Bot traffic costing advertisers billions as fraud detection fails, investigation reveals

A major investigation released this month, has uncovered significant flaws in the digital advertising ecosystem, revealing that leading verification systems routinely fail to detect and block non-human traffic despite claims to the contrary.

The investigation by research firm Adalytics shows that brands are spending billions of dollars on ads without knowing for certain that they are actually being shown to humans. Even when bots identify themselves openly, the industry's leading fraud detection systems frequently miss them.

Invalid traffic goes undetected

The research analyzed over a petabyte of web traffic data across more than two million websites over seven years, finding that at least 40% of web traffic consists of fake users or computerized bots. These bots range from benign web crawlers to sophisticated fraud systems.

According to the report, the top three companies that advertisers pay to detect and filter out bots — DoubleVerify, Integral Ad Science (IAS), and Human Security (formerly White Ops) — consistently failed to block ads from being shown to automated traffic, including declared bots operating from known data centers.

"It's like, can you tell the difference between a person and a person-shaped sock puppet that is holding up a sign saying, 'I am a sock puppet'?" said Laura Edelson, a computer science professor at Northeastern University and former Justice Department technologist who reviewed the findings.

The report revealed that in some cases, verification vendors correctly identified a visitor as a bot but still allowed ads to be served to that bot. In one notable example, IAS's publisher optimization tool labeled confirmed bot traffic as valid human visitors 77% of the time in a sample dataset spanning 2019-2024.

Billions at stake

The financial impact is significant. According to the World Federation of Advertisers, ad fraud is likely to exceed $50 billion globally this year, making it second only to the drugs trade as a source of income for organized crime.

The investigation found that among the organizations whose ads were shown to bots were major corporations including Procter & Gamble, Hershey's, IBM, T-Mobile, and JPMorgan Chase, along with government entities like the U.S. Postal Service, Department of Veterans Affairs, and the Centers for Disease Control and Prevention.

Erich Garcia, senior vice president of paid media at comparison-shopping site Quote.com, which spent hundreds of thousands of dollars on DoubleVerify's pre-bid filtering technology in 2024, questioned the value of these investments after reviewing the research.

"It's as if you haven't even learned how to throw a baseball, but you want me to trust you to throw a hundred-mile-an-hour pitch," Garcia said.

Industry blindspots

The technical examination revealed major blind spots in how verification systems operate. According to the research, services from DoubleVerify and IAS that attempt to catch bots before an advertiser bids don't receive critical credentials from some of the largest ad-buying platforms, including information about the user's browser, device type, and IP address.

"Without these identifiers, vendors lack essential information to determine whether traffic is coming from a declared bot or a data center," the report explains.

This contradicts what many advertisers believed about these verification systems. Executives at multiple ad agencies, publishers, and brands told researchers they were under the impression that verification vendors could access and use this information to filter out bots before bidding.

"Many of these vendors have made public statements about validating 100% of bid requests pre-bid, and avoiding bidding on or serving ads to bots. However, this research shows that even vendors who made such public statements were seen in some cases serving ads to bots," the report states.

Testing verification capabilities

The study's methodology relied on analyzing traffic from three different bot sources, including HTTP Archive, a nonprofit that crawls websites using declared bot user agents that have been on an industry standard list since 2013.

In one notable finding, Google's advertising systems served ads to bots crawling from Google's own data centers. For example, the investigation found that hundreds of thousands of healthcare.gov ads (from the U.S. Department of Health and Human Services) were served to declared bots operating out of Google Cloud data center IP addresses between 2022 and 2024.

Some publishers demonstrated that it is possible to block bots effectively. The Wall Street Journal, Reuters, and media sites operated by The Arena Group consistently prevented ads from being displayed when visited by declared bots.

"We believe it's inappropriate to serve ads to bots," an Arena Group spokesperson told researchers. "Therefore, we employ a significant amount of resources to ensure our traffic is high-quality... Serving ads to bots is a betrayal of that trust and would only degrade our performance and relationships."

The spokesperson added that 25-30% of their web traffic comes from bots, sometimes reaching over 40%.

Industry responses

DoubleVerify previously called the Adalytics report "misleading and manufactured" and claimed after publication that the findings were "inaccurate and misleading." The company maintained that even when it doesn't catch bots before brands bid on ads, it often detects them after the fact and ensures advertisers don't pay for those impressions.

An Integral Ad Science spokesperson said the company uses various services to help protect customers. "We continuously evaluate and innovate our offerings to respond to today's rapidly changing digital landscape," she said.

Human Security, which had previously announced being "the first company to receive accreditation from the Media Rating Council for pre and post-bid protection against Sophisticated Invalid Traffic," declined to comment on the findings because it hadn't seen the full report.

Timeline

• 2016-2018: U.S. Senators Warner and Schumer express concern about ad fraud, asking the FTC to investigate the "willful blindness to fraudulent activity in the online ad market."
• 2020: Media Rating Council publishes standards for invalid traffic detection.
• 2021-2023: Major ad tech companies announce partnerships with bot detection firms.
• 2023: DoubleVerify acquires Scibids, an AI-powered campaign optimization company.
• March 2025: Adalytics report reveals systemic failures in bot detection across the digital advertising ecosystem.

The investigation emphasizes that solving this problem requires cooperation across the entire advertising supply chain, as bot traffic not only wastes advertising budgets but also contaminates analytics data and increases electricity consumption and carbon emissions.

As Association of National Advertisers previously warned: "A false sense of security enables fraud to thrive."