Malvertiser behind 100+ million bad ads arrested and extradited to the US

Ukrainian man behind slew of fake companies that delivered malicious ads on legitimate sites.
Written by Catalin Cimpanu, Contributor

A Ukrainian man has been arrested in the Netherlands and extradited to the US, where he was arraigned last Friday in front of a New Jersey judge to face charges of orchestrating malvertising campaigns for almost five years.

According to court documents, Oleksii Ivanov, 31, was behind multiple fake companies that operated from October 2013 through May 2018 and shipped over 100 million bad ads to users all across the world.

Suspect used string of fake companies

Ivanov and co-conspirators operated by registering a fake company, buying ad space from advertising networks on legitimate sites, and delivering ads containing malicious code (called malvertising) that redirected users to sites peddling malware.

US investigators said that when the malvertising campaigns were uncovered and the victimized ad networks reached out with inquiries, Ivanov would often claim innocence and deny any involvement with the bad ads.

If the ad networks suspended his companies' accounts, Ivanov would simply register a new firm, usually in the UK, and continue from where he left off.

Ivanov and his co-conspirators, none of whom were named in court documents, also used fake personas to hide their real identities when interacting with the ad networks.

Most of the time, investigators said, Ivanov's malicious ads redirected users to websites peddling malware-laced files.

US prosecutors said Ivanov also built a malware botnet during the time he carried out the malvertising operations.

Ivanov was arrested on October 19, 2018, following an international investigation by the US Secret Service and Dutch and British law enforcement.

US cracking down on ad fraud

Ivanov's arrest is the second major case that US authorities have gotten underway as part of recent efforts to fight ad fraud. In December last year, authorities dismantled 3ve, a gigantic ad fraud network involved in generating fake ad views and clicks that made millions of US dollars in illicit revenue for the scheme's perpetrators.

Ivanov's use of fake companies to buy advertising space on legitimate ad platforms is not the first of its kind. Last year, security researchers unearthed a group called Zirconium that ran 28 fake ad agencies that were renting ad space on legitimate sites in a similar fashion.

In recent months, malvertising has been surging, targeting US-based iOS users, with the most active groups being the likes of ScamClub, VeryMal, and eGobbler.
