:02 thinking they're buying legitimate ad space, but they're actually buying illegitimate ad space. Exactly. This makes complete sense. And that simple version of a fake site is like rubbing two sticks together that eventually scales up to like rocket ships. It's the crudest version of this idea and it just gets more and more complex from there. Well, Jordan, I don't know how much sports you watch. If you ever try and find a stream of, you know, any kind of sporting event online. Sure. Usually there's been one,
Starting point is 00:19:37 I'll use the term legitimate streaming site. Like there will be like somebody or some group has created a site that rebroadcasts sporting events and stuff like this. And then there's 900 million knockoffs of that one legitimate, quote unquote legitimate, source of stolen content. Then there'll be 900 illegitimate copies of it that are just there to force ad clicks, and it's mayhem. So I completely see where you're going now. You're talking about the, to borrow Zach's phrase, black hole of a garbage
Starting point is 00:20:16 website. Yes. I'm trying to name these more literally now for discoverability, but if it wasn't for that, that is definitely what I would call this episode, black hole of a garbage website. And we refer to them more in the industry as made for advertising websites, MFA. So that will be the industry term. I call them black hole garbage websites because once you hit them, you have no idea where you're going to end up and they will likely rip your data into a million pieces and then send it off somewhere to be monetized. That's approach one, spoofing real sites.
Starting point is 00:20:54 But over time, ad networks and media companies, they start to catch on to that. So you got to move on. You've got to complicate it a little bit. The grift must evolve as we click into the 2000s. From there, we arrive at this concept of invalid demand and impression fraud. Because underlying how those ads are served is a little bit of code, a little bit of JavaScript that kind of defines the terms of how the ad gets served up to the person. Of course.
Starting point is 00:21:21 Importantly, to start, how long the ad displays for. So maybe you muck with that. This concept of creating invalid demand or impression fraud can be as simple as a multiplication times two. So just to catch everyone up, most of the internet sends data in websites and apps through a code language called JavaScript. And there's countless other languages. And all the languages have one thing that's pretty much in common. They can use math. And so the simplest way to think about the simplest ad fraud scheme
Starting point is 00:22:08 is the appropriate length of time to keep an ad on the page is, let's say, 30 seconds. This varies depending on the ad, but one of those display ads is just sitting on the page. And so let's say instead of 30 seconds someone wants to make it go for 10 seconds. They could literally do timer equals 60 divided by whatever the number is they're looking for, or throw in a couple variables to make it spicy, make it a little not plain math staring at you. But the concept of what this would result in is it would create impression fraud, where they were only supposed to basically change their ads every 30 seconds, but a developer realized they had access to do it differently, decided to violate the terms of the network, started refreshing
Starting point is 00:23:07 the ads every 10 seconds. Or layer them, stack six or seven ads on top of each other, because nobody's really checking for visibility. Like they're visible, but they're just z-indexed behind something else. Totally. So you could have a million ads on a single website that nobody knows about, that you can't see any of them. And this is happening at such a massive scale. I think the number everyone
Starting point is 00:23:29 cites is between 6,000 and 10,000 ads per day that the average internet user will see, essentially. This is happening at such a huge scale that probably no one's ever really going to notice. But over time, if you do it enough at a big enough scale, those networks, which do have an incentive to try and catch this behavior, will start to catch on because they start to notice patterns. Wow, this one site is serving up ads at a rate that is kind of impossible. They're clearly breaching our terms of service, so we're going to nerf this. They come up with another thing, another exploit like this, we nerf that. So over time, the complexity has to ramp up again. So it switches. Moves from impersonating a site or fudging the math on how quickly
Starting point is 00:24:21 the ads display and it gets into what Zach calls stealing bandwidth. Taking control of devices and directing that traffic to wherever you're hosting ads. Say I want to take control of hundreds, if not thousands, if not millions of devices and direct their traffic to whatever black hole garbage website I control. How would you go about doing that? A DNS attack would be my easiest way to do it, or like the way that I'd probably start, if I had to choose a trajectory
Starting point is 00:24:52 to force people's legitimate traffic to go to illegitimate places. To start a DNS attack, or to artificially modify people's local lookup records, you'd need some form of local access. So it'd be something in the malware space, I would assume.
