Click and regret: the dark side of AdTech

Cybercriminals are increasingly operating in broad daylight, exploiting the advertising industry's infrastructure rather than hiding in the darknet. The latest report from Infoblox reveals how the Vane Viper group is impersonating an AdTech company to spread malware and conduct digital fraud on a massive scale.


Cybercriminals are operating less and less in the dark corners of the internet. Instead, they are increasingly keen to exploit an infrastructure that has been at the heart of the digital economy for years: online advertising. Infoblox's latest report shows how the Vane Viper group successfully impersonates an AdTech service provider and uses its "legitimate" platforms to spread malware and run massive fraud campaigns. This case study shows that AdTech is becoming not only a field for fraud, but also a full-fledged refuge for criminals who no longer need to hide in the darknet.

Cybercriminals’ new strategy

Until a decade ago, most major cybercrime operations were associated with hidden forums and darknet exchanges. This is where data was bought, attacks were ordered and malware was traded. Today, the landscape looks different. The digital underworld not only uses advertising platforms, but increasingly builds and runs them itself.

The reason is simple: AdTech is an industry focused on rapid growth and maximising reach. In practice, this means little transparency, minimal vetting of partners and huge volumes of traffic in which malicious activity is easy to hide. For groups like Vane Viper, this is the ideal environment: they can operate openly and still stay off the law enforcement radar.

Vane Viper – a test case for the industry

The Vane Viper group, tracked by researchers for more than three years, has become one of the most famous examples of this operating model. Its infrastructure includes more than 60,000 domains – ranging from short-lived domains, active for a few days, to those that have been around for years. According to Infoblox data, domains associated with the entity appeared in almost half of all the company’s customer networks, and the group generated more than one trillion DNS queries last year.

The scale of the business is not just due to aggressive distribution. Vane Viper combines a variety of techniques: abuse of browser push notifications, traffic distribution systems (TDS) that route each visitor to the payload or scam suited to them, compromised websites, and deceptive ads served through publisher partners. What is more, the analysis revealed links to AdTech Holding, the parent company of the controversial ad network PropellerAds, whose reputation has long been questioned in the industry.
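Two of the traits described above, a large pool of short-lived domains and query volume spread across many client networks, are visible in ordinary resolver logs. The script below is an added illustration of how a defender might triage such logs; it is not Infoblox's tooling or anything from the report. The log lines, the domain names and the "first seen" dates are all constructed, and the first-seen table stands in for a passive-DNS or RDAP lookup that a real deployment would perform.

```python
"""Flag young, widely-queried domains in DNS resolver logs.

Added example for this article, not code from Infoblox or the report.
Heuristic: a registrable domain is suspicious when it is young (first seen
within max_age_days of the last query) AND is queried from several distinct
clients. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed resolver log: "timestamp client qname qtype" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.15 cdn.example-news.test A
2024-05-01T10:00:04Z 10.0.1.15 push.quick-offer-7731.test A
2024-05-01T10:01:10Z 10.0.2.8 push.quick-offer-7731.test A
2024-05-01T10:02:33Z 10.0.3.22 push.quick-offer-7731.test A
2024-05-01T10:02:40Z 10.0.3.22 track.quick-offer-7731.test A
2024-05-01T10:03:00Z 10.0.1.15 www.example-news.test A
2024-05-01T10:04:12Z 10.0.4.9 go.fresh-redirect-220.test A
2024-05-01T10:04:13Z 10.0.4.9 go.fresh-redirect-220.test AAAA
"""

# Constructed first-seen dates; a real pipeline would query passive DNS or RDAP.
FIRST_SEEN = {
    "example-news.test": "2019-03-12",
    "quick-offer-7731.test": "2024-04-28",
    "fresh-redirect-220.test": "2024-04-30",
}


def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2].rstrip(".").lower()


def registrable_domain(qname):
    """Last two labels. Simplification: production code should use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(log_text, first_seen, max_age_days=14, min_clients=2):
    """Aggregate per registrable domain; flag young domains seen from several clients.

    Domains with no first-seen record get age_days=None and are never flagged
    here; in practice an unknown age is itself worth a second look.
    """
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "last_seen": None})
    for ts, client, qname in parse_dns_log(log_text):
        s = stats[registrable_domain(qname)]
        s["queries"] += 1
        s["clients"].add(client)
        if s["last_seen"] is None or ts > s["last_seen"]:
            s["last_seen"] = ts

    results = {}
    for domain, s in stats.items():
        age = None
        if domain in first_seen:
            born = datetime.strptime(first_seen[domain], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            age = (s["last_seen"] - born).days
        young = age is not None and age <= max_age_days
        spread = len(s["clients"]) >= min_clients
        results[domain] = {
            "queries": s["queries"],
            "clients": len(s["clients"]),
            "age_days": age,
            "flagged": young and spread,
        }
    return results


if __name__ == "__main__":
    for domain, r in sorted(score_domains(SAMPLE_LOG, FIRST_SEEN).items()):
        print(f"{domain:26} queries={r['queries']} clients={r['clients']} "
              f"age_days={r['age_days']} flagged={r['flagged']}")
```

On the constructed data only quick-offer-7731.test is flagged: it is three days old and already queried from three hosts, the pattern of a freshly registered ad or push domain that many browsers are being sent to at once. fresh-redirect-220.test is just as young but has reached a single client, so it is not flagged by itself; the thresholds are deliberately exposed as parameters so they can be tuned to a network's size.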

AdTech as a high-risk ecosystem

The problem is not just the activities of one group. The fact that cybercriminals can so easily infiltrate the advertising environment shows a fundamental weakness in the industry as a whole. The AdTech ecosystem has been built around simple goals: quickly connecting advertisers with audiences and maximising revenue. Security and partner verification mechanisms often fall by the wayside.

The effect is predictable. Companies are looking for cheap and broad reach, publishers want to monetise traffic, and entities that offer instant results – regardless of their origin – embed themselves in the gap. This is how Vane Viper was able to blend into the ad network and expand its infrastructure virtually unhindered for years.

Parallel cases – VexTrio and other players

Vane Viper is not the only example. A few months earlier, Infoblox researchers warned of the VexTrio group, which also used advertising networks to conceal malicious activities. Both entities have a similar structure: they function as a set of advertising companies registered in different jurisdictions, often run by Russian speakers and linked to diaspora centres in Eastern Europe and Cyprus.

At first glance, each company looks like a separate business. In practice, they form something like a holding company – a loosely connected network of cooperating organisations that share infrastructure and know-how. This approach allows operations to scale quickly, while at the same time making investigations and action by regulators more difficult.

Consequences for business and users

While this may seem like a technical issue for security professionals, the implications of cybercriminals infiltrating AdTech are much broader.

For advertisers, this means a real risk that their campaigns will appear alongside misleading content or even be used to infect users. Ordinary internet users, on the other hand, are exposed to attacks through seemingly innocent adverts or pop-up notifications. Each click can lead to infection, data theft or unwitting participation in a digital fraud campaign.

Long-term, it is also a reputational threat to the entire digital advertising market. If the ecosystem is associated with danger, advertisers may reduce investment and users may block content, undermining the business foundations of the entire industry.

A systemic regulatory problem

The Infoblox report also highlights a wider challenge: the lack of international security standards in the AdTech industry. Opaque ownership structures, offshore jurisdictions and links to other high-risk industries make it extremely difficult to prosecute such groups.

While the first regulatory attempts to bring order to the digital advertising ecosystem can be seen, especially around data protection, security is still left in the shadows. Meanwhile, the Vane Viper case shows that without audit tools, partner controls and verification mechanisms, the entire sector remains vulnerable to long-term, systemic abuse.

AdTech has over the years been presented as the engine of the internet economy, enabling the monetisation of content and funding the development of digital services. Today, however, it is becoming increasingly clear that the same infrastructure is also becoming a convenient refuge for cyber criminals.
