The Shadow Ad Economy: Farmed Google Ads Accounts

Google publishes crawler IP ranges in JSON format. Cloaking systems maintain databases of these IPs plus:

• Google AdsBot IPs (from special-crawlers.json)
• Data center IPs (AWS, GCP, Azure, OVH, Hetzner)
• Known VPN exit nodes and proxy provider ranges
• Security vendor IPs (Kaspersky, BrandVerity, GeoEdge)
• Spy tool IPs (AdPlexity, AdClarity, AdSpy)

Keitaro maintains a database of 500,000+ known bot IP addresses. The script checks each incoming request's IP against these databases — match = safe page.

Client-side JS collects browser fingerprint data and sends it to the cloaker's API for classification:

• Screen resolution, WebGL renderer, installed fonts
• Canvas fingerprint, audio context
• navigator.webdriver flag (headless browser indicator)
• Selenium/Puppeteer/Playwright fingerprints
• Missing chrome.runtime (headless Chrome indicator)

Advanced techniques: Mouse detection (content only appears after mouse movement), timing-based detection (bots load pages faster), interaction gates (require click/scroll before revealing content).

CrawlPhish study: 31.31% of phishing sites use client-side cloaking, up from 23.32% in 2018.

Server-side: Decision made before content is sent. Leaves no trace in the browser. Cannot be detected by inspecting page source. But limited to IP/header signals — can't detect headless browsers.

Client-side: Richer fingerprinting (Canvas, WebGL, audio). Can detect automation frameworks. But leaves traces in JS code and introduces latency.

2025-2026 best practice: Three-layer hybrid:

• Layer 1: Server-side IP/user-agent filtering (catches known crawlers)
• Layer 2: Client-side JS fingerprinting (catches advanced bots)
• Layer 3: Behavioral analysis (catches human reviewers using residential proxies)

Cloudflare as shield: Hides origin server IP. Ad networks can't flag Cloudflare IPs since they serve most of the internet.

Cloudflare Workers: Serverless cloaking at CDN edge — filtering happens before the request reaches the origin server.

CNAME cloaking: A subdomain's CNAME record points to a third-party cloaking domain, making it appear first-party. 95% of sites using this also leak cookies to the third party.

Affiliate cloaking rose from 25% of fraud cases (2022) to 45% (2024).

Sub-verticals: Weight loss (keto gummies, fat-burning teas), male enhancement (consistently highest-converting), anti-aging/skincare, CBD/sleep, general wellness.

The "advertorial" funnel: Ad → Pre-landing "TOP 5 Supplements" ranking → Fake news article styled like CNN/Fox → Product page → Purchase. Uses fabricated celebrity endorsements (Dr. Oz, Jennifer Aniston, Paula Deen).

Payout models:

• CPA: $5-$105 per conversion (KetoCleanse: $85/lead, Nutrisystem: $105 CPA)
• COD (Cash on Delivery): Dominant in Tier 2/3 markets. Lower CPA but lower approval rates.
• Trial/Subscription: "Free trial" at $4.95 shipping, then billed $79-$149/month if not cancelled.

FTC v. Tarr Inc.: $179 million judgment for a network of 40+ products sold through fake news websites and fabricated celebrity endorsements.

CPA payouts: $100-$500+ per first-time depositor. Revenue share models offer 25-50% of player losses.

Cloaking approach: White page = blog about board games or casual gaming. Black page = actual casino/betting site.

Key operators: 1xBet (notorious for hundreds of mirror domains to bypass bans — became FC Barcelona sponsor despite controversy), Betsson, Pin-Up, Mostbet.

GEO strategy: Tier 1 countries = "winning experiences with joy and fun." Tier 3 = "extravagant lifestyle" messaging.

The global gambling market is estimated at $107 billion (2025), making it enormously lucrative even with 2-day account lifespans.