Starting point is 00:25:10 Well, I could develop malware. And so that's been the classic way. In almost every ad fraud investigation that we've looked into, at least some portion of their traffic were compromised devices. And one way to think about it is ad fraud is like a big affiliate scheme or an affiliate market. And specific criminals know that they can create an infrastructure through malware or specific compromises and then rent it to other criminals. And so it's a classic scheme of basically crackers, software crackers,
Starting point is 00:25:54 who install basically malicious marketing-as-a-service technologies into it. And then once they get someone to install that malware, they can sit back from where they're located, reach out to other criminals saying, hey, I've got a couple thousand devices who've installed this malware. Do you want them to do anything? Do you want them to DDoS a website? Do you want them to try and commit account compromises? Do you want them to juice impressions on specific websites or apps? And so a lot of what this impression demand comes back to is who has access to compromised devices, or who has code that could be inserted into an online auction to dynamically compromise devices, or who has thousands of fake publisher websites that they can install malicious code into. So there's just basically different places along these supply chains where you could inflate
Starting point is 00:27:03 the impressions in all these different ways, directly on the website, through the banners that people buy, through malware on the device, and all of the above are basically used by these malicious networks. And so companies like ours, we are looking for threat actors, what they are trying to make money from, what they're using to make that money, and who they were targeting. And it oftentimes can result in large victim lists from real user devices to the publishers impacted, to the brands who were buying millions in fake ads that never showed, to the advertising networks that lose credibility or have to fight back from maybe dozens of fake accounts created by a bad actor group.
Starting point is 00:27:58 In the online illegal streaming section, which I know is rampant with this issue. Yeah. Not that I spend any time in it, but, uh, at some point you always end up clicking something that isn't supposed to be clickable. And all of a sudden, you're downloading an EXE file. Like, even if you're on Mac or Linux, it's like you can tell that they're forcing the delivery of a lot of this malware
Starting point is 00:28:26 through these networks. A lot of the modern versions of this rely on compromised devices to do it, but this system is also a fantastic way to compromise devices. It becomes the snake and its tail in that kind of metaphor. It's not one hack, it's this whole category. You can spoof real sites. to get real eyeballs to watch real ads in the wrong place. You can trick real ads to run on fake sites that you control.
Starting point is 00:28:52 You can trick ads to work incorrectly. In this nearly trillion dollar system of unsupervised auctions, distributing God knows how many ads a day, there's a lot of ways to make a buck. And back in 2014, Alexander Zhukov puts this all together. And inadvertently ends up having something of an example made of himself. Zach referenced this earlier, I think.
Starting point is 00:29:18 But the name of Zhukov's big ad fraud botnet thing was called MethBot. And I felt like kind of a dummy for a while, because I kept reading about this and thinking, when does meth get involved? Like, who put the meth in MethBot? Alexander Zhukov. Was it the Method Man? A lot cooler if he did. Sorry, I've been watching the Wu-Tang
Starting point is 00:29:45 dramatization on Disney Plus. Oh, yeah, sure. So Method Man is at the top of my mind these days. Alexander Zhukov, who is not, this is so annoying to Google, who is not the famous Russian businessman named Alexander Zhukov, or the famous politician named Alexander Zhukov,
Starting point is 00:30:04 is the founder of a company called Media Methane. Methane, botnet, MethBot. MethBot. On. Media Methane was supposed to be a digital ad agency dedicated to helping customers deliver advertisements to internet users. Way back in 2014 when it starts, it began by establishing pretty much legitimate business arrangements with other legitimate advertising networks. According to the United States superseding indictment filed in February 2020, Media Methane received payments
Starting point is 00:30:40 in return for placing ads on behalf of legitimate ad networks. It had this, again, legitimate front end. But instead of taking those ads and serving them on real sites that they had deals with, with real eyeballs going to them, we'll quote that document again, Zhukov and others rented thousands of computer servers located at commercial data centers in the US and elsewhere and used those data center computers to simulate humans viewing ads on fabricated web pages. To convince these systems that the ads were being watched by humans, because again, this is all the way in 2014,
Starting point is 00:31:15 these networks have been dealing with this for a while. They're pretty sophisticated. Quote that document. Zhukov and co. developed programming code that caused the data center computer servers to operate an automated browser, click on online advertisements a randomly determined number of times, simulate mouse movement, scrolling around on a website, pausing, getting back to it, controlling and monitoring video playback, including the length of time the video was watched, all while being falsely signed into popular social media services
Starting point is 00:31:45 like Facebook. All of this to create this illusion of a real person and trick their customers, these ad networks, into thinking they were serving their ads to real people. So you've got these real ad networks in the States contracting out ad placement to Zhukov's company, spending the money of their real clients who are trying to get ads served somewhere, which Zhukov was then serving to his fake sites and tricking into appearing real with this whole smokescreen of fake activity. The result? Media Methane falsified billions of ad impressions. Victims of the scheme include companies like the New York Post, Comcast, Nestle, Purina, Time Warner Cable, all of which paid millions in advertising fees for this fraudulent traffic, some of which he reinvested to keep the fraud going, and most of which he just sort of took out, transferring to offshore accounts and international bank accounts.
