Evaluating the Impact of Methbot – The ‘Most Profitable Ad Fraud Operation’ in History

In December 2016, the cybersecurity firm White Ops introduced the world to Methbot – “the largest and most profitable ad fraud operation to strike digital advertising to date.” White Ops’ report said the Methbot operation, which got its name from drug references in the bot’s code, had been tricking advertisers into buying 200-300 million bogus video ad impressions a day at an average cost per thousand impressions (CPM) of $13.04. Add it all up and that’s an estimated $5 million a day worth of fabricated video ad impressions. The report sent shockwaves through the digital advertising community and was picked up by major media outlets like CNN, Forbes, The New York Times and others. Despite the media coverage, it’s still unclear how much damage Methbot actually inflicted on digital advertisers.

So, how does Methbot work?

When someone visits a website or app with unsold ad space it sparks an auction between advertisers. In most programmatic transactions, there is no direct contact between advertiser and publisher. Multiple third parties work to automate the buys by bundling up ad impressions and selling them a thousand at a time.

Check out the White Ops report for an in-depth look at Methbot.

Methbot avoided all that by removing publishers and audiences from the equation. First, the Methbot operation fabricated thousands of webpages, using the domain names of premium publishers, that contained just the elements needed to serve video ads. Each time someone visited one of the faux pages, a video player would send a request to an ad network with an available impression from what looked like a legitimate website.

That took care of the publishers, but Methbot’s operators still needed an audience to populate their digital Potemkin village. Most ad fraud operations manufacture bogus impressions by hacking existing IP addresses (the ID linking users to their online activity) and forcing residential computers to visit sites without the user knowing. But the method is outdated and easy for advertisers to catch. That’s why Methbot’s operators decided to buy about $4 million worth of new IP addresses, which they used to create fake web sessions with elements a real user would have, like browser history and social login information. Along the way, Methbot’s creators incorporated a variety of additional tactics to mask their activity, but digital advertisers have been dealing with fraud for years and know how to spot it.

Methbot, or ‘Mehbot?’

Despite the reported impact of Methbot, the ad industry response has ranged from indifferent to dismissive. Many in the industry believe the sophistication and impact of the operation were overblown. “It’s pretty clear that we shut down this particular scheme long ago. While it was sophisticated in some ways, it wasn’t very hard to stop,” the CEO of AppNexus Brian O’Kelley wrote in a post on Medium. “I’m incredibly frustrated that we continue to fire off huge numbers… and then when you actually run the numbers, the impact is dramatically less.”

Integral Ad Science’s (IAS) Jason Shaw published a blog post titled “Methbot? More Like Mehbot” echoing O’Kelley’s sentiment on Methbot’s sophistication, or lack thereof, and also questioned the financial windfall of the operation. “Have the fraudsters behind Methbot recouped their ($4 million) investment in IP address allocation? Probably,” Shaw said. “Have they extracted over a billion dollars? Doubtful.”

This seems like a good place to point out that a lot of programmatic ad inventory goes unsold. White Ops based their $3-$5 million per day estimate on the auction value of the bid requests, not actual sales. If fraud detection tools spot dubious signals, they shut down the transaction and no money changes hands.

The industry response to Methbot

White Ops didn’t release a list of companies hit by Methbot, but a number of digital ad companies have stepped forward to share their findings.

PubMatic

“After conducting our own analysis, we’re pleased to report that the inventory and ad quality tools and processes we have in place mitigated the impact of Methbot on our publishers and demand partners. In fact, less than 0.002 percent of the impressions on our platform were affected…”

– Anand Das – Co-founder and CTO, company blog post

DataXu

“During a rigorous discovery process to determine the impact of Methbot on advertisers using the DataXu platform, the company found that only .08 percent of daily media spend in December could be attributed to fraudulent Methbot IP addresses.”

– Company press release

Index Exchange

“(Index Exchange has only seen) 14 impressions against the 571,904 IP addresses identified by White Ops, over a December platform wide log pull, relative to billions of impressions delivered on the platform in the same timeframe.”

– Andrew Casale – President and CEO, company blog post

Simpli.fi

“The impact on our advertisers is very low. We have been seeing significantly less than 1/10th of one percent of spend on our platform to the IP ranges affected.”

– Company blog post

*Disclosure: Simpli.fi is a Mindstream agency partner.

Other companies have released similar findings – including comScore, OpenX and The Trade Desk – but it doesn’t mean that Methbot didn’t have an impact on the industry as a whole. It’s a small sample and there are a variety of factors that make it difficult for any company to judge how many ad transactions were compromised by Methbot.
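The kind of log pull these companies describe can be sketched as follows. This is an added example, not code from White Ops or any of the platforms quoted: it matches auction log rows against a list of flagged IP ranges and reports the value of the bid requests separately from the spend that actually cleared. The CIDR ranges, the log schema and all values are constructed for illustration.

```python
import bisect
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges), not the White Ops list.
FLAGGED_CIDRS = ["198.51.100.0/24", "203.0.113.0/25", "198.51.100.128/25"]

# Constructed log rows: (client_ip, bid_cpm_usd, cleared, clearing_cpm_usd)
LOG = [
    ("198.51.100.7", 13.00, False, 0.0),   # flagged, blocked before sale
    ("198.51.100.9", 13.00, True, 11.50),  # flagged, sold
    ("203.0.113.20", 14.00, False, 0.0),   # flagged, blocked before sale
    ("203.0.113.200", 9.00, True, 8.00),   # outside the flagged /25
    ("192.0.2.15", 6.00, True, 5.00),
    ("192.0.2.16", 7.00, True, 6.50),
    ("not-an-ip", 5.00, True, 4.00),       # malformed row
]

def build_index(cidrs):
    """Merge overlapping CIDRs into sorted integer ranges for binary search."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    ranges = [(int(n.network_address), int(n.broadcast_address)) for n in nets]
    return [s for s, _ in ranges], [e for _, e in ranges]

def is_flagged(ip, starts, ends):
    """True/False for a valid IPv4 address, None for an unparseable one."""
    try:
        value = int(ipaddress.IPv4Address(ip))
    except ValueError:
        return None
    i = bisect.bisect_right(starts, value) - 1
    return i >= 0 and value <= ends[i]

def exposure(log, cidrs):
    """Bid-request value vs. cleared spend attributable to flagged ranges."""
    starts, ends = build_index(cidrs)
    out = {"bad_rows": 0, "flagged_requests": 0, "flagged_impressions": 0,
           "bid_value": 0.0, "flagged_spend": 0.0, "total_spend": 0.0}
    for ip, bid_cpm, cleared, clearing_cpm in log:
        spend = clearing_cpm / 1000 if cleared else 0.0  # CPM is per 1,000
        out["total_spend"] += spend
        hit = is_flagged(ip, starts, ends)
        if hit is None:
            out["bad_rows"] += 1  # count it, do not guess a verdict
        elif hit:
            out["flagged_requests"] += 1
            out["bid_value"] += bid_cpm / 1000
            out["flagged_impressions"] += int(cleared)
            out["flagged_spend"] += spend
    total = out["total_spend"]
    out["spend_share_pct"] = 100 * out["flagged_spend"] / total if total else 0.0
    return out
```

On the constructed rows, three bid requests come from flagged ranges but only one clears, so the bid-request value is several times the flagged spend, which is the gap between the two ways of counting discussed above.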

How big of a deal is this?

It’s difficult to gauge the total damage Methbot inflicted. On one side, we have major ad companies – who have a serious incentive to not fall victim to ad fraud – claiming that Methbot’s impact was minimal (at least on their platforms). On the other side, there’s White Ops – an ad fraud detection company whose business model depends on advertisers falling victim to fraud – claiming that Methbot is the “most profitable ad fraud operation” in history. It’s likely that the ad companies with up-to-date technologies were able to mitigate most of the damage, but there are thousands of ad platforms, exchanges and networks that carry out ad buys, each with varying levels of detection capabilities. So, unless the group behind Methbot decides to open their books, we may never know the full impact.