Criminal group’s methbot scheme rented more than 1,900 computer servers hosted in Dallas data centres to load ads on fabricated websites

A major fraud operation which caused businesses millions of dollars in losses from falsified ad revenue has been dismantled by US authorities.

Two global cybercrime rings were uncovered resulting in the indictment of eight men on charges related to widespread digital advertising fraud.

Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko, were all indicted for a variety of charges including wire fraud, computer intrusion, aggravated identity theft and money laundering.

Ovsyannikov was arrested last month in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested earlier this month in Estonia. All men await extradition, with the remaining defendants still at large.

Data centre methbot

One of the groups – which US authorities have creatively dubbed “Ad Network#1” – used a data centre methbot scheme to pose as advertising companies delivering ads to real internet users accessing actual websites.

In reality, they ran automated programs on a network of 1,900 rented computer servers hosted in commercial data centres in Dallas to load ads on fabricated webpages, and sat back as digital ad revenue came flowing in. In total, the group spoofed more than 5000 domains. The data centres in question have not been revealed.

Robots suspiciously receptive to ad campaigns

Loading the ads on fabricated websites was only one half of the operation. The group also had to persuade its customers that humans were viewing or engaging with the content, as digital advertising revenue is based on user clicks and views. The group also used its data centre network to create the illusion of human activity.

Using the methbot, the group programmed data centre servers to simulate internet browsing through a decoy browser, scrolling using a decoy mouse, the starting and stopping of video ads, and the appearance of being signed into Facebook.

The group also leased 650,000 IP addresses, assigned multiple IP addresses to each data centre server, and then registered the IPs to create the illusion that the servers belonged to homeowners subscribed to consumer ISPs.

“Ad Network #1” falsified billions of ad views, receiving a tidy $7 million sum of ads that were never actually viewed.