← field notes

The 100 Billion Dollar Ad Fraud Machine Running on Phone Farms

somewhere there is a warehouse wall of phones. hundreds of them on metal racks, screens glowing in a dim room, each quietly scrolling through apps all night long. every one is watching ads. not one of them is a person.

the phones load a video, wait for the ad to play, register the view, then move on. they tap banners. they install apps and open them once. they do this thousands of times an hour, and somewhere a counter ticks up, and somewhere an advertiser pays for every tick. estimates put the cost of this kind of ad fraud at over one hundred billion dollars a year. that money does not vanish. it moves, deliberately, from the people who buy advertising to the people who manufacture fake attention.

to understand how, you first have to understand how advertising actually pays.

how an ad actually pays

when you load almost any free website or app, the empty ad slots are not filled in advance. in the fraction of a second the page loads, an auction happens. information about you, the page, and the moment gets sent out, advertisers bid, and the highest bidder’s ad drops into the slot. this is programmatic advertising, and it runs most of the open web.

the advertiser pays in one of a few ways. sometimes per impression, meaning per time the ad is shown. sometimes per click. and sometimes only when someone installs an app or completes some action after the click. each of these is a number that a machine counts.

that is the whole problem in one sentence. the entire economy runs on counting events, and a counted event is just a signal. if you can manufacture the signal convincingly, you can manufacture the payment. nobody has to break into a bank. they just feed the right number into the right counter at the right moment.

the four ways it is done

people talk about ad fraud like it is one thing, but it is really a family of tricks, each aimed at a different number in that auction.

the first is impression fraud, faking the moment an ad is shown. the second is click fraud, faking the moment someone clicks it. the third is install or attribution fraud, faking the action after the click. the fourth is domain spoofing, lying about where the ad is even running. they overlap and combine, but each targets a specific weak point in how money flows.

impression fraud: ads no one sees

an impression is supposed to mean a real human had a real chance to see an ad. impression fraud breaks that quietly. an ad loads into a page, the counter records a view, the advertiser pays. but the page is open in a hidden window, or stacked under another ad, or being loaded by a script in an empty room full of phones.

the cheapest version is invisible. ads get stuffed into a frame a single pixel wide, or layered ten deep so only the top one is ever seen, while all ten report as viewed. there are uglier versions still, like video ads that play in the background with the sound off while you read an article. the impression was real as a number and fake as an event.

this is why the industry invented the viewable impression, an ad actually on screen long enough to be seen. it helped. it also gave the fraud side a new target to imitate, which is a pattern you see again and again.

click fraud: taps from nobody

clicks are worth more than impressions because a click looks like interest. so clicks get manufactured too. a script taps the ad, or a rack of phones taps it, and the counter records intent that no person ever felt.

some of it is sabotage, draining a competitor’s daily budget by clicking their ads until the money runs out, so their real ads vanish from the auction for the rest of the day. some of it is profit, where whoever owns the page gets paid per click and generates their own.

what makes clicks slippery is that a single click looks innocent on its own. the fraud only becomes visible in the aggregate, when you notice that ten thousand of those innocent taps came from the same narrow corner of the network, at the same steady pace. the lie is not in any one event. it is in the shape of all of them together.

install and attribution fraud: stealing the credit

further down the chain is the most valuable event of all, the install. an advertiser will happily pay several dollars when someone installs their app, because that looks like a real new user. so this is where the most sophisticated fraud lives.

one version manufactures the installs outright, with devices downloading the app, opening it once, and disappearing. another is sneakier and does not fake the install at all. it steals the credit for a real one, by firing a fake click moments before a genuine install happens, so the system that hands out the reward credits the fraudster instead of whoever actually earned it.

that second kind shows the deeper game. the most effective fraud does not always invent fake activity from scratch. sometimes it just inserts itself into the path of real activity and takes the payment.

domain spoofing: lying about the address

the last big category is about location, not action. when an ad is sold in that instant auction, the seller declares where it will run. a buyer pays far more to appear on a trusted, recognizable site than on one they have never heard of.

domain spoofing is lying about that address. cheap or junk inventory gets dressed up to look like premium space on a famous publisher. the advertiser thinks they bought a slot on a respected site read by real people. they actually bought space on something else entirely, often a page built only to hold ads. the advertiser overpays for fake prestige, and the real publisher whose name was borrowed gets nothing.

the infrastructure behind it

so where does all this fake activity physically come from. broadly, two places. software bots, and real devices.

the bot side is the classic picture. networks of infected computers and servers, scripted to load pages and fire events at scale. they are cheap and enormous, but a machine in a data center does not look like a person at home, and over time the defenders got good at spotting that hollow, mechanical behavior.

so part of the industry moved toward something harder to dismiss. real phones. this is the warehouse from the beginning: rows of genuine handsets, often on real home or mobile connections, each looking like an ordinary person’s device. they are valuable to the fraud side precisely because they are real, with legitimate fingerprints, real sensors, and real network history. and they are operated to look human, with irregular taps and pausing scrolls. seen from the inside, such an operation can look less like a crime scene and more like a small logistics business, which is part of why it persists.

the defensive side: invalid traffic detection

against all this sits an industry whose only job is to decide which events are real. the umbrella term is invalid traffic detection, and the question it answers is simple. did a real human really have a real chance to see or interact with this ad.

the defenders look for patterns no real audience produces. thousands of clicks from one narrow slice of the network. perfectly even timing where humans are messy. a device that watches ads for twenty hours without sleeping. a flood of installs that never open the app again. real people are irregular and inconvenient, and fakers, trying to scale, tend to be suspiciously consistent.

two of the sharpest tools are fingerprinting and reputation. fingerprinting builds a quiet profile of a device from hundreds of small signals and recognizes the same device again, noticing when a thousand supposedly different users share one suspicious shape. reputation is the memory on top, a running history attached to addresses, networks, and devices. a brand new device with no past, suddenly watching ads at industrial volume, gets flagged. it works like a credit history, except it scores hardware instead of people.

because no single advertiser can police this alone, independent verification companies sit in the ad path, grading traffic and certifying which impressions were genuine, viewable, and human. industry bodies publish standards for what counts as a valid impression. it is genuinely useful, and it is also a market, sold to the same ecosystem that loses money to fraud.

why the cat and mouse never ends

here is the uncomfortable core. as long as advertising pays by counting events, faking those events will be profitable. and as long as it is profitable, someone will fund better fakes.

the industry made viewable impressions the standard, so the fakers learned to render ads on screen. detection got good at spotting bots in data centers, so the activity moved onto real phones. each improvement on defense becomes the next target to imitate. the money on both sides keeps the loop alive, and neither side ever gets to declare victory.

who actually pays

so who loses the hundred billion. on paper, the advertisers, who pay for attention that was never given. but the cost rarely stops there.

advertisers raise prices to cover wasted spend, and that flows into the cost of products you buy. honest publishers lose, because every fake site dressed up in a borrowed name makes real ad space worth a little less. and you lose too, in a quieter way, because an internet funded by counting fake attention has every incentive to chase the count rather than serve the actual person reading.

that is the real shape of it. not a dramatic heist, but a slow leak of value out of a system everyone uses, paid for in the end by the honest advertisers and, indirectly, by everyone.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →