3ve is a ring of hackers that presented themselves as legitimate companies delivering advertisements to real human Internet users accessing real Internet webpages. This group of BGP hijackers faked both the users and the webpages by programming computers under their control to load advertisements on fabricated webpages automatically.
Ad Network #1
From September 2014 to December 2016, 3ve ran Ad Network #1, also known as "Methbot." In this scheme, 3ve had business arrangements with advertising networks whereby it received payments in return for placing advertising placeholders ("ad tags") on websites. 3ve rented more than 1,900 computer servers housed in commercial data centers, mainly in Dallas, Texas, and Germany, to load ads on fabricated websites and spoof over 5,000 domains. The hackers then programmed the data center servers to simulate humans browsing the internet through fake browsers: simulating mouse movements to move around and scroll down webpages, running video players, and appearing to be signed into Facebook. 3ve also leased over 650,000 IP addresses, which were assigned to the data center servers and registered as residential computers belonging to individual subscribers of various internet service providers. 3ve falsified billions of ad views and received over $7 million.
Ad Network #2
From December 2015 to October 2018, 3ve ran "Ad Network #2." In this scheme, the hackers used a global botnet of computers infected with the malware families known as Kovter and Boaxxe. 3ve used command-and-control servers to direct and monitor the infected computers and to check whether each one had been flagged by cybersecurity companies. The hackers accessed more than 1.7 million infected computers belonging to ordinary individuals and businesses around the world. They used hidden browsers, running in the background of those computers, to download fabricated webpages and load ads. Through Ad Network #2, the hackers falsified billions of ad views and received more than $29 million.
While the FBI gathered evidence to build its case, IAB Tech Lab began developing Ads.txt at the end of 2016 and released it in late June 2017; it lets buyers filter out unauthorized sellers of a publisher's inventory.
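How that filtering works in practice, as an added example that is not code from IAB Tech Lab or from the 3ve case: a buyer fetches the ads.txt of the publisher domain a bid claims and rejects bids whose seller and publisher id are not listed there. All domains, ids and bid requests below are constructed.

```python
# Added example (not from the 3ve case): checking a bid's claimed publisher
# domain against that domain's ads.txt. All names and data are constructed.

# Constructed file, as it would be served at https://news-example.com/ads.txt
ADS_TXT = """\
# a real file lists every exchange the publisher authorizes
contact=adops@news-example.com
exchange-a.example, pub-1111, DIRECT, f08c47fec0942fa0
exchange-b.example, 2222, RESELLER
this line is malformed and must be ignored
"""

def parse_ads_txt(text: str) -> list:
    """Return (seller_domain, publisher_id, relationship) records; comments,
    key=value variables and malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop trailing comment
        if not line or "=" in line.split(",", 1)[0]:  # blank or variable line
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue                                  # malformed record
        records.append((fields[0].lower(), fields[1], fields[2].upper()))
    return records

def is_authorized(records: list, seller: str, publisher_id: str) -> bool:
    """True if the publisher's ads.txt lists this seller/publisher-id pair."""
    return any(dom == seller.lower() and pid == publisher_id
               for dom, pid, _rel in records)

def flag_unauthorized(bids: list, ads_txt_by_domain: dict) -> list:
    """(bid index, reason) for each bid its claimed domain does not vouch for;
    a domain with no ads.txt cannot be verified and is flagged as such."""
    flagged = []
    for i, bid in enumerate(bids):
        text = ads_txt_by_domain.get(bid["domain"])
        if text is None:
            flagged.append((i, "no ads.txt for claimed domain"))
        elif not is_authorized(parse_ads_txt(text), bid["seller"], bid["publisher_id"]):
            flagged.append((i, "seller/publisher id not listed"))
    return flagged

# Constructed bids: genuine; spoofed domain via an unlisted seller; unverifiable domain.
BIDS = [
    {"domain": "news-example.com", "seller": "exchange-a.example", "publisher_id": "pub-1111"},
    {"domain": "news-example.com", "seller": "rogue-ssp.example", "publisher_id": "pub-1111"},
    {"domain": "other-example.com", "seller": "exchange-a.example", "publisher_id": "pub-1111"},
]
```

Running `flag_unauthorized(BIDS, {"news-example.com": ADS_TXT})` flags the second bid (seller not listed) and the third (no ads.txt to check against), which is the check that stripped spoofed domains of their value as resale inventory.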
U.S. Federal Indictments
On November 27, 2018, with the help of Europol, Interpol, and the governments of Malaysia, Bulgaria, Estonia, Germany, the Netherlands, France, Switzerland, and the U.K., Richard P. Donoghue (United States Attorney for the Eastern District of New York), William F. Sweeney, Jr. (FBI), and James P. O'Neill (Commissioner, NYPD) announced a 13-count indictment in a U.S. federal court in Brooklyn charging Russians Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Kazakhstani Yevgeniy Timchenko with widespread digital advertising fraud, wire fraud, computer intrusion, aggravated identity theft, and money laundering. Seizure warrants authorized the FBI to take control of 31 domains and multiple international bank accounts, mainly in Switzerland, and search warrants authorized it to take information from 89 computer servers that formed part of the infrastructure of the botnets engaged in the criminal activity. The FBI worked with private sector partners, such as Google and WhiteOps, to redirect traffic destined for those domains through DNS sinkholing.