Types:

• Fake trading platforms: SEC charged Morocoin/Berge/Cirkor — $14M stolen, no actual trading occurred
• Wallet phishing: Ads impersonate Phantom Wallet, MetaMask, PancakeSwap. Victims enter seed phrases. Check Point documented $500K+ stolen.
• Recovery scams: Google Ads impersonating "Revoke Cash" crypto recovery services
• Fake software: Bitdefender found ads for "free TradingView Premium" that delivered malware

Scale: Chainalysis reports crypto scams received at least $14 billion on-chain in 2025. AI-enabled scams generate 4.5x more revenue per operation.

The funnel:

• User searches "PayPal help" or "Netflix customer service"
• Sponsored ad appears with what looks like the real support number
• Click leads to fake support page or full-screen browser hijack with fake virus warnings
• Victim calls offshore call center (commonly India)
• Pressured to download AnyDesk/TeamViewer for "remote repair"
• Charged $200-$500 for fake repairs or told to buy gift cards

Brands impersonated: PayPal, Apple, Microsoft, Amazon, Netflix, Bank of America.

One advertiser had over 30 reported incidents in 3 months, raising questions about Google's enforcement against repeat offenders.

FBI 2023: Tech support scams accounted for $924 million in losses.

Flow: "Congratulations!" page → 3-question quiz → Lucky wheel spin → Personal data submission → Endless surveys → No prize ever.

Revenue models:

• SOI (Single Opt-In): Email only, $0.50-$5/lead
• DOI (Double Opt-In): Email + confirmation, higher payout
• PIN/Mobile Submit: Carrier details for subscription, higher payout
• CC Submit: Credit card for "free trial," $15-$40+/lead

Collected data is sold to data brokers or used for further targeting.

Fake loans: Target bad-credit consumers with "guaranteed approval." Victims pay $100-$500+ in "processing fees" and never receive the loan.

Forex/binary options: Fake platforms with manipulated algorithms ensuring losses. Platforms extend trade expiration times until winning trades become losses.

Credit repair scams: Financial Education Services scammed consumers out of $213 million via a pyramid scheme (FTC case).

Investment scams (OCCRP "Scam Empire"): Based on 1.9 TB of leaked data — 32,000+ victims, $275 million stolen by call centers in Israel and Eastern Europe. Marketers earned $200-$2,350 per lead.

"The Great Google Ads Heist" (Malwarebytes, 2025): Criminals place ads impersonating Google Ads itself, targeting advertisers searching for login pages.

The circular attack: Stolen Google Ads accounts are used to run more phishing ads, creating an infinite loop.

Primarily operated by Portuguese-speaking operators based in Brazil. Described as "the most egregious malvertising operation" ever tracked.

1Campaign platform: Full-service cloaking specifically for Google Ads phishing. One campaign showed 1,676 visitors but only allowed 10 through (0.6% pass rate).

Google TAG (Q2 2025): Dismantled 9,800+ channels for coordinated influence operations. Russian-linked campaigns represented the majority.

ProPublica: Google places ads on 41% of ~800 COVID-19 false articles. In Turkey, 73% of false-rated articles carry Google ads.

Disinformation sites earn an estimated $250 million to $2.6 billion annually from programmatic ads.

Google verified 8,900+ election advertisers in 2024 and removed 10.7 million election ads from unverified accounts.

• Card fingerprinting: Cardholder name vs account info mismatches flagged
• Virtual card detection: Prepaid, single-use cards specifically flagged
• BIN analysis: Cards from obscure issuers raise suspicion
• History cross-referencing: Cards linked to banned accounts auto-flagged; all related accounts can be blocked simultaneously
• Geographic matching: US account with Kenyan payment = immediate suspicion

Accounts for ~8% of all Google Ads suspensions.

• Datacenter IPs: Easiest to detect — identifiable ASN signatures
• Residential proxies: Hardest to detect — use real ISP customer IPs
• VPN detection: TCP/IP fingerprints + latency data achieve ~98% accuracy
• Multiple accounts from same IP: Automatically linked
• IPv6 batch detection: Accounts registered with IPv6 proxies get batch-banned

• Canvas fingerprinting: Draws text with specific fonts, captures pixel data via Canvas API. Each GPU renders slightly differently.
• WebGL fingerprinting: 31 rendering tasks can uniquely identify 99%+ of devices
• Font enumeration: Installed font set creates a unique fingerprint
• Timezone, locale, screen resolution, color depth, cookie behavior, OS parameters

Feb 2025: Google reversed its earlier position and now formally permits fingerprinting-based tracking within Privacy Sandbox.

