HUMAN Security announced on July 7, 2026 that its Satori Threat Intelligence and Research Team had identified and disrupted a coordinated connected TV fraud operation, dubbed NewsJunkie, in which a group of sellers transacted high volume, high invalid traffic while masquerading as premium streaming inventory. At its peak, the scheme generated hundreds of millions to nearly two billion invalid CTV bid requests per day, per individual seller, according to HUMAN Security.
The disclosure lands in a market where fraud detection has become a defining competitive concern for buyers of connected television advertising. Streaming inventory now carries a structural weakness that traditional desktop and mobile channels do not share, and NewsJunkie appears to have exploited that weakness with unusual persistence.
If nobody's reading it, did it ever really load? Add PPC Land as your preferred source in Google Search and actually see the stories that matter.
What made NewsJunkie different from typical CTV fraud
Connected TV advertising occupies a strange position in the broader digital ecosystem. Unlike desktop or mobile environments, where JavaScript can generate rich behavioral signals, a substantial share of CTV inventory is delivered without any JavaScript at all. That absence removes an entire category of detection signal that verification systems rely on elsewhere. According to HUMAN Security, a sizable component of NewsJunkie-related traffic exploited precisely this information gap.
Will Herbig, Senior Director of Media Research at HUMAN, framed the discovery within a wider industry shift. "NewsJunkie reinforces a reality security leaders are increasingly confronting: invalid CTV traffic is not simply an impression-quality issue, it's a supply chain security challenge," Herbig said, according to HUMAN Security. He added that organizations need visibility across every intermediary involved in a transaction "to identify hidden risks, validate trusted pathways, and prevent sophisticated operations from exploiting gaps in the ecosystem."
The operation relied on two distinct techniques that worked in tandem. The first involved spoofing device, app, and IP details through server-side ad insertion, giving the appearance of real household devices watching content, when in fact the entire signal chain was fabricated server-side. The second, described by HUMAN Security as a more evasive variant, routed traffic through residential IP addresses paired with forged CTV device information, a combination designed specifically to evade origin-based detection methods.
Together, these methods flooded the programmatic supply chain with impressions engineered to resemble premium CTV inventory originating from genuine households. Because no single technical signal exposed the fraud on its own, Satori researchers had to examine the full, end-to-end supply chain, tracing individual bid requests to determine which were unlikely to have come from real people watching real devices.
Why detection required full supply chain analysis
Lindsay Kaye, Vice President of Threat Intelligence at HUMAN, described the operation's core danger in structural terms rather than technical ones. "NewsJunkie is a reminder that today's most sophisticated ad fraud operations can blend into legitimate-looking supply chains," Kaye said, according to HUMAN Security. She continued: "What made this scheme particularly challenging was that no single signal revealed the fraud. As threat actors continue exploiting the complexity of CTV, visibility into the full supply chain is no longer optional; it's imperative for identifying coordinated fraud and protecting the integrity of digital advertising."
That statement captures a pattern that has recurred across multiple CTV fraud disclosures over the past several years. Isolated anomalies rarely give away sophisticated schemes; only aggregated, cross-referenced analysis does. Bid requests that individually look plausible can, in combination, reveal volumes, timing patterns, or device distributions that no real audience could produce.
The scale problem behind CTV fraud detection
The economics of connected television advertising help explain why schemes like NewsJunkie can operate at the volumes HUMAN Security describes. CTV ad spend has continued its rapid expansion, and buyers have increasingly directed budget toward the channel on the assumption that streaming environments carry premium, brand-safe inventory. That assumption has proven only partially reliable, according to a growing body of independent research.
DoubleVerify's 2026 Global Insights report found that CTV fraud schemes and variants rose 140 percent in the first quarter of 2026 compared with the same period a year earlier, with the company identifying more than 50 distinct bot attacks and variants across 2025 alone. The same research found that in campaigns without pre-bid fraud protection, 9 percent of impressions were not served to a real human at all, a figure that rose as high as 25 percent in specific fast-moving consumer goods deals structured as direct buys. That detail matters for the NewsJunkie disclosure, since it undercuts a common industry assumption: that direct deals inherently carry lower fraud risk than open exchange inventory. HUMAN Security's own findings suggest sellers, not just exchange pathways, can be the point of exploitation.
