Right now, a man named Aleksandr Zhukov is sitting in jail for one of the most financially ruinous schemes ever invented for the internet.
Zhukov is guilty. He was caught and convicted under a mountain of evidence against him. Simple as that. Here’s the thing…
The overwhelming majority of people involved in his case — and the people who have written and spoken about it since — would have you believe that what you’ve just heard is the whole story. Bad guy, cybercrimes, jail.
Except the deeper you look into it, the deeper the well goes. The picture widens, like those old Alfred Hitchcock close-ups — as we zoom in, what we’re looking at strangely appears further away.
Hi, I’m Ran Levi, welcome to Cybereason’s Malicious Life. In this episode, we’ll learn how Aleksandr Zhukov defrauded some of the biggest American corporations for millions of dollars. And we’ll ask the question that hardly anyone else is willing to acknowledge: Was this clever, successful, guilty cybercriminal merely a fall guy for everybody else playing his twisted game?
Methbot is Born
It was September, 2015, when a group of researchers working for the cybersecurity firm “White Ops” noticed a “small amount” of automated web traffic all bearing the signature of the same bot. They started monitoring, just in case, thinking little of it. That is, quote, “until October of the following year when the bot morphed [. . .] and began to scale and adapt aggressively.”
We at Malicious Life reached out to White Ops — now called HUMAN — for an interview. They declined, as they were advised by the FBI not to comment on an ongoing legal case. So we can only pull from what they’ve already published online, namely their initial white paper we’re reading from now. Quote:
“In September 2016, White Ops detected a mutation in a previously low volume bot signature which had been flagged as “C3” since September 2015. The security research team continued to track the evolution of C3 as it innovated and grew into what would become known as “Methbot.””
“Methbot,” due to references to “meth” in the code. They’d later learn that “meth” derives from the name of the company behind the bot, “Media Methane.” Quote:
“On October 5, 2016, Methbot began to scale aggressively, reaching as many as 137 million impressions per day by the end of the week. The operation continued to expand rapidly. [. . .] By the end of the month, the bot farm had spread to affect 32 distinct clients upon which White Ops had detected or blocked activity. Following the initial ramp in October, Methbot continued to produce massive amounts of impression volumes while continuing to adapt its codebase daily in an effort to elude fraud detection and viewability vendors and avoid discovery in order to continue the operation.”
The researchers assessed that Methbot, quote, “far exceeds the financial damages done by previously discovered botnets,” causing, in their estimates, 3 to 5 million dollars worth of fraud per day.
This was an overstatement. But even a small fraction of these numbers is a lot of money to be intercepting every day. How was it possible?
Intro to Ad Fraud
“[Fou] In digital ad fraud, there’s something called domain spoofing.”
That’s Dr. Augustine Fou. For years he’s been trying to ring the alarm on the problem of digital advertising fraud. Ad fraud can manifest in a number of ways, including domain spoofing…
“[Fou] Where a bad guy could just make a page appear to be a mainstream publisher like New York Times, or Wall Street Journal, or MarthaStewart.com. And so in the data, it looks like the ads ran on those sites when the ads never actually ran on those sites.”
So imagine you’re a company, and you think you’re advertising your product on The New York Times’ website, but you’re just being tricked by bots.
“[Fou] They thought they were paying for ads on the legitimate publishers, when it was completely an ad that didn’t run anywhere, actually.”
On the face of it, it seems like somebody could have figured this whole thing out pretty easily. But Media Methane maintained a massive, thorough operation to try to disguise their trail. They began by renting more than 2,000 servers from data centers in Dallas and Amsterdam.
“[Fou] It’s very inexpensive for the bot makers to just use those cloud data centers. In fact, they don’t even need to pay for the hardware because they just pay for what they use. So it’s actually dramatically lowered the cost of entry for anybody to get into the bot making business.”
It was from these servers that they’d load real ads on fake sites, spoofing more than 6,000 domains in all.
“[Fou] So it wouldn’t be so obvious, right? Because if you just have traffic coming from one domain, and too much of it, it would be pretty obvious.”
Next, Media Methane leased somewhere between 570 and 853 thousand IP addresses, assigning them to different servers. But ordinary people don’t usually access the internet through cloud data centers, which would make tracking these IPs rather straightforward for anybody with the intent to look. Except…
“[Fou] Here, the bots are bouncing the traffic through what we call residential proxy services. So there’s a number of companies selling access to residential proxies where the traffic can then be bounced through a residential IP address to make it look like it came from a residential IP versus a data center.”
So instead of a data center in Texas, these IPs would appear from the outside to belong to regular customers of Verizon, Comcast, or Spectrum.
At this point, we have hundreds of thousands of fake computers accessing thousands of fake websites on thousands of real servers. Tracking any portion of this activity, let alone grouping it all together, would’ve been a massive task for any authorities or researchers. But the ruse went much deeper than this.
As we’ve talked about plenty on this show, most recently in our episode last month — The Reason You Don’t Have Data Privacy — companies amass a remarkable amount of information about you, through your internet activity. Your cookies aren’t soft and delicious, they’re a treasure trove of data points indicating your browser history, recent purchases, demographic information, geolocation, and more.
Advertisers pay good money for that microtargeting data, and Media Methane knew that. So they forged internet personas — an army of ad-viewing ghosts, from different places, with different characteristics — and maintained them over time.
Then, to further the illusion that real people were viewing the ads, Media Methane programmed their bots to simulate exactly how people might use the internet: browsing websites, fake mouse movements, scrolling, clicks, starting and stopping video ads partway through, instead of letting them run all the way until completion every time.
To give these scrolls and clicks context, the bots had their own fake logins for Facebook, Twitter, or Google, as if they were logged in while doing all of this. And Methbot would mimic different operating systems — Windows, Mac, iOS — and different browsers through which all of this activity was happening.
“[Fou] So it would sometimes pretend to be Chrome, sometimes pretend to be Safari. And so again, by rotating through a large number of different browsers, it will make it less obvious that it’s just generated by bot activity.”
Picture all of this, hundreds of millions of times over every day, across more than 250,000 unique URLs. Of course, each of these fake “publisher” sites was no more than a page with a video ad spot, once you looked under the hood.
Even with all of these stealth tactics, probably, somebody along the line might have caught onto the scam. Except there’s one, crucial detail we’ve yet to mention. Media Methane’s customers were not advertisers and publishers. Instead, they sold their traffic to a middle man…
“[Fou] Ad tech companies that were basically bundling together inventory to sell.”
Exchanges — ubiquitous in online advertising — designed to programmatically facilitate the buying and selling of ad placements.
“[Fou] You would probably call them resellers, or SSPs, or something, meaning Supply-side Platforms. So they would actually go out and help the buyers of the ads, securing ad inventory.”
Through programmatic exchanges, Methbot was able to launder its falsified traffic.
“[Fou] So the problem is very similar to what we saw in the 2008 financial crisis. It was basically junk mortgages being bundled into good mortgages, and kind of being sold as all of it was good, right? So it was Triple-A rated and all that kind of stuff. So in this case, you have some legitimate ad impressions. And then you have a whole bunch of fake ones being manufactured by bot traffic. And you just kind of bundle it all together. When you mix it all together, it kind of gets easy to hide the fraud.”
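The tactics laid out above (a spoofed publisher domain, traffic from rented data-center servers, rotating browser identities, and laundering through an exchange) are also the signals a defender on the buy side can check for. The following is an added illustration, not code from the episode, from White Ops/HUMAN, or from Dr. Fou: a small invalid-traffic scorer run over constructed impression records. The record field names, the data-center prefix list (RFC 5737 documentation ranges standing in for a real hosting-provider feed) and the user-agent rotation threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed list of "data-center" networks. These are RFC 5737 documentation
# ranges used as placeholders; a real deployment would load hosting-provider
# prefixes from an ASN/IP-intelligence feed.
DATA_CENTER_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Distinct user agents seen from one IP above which we treat the client as
# rotating browsers (assumed threshold; tune against your own traffic).
UA_ROTATION_THRESHOLD = 3


def is_data_center(ip: str) -> bool:
    """True if the client IP falls inside a known hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATA_CENTER_NETS)


def build_ua_index(records):
    """First pass: distinct user agents observed per client IP."""
    per_ip = defaultdict(set)
    for rec in records:
        per_ip[rec["client_ip"]].add(rec["user_agent"])
    return per_ip


def score_impression(rec, per_ip_uas):
    """Return the list of invalid-traffic signals that fire for one impression."""
    reasons = []
    # Domain spoofing: the exchange reports the ad ran on a premium publisher,
    # but the creative was actually requested from a different host.
    if rec["declared_domain"] != rec["serving_host"]:
        reasons.append("domain_spoof")
    # Ordinary readers rarely browse from hosting ranges.
    if is_data_center(rec["client_ip"]):
        reasons.append("datacenter_ip")
    # One client claiming to be many different browsers.
    if len(per_ip_uas[rec["client_ip"]]) >= UA_ROTATION_THRESHOLD:
        reasons.append("ua_rotation")
    return reasons


def analyze(records):
    """Score every record; return {index: reasons} and the flagged share."""
    per_ip_uas = build_ua_index(records)
    flagged = {}
    for i, rec in enumerate(records):
        reasons = score_impression(rec, per_ip_uas)
        if reasons:
            flagged[i] = reasons
    invalid_share = len(flagged) / len(records) if records else 0.0
    return flagged, invalid_share


# Constructed sample impressions (not real log data). 192.0.2.0/24 stands in
# for residential space; 203.0.113.5 is one "server" wearing three browsers.
SAMPLE = [
    {"client_ip": "192.0.2.10", "declared_domain": "nytimes.com",
     "serving_host": "nytimes.com", "user_agent": "Chrome/118"},
    {"client_ip": "203.0.113.5", "declared_domain": "wsj.com",
     "serving_host": "wsj-video.example", "user_agent": "Chrome/118"},
    {"client_ip": "203.0.113.5", "declared_domain": "wsj.com",
     "serving_host": "wsj-video.example", "user_agent": "Safari/17"},
    {"client_ip": "203.0.113.5", "declared_domain": "nytimes.com",
     "serving_host": "nyt-video.example", "user_agent": "Firefox/119"},
    {"client_ip": "192.0.2.44", "declared_domain": "wsj.com",
     "serving_host": "wsj.com", "user_agent": "Safari/17"},
]

if __name__ == "__main__":
    flagged, share = analyze(SAMPLE)
    for idx, reasons in flagged.items():
        print(idx, SAMPLE[idx]["client_ip"], reasons)
    print(f"flagged share of impressions: {share:.0%}")
```

On the constructed sample the three impressions from the data-center address are flagged on all three signals and the two genuine ones pass. Note that the data-center check alone is exactly what bouncing traffic through residential proxies defeats, which is why the domain mismatch and browser-rotation signals carry most of the weight, and why a buyer needs visibility into the serving host at all rather than only the domain the exchange reports.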
According to how the story of Methbot is typically told, this whole, grand scheme was devised by one man.
On the internet, he was known as “Nastra,” like “Nostradamus.” IRL, he was Aleksandr Zhukov — blonde hair, blue eyes, a soft look about him that portrays “programmer” much more than “hardened Russian criminal.”
A native of St. Petersburg, Zhukov served in the army before turning to cyber work around the turn of the millennium. A cybercrime colleague told the Russian newspaper “Kommersant” that Zhukov was a, quote, “merry fellow, with a great sense of humor, whom no one will say a bad word about.” End quote. Zhukov was also moral, at least by the standards of the community he occupied. “He did not steal credit cards and did not traffic in child porn,” his colleague clarified, “but his work was not always clean from the point of view of the law.”
Around 2010, Zhukov got an apartment in Varna, an historic coastal city in east Bulgaria. According to Kommersant, quote, “Nastra did not earn any big money, he lived quietly, and people even began to forget him a little.” End quote.
That is, until the fall of 2014, when he was contracted for a job.
By the time security researchers caught on years later, Zhukov was leading a small group of developers under the banner of Media Methane. According to the Department of Justice, their Methbot was responsible for eating over 7 million dollars in ad revenue from corporations that didn’t have a clue what was going on. Zhukov kept 75% of the proceeds for himself, pocketing 4.8 million dollars. He laundered it through bank accounts in Bulgaria, Cyprus, the Czech Republic, Latvia, Russia, and the United Kingdom.
From a modest apartment in Bulgaria to a multimillionaire. Zhukov gave himself a title he felt appropriate for his new stature: the King of Fraud. But this boastfulness, perhaps, contributed to his undoing.
On November 6th, 2018, Bulgarian authorities executed an arrest warrant for Zhukov issued by the United States government. The 38-year-old was put in handcuffs and, because he wasn’t in his home country of Russia, he was successfully extradited to the Land of the Free the following January.
In May, 2021, a jury in Brooklyn, New York convicted Zhukov on four counts of wire fraud and money laundering. That November, he was ordered to pay $3.8M, and handed a prison sentence of 10 years. U.S. Attorney Breon Peace provided a statement that summed up the mood. Quote:
“Sitting at his computer keyboard in Bulgaria and Russia, Zhukov boldly devised and carried out an elaborate multi-million-dollar fraud against the digital advertising industry, and victimized thousands of companies across the United States. Today’s sentence holds the defendant accountable for his deception and outright theft of more than $7 million, and sends a powerful message to cyber criminals around the world that there is no escape from the international reach of law enforcement.”
Law enforcement, media outlets, and the security community heralded victory over the King of Fraud.
“[Fou] The Association of National Advertisers, the trade association, made a big deal out of it, because it made for good headlines, right? We caught a Russian national doing hacking and crime and all that. And they took full advantage of it, issuing press releases, essentially claiming credit by associating themselves with this prosecution. Right? So the trade associations amped up the PR around this and said, ‘Oh, yeah, hey, look, we caught this Russian national for committing ad fraud.’”
As if it even mattered.
Ad Fraud is Widespread
“[Fou] So this was one of the most rudimentary bots you could imagine.”
To Dr. Fou, the story of Aleksandr Zhukov is, if anything, unexceptional.
“[Fou] He was just one case. And the dollar amounts were extremely trivial, right, like $7 million, when we’re talking about $150 billion being spent on digital advertising in the US alone, right, not worldwide. So it was less than, you know, a drop in the bucket.”
If anything, the most notable thing about Zhukov was that he got caught at all.
“[Fou] And there’s many that are much more sophisticated, that are still in operation that have not been caught. [. . .]
[Nate Nelson] Do you have any sense of approximately how much advertising traffic online is fake?
[Fou] The vast majority of it.”
Nobody has a view into the whole internet, but there are ways you can methodically test for fake traffic, and fake ad impressions.
“[Fou] So the way we estimate it is you take a look at the good publishers, so the ones that you recognize, like New York Times, Wall Street Journal, Washington Post, the Hearst, you know, Condé Nast and Meredith companies, you know, they have all those consumer magazines, and a bunch of newspapers, right. So those are the ones that humans have heard of, and humans do visit, right. So those mainstream publishers have human audiences.
Then when we talk about the hundreds of millions of sites, that are what we call the long tail, right? People have never heard of them but yet, they’re generating hundreds of billions of impressions to buy, who’s generating those impressions?”
There’s no good way to capture the entirety of the problem, but enough researchers have tried to test exactly how much of the world’s ad traffic is chum.
Like in 2019, the security company CHEQ analyzed 4.1 billion U.S. ad impressions from 1.2 million websites, finding that around 18% of the traffic was fraudulent. Their estimate fell to 14% in 2021.
That figure is in line with a 2020 University of Baltimore study, which concluded that 14% of all pay-per-click ads online are invalid.
Other studies have varied widely. In 2021, Statista published rates of ad fraud by region: 1.6% in Europe, the Middle East, and Africa, 1.5% in the U.S. and Canada, 1.1% in Latin America, and 0.8% in Asia.
By contrast, that same year, the U.K. software company Lunio claimed that 36% of clicks on display ads are invalid.
Whether it’s “the vast majority,” or closer to 36%, 14%, or even just 1.5%, we’re still talking about a massive phenomenon. 1% of all ad traffic on the entire web is a lot.
The Cost of Ad Fraud
And even if we don’t have the exact numbers, the cost of all this fakery is still clear.
At the 2017 Association of National Advertisers conference in Orlando, Florida, Kristin Lemkau — Chief Marketing Officer for JP Morgan Chase — claimed that advertisers lost 7.2 billion dollars to fraud in 2016. But even that was nothing, because in 2017, she said, the number would more than double to 16.4 billion.
Today’s internet is positively flooded with fraud, and it’s not exactly a secret. As Lemkau told her audience, quote, “There are 5,000 ad tech companies out there claiming that they can help solve the problem.”
But solve they did not. The next year, the number more than doubled again: advertisers lost 35 billion to fraud, according to Juniper Research. Juniper only tracked a 21% rise in fraud in 2019, costing advertisers 42 billion, but it’s safe to say that the number rises significantly every year. And who knows how much data we’re missing — how much fraud is happening that we just haven’t discovered yet.
“[Fou] So there’s a direct parallel in cybersecurity, right? You may have heard of zero days, right? Zero days are those malware threats where we didn’t know about it before, right, it’s probably been running for three years, five years for a very long period of time, we simply didn’t know it was there because we didn’t know what to look for.”
With dozens of billions of dollars squandered to cybercriminals every year, and “5,000” companies offering a solution, why isn’t anything actually getting solved?
Because there already is a very simple solution — an easy step companies can take to circumvent fraudsters entirely. They’re just not doing it, because, perhaps, they don’t actually want to.
That’s next time on Malicious Life.