Starting point is 00:32:39 So funny enough, at around the same time, we were doing a campaign for a company in our ad agency. And we got approached by somebody who we used to do business with. They were, I think, an ad sales rep for a local media company, TV, radio. Somebody trustworthy. And they had just started working with a new online digital ad network. And they were like, hey, you know, we're setting up this big thing and we help a lot of like local businesses and stuff like that. Would you be interested? We'll give you a very favorable rate for your first few campaigns, for your first few customers. Sure. So we were like, sure.
Starting point is 00:33:17 So we ran some kickoff campaigns for them. I remember requesting the, like, sheets to justify where they served the ads, all of the legals that usually you get in the back end from this stuff. As you pay money for it, so you expect it. And I remember after a while of back and forth, they finally delivered them. And it was mostly, like, all of the same kind of stuff. Illegitimate copies of websites. Oh, weird.
Starting point is 00:33:47 And things like that. And I was like, and the other thing is that the conversion rate per click was very high. Hmm. But the conversion from click was very low. So you had a lot of the ads being clicked on. Oh. But then once that traffic came to the website, the traffic would just go away. It ends.
Starting point is 00:34:09 Yeah, sure. I was like, I'm pretty sure we're being botted. Like this is just bot traffic on these like illegitimate sites. So we actually ended up getting in a fight with this company, pulled all of our revenue from them and all of our clients from them. And it ended poorly. But I think, and I'm not sure what they're doing today, but I feel like they were kind of caught up in the same scheme.
Starting point is 00:34:33 Interesting. So you kind of glimpsed firsthand into this. Yeah, yeah. And they were just trying to do it at a massive national level. And the other thing is, like, we were one of the few agencies that they approached, but they were typically direct to consumers. So they were going into small businesses and selling it like you would a traditional newspaper ad or a traditional radio spot. And I think they were having and gaining a lot of traction. But I'm sure,
Starting point is 00:35:01 you know, after some time, you know, you're just not making any money. Because you're not showing any value, serving ads to bots. And like that was the other thing is I remember getting the geographical report of where a lot of the traffic was coming from. And it was all coming from Florida. Sure. So our local ads being served about local businesses within region, supposed to be targeting people within region, were all getting clicked from Florida and predominantly from the same IP address.
Starting point is 00:35:33 Yeah, like a server farm somewhere where the whole thing was just unfolding on a computer system, falsifying all of that traffic. And I was just like, hold up. I was like, hold up. This is fake. Like, we're not paying for this. And our clients are not going to be a part of this. So anyway, I'm not sure what ended up happening to them.
Starting point is 00:35:53 It's been, you know, whatever, six, eight years. But I'd be intrigued to know. But that sales rep's name was Alexander Sukon. Exactly. Crazy. Anyway, yeah. So firsthand experience of this exact thing and the exact kind of in the similar era too. I think that was 2013, 2014.
Starting point is 00:36:12 Yeah. Well, back then it wasn't really, um, this whole story ends with him having kind of a big example made of him. Because this wasn't really, it was certainly illegal, but no one was going after it. Um, and it's about that point when human,
Starting point is 00:36:29 at the time known as White Ops, gets involved. White Ops was aware of MethBot's fraudulent activity, but it was pretty tricky to stop, especially because MethBot was updating their system constantly to avoid detection. Eventually, they make a mistake, and it was not a technical mistake. It was a very human mistake, which raises the question of how long this would have gone on
Starting point is 00:36:52 for had they not made this mistake. At some point, a deal between MethBot and one of their customers goes wrong. We don't know how. But Zhukov decides to retaliate and spams the customer's inventory, generating millions of fraudulent and presumably very expensive views. But this giant spike in traffic as this very expensive FU to their ex-client that they were beefing with was ultimately how HUMAN caught them. A warrant gets put out for Zhukov's arrest. He flees to Bulgaria in 2018 to try to remain free, is eventually extradited back to New York.
Starting point is 00:37:31 And in late May of last year, Zhukov goes on trial and is found guilty of money laundering, wire fraud, money laundering conspiracy and fraud conspiracy. Though he pleads not guilty, they find him guilty. And he is sentenced to 10 years in prison and ordered to pay millions in forfeiture. What everyone needs to appreciate is every couple of years when a company like ours comes out and says, Hey, everybody, look, we just took down another giant ad fraud operation. Shocker, it's connected to another Russian cyber criminal. Shocker, they've been indicted and when charged with money laundering. Shocker, the scale of this network would only be possible if you started with a giant pile of cash.
Starting point is 00:38:20 And so as people start to get through these facts and understand that, and then they say, okay, wait, so this VastFlux thing that you just took down a few months ago was conducting 12 billion fraudulent auctions a day? How much money is that? How much money would you need to start that operation? Where would someone get that money? And then what would you do with the profits you made? And so as people start to mentally work through, oh, fraud, we have billions of dollars that are knowingly going through ad fraud schemes.
Starting point is 00:39:03 Yet we are connecting that dot to who's funding this? and then once that money is generated, what are they doing with it? What type of operation are they building with the proceeds that are in the bees? And so more and more folks need to be understanding that when we say Russian cyber criminals and the Department of Justice says Russian cyber criminals
Starting point is 00:39:29 and the gentleman is, he has hubris, as folks would like to say, but he's the king of fraud and he openly would brag about various things and we would appear. We need to basically start connecting the dots to what are other Russian cyber criminals involved in? Ransomware. Once you get ransomware money, what do you need to do? Oh, launder it. And there's a series of money flows and crimes where we're investigating one crime, we're investigating another crime.
Starting point is 00:40:05 and we are aware that there's large amount of money flowing through these ecosystems, but not enough people are trying to connect the dots for how the money got there in the first place and what people are doing once they've generated the illicit money. And so hopefully more folks can start to wrap their heads around. This is an economy of crime. And ad fraud both can generate illicit revenue, but it also can be a vehicle for money laundering and that money could have come from other illicit proceeds.
Starting point is 00:40:38 So wild. So HUMAN takes down this guy, who in a text unearthed by the Department of Justice, refers to himself as the king of fraud. But in light of what Zach just said about how operations of this scale require large institutional capital to set up, essentially require large organized crime venture capitalists looking for a return on their investment and a way to launder money, you arrive at the obvious question. Now that they've taken down the king of fraud, where do those financiers point all that money? Bringing us to VastFlux.
Starting point is 00:41:15 And the answer to that question, which seems to be, pump more money into this than anyone else ever has in the history of advertising or computers, after the break. Never stop pumping money in. This episode of Hacked is brought to you by massive-scale ad fraud. With traditional money laundering, for every dollar you put in, you might hope to get out 80, maybe 90 cents. But with unprecedented scale digital advertising fraud, not only can your large organized crime syndicate launder funds, but you can expect to see a 200 to 300% return on the money you were laundering. It's laundering, but profitable. Right now, you can vanish unfathomable sums of money into the nebulous pit that is our attention economy, using the promo code hacked
Starting point is 00:42:07 podcast to get 10% off. That's promo code hacked podcast for 10% off massive international advertising fraud. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late, an alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs,
Starting point is 00:42:45 this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is just off running on their secure operations graph. A constantly updating intelligence engine fueled by more than 9 trillion telemetry events
Starting point is 00:43:03 every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent-led-by-design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
Starting point is 00:43:31 What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind. If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to Arcticwolf.com slash hacked. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head. Organizations around the world saw headlines they never expected,
Starting point is 00:44:19 and cybersecurity teams were tested like never before. But here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded,
Starting point is 00:44:38 and most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fear-mongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked. I just pulled up the data from that.
