
Botnets in Ad Fraud: Methbot, 3ve, and 2026's AI Networks


Botnets power most click and impression fraud at scale. Famous cases (Methbot, 3ve, Vastflux), how they evade GIVT filters, and the 2026 signal stack.


Ad-fraud botnets are coordinated networks of compromised devices that generate fake clicks, impressions, and app installs to extract money from digital advertisers. They are the primary infrastructure behind programmatic invalid traffic in 2026, responsible for the majority of fraud losses inside the $172 billion global ad-fraud figure Juniper Research projects for this year. [1] Famous historical examples include Methbot, which billed $3 to $5 million per day in fake video views, and 3ve, which infected over 1.7 million machines before its 2018 takedown. [2]

What changed in 2026 is the rise of AI-driven botnets that mimic human cursor physics, solve CAPTCHAs, and rotate residential proxies at session level. Standard GIVT filtering catches under 40 percent of this Sophisticated Invalid Traffic, leaving the gap that advertiser-side detection has to close. [3] This guide covers what an ad-fraud botnet is, the famous cases (Methbot, 3ve, ZeroAccess, DrainerBot, Vastflux), how modern botnets evade detection, the signal stack advertisers can use, and what to do when your campaigns are hit. The full defense picture sits inside our broader click fraud protection pillar.

Key Takeaways
  • Botnets are the infrastructure layer of ad fraud. Most large-scale click, impression, and install fraud runs through compromised devices, not single-server scripts. The economics of fraud require scale, and botnets supply it.
  • Famous cases prove the model works at industrial scale. Methbot billed $3 to $5 million per day, 3ve infected 1.7 million devices, and Vastflux generated 12 billion fraudulent bid requests per day before mitigation.
  • Modern botnets evade GIVT detection by design. Residential proxies, patched headless browsers, AI-driven cursor physics, and on-device emulation push traffic into the SIVT bucket that GA4 and ad platform filters do not see.
  • The 40 percent catch-rate gap is the advertiser’s problem. Industry verification data shows standard rule-based filtering catches roughly four in ten sophisticated bots, leaving six in ten to spend the budget.
  • Defense is layered. Pre-bid signal filtering, real-time scoring at the impression and click layer, post-click verification, and refund disputes against the platform together close the gap that any single layer cannot.

What is a botnet, in advertising context?

A botnet is a network of internet-connected devices (computers, phones, smart TVs, routers, IoT cameras) that have been compromised by malware and brought under a single operator’s command and control. In the advertising context, the operator uses that network to manufacture fake ad events at scale: clicks, impressions, video views, app installs, and conversion events that bill real advertiser dollars but represent zero genuine attention. [2]

That mechanic is what separates ad-fraud botnets from the generic cybersecurity botnets that serve DDoS attacks or credential stuffing. An ad-fraud botnet has to render ads in a way that looks human to verification vendors. That means real browsers (or convincing emulations of them), real cookies, plausible page navigation, and timing that resembles human attention. The infrastructure overhead is higher than a DDoS network, and the payoff per node is also higher: a compromised device that views 200 video ads per day at $20 CPM is worth more to the operator than the same device firing junk HTTP requests.

The two-tier structure

Most documented ad-fraud botnets have a two-tier architecture. The first tier is the command and control servers the operator runs, which distribute target lists (which sites to visit, which ad slots to render, which clicks to fire). The second tier is the infected fleet itself, which executes the work. In sophisticated cases there is a third intermediate layer of residential proxy egress nodes that wrap the bot traffic in legitimate-looking IP addresses before it hits the advertising stack.

The result, from the advertiser’s vantage point: traffic arrives from real consumer IPs on real ASNs, with real user agents, rendering real ad creatives in real browsers, on pages that may even be legitimate publishers (rented or spoofed). Distinguishing this from a human session requires signals that operate below the layers the bot can fully control. We covered the technical signal stack in detail in our bot traffic detection guide.

Why are botnets the backbone of ad fraud?

Scale is the answer. The economics of digital ad fraud only work when an operator can manufacture millions of impressions or thousands of clicks per day across enough distinct fingerprints that no single signal flags the activity. A solo bot script running on one server gets blocked in hours. A botnet of 500,000 residential nodes rotated across multiple ASNs and device classes can run for years before mitigation, which is what Methbot and 3ve both demonstrated. [2]

The programmatic auction model amplifies this further. Real-time bidding evaluates billions of impressions per day. Detection has to happen in single-digit milliseconds per bid request, which structurally favors scale-based fraud over scale-based defense. Any fraud technique that can be replicated across hundreds of thousands of devices simultaneously will outrun rule-based filters that have to be authored, tested, and shipped one signal at a time.

Why distributed beats centralized for the fraudster

The advertising-fraud market is structurally biased toward distributed attackers because the standard verification stack assigns a per-IP reputation. A single attacker IP gets a bad score fast. A distributed attacker spreads the same volume across 500,000 IPs and never accumulates per-IP reputation. The defense cost grows linearly with the number of distinct entities to score, while the attacker cost grows sublinearly, because adding nodes to a botnet is cheap compared to building a per-IP scoring engine.

This is why the industry has moved from IP-based blocklists to fingerprint and behavioral scoring. The IAB/ABC International Spiders & Bots List, the basis for most platform-level GIVT filtering, is a declared-bots list and cannot, by construction, catch undeclared sophisticated traffic. [4] The Media Rating Council’s IVT framework names this exact problem: GIVT covers what blocklists can catch, SIVT covers what they cannot. Botnets sit firmly in SIVT.

What are some famous ad-fraud botnets?

Five botnets define the modern history of advertising fraud and illustrate how the techniques evolved between 2011 and 2023. Each was documented in detail by HUMAN Security (formerly White Ops), FBI affidavits, or industry verification vendors. Their combined documented losses exceed $1 billion, and the techniques they pioneered (residential proxy abuse, domain spoofing, SDK hijacking, header bidding manipulation) are still in active use by smaller operators in 2026. [2]

Methbot (2016)

Methbot was the first ad-fraud botnet to receive industrial-scale public documentation. White Ops (now HUMAN Security) published the operation’s details in December 2016. [2] The operation rented data-center capacity at scale, registered approximately 570,000 fraudulent IPv4 addresses through forged registry records (making them appear residential to ASN lookups), and spoofed roughly 250,000 premium publisher domains.

The operators ran custom-built browser software that simulated human ad viewing across 6,000 spoofed premium-publisher properties, generating between 200 and 300 million fraudulent video impressions per day at peak. Daily revenue estimates ranged from $3 million to $5 million. The technical innovation was the IP-registry forgery, which let data-center traffic pass IP-based residential checks. Today’s residential proxy ecosystem is in part the heir to that approach, scaled and commercialized.

3ve (Eve) (2017-2018)

3ve was named for its three operational subnetworks: 3ve.1, 3ve.2, and 3ve.3. The U.S. Department of Justice, FBI, and HUMAN Security coordinated the takedown announced in November 2018. [2] At peak, 3ve infected over 1.7 million Windows machines with the Kovter and Boaxxe malware families, used those machines as residential proxies, and ran headless Chrome browsers to render ads on spoofed publisher domains.

The financial scale was eight to ten million dollars per month at maximum, and the operation generated three to twelve billion daily bid requests across its sub-networks. Eight defendants were indicted, with two extradited and convicted. 3ve’s significance is that it combined three techniques (malware infection, residential proxy abuse, and domain spoofing) into one coordinated operation. Every major ad-fraud botnet since has used some variation of the 3ve playbook.

ZeroAccess and Bamital (2011-2013)

ZeroAccess and Bamital are the older generation: peer-to-peer botnets that pre-date the modern programmatic ecosystem. ZeroAccess at peak controlled over 1.9 million infected machines and conducted click fraud against search ads, costing advertisers an estimated $2.7 million per month by Microsoft’s 2013 estimate before partial takedown. Bamital, taken down by Microsoft and Symantec in 2013, hijacked search results on infected machines to redirect users through affiliate URLs, earning the operators commissions on what looked like legitimate user traffic.

These two cases established the legal precedent for civil and criminal action against ad-fraud operators and pioneered the click-injection and search-hijack techniques that affiliate fraud rings still use in 2026. We cover the affiliate-side mechanics separately in our SDK spoofing detection coverage.

DrainerBot (2019)

DrainerBot is the case study for SDK-level ad fraud. Researchers at Oracle Dyn (then Moat) disclosed in early 2019 that a malicious SDK embedded in hundreds of Android apps was loading hidden video ads on user devices, draining battery and mobile data while generating fraudulent video ad impressions for the operators. The SDK was distributed through a single fraudulent advertiser network that paid app developers to include it. Estimated losses ranged in the tens of millions of dollars, and Google removed the affected apps from the Play Store after disclosure.

DrainerBot matters because it shifted the fraud surface from the consumer device’s malware infection to the app supply chain. The user never installed malware. They installed a legitimate game that bundled an SDK containing the ad-fraud component. This is also the model click injection and click flooding fraud uses against mobile attribution, which we cover in click injection vs click flooding.

Vastflux (2022-2023)

Vastflux is the modern reference case. HUMAN Security’s Satori Threat Intelligence team disclosed the operation in January 2023, with attribution to a campaign that peaked in mid-2022. [2] Vastflux ran inside the VAST video ad rendering tag, injecting code into legitimate in-app placements that stacked up to 25 hidden video ads in a single slot. The operation spoofed 1,700 apps, targeted 120 publishers, and generated 12 billion fraudulent bid requests per day at peak across iOS and Android.

The Vastflux technique combined ad stacking, which we cover in ad stacking fraud, with VAST tag manipulation specific to video. It demonstrates how modern operators target the most lucrative inventory format (in-app video CPMs run two to five times display CPMs) and use a rendering trick that bypasses both pre-bid and most post-bid verification.

How do modern botnets evade detection?

Modern ad-fraud botnets evade detection by layering four evasion techniques that each defeat a specific industry filter. Residential proxy networks defeat IP and ASN classification, browser stealth plugins defeat fingerprint checks, AI-driven cursor physics defeat behavioral biometrics, and on-device emulation defeats device attestation. The combined effect is the under-40-percent SIVT catch rate that Integral Ad Science’s annual Media Quality Report has documented across the industry. [3]

The defender’s challenge is that any single evasion technique can be matched by a single detection signal. Several evasion techniques in combination require as many orthogonal detection signals, and any signal correlation a defender finds gets reverse-engineered into the next botnet revision within months. The evolution since Methbot is the move from technique-specific evasion to AI-driven adaptive evasion.

Residential proxies

The largest residential proxy networks advertise over 100 million IP addresses across consumer ISPs in every populated country. These IPs come from devices enrolled in proxy networks through bundled SDKs in free apps, free VPN services that monetize by selling the user’s bandwidth, or outright malware infection. From the ad platform’s perspective, traffic exits these networks on a real Comcast or BT IP, with a real consumer ASN, geolocated to a real residential ZIP code.

The defender’s response is fingerprinting the exit nodes. Companies like Spur and IPQS maintain residential-proxy IP lists by running honeypots across the proxy marketplaces and recording which IPs forward their probe traffic. The list is never complete, because new IPs enter the proxy networks daily, but it cuts the cheapest tier of botnet traffic.

Browser stealth plugins

The standard automation frameworks (Puppeteer, Playwright, Selenium) all expose tells: navigator.webdriver === true, missing chrome.runtime, distinctive WebGL renderer strings, and so on. Open-source stealth plugins (puppeteer-extra-plugin-stealth, undetected-chromedriver) patch the visible tells. AI-driven botnets in 2026 go further: they ship per-session fingerprint randomization that produces a coherent fingerprint matching a real device class (a specific Samsung Galaxy A12 with a specific Android version and a specific carrier) for the duration of the session.

In our field testing, the gap between detecting “default Puppeteer” (trivially easy) and detecting “stealth Puppeteer running on residential proxy with randomized fingerprint” (genuinely hard) is the gap between a usable in-house bot filter and needing a commercial multi-signal stack.

AI-driven cursor and interaction physics

Earlier bots either skipped mouse movement entirely (instant click on the ad) or used Bezier-curve mouse simulation (too smooth, too consistent). Behavioral biometrics caught both. Modern AI-driven botnets train cursor models on real human session recordings and produce mouse paths with the right micro-jitter, velocity profiles, and pause patterns to match the distribution of real users on the same device class.

The defender’s response has shifted from cursor entropy thresholds to cursor distribution analysis. A single AI-generated path looks human. The aggregate distribution across 10,000 sessions from the same botnet still shows characteristic clustering. This is one of the signals where commercial cross-tenant detection beats single-site detection, because the cluster needs cross-customer volume to surface.
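An added illustration of the distribution idea above (example code, not the article’s or Adsafee’s): each path is reduced to a few physics features, and the fleet-level signal is how tightly those features cluster across many sessions. The cursor paths are constructed with a toy generator, the feature set (mean speed, heading-change spread, pause fraction) and the pause threshold are assumptions, and the “human” fleet simply draws different habits per session while the “bot” fleet comes from one model with slight parameter noise.

```python
import math
import random
from statistics import mean, pstdev
from typing import List, Tuple

Point = Tuple[float, float, float]   # (t_ms, x_px, y_px); constructed sample format
PAUSE_SPEED = 0.02                    # px/ms below which a segment counts as a pause (assumption)


def path_features(path: List[Point]) -> Tuple[float, float, float]:
    """Per-path physics: (mean speed px/ms, std of heading change, pause fraction)."""
    if len(path) < 2:
        return (0.0, 0.0, 0.0)
    speeds: List[float] = []
    headings: List[float] = []
    pauses = 0
    for (t0, x0, y0), (t1, x1, y1) in zip(path, path[1:]):
        dt = max(t1 - t0, 1e-6)
        dx, dy = x1 - x0, y1 - y0
        speed = math.hypot(dx, dy) / dt
        speeds.append(speed)
        if speed < PAUSE_SPEED:
            pauses += 1
        else:
            headings.append(math.atan2(dy, dx))
    # Wrapped heading change between consecutive moving segments.
    turns = [abs(math.atan2(math.sin(b - a), math.cos(b - a)))
             for a, b in zip(headings, headings[1:])]
    return (mean(speeds), pstdev(turns) if turns else 0.0, pauses / len(speeds))


def fleet_dispersion(paths: List[List[Point]]) -> float:
    """Average coefficient of variation of the features across sessions.

    A single AI-generated path scores like a human; a fleet driven by one
    cursor model clusters, so its dispersion is far lower than a real
    population's. Lower value = tighter cluster = more suspicious.
    """
    feats = [path_features(p) for p in paths]
    cvs = []
    for i in range(3):
        col = [f[i] for f in feats]
        m = mean(col)
        cvs.append(pstdev(col) / m if m > 0 else 0.0)
    return mean(cvs)


def synth_path(rng: random.Random, base_speed: float, jitter: float,
               pause_prob: float, n: int = 120) -> List[Point]:
    """Constructed cursor path sampled at ~60 Hz (not a recording of real users)."""
    t, x, y = 0.0, 100.0, 100.0
    heading = rng.uniform(-math.pi, math.pi)
    path = [(t, x, y)]
    for _ in range(n):
        t += 16.0
        if rng.random() < pause_prob:
            path.append((t, x, y))          # dwell: cursor does not move
            continue
        heading += rng.gauss(0.0, jitter)
        step = base_speed * 16.0 * rng.uniform(0.5, 1.5)
        x += step * math.cos(heading)
        y += step * math.sin(heading)
        path.append((t, x, y))
    return path


def human_fleet(seed: int = 7, sessions: int = 40) -> List[List[Point]]:
    """Every session draws its own speed, jitter and dwell habits."""
    rng = random.Random(seed)
    return [synth_path(rng, rng.uniform(0.2, 1.5), rng.uniform(0.1, 0.8),
                       rng.uniform(0.02, 0.3)) for _ in range(sessions)]


def bot_fleet(seed: int = 7, sessions: int = 40) -> List[List[Point]]:
    """Every session comes from one cursor model with only slight parameter noise."""
    rng = random.Random(seed)
    return [synth_path(rng, 0.7 * rng.uniform(0.98, 1.02), 0.3 * rng.uniform(0.98, 1.02),
                       0.1) for _ in range(sessions)]


if __name__ == "__main__":
    print("human fleet dispersion:", round(fleet_dispersion(human_fleet()), 3))
    print("bot fleet dispersion:  ", round(fleet_dispersion(bot_fleet()), 3))
```

The point the numbers make is the one in the text: no single bot path fails `path_features`, but `fleet_dispersion` over the bot fleet comes out well below the human fleet, and that contrast only exists once enough sessions from the same operator are pooled, which is why cross-tenant volume matters.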

On-device emulation

This is the most expensive evasion class. The operator runs real Android devices in farms (cloud-controlled or physical), or runs convincing Android emulators with hardware-level attestation spoofing. From the ad SDK’s perspective, the traffic is coming from a real Pixel 8 with a valid Play Integrity attestation. This is the class of fraud documented in click-farm and incentivized-traffic networks, which we cover in click farms targeting Google Ads.

How do you detect botnet traffic from the advertiser side?

Advertiser-side botnet detection works by stacking signals across the request lifecycle so no single evasion technique passes alone. The working stack in 2026 is six layers: pre-bid filtering, real-time impression scoring, real-time click scoring, post-click behavioral verification, conversion-window analysis, and cross-source reconciliation against verification vendors. [4] No single layer catches a sophisticated botnet on its own; the value is in the correlation across all six.

The signal stack below is what shows up in production deployments. For the underlying detection signals, the full server-and-client breakdown is in our bot traffic detection guide. For the broader fraud landscape, see the types of ad fraud overview.

The six-layer signal stack

  1. Pre-bid filtering at the DSP. Block bid requests from data-center ASNs, declared-bot user agents, and IPs on real-time threat feeds before bidding.
  2. Real-time impression scoring. Score the impression on JA3/JA4 fingerprint, device-fingerprint coherence, and known-bot canvas/WebGL hash matches at render time.
  3. Real-time click scoring. Apply the same signal stack at click time, plus click-timing heuristics (sub-300ms time-on-page before click, no scroll, no mousemove).
  4. Post-click behavioral verification. Once the user lands, instrument the landing page to score mouse entropy, scroll velocity, and time-to-interaction. Bots that pass impression and click checks often fail behavior.
  5. Conversion-window analysis. Track click-to-conversion ratios per source and flag drops above 30 percent versus baseline as suspect traffic.
  6. Cross-source reconciliation. Reconcile DSP-reported impressions and clicks with verification vendor data (DV, IAS, MOAT) weekly. Gaps above 5 percent indicate invalid traffic the upstream filters missed.
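As an added example (not code from the original article or from Adsafee’s product), the following Python sketch applies layers 1, 2, 3, 5 and 6 of the stack above to constructed click events, and the same checks answer the measurement question in the FAQ below. The field names, the decision rule (two concurrent signals make a click invalid, one makes it suspect) and the reference sets (placeholder ASNs from the documentation range, TEST-NET addresses, a made-up JA3 hash) are assumptions; the thresholds are the ones the list names (300 ms, 30 percent, 5 percent).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed reference data standing in for live threat feeds.
# ASNs 64496-64511 are reserved for documentation, so these are placeholders.
DATACENTER_ASNS = {64500, 64501}
DECLARED_BOT_UA_MARKERS = ("Googlebot", "bingbot", "HeadlessChrome")
KNOWN_BOT_JA3 = {"ja3-constructed-bot-hash-01"}
RESIDENTIAL_PROXY_EXITS = {"203.0.113.77"}   # TEST-NET-3 address, constructed


@dataclass
class ClickEvent:
    """One click as logged at the advertiser edge (field names are assumptions)."""
    source: str
    ip: str
    asn: int
    user_agent: str
    ja3: str
    time_on_page_ms: int
    scroll_events: int
    mousemove_events: int


def score_click(ev: ClickEvent) -> Dict[str, object]:
    """Layers 1-3: network checks, fingerprint checks, click-timing heuristics.

    Returns a verdict plus the list of signals that fired, so an analyst can
    see which layer caught the event rather than a bare score.
    """
    reasons: List[str] = []
    # Layer 1: pre-bid style network signals (data-center ASN, declared-bot UA,
    # known residential-proxy exit node).
    if ev.asn in DATACENTER_ASNS:
        reasons.append("datacenter_asn")
    if any(marker in ev.user_agent for marker in DECLARED_BOT_UA_MARKERS):
        reasons.append("declared_bot_ua")
    if ev.ip in RESIDENTIAL_PROXY_EXITS:
        reasons.append("residential_proxy_exit")
    # Layer 2: TLS fingerprint against a known-bot JA3 corpus.
    if ev.ja3 in KNOWN_BOT_JA3:
        reasons.append("known_bot_ja3")
    # Layer 3: the click-timing heuristics named on the page.
    if ev.time_on_page_ms < 300:
        reasons.append("click_under_300ms")
    if ev.scroll_events == 0 and ev.mousemove_events == 0:
        reasons.append("no_scroll_no_mousemove")
    # Decision rule (an assumption): two independent signals make the click
    # invalid; one signal alone only marks it suspect for review.
    if len(reasons) >= 2:
        verdict = "invalid"
    elif reasons:
        verdict = "suspect"
    else:
        verdict = "valid"
    return {"verdict": verdict, "reasons": reasons}


def conversion_ratio_drop(clicks: int, conversions: int, baseline_ratio: float) -> float:
    """Layer 5: relative drop of a source's conversion/click ratio versus its baseline."""
    if clicks == 0 or baseline_ratio <= 0:
        return 0.0
    return (baseline_ratio - conversions / clicks) / baseline_ratio


def conversion_window_suspect(clicks: int, conversions: int,
                              baseline_ratio: float, threshold: float = 0.30) -> bool:
    """Flag a source whose ratio fell more than 30 percent below baseline."""
    return conversion_ratio_drop(clicks, conversions, baseline_ratio) > threshold


def reconciliation_gap(dsp_count: int, vendor_count: int) -> float:
    """Layer 6: share of DSP-reported events the verification vendor did not measure."""
    if dsp_count == 0:
        return 0.0
    return (dsp_count - vendor_count) / dsp_count


def reconciliation_suspect(dsp_count: int, vendor_count: int, threshold: float = 0.05) -> bool:
    """Gaps above 5 percent indicate invalid traffic the upstream filters missed."""
    return reconciliation_gap(dsp_count, vendor_count) > threshold


if __name__ == "__main__":
    # Constructed sample clicks: one human-like, one botnet-like.
    human = ClickEvent("search_brand", "198.51.100.10", 64496,
                       "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ja3-constructed-human-01",
                       time_on_page_ms=4200, scroll_events=3, mousemove_events=57)
    bot = ClickEvent("display_pmp", "203.0.113.77", 64496,
                     "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ja3-constructed-bot-hash-01",
                     time_on_page_ms=120, scroll_events=0, mousemove_events=0)
    for ev in (human, bot):
        print(ev.source, score_click(ev))
    print("conversion window suspect:", conversion_window_suspect(1000, 10, 0.02))
    print("reconciliation gap:", reconciliation_gap(10000, 9200))
```

The bot event here arrives on a residential exit with a real Chrome user agent, so layer 1 alone would pass it; it is the agreement between the JA3 corpus match and the timing heuristics that produces the invalid verdict, which is the correlation argument the section makes. Layers 5 and 6 run on aggregates rather than single events, which is why they are separate functions fed by per-source counts.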

Across the Adsafee Research deployments we have visibility into, advertisers running all six layers report invalid-traffic detection rates two to three times higher than advertisers running only DSP-side pre-bid filtering, with the largest deltas in programmatic video and connected TV inventory. The full detection methodology, with code samples, lives in our click fraud detection guide.

Can Google Ads’ IVT filter catch botnets?

Google Ads’ invalid-traffic filter catches GIVT consistently but misses most SIVT, which is where modern botnets operate. Google publishes credit refunds for invalid clicks identified after the fact, but the public refund rate hovers around one to three percent of paid clicks on most accounts, well below the IAS Media Quality Report’s industry-wide SIVT estimate. [3] The gap is the advertiser’s exposure.

The mechanic is the same as GA4’s bot filter, which we discussed in detail in bot traffic detection. Google’s filter compares incoming activity against declared-bot signatures, known data-center ranges, and obvious crawler patterns. Sophisticated ad-fraud botnets are designed to evade exactly this layer. The traffic arrives on residential proxies, with real Chrome user agents, with plausible fingerprints, executing real ad renders. Google’s post-hoc filter catches some of it via behavioral aggregation, but the catch rate is consistent with the industry’s sub-40-percent SIVT rate.

What Google Ads does catch

Google Ads’ IVT filter is genuinely strong on:

  • Data-center IP ranges and known cloud provider egress
  • Declared-bot user agents (Googlebot, crawler strings)
  • Click farms producing identical click patterns across thousands of accounts
  • Obvious automation tells (Selenium defaults, headless markers)
  • Repeat clickers from the same fingerprint within short windows

What Google Ads does not catch

The systematic gaps:

  • Residential-proxy traffic with coherent fingerprints
  • AI-driven behavioral simulation that matches human distributions
  • Slow-burn click fraud spread across hundreds of thousands of distinct fingerprints
  • SDK-level fraud where the click event is generated client-side with valid attribution data
  • Botnet traffic that converts at a low rate to mimic real user behavior

The practical implication for advertisers: relying on Google Ads’ IVT filter alone leaves the SIVT bucket fully exposed. Advertiser-side detection on top of the platform filter is the working approach in 2026, covered in our click fraud protection for Google Ads coverage.

What do you do if you’re hit by a botnet?

The response sequence has three phases: immediate containment, refund recovery, and structural defense. Each phase has a specific time window and specific deliverables. The Media Rating Council’s invalid-traffic guidelines support the refund-recovery framework, and platform-level refund policies at Google, Meta, and the major DSPs follow MRC standards in most jurisdictions. [4]

Phase one: containment (first 48 hours)

Stop the bleed. Identify the traffic sources, placements, or campaigns showing the suspect signals (collapsed conversion ratio, gap between DSP and verification impressions, unusual ASN concentration). Pause those segments. Pull a clean 30-day baseline of the affected metrics. Snapshot raw access logs, DSP delivery reports, and verification vendor data while it’s still queryable; refund disputes require evidence, and platform retention windows are not generous.

Phase two: refund recovery (next 30 days)

File refund requests with the platforms holding the spend. Google Ads, Meta, the major DSPs (TTD, DV360, Amazon DSP) all have invalid-traffic credit processes. The evidence package that works: paired DSP and third-party verification data showing measurable invalid-traffic concentration, the time window, the placements or audience segments affected, and a clean baseline for comparison. Refunds are not automatic and rarely cover the full exposure, but the typical recovery on a documented case is 30 to 70 percent of the disputed spend.

Phase three: structural defense (ongoing)

Implement the six-layer signal stack covered in the detection section. Add the affected traffic sources to a hard blocklist if your DSP supports source-level exclusions. Move toward TAG-certified or supply-path-optimized inventory where possible. Run weekly reconciliation between DSP-reported and verification-measured metrics, with a documented threshold (commonly 5 percent) that triggers investigation.

The structural changes are what prevent the next event. The containment and refund phases are reactive. Most advertisers we see going through this cycle add the structural defense only after the second or third event, by which point the cumulative loss is well above the cost of the detection stack they could have deployed initially.

Where Adsafee fits

Adsafee operates the real-time scoring layer between your DSP or ad platform and your conversion measurement, returning a per-event verdict in under 100 ms via JavaScript tag, S2S postback, or REST API. We maintain the JA3/JA4 corpus, residential-proxy IP map, and cross-customer fingerprint reputation that single-tenant detection cannot reasonably build. Our customers run the in-house signal baseline (server-log filtering, navigator.webdriver checks, behavioral instrumentation) and layer our scoring API on top for the signals that need cross-tenant volume.

For advertisers running paid acquisition above $5,000 per month or operating in high-fraud verticals (iGaming affiliate, mobile install attribution, programmatic CTV), real-time scoring tied to refund-grade evidence pays back quickly. To benchmark your current detection coverage, start a free trial. The first audit returns same-day and includes a per-source breakdown of the SIVT exposure across your campaigns.

FAQ

The Frequently asked questions section at the end of this article answers the recurring questions: scale of modern botnets, legality, monetization paths, the bot-versus-botnet distinction, measurement methodology, antivirus limits, channel coverage, and the residential-proxy connection. For deeper coverage of specific channels and techniques, see the click fraud detection guide, the types of ad fraud overview, and the bot traffic detection signal stack.


Sources

  1. Juniper Research, “Digital Advertising Research Report” — forecasts of global digital ad fraud losses, projecting $172 billion in 2026 with botnets accounting for the majority of programmatic invalid traffic. Visit: juniperresearch.com (accessed May 2026).

  2. HUMAN Security (formerly White Ops), Methbot, 3ve, and Vastflux disclosure white papers and Satori Threat Intelligence briefings — primary documentation for the major ad-fraud botnet operations between 2016 and 2023. Visit: humansecurity.com/learn/reports (accessed May 2026).

  3. Integral Ad Science, “Media Quality Report” — annual measurement of invalid traffic, viewability, and brand safety across the global digital advertising stack, including SIVT catch-rate benchmarks. Visit: integralads.com/insider/media-quality-report/ (accessed May 2026).

  4. Media Rating Council, “Invalid Traffic Detection and Filtration Guidelines Addendum” and related standards documents defining GIVT, SIVT, and the refund-evidence framework platforms use. Visit: mediaratingcouncil.org/standards-documents (accessed May 2026).

Frequently asked questions

How big are ad-fraud botnets in 2026?

The largest documented ad-fraud botnets have controlled between 700,000 and 1.7 million infected devices at peak. Methbot in 2016 used roughly 570,000 fraudulent IPs and 250,000 spoofed domains to bill $3 to $5 million per day in fake video impressions. 3ve, taken down in 2018, infected more than 1.7 million machines across two sub-operations. Vastflux in 2022 to 2023 generated 12 billion fraudulent bid requests per day at peak before HUMAN Security's mitigation. The overall digital ad fraud loss estimate from Juniper Research sits near $172 billion globally for the 2026 forecast year, with botnets contributing the majority of programmatic invalid traffic.

Are botnets illegal?

Operating a botnet is a criminal offense under the Computer Fraud and Abuse Act in the United States and equivalent statutes across the EU, UK, and most G20 jurisdictions. The act of infecting a device without authorization constitutes unauthorized access. Using that device to commit advertising fraud adds wire fraud and money laundering charges. The 3ve takedown in 2018 produced indictments under all three categories, with two operators extradited and convicted. Civil recovery against advertisers' losses is rare because operators are usually offshore, but criminal prosecution of identified actors has been consistent since 2018.

How do ad-fraud botnets make money?

Three main monetization paths exist. The first is impression fraud: spoofing domains and selling fake video or display inventory to programmatic buyers, which is how Methbot operated. The second is click fraud: directing infected devices to click on paid search or display ads where the operator owns the publisher, capturing the per-click payout. The third is install fraud: faking mobile app installs and harvesting CPI bounties from advertisers, often combined with SDK spoofing. Vastflux combined the first two by injecting hidden video players into legitimate apps and stacking up to 25 video ads per slot.

What is the difference between a bot and a botnet?

A bot is a single piece of automation software: headless Chrome with a stealth plugin, a Python script, or an emulator running click sequences. A botnet is a coordinated network of compromised machines under one command and control infrastructure, where each node usually does not know it is part of the network. The distinction matters for detection. A single bot leaves one fingerprint. A botnet rotates through hundreds of thousands of residential IPs and unique device fingerprints, which is why static blocklists cannot keep up.

How do you measure botnet impact on my campaigns?

Four measurements together give a usable read. Compare DSP-reported impressions against verification-vendor measured impressions and flag gaps above 5 percent. Track conversion-to-click ratios per traffic source and investigate any source where the ratio drops by more than 30 percent versus baseline. Run periodic IP and ASN audits on your click logs against published residential-proxy and data-center ranges. Layer a real-time bot scoring API so each request is scored on JA3, ASN, fingerprint, and behavioral signals before counting as a billable event.

Can antivirus software stop ad-fraud botnets?

Endpoint antivirus catches the older malware families that built botnets in the 2010s; ZeroAccess, Bamital, and Kelihos are all on modern AV signature lists. It does not protect advertisers, because the infected machine is the attacker's tool, not the victim. Modern ad-fraud botnets often live in hijacked mobile SDKs, malicious browser extensions, and supply-chain compromises of legitimate apps. DrainerBot, for example, ran inside a hijacked SDK used by hundreds of Android apps. Advertiser-side defense is detection at the impression and click layer, not endpoint security.

Do botnets only target Google Ads?

No. Botnets target every paid channel where they can extract money. Programmatic display and video are the largest single target because of the scale of inventory and the indirection between buyer and publisher. Connected TV is the fastest-growing target since 2023, with multiple CTV-specific botnets documented. Mobile install attribution is a long-standing target via SDK spoofing and click flooding. Paid search is also targeted, particularly competitor click fraud at scale, which uses smaller botnets to drain rival budgets.

What is residential proxy abuse and how does it relate to botnets?

Residential proxies are real consumer IP addresses, often from devices unwittingly enrolled in proxy networks via bundled SDKs or free VPN apps. Botnet operators rent or operate these networks to route fraudulent traffic through legitimate-looking IPs. From the advertiser's side, a bot using a residential proxy looks like a real user on Comcast or BT until you check fingerprint, behavior, and TLS signals. The line between residential proxy networks and ad-fraud botnets has blurred; several operators are documented to run both businesses.