• Click timing: Real users: 10-30+ seconds on page. Bot traffic: 0-5 seconds.
• Scroll depth: Tracked at 25%, 50%, 75%, 100%
• Campaign creation speed: Budget spikes after registration = review trigger
• Keystroke patterns: Monitors for automated vs manual input
• Activity timing: Unusual hours trigger flags

Google uses "high-confidence connection" detection across:

• Shared login credentials across accounts
• Common payment information
• IP and proxy pattern overlap
• Device/browser fingerprint matches
• Overlapping domains in campaigns
• Manager account relationships
• Timing correlations between activities

Critical: A single flagged account can trigger suspension of an entire chain. Using different company documents doesn't help if a personal ID or setup pattern is reused.

Modern Google bots no longer behave like traditional crawlers:

• They scroll, click elements, engage with content
• Use mobile devices with random screen sizes
• Simulate slow connections
• Stay on sites longer to test time-based content changes
• Execute JavaScript fully in headless Chrome

Multi-crawler comparison: Google sends multiple crawlers with different profiles to the same URL. A classifier compares content, structure, rendering, and redirect graphs — achieving 95.5% cloaking detection accuracy with 0.9% false positive rate.

Chrome Safe Browsing provides real-user browsing data at massive scale — a signal no other ad platform possesses.

• Scale: Infected 1.7 million computers, generating billions of fraudulent ad bid requests daily
• Damage: Businesses paid $29 million for ads never viewed by real humans
• Indictments: 8 men charged with 13 counts (wire fraud, computer intrusion, identity theft, money laundering)
• Seizures: 31 domains, 89 servers, multiple Swiss bank accounts
• Takedown speed: Bid requests dropped to near-zero within 18 hours
• Collaboration: Nearly 20 industry partners including Google, White Ops (now HUMAN Security)

• Operator: Aleksandr Zhukov, self-proclaimed "King of Fraud"
• Peak revenue: $3-5 million per day
• Infrastructure: 2,000+ rented servers, 765,000 IP addresses
• Method: 200-400M fake video ad views/day, spoofing domains of NYT, NY Post, and 6,000+ publishers
• Sentence: 10 years in federal prison
• Forfeiture: $3.8 million

• Scale: Infected 25 million consumer devices via 115+ Android apps
• Method: Secret in-app browsers pushed traffic to ~500 AI-generated domains
• App types: QR scanners, PDF readers, WiFi detectors
• Geo spread: 33% in APAC (India, Philippines, Indonesia, South Korea)
• Response: Google pulled all 115+ apps, IAS reduced related bid requests by 95%

• Method: Network of fake news websites (goodhousekeepingtoday.com, menshealth.com--i.link)
• Fake endorsements: Paula Deen, Dr. Oz, Jennifer Aniston, Jason Statham
• Products: 40+ weight loss, muscle, and skin products
• Bait and switch: "Free trials" at $4.95 → billed ~$87 + recurring subscriptions
• Judgment: $179 million (suspended after $6.4M paid)
• Defendants permanently banned from deceptive marketing

• Scale: Two groups of call centers convinced 32,000+ victims to "invest" $275 million
• Lead prices: Marketers earned $200-$2,350 per lead based on victim's country
• Marketing spend: One operation's marketers earned $7.3 million in 7 months (2024)
• Tactics: Fake celebrity endorsements (Elon Musk), fabricated news, AI deepfake videos
• Platforms identified: 81 fraudulent investment platforms across the network
• Human cost: A Spanish architect lost €400,000 in two months; a retired Finnish scientist was left suicidal

• Criminals phish Google Ads advertisers using fake Google Ads ads impersonating Google Ads itself
• Fake "Sponsored" results redirect to Google Sites pages → phishing kits that fingerprint users via JS
• Primarily Portuguese-speaking operators based in Brazil
• Stolen accounts used to run more phishing — creating a circular attack pattern
• Malwarebytes: "the most egregious malvertising operation" ever tracked