Starting point is 00:45:07 I don't want to say the company's name. No, no. But I just pulled up the data from all of that stuff from that, like, ad campaign. That just triggered it in my mind. And I went through. And, yeah, we had, I remember one of the issues was that it ruined Google Analytics because all of a sudden we had this, like, massive discrepancy in traffic coming in from Windermere, Florida. Hmm.
Starting point is 00:45:30 A den of fraud and crime. Yeah, exactly. Everything that goes on in Florida is always very up and up, you know? Especially in Windermere. So anyway, yeah, very, very interesting. So let's discuss the big guys and what they got up to next. So far, most of the stuff we've talked about has involved tricking the ad networks into serving ads somewhere they shouldn't. Or tricking people into looking at ads on a place they didn't mean to.
Starting point is 00:46:04 But hypothetically, if you had the resources, there's this other option. If you could throw the resources at it, throw just like the human capital at this, you could go after all of these networks and actually hack them, going one by one down the list and spend the time and money developing basically zero days for all of these different ad networks. And once you've gotten control of them, use that to, you know, to direct the traffic flow of ads, really, wherever you want. And if you had enough resources to be constantly cycling every element of this plan, it would
Starting point is 00:46:45 be exceptionally hard to stop. Until someone were to come along and point a lot of resources at stopping you, you've essentially opened this money spigot. That's VastFlux. Every time I tried to condense or summarize this, I was losing a lot of technical detail. So I'm just going to hand it over to Zach to explain how this worked, how it ran, and how ultimately HUMAN kind of mapped and was able to stop VastFlux. And it all starts with this technical exploit, the one that inspired that name, VastFlux. VastFlux is named
Starting point is 00:47:28 after a DNS evasion technique called fast flux, with an F instead of a V. And so the brief technical description of this is you rotate your domains and the IP address that those domains are hosted on extremely fast. Every minute, every five minutes. And so basically the way that it would look would be, let's say you load up ESPN.com. If someone, if a bad actor was in control of it and there was this fast flux infrastructure on it, every few minutes as you reload the page could be a totally different experience. And so there have been criminal actors who have built malicious infrastructure that constantly rotates. And so this name was created to describe this technique.
Starting point is 00:48:23 And ad fraud operators basically said, oh shit, that looks like a really good way to hide your infrastructure, to keep it from being blocked, and to also, for whatever the purpose, to keep your infrastructure up longer. And so the VastFlux bad operators registered a huge amount of lookalike domains, or at first glance, it may look like an advertising company that you've been working with for years. And they registered a host of domains that they basically used in a giant fraudulent AB testing infrastructure. And so the simplest way to think about it is these bad actors had access to a large amount of money and at some point developed what some folks would
Starting point is 00:49:33 call zero days against advertising systems. So they theoretically investigated dozens of first-tier, second-tier, and third-tier advertising partners. They looked for any literal technical weaknesses, cross-site scripting, various injection schemes, looking for any defensive holes. And then once they had established that specific companies had a minor problem here or minor problem there, they crafted specific code to exploit that, and they basically created code that would exploit the weaknesses
Starting point is 00:50:12 and then trigger fake auctions on someone's device that no one else would see. And so the apps, the advertising partners, whole bunch of people in the ecosystem were targeted and these bad actors sort of saw a door and then created a closet
Starting point is 00:50:42 and then filled that closet with bots and monetizing devices and no one even knew this door existed and no one even knew there was a closet behind it until some of our researchers through the specific methods that we use that we don't really get into basically saw that some apps that should have been totally fine
Starting point is 00:51:12 were generating large amounts of auctions that seemingly were not connected to the legitimate auction systems. And so when we first saw this, the initial collections you could imagine would be maybe two or three domains. Let's just for the simplification stake. And so as we sort of say, oh, look, this one app, it appears that some advertiser is aggressively buying the ads. And wow, they're doing something really funny here. I wonder if this exists anywhere else. And we basically posed the question through data science means, and the answer that we got back was shocking, horrifying.