The information-gap problem HUMAN Security describes has technical roots documented elsewhere in industry research. IAB Europe's April 2026 guide to programmatic CTV states plainly that CTV measurement is heavily influenced by server-side ad insertion, which limits the client-side tags that underpin verification in other advertising channels. The guide also notes that device attestation, based on the IETF Privacy Pass Protocol, has emerged as one countermeasure: it cryptographically verifies that a bid request originated from legitimate CTV hardware rather than a server farm, without passing personally identifiable information to the ad server.
A recurring pattern in CTV ad fraud history
NewsJunkie is not the first large-scale CTV spoofing scheme to surface, and its underlying mechanics echo earlier disclosures. In 2021, Oracle's Moat unit exposed an operation called StreamScam, which exploited flaws in server-side ad insertion technology to convince advertisers they were paying for ads that were never actually delivered to households. That operation reportedly led to 14.5 million dollars in misspent advertising budget, according to AdAge's reporting cited at the time. DoubleVerify separately said it had already detected the same scheme under a different name, LeoTerra, tracking 44 million unique spoofed device signatures and 4,700 spoofed apps.
An earlier operation, ICEBUCKET, involved two million spoofed household IP addresses spread across 300 app IDs and 1,000 CTV device IDs, according to Oracle's disclosure. The parallels to NewsJunkie are evident: both operations combined device and IP spoofing with server-side infrastructure specifically to defeat detection systems built around client-side signals that simply do not exist in much of the CTV environment.
More recently, DoubleVerify disclosed in June 2025 a scheme called ShadowBot, which generated more than 35 million spoofed mobile devices during the first quarter of that year and cost unprotected advertisers an estimated 2.5 million dollars. Lisa Toledano, who led one of DoubleVerify's fraud detection teams, said at the time that emerging media types, including mobile and CTV environments, were especially susceptible to fraud due to limited visibility and rapid growth. Unlike ShadowBot, which researchers characterized as containing amateur-level automation mistakes, NewsJunkie appears to reflect a more calculated design, given its reliance on residential IP routing specifically intended to defeat origin-based checks.
The broader Satori threat intelligence record
HUMAN Security's Satori team has built a track record of disrupting large-scale fraud operations across different advertising formats. In mid-2024, the team uncovered Konfety, a mobile advertising fraud campaign that exploited the CaramelAds software development kit through an evil twin method, generating what researchers described as massive fraudulent ad traffic while evading detection through counterfeit versions of legitimate apps.
Later that same year, Satori researchers exposed an operation called Camu, a Brazil-based scheme that peaked at 2.5 billion daily bid requests across 132 domains by exploiting pirated content websites and domain cloaking techniques. That volume is comparable in scale to what NewsJunkie is reported to have generated per individual seller, though Camu operated across a documented list of domains rather than through device and IP spoofing in the CTV environment specifically. HUMAN Security said mitigation efforts against Camu reduced bid request volume from 2.5 billion to approximately 100 million per day over roughly nine months, illustrating that disruption, even when successful, does not always mean instant elimination of an operation's residual activity.
Ongoing monitoring after disruption
HUMAN Security stated that Satori researchers have disrupted the NewsJunkie operation and that customers using the company's Ad Fraud Defense and Ad Fraud Sensor products are protected against the threat. The company also said its researchers continue to monitor the threat actors behind NewsJunkie for adaptations, specifically citing the possibility of migration to new app IDs, device strings, and seller accounts.
That framing is consistent with how HUMAN Security has described previous disruptions. The Konfety case saw threat actors shift targeting toward ad networks not protected by HUMAN's services almost immediately after countermeasures were deployed, according to the company's earlier disclosure. Whether NewsJunkie's operators follow the same pattern of migration rather than cessation remains something only continued monitoring can establish.
Why this matters for advertisers and publishers buying CTV inventory
The NewsJunkie disclosure arrives as measurement gaps in CTV attract growing scrutiny from multiple directions simultaneously. Pixalate's OpenEPG Index, launched in June 2026, found that invalid traffic rates at the individual show level can mask app-level averages that look acceptable, since a channel's overall rate might hide specific shows or dayparts carrying substantially higher fraud concentrations. IAB Europe's research cited in the same reporting found that global invalid traffic rates doubled between the third quarter of 2023 and the third quarter of 2025, with 15 to 25 percent of total global ad spend now lost to fraud, disproportionately affecting CTV and mobile in-app environments.
