3ve
from Wikipedia

3ve was a botnet that operated between about 2013 and 2018.[1]

History

3ve, pronounced as “Eve”, was a botnet that was halted in late 2018.[2] The botnet was first discovered in 2016[2] by White Ops,[3] and had been active since at least 2013.[4] The discovery led to the start of a 2017 FBI investigation.[5]

The botnet

3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks were directed at fake websites, which hosted ads and then collected the ad revenue from the false impressions.[2] Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time.[6]

At its peak, the botnet controlled more than one million residential and corporate IP addresses, largely within Europe and North America.[2] It is estimated that 1.7 million PCs were infected over time, clicking on more than ten thousand fake websites[6] with more than 250,000 total webpages,[7] taking in ad revenue from about sixty thousand digital advertising accounts placing the false ads.[8] The network issued more than three billion fraudulent daily ad bid requests.[6] About thirty million dollars was stolen over the time the botnet was in use.[9]

Closure

The botnet was shut down through a collaboration of multiple organizations, including White Ops, Google, the Department of Homeland Security, and the FBI Internet Crime Complaint Center.[2] Other organizations involved included Adobe, the Trade Desk, Amazon Advertising, Oath, Malwarebytes, ESET, Proofpoint, Symantec, F-Secure, McAfee, and Trend Micro.[8] Following the investigation that took down the botnet, the Department of Justice issued thirteen indictments against eight individuals, in a case led by United States Attorney Richard P. Donoghue.[8] Six of the individuals charged were from Russia, and two were from Kazakhstan.[10] Additionally, 31 internet domains and 89 servers were seized by the FBI.[6]

from Grokipedia
3ve was a sophisticated botnet that operated from approximately 2013 to 2018, specializing in large-scale online advertising fraud by infecting computers worldwide with malware to simulate artificial website traffic and generate billions of fake ad impressions and clicks, thereby diverting revenue from legitimate advertisers to cybercriminals; it is estimated to have generated around $30 million in illicit profits. The operation controlled over 1.7 million unique IP addresses globally, with a heavy concentration in North America and Europe, enabling it to proxy ad requests through compromised residential and corporate devices while masking origins via data center IPs and Border Gateway Protocol hijacking. At its peak in 2017, 3ve produced more than 3 billion fraudulent ad bid requests per day, exploiting vulnerabilities across the digital ad ecosystem, including spoofed domains and counterfeit premium websites that mimicked real user behavior to evade detection. Central to 3ve's mechanisms were two primary malware families: Boaxxe (also known as Miuref), which spread via email attachments and drive-by downloads to act as proxies for ad requests, and Kovter, a fileless malware that deployed hidden Chromium Embedded Framework browsers on infected Windows systems to invisibly load and interact with ads under command-and-control server instructions. These infections, often delivered through spam campaigns, pay-per-install schemes, and ransomware like Nemucod, allowed the botnet to automate stealthy fraud while persisting through registry modifications and randomized file placements. In October 2018, an international law enforcement effort, coordinated by the U.S. Department of Justice and involving cybersecurity experts from ESET and White Ops, as well as tech giants like Google, targeted and dismantled 3ve's infrastructure, reducing invalid traffic to near zero within 18 hours and resulting in a 13-count indictment against eight defendants from Eastern Europe. Subsequent arrests and a 2022 forfeiture of $15 million underscored ongoing efforts against the scheme. This disruption highlighted ongoing industry collaborations, such as the Interactive Advertising Bureau's ads.txt standard and Google's automated invalid traffic refunds, underscoring the evolving battle against ad fraud in the digital economy.

Overview

Description

3ve, pronounced "Eve," was a sophisticated online advertising fraud scheme that operated from approximately 2013 to 2018, generating fake ad impressions through hidden browser instances on compromised devices. This operation controlled over 1.7 million unique IP addresses worldwide, primarily in North America and Europe, by infecting victim computers with malware to simulate legitimate user traffic. At its core, 3ve employed the Chromium Embedded Framework (CEF) to run invisible browser instances on infected machines, enabling the stealthy loading of counterfeit websites and ads without user awareness. These hidden browsers mimicked human browsing behavior, such as navigating to premium site replicas and requesting ads, to bypass fraud detection systems. The scheme relied on botnets like Kovter and Boaxxe to proxy traffic and execute these tasks. The primary objective of 3ve was to monetize this artificial traffic by funneling ad revenue through networks like Google AdSense, ultimately defrauding advertisers of millions of dollars in illegitimate impressions and clicks.

Scale and Impact

The 3ve ad fraud operation infected over 1.7 million unique IP addresses worldwide, primarily through malware such as Boaxxe/Miuref and Kovter targeting Windows systems, enabling the generation of massive volumes of fraudulent traffic. At its peak, the botnet maintained around 700,000 active desktop infections, with additional leverage from BGP-hijacked corporate and residential IPs. This infrastructure produced 3 to 12 billion daily ad bid requests, representing billions of fake ad impressions annually and simulating human-like behavior to evade detection in high-value markets like the US, Canada, and UK. Financially, 3ve inflicted losses of approximately $29 million on advertisers through falsified ad views across spoofed domains, with U.S. authorities recovering over $15 million in proceeds from the scheme in 2022. The operation's monetization via counterfeit inventory sales and unauthorized impressions siphoned budgets in the programmatic ecosystem, though exact operator revenues remain undisclosed; related indictments highlighted tens of millions in aggregate losses from 3ve and affiliated rings. On an industry level, 3ve exacerbated ad fraud trends by eroding trust in programmatic advertising, where over 80% of its bid requests bypassed authorization standards like ads.txt, driving up costs for legitimate advertisers and publishers. The scheme's sophistication, including hidden browsers and anti-forensic techniques, contributed to broader systemic vulnerabilities, prompting collaborative takedowns and heightened adoption of verification tools, though it underscored ongoing challenges in a market losing billions annually to similar fraud.

History

Origins and Discovery

The 3ve ad fraud operation emerged around 2013, initially as a small-scale bot-driven effort leveraging basic infrastructure in Eastern Europe, including an Autonomous System (AS) known as "ALPHA" that facilitated Border Gateway Protocol (BGP) hijacking to control IP addresses. This setup evolved from earlier ad fraud tactics, building on schemes like Methbot—a 2016 operation by Russian cybercriminals that generated fake ad impressions through bots and counterfeit media properties—though 3ve predated it and incorporated similar methods of mimicking human traffic while scaling more aggressively by 2017. Initial links to Russian cybercriminals were suggested by the Eastern European origins of its core ASNs and the use of malware families prevalent in that region's malvertising ecosystems. ESET researchers played a pivotal role in the discovery process during 2017-2018, identifying anomalous patterns within the Boaxxe (also known as Miuref) and Kovter botnets that pointed to coordinated ad fraud. Boaxxe, first analyzed by ESET in 2014 as adware redirecting search traffic, and Kovter, detected