Starting point is 00:52:11 It was this giant dynamic infrastructure of constantly rotating domains, constantly rotating shell companies, a fake sort of series of companies within the supply chain where major brands were interacting with these fake companies thinking they were legitimate and basically giving them money, thinking they were buying ads that were never showing up anywhere. And this infrastructure, we started to map all of the domains they were using, all the IPs, all of this constantly rotating infrastructure, we basically threw up a magnifying glass on it, captured it, and then we deployed defenses
Starting point is 00:53:09 across our infrastructure and across all of our ad tech partners where not only were we explicitly blocking various infrastructure they may have, but we knew these bad actors, there's an unlimited amount of domains. So to stop a scheme like this, you can't just block the infrastructure they're using, because we block it, 24 hours later they have 500 new domains and everything is back up and running. And so this type of infrastructure really requires dynamic, rule-based understanding of these fraud schemes, so that we can basically create detections where when a malicious actor somehow can create dozens of fake auctions, we now have detections to see that before people and to stop it so that less and less money is
Starting point is 00:54:18 going to these bad actors. But it's important to understand, and your audience as they're hearing my voice may not be able to visualize this, but our company released some graphs showing exactly what the takedown looked like, the literal time, the days, and the volume of the fraudulent requests. And the narrative, which is important for folks to understand, is we were tracking 12 billion requests a day that were fraudulent. We broke this scheme and then almost immediately they tried to relaunch it targeting
Starting point is 00:54:54 new devices and new infrastructure and then another 48 hours later we break that but the volume of these bad actors has never gone to zero and these types of
Starting point is 00:55:10 actors who could have spent months or years not only developing the infrastructure or developing the plans, but writing the code to exploit specific systems, they absolutely, everyone in the industry should expect them to take their infrastructure and now go look for exploits on even lower quality or more niche ad networks that maybe a company like ours doesn't defend on. And so folks who have digital ads and have these ecosystems of money
Starting point is 00:55:46 where brands exchange with a publisher and there are end users that are requesting those ads and generating the volume and frequency that that money is leaving the brand's coffers, they all need to be aware that bad actors like this exist. They have schemes
Starting point is 00:56:07 to create fake impressions, fake auctions. And if you are not looking for it, you could have a large amount of your money sort of disappear. The fact that there's probably just networks of like proxy servers and other technical pieces of infrastructure that allow them to do this probably becomes a big mess of cataloging, itemizing, and removing pieces of that infrastructure. There's probably so many snakes on Medusa's head that it's hard to get them all.
Starting point is 00:56:42 So I imagine it's quite the process. Quite the process. So I included the MethBot king of fraud guy because that story has a really nice cohesive ending. And it's satisfying, right? The guy who self-identifies as the king of fraud gets charged with fraud. Because otherwise, this is kind of a story with no end. In this case, VastFlux, the bad guy's system does get taken down one by one in that giant feat of cataloging as you described it, but it still made them a bunch of money.
Starting point is 00:57:16 They still got the Lambo. And this whole system will now just move, trickling down to sketchier and sketchier ad networks as they work to come up with some new exploit to target those first second and third tier ones. But what's neat about it, and we'll wrap up here with the clip from Zach to this effect, is that once you zoom out,
Starting point is 00:57:38 you basically have a large organized crime syndicate on one side of it that is, invested a ton of money into developing these zero-day exploits that would serve, they hope, as the foundation of a money-making enterprise long into the future. And on the other side, you've got this group of security researchers that was able to take what those criminals had hoped was going to be this long-term structure and just burn it down. All of that time and money that went into building this giant fraud machine and they just shoved a wrench into it and it tore itself apart.
Starting point is 00:58:12 That is a lot of sunk cost for these actors, like businesses and businesses worth of it. Will they build new ones? Certainly. Of course. Yeah, it's profitable. The infrastructure, too, is reproducible. So it's like you tear it down, you still have the recipe.
