DoubleVerify uncovers $2.5M ShadowBot fraud targeting mobile and CTV
Amateur-level bot scheme generates 35 million spoofed devices using 1990s screen resolutions and basic automation.

DoubleVerify released findings on June 25, 2025, revealing the discovery of ShadowBot, a widespread fraud scheme that generated over 35 million spoofed mobile devices during the first quarter of 2025. The fraudulent operation cost unprotected advertisers an estimated $2.5 million since the beginning of 2025, according to the digital media verification company.
The DV Fraud Lab identified ShadowBot targeting mobile and Connected TV environments using rudimentary automation techniques. These included mobile emulators and spoofed application identifiers. Despite the scheme's extensive reach, researchers noted it contained amateur-level mistakes that made detection possible for advertisers protected by advanced fraud-detection systems.
Summary
Who: DoubleVerify's Fraud Lab detected the ShadowBot scheme, which targeted unprotected advertisers across mobile and Connected TV advertising environments.
What: ShadowBot generated over 35 million spoofed mobile devices using amateur-level automation techniques, including mobile emulators with inappropriate screen resolutions and spoofed application identifiers, resulting in $2.5 million in estimated losses.
When: The scheme operated during the first quarter of 2025, with DoubleVerify announcing the discovery on June 25, 2025.
Where: The fraud targeted mobile and Connected TV advertising inventory globally, using anonymizing IP proxies and affecting multiple advertising platforms and exchanges.
Why: The scheme exploited vulnerabilities in emerging media types that have limited visibility and rapid growth, taking advantage of basic automation techniques that could generate significant revenue before detection by unprotected advertising campaigns.
"ShadowBot shows that fraud doesn't need to be sophisticated to be costly," said Gilit Saporta, VP Product, Fraud & Quality at DoubleVerify. "It's alarming to see $2.5M lost to bots using resolutions of an old CRT screen we all used back in the 1990s."
The investigation revealed several technical indicators that exposed the fraudulent operation. ShadowBot employed emulators that defaulted to screen resolutions such as 800x600 pixels, which are not typical for mobile devices. This resolution choice represents one of the most obvious signs of the scheme's amateur implementation.
Technical red flags expose amateur operation
DoubleVerify's Fraud Lab documented five key indicators that uncovered the ShadowBot network. The basic automation methods used by fraudsters relied on emulators with inappropriate screen resolutions for mobile devices. The operation also produced abnormally high impression volumes that failed to align with seasonal advertising trends.
Suspicious internet protocol activity provided another detection vector. Fraudsters utilized anonymizing IP proxies provided by questionable entities whose digital footprints contained fake testimonials, broken URLs, and documented abuse reports. The lack of behavioral diversity among devices showed identical impression counts, which contradicted the variability expected from genuine users.
Perhaps most revealing were the improbable engagement patterns. Devices appeared to open 10 different spoofed applications within just 9 minutes, representing behavior impossible for actual users to achieve. These patterns enabled DoubleVerify's artificial intelligence-powered detection systems to identify and block the fraudulent traffic.
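Three of the device-level indicators described above (a legacy screen resolution, 10 different apps within 9 minutes, identical impression counts across devices) can be checked over impression logs as sketched below. This is an added example, not DoubleVerify's code; the record fields, the `CLONE_MIN_DEVICES` threshold and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
LEGACY_RESOLUTIONS = {(800, 600)}   # the one value the article names
APP_BURST = 10                      # distinct apps ...
BURST_WINDOW_S = 9 * 60             # ... within 9 minutes (article's figures)
CLONE_MIN_DEVICES = 3               # assumed: devices sharing one exact count

def distinct_apps_in_window(events, window_s):
    """Max number of distinct app_ids seen in any window_s-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    best, left, live = 0, 0, Counter()
    for e in events:
        live[e["app_id"]] += 1
        while e["ts"] - events[left]["ts"] > window_s:
            old = events[left]["app_id"]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best

def flag_devices(events):
    """Return {device_id: sorted list of reasons} for suspicious devices."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e["device_id"]].append(e)
    count_hist = Counter(len(v) for v in by_dev.values())
    flags = {}
    for dev, evs in by_dev.items():
        reasons = set()
        if any((e["w"], e["h"]) in LEGACY_RESOLUTIONS for e in evs):
            reasons.add("legacy_resolution")
        if distinct_apps_in_window(evs, BURST_WINDOW_S) >= APP_BURST:
            reasons.add("app_burst")
        if len(evs) > 1 and count_hist[len(evs)] >= CLONE_MIN_DEVICES:
            reasons.add("identical_impression_count")
        if reasons:
            flags[dev] = sorted(reasons)
    return flags

def sample_events():
    """Constructed sample: three emulator-like devices and one ordinary phone."""
    evs = []
    for d in ("emu-1", "emu-2", "emu-3"):
        evs += [{"device_id": d, "ts": 1000 + 50 * i, "app_id": f"app{i}",
                 "w": 800, "h": 600} for i in range(10)]
    evs += [{"device_id": "phone-1", "ts": 1000 + 900 * i, "app_id": "news",
             "w": 1080, "h": 2400} for i in range(4)]
    return evs
```

On real traffic the identical-count check would be scoped to a cohort (for example one proxy range or one app bundle), since unrelated devices can share a count by chance.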
Lisa Toledano, who leads one of DoubleVerify's fraud detection teams, emphasized the vulnerability of emerging media formats. "We've found that emerging media types, including mobile and CTV environments, are especially susceptible to fraud due to limited visibility and rapid growth," she stated. The rapid expansion of these advertising channels creates opportunities for fraudsters while presenting challenges for traditional monitoring systems.
Connected TV fraud concerns mount across industry
The ShadowBot discovery adds to growing concerns about fraud in Connected TV advertising environments. Recent industry analysis shows CTV platforms face significant fraud challenges, with non-vMVPD applications demonstrating particularly high rates of invalid traffic compared to traditional virtual multichannel video programming distributors.
Wayne Tassie, Group Director – Netherlands at DoubleVerify, positioned the company's fraud detection capabilities within broader industry challenges. "As the digital ecosystem continues to scale through automation, the emergence of sophisticated fraud schemes like ShadowBot reinforces the critical importance of transparency, quality, and accountability in media," he explained.
The scheme's impact extends beyond immediate financial losses to advertisers. Fraudulent traffic contaminates analytics data, potentially leading to misguided strategic decisions. Industry reports indicate that advertisers face fraud rates 14 times higher when campaigns lack protection measures, highlighting the necessity of comprehensive fraud detection solutions.
Connected TV environments present unique challenges for fraud detection compared to traditional digital advertising channels. Unlike desktop or mobile web advertising, CTV platforms often have limited on-device measurement capabilities and rely heavily on server communication. These characteristics create vulnerabilities that fraudsters can exploit using schemes like ShadowBot.
Industry response to evolving fraud landscape
The advertising technology sector has increasingly focused on combating sophisticated fraud schemes. Recent partnerships between security companies and advertising platforms demonstrate industry-wide recognition of fraud threats. These collaborations aim to implement pre-bid detection and mitigation solutions that protect advertisers before fraudulent impressions can be purchased.
DoubleVerify's discovery comes amid broader industry investigations revealing systemic failures in bot detection across the digital advertising ecosystem. Research indicates that leading verification systems routinely fail to detect and block non-human traffic, even when bots identify themselves openly.
The financial implications extend far beyond individual schemes. The World Federation of Advertisers estimates that ad fraud will exceed $50 billion globally in 2025, making it second only to the drugs trade as a source of income for organized crime. This scale necessitates continuous innovation in fraud detection technologies and industry cooperation.
Artificial intelligence arms race in fraud detection
The emergence of artificial intelligence-powered fraud schemes has created a technological arms race between fraudsters and detection systems. Reports document increasing sophistication in ad fraud tactics, with cybercriminals leveraging generative AI to create more convincing fake user profiles and engagement patterns.
DoubleVerify's detection of ShadowBot demonstrates how even amateur-level fraud schemes can achieve significant scale before discovery. The scheme's use of outdated screen resolutions and obvious behavioral patterns suggests that fraudsters may not always employ sophisticated techniques when basic automation proves sufficient to generate revenue.
The company's fraud detection capabilities rely on artificial intelligence systems trained to identify subtle deviations from normal user behavior. These systems analyze impression-level data across global networks to detect both sophisticated schemes and simpler operations like ShadowBot. The technology enables real-time blocking of fraudulent traffic before advertisers pay for worthless impressions.
Roy Rosenfeld, Head of DV Fraud Lab, previously noted that "good AI can be used to fight bad AI," emphasizing the importance of leveraging artificial intelligence to stay ahead of increasingly sophisticated fraudsters. This technological competition continues to evolve as both sides develop more advanced capabilities.
Mobile and streaming fraud acceleration
Mobile advertising fraud has shown particular growth, with investigations doubling in 2023 compared to previous years. The ease with which generative AI can create fake websites and applications with deceptive tactics like mass-generated positive reviews contributes to this increase. These tactics create illusions of legitimate audiences within mobile applications.
Streaming platform fraud has demonstrated even more dramatic growth. Bot fraud schemes targeting streaming platforms showed a 269% increase in variants during 2023, contributing to a 58% overall rise in streaming fraud schemes. Fraudsters leverage generative AI to generate seemingly authentic user agents that mimic human interaction with content while inflating advertisement impressions.
The ShadowBot scheme's focus on mobile and Connected TV environments reflects broader fraud trends targeting high-growth advertising channels. These platforms often lack the established fraud detection mechanisms present in traditional digital advertising, creating opportunities for both sophisticated and amateur fraudsters.
DoubleVerify continues monitoring and shutting down evolving fraud schemes across the open web, mobile applications, and streaming environments. The company employs proprietary analytics tools, impression-level monitoring, and global fraud laboratory capabilities to protect brand and agency media investments.
Industry standards and verification challenges
The discovery highlights ongoing challenges with industry verification standards. Recent reports document over 100 cases of ads.txt manipulation since the standard launched in 2017, including AI-generated networks that exploit publisher authorization systems to divert advertising revenue.
Connected TV advertising faces additional complexity due to the rapid evolution of viewing technologies and measurement standards. Industry initiatives to establish unique identifiers for advertisement creatives aim to improve measurement and fraud detection capabilities. These efforts seek to address frequency capping challenges and enable more accurate campaign reporting across platforms.
The Interactive Advertising Bureau Tech Lab has collaborated with industry organizations to develop standardized approaches for creative identification in CTV advertising. These frameworks potentially improve fraud detection by providing consistent identification throughout advertisement delivery processes.
DoubleVerify maintains that protecting advertisement spend from schemes like ShadowBot requires continuous monitoring and adaptation. The company's global fraud laboratory analyzes traffic patterns across more than two million websites to identify emerging threats and develop countermeasures.
The ShadowBot investigation demonstrates that fraud detection success depends on identifying behavioral anomalies rather than relying solely on technical sophistication indicators. Amateur-level schemes can achieve significant scale through basic automation when proper detection systems are absent.
Timeline
- May 2017: IAB Tech Lab launches ads.txt standard to prevent unauthorized advertisement inventory sales
- March 2024: Pixalate report reveals higher invalid traffic rates on non-vMVPD CTV apps
- May 2024: IAS releases Media Quality Report showing fraud rates 14 times higher for unprotected campaigns
- June 2024: DoubleVerify report shows 20% increase in new ad fraud schemes, with 269% rise in streaming platform variants
- July 2024: HUMAN Security report reveals AI-powered bot sophistication, with up to 98.55% of traffic attempting fraud
- September 2024: HUMAN and Opera Ads announce partnership to combat CTV advertising fraud
- March 2025: Major investigation reveals systemic failures in bot detection across digital advertising ecosystem
- Q1 2025: ShadowBot scheme generates 35 million spoofed mobile devices
- May 2025: DoubleVerify documents over 100 ads.txt fraud cases including Synthetic Echo AI network
- June 25, 2025: DoubleVerify announces ShadowBot discovery and $2.5 million fraud impact