For agency trading desks and brand-side programmatic teams, the practical challenge NewsJunkie presents is one of verification architecture rather than simple vigilance. A scheme built specifically to exploit the absence of client-side signals cannot be caught by tools designed around those signals. HUMAN Security's own materials describe examining bid requests across the full transaction chain, not isolated data points, as the method that ultimately exposed the operation. That approach requires infrastructure most individual advertisers do not build themselves, which is part of why third-party verification has become a standard line item in CTV media planning rather than an optional add-on.
Only 21 percent of surveyed advertisers currently use invalid traffic or fraud detection as a key performance indicator for their CTV campaigns, according to DoubleVerify's research. That low adoption rate, set against fraud schemes capable of generating close to two billion invalid bid requests daily from a single seller, suggests a gap between the scale of the problem and the measurement discipline many buyers currently apply to it.
Timeline
- November 2021: Oracle's Moat unit exposes StreamScam, an earlier CTV ad fraud operation exploiting server-side ad insertion vulnerabilities, reportedly resulting in 14.5 million dollars in misspent advertising budget.
- Mid-2024: HUMAN Security's Satori Threat Intelligence and Research Team uncovers Konfety, a mobile advertising fraud operation using evil twin apps built on the CaramelAds SDK.
- Late 2024: Satori researchers expose Camu, a Brazil-based ad fraud scheme peaking at 2.5 billion daily bid requests across 132 domains using pirated content and domain cloaking.
- June 25, 2025: DoubleVerify discloses ShadowBot, a fraud scheme generating more than 35 million spoofed mobile devices and an estimated 2.5 million dollars in losses across mobile and CTV environments.
- July 7, 2026: HUMAN Security announces that its Satori team has identified and disrupted the NewsJunkie CTV device spoofing operation, which generated hundreds of millions to nearly two billion invalid bid requests per day, per seller, at its peak.
Related PPC Land coverage
- CTV fraud schemes up 140% as AI arms both sides of the fight - DoubleVerify's May 2026 Global Insights report documents a 140 percent year-over-year rise in CTV fraud schemes and finds that direct deals are not immune to fraud despite common industry assumptions.
- IAB Europe maps the programmatic CTV landscape in its most detailed guide yet - The trade body's April 2026 guide explains how server-side ad insertion limits client-side verification tools and describes device attestation as an emerging countermeasure.
- Oracle exposes StreamScam, an ad fraud operation in Connected TV - Coverage of an earlier, structurally similar CTV fraud operation that exploited server-side ad insertion technology to fake ad delivery.
- DoubleVerify uncovers $2.5M ShadowBot fraud targeting mobile and CTV - Reporting on a 2025 fraud scheme spoofing millions of mobile devices across mobile and CTV inventory.
- Massive Mobile Ad Fraud Operation Konfety Uncovered by HUMAN's Satori Team - Coverage of an earlier large-scale fraud operation identified by the same HUMAN Security research team.
- Camu ad fraud operation exposed: piracy sites exploit digital advertising - Reporting on a separate Satori-identified scheme that reached a comparable peak volume of 2.5 billion daily bid requests.
- Pixalate's OpenEPG Index exposes the blind spot in streaming TV measurement - Coverage explaining how invalid traffic can concentrate at the show and daypart level in ways that app-level averages conceal.
Summary
Who: HUMAN Security, Inc., through its Satori Threat Intelligence and Research Team, identified and disrupted the operation. Named individuals include Will Herbig, Senior Director of Media Research, and Lindsay Kaye, Vice President of Threat Intelligence, both at HUMAN.
What: A coordinated connected TV device spoofing operation, dubbed NewsJunkie, in which a group of sellers transacted high volume, high invalid traffic inventory disguised as premium CTV content. At its peak, the operation generated hundreds of millions to nearly two billion invalid CTV bid requests per day, per seller, using two techniques: spoofing device, app, and IP details through server-side ad insertion, and routing evasive traffic variants through residential IP addresses paired with forged CTV device information.
When: HUMAN Security announced the disruption on July 7, 2026. The company said Satori researchers continue to monitor the threat actors for new adaptations following the disruption.
Where: The operation affected connected TV advertising inventory transacted through programmatic supply chains, with HUMAN Security based in New York, New York.
Why: The disclosure matters because it demonstrates that sophisticated fraud operations can blend into legitimate-looking supply chains without triggering any single detection signal, requiring full end-to-end supply chain analysis rather than isolated technical checks. It also reinforces industry data showing that CTV's structural lack of client-side signals, particularly in server-side ad insertion environments, creates persistent conditions for invalid traffic that current advertiser adoption of fraud detection as a key performance indicator, at only 21 percent according to independent research, may not adequately address.
Discussion