Starting point is 00:58:32 You still have the code. You still have, you know, you can spin up a hundred more proxy servers and a hundred more web servers that serve illegitimate content. It's not hard. I think that as long as there's a financial, you know, as long as there's demand, there'll be supply. For sure. I guess the easier way to say that. For sure. And I think that we see this, given our advertising side of our lives, we always have a client that's like, hey, you know what? I know of a discount online brokerage. We can buy, we can, you know, instead of paying, you know, X dollars CPM or X dollars, or X dollars, or,
Starting point is 00:59:09 X cents per click, we can pay, you know, a tenth of that. You know, these guys called me. They got all this great network inventory and stuff like that. It's going to be super good. You know, every time I hear somebody say that, the hairs on my neck stand up because I kind of know what's going on. Yeah, sure, sure. I kind of feel like those people are buying space at a discount, or whoever's selling it at a discount, probably people that don't own it.
Starting point is 00:59:39 Yeah, New York Times. New York Times is not selling you their space at a discount. No. So you're buying, you're still buying space and you still might buy space that gets legitimate traffic through deceptive ways sometimes.
Starting point is 00:59:55 But yeah, anyway. I think the, I think to truly stop this problem, it's weird to say and sound even more, you know, monopolistic. But like trusting, trusting the bigger players in the market, I don't know. I don't know if that's the solution or a bigger part of the problem. But it seems like the more that we let the free market rip at this, the more, the more that fraud gets tossed around in it.
Starting point is 01:00:23 I think the solution is kind of a multi-prong thing. Because like you said, that economic, like that quick math of, well, as long as this is profitable, it sucks that our old thing got taken down. But we'll just build a new one. There's this other variable in that, that quick math, which is, but we know that there's someone kind of crawling behind us trying to patch these vulnerabilities. And now they sort of know how we did the last batch. So they're probably going to be even quicker at figuring out the next batch. So as long as you have that additional disincentive, it won't stop them from doing this again.
Starting point is 01:00:58 They're going to do this again. But it maybe changes how much they're willing to invest in doing it, knowing that it might not be around as long as they'd hoped for. True. Reduce the future revenues by shortening the time frame. Maybe instead of two or three hundred percent returns, they'll only see 100 percent returns. I guess if you can get that number down to sub 100,
Starting point is 01:01:20 you're just as well off converting it into gold bars or whatever people used to do for money laundering. Yeah, buy laundromats. So let's end there. I asked Zach whether this kind of thing will ever really end, what this VastFlux crackdown really changed and how this can be stopped. So that fine, fine media products like Hacked and the New York Times can continue to thrive,
Starting point is 01:01:45 brought to you by drop shipping mattress companies. We burned a bunch of their zero days. And taking down infrastructure like this oftentimes requires blocking their monetization sources. Modern defense is really about understanding that these threat actors are relying on the lack of transparency to defraud systems like this ad tech ecosystem. And a modern defense requires communicating to impacted organizations, agreeing on what a wall or an appropriate blocker could be. And in many instances, it's either a let's deploy our walls at X time and date,
Starting point is 01:02:37 or in our instance, we help with that coordination on behalf of our clients and deploy those blockers. And so, an entity like VastFlux is run by a criminal group that are still on the streets.
Starting point is 01:02:53 They're still enjoying their espresso. They're still maybe driving their Lambo. They are still probably happy as a clam that maybe this worked for weeks on end, or months, to be generous.
Starting point is 01:03:12 But they also probably spent a ton of money on the infrastructure, a ton of money developing the exploits. And they are back to ground zero, but ground zero with a bank account full of
Starting point is 01:03:27 millions is a dangerous place for the industry to sit back and be like, we got them. Another one bites the dust. And yes, we got these bad actors. Yes, this is something we should all be super proud of. And this is really special collaboration across a large amount of companies.
Starting point is 01:03:47 But the bad actors that profit from these games probably still felt like it was some degree a success or learned something about that, and we'll just try and evolve and do it in a more sophisticated way and with even more obfuscation. So this time was a VastFlux, fast flux, dynamic, hundreds of domains orchestration techniques. The next time, it'll probably be something that I don't even want to allude to and give people bad ideas. So let's just say the bad actors will continue doing what they're doing until we increase the ramifications on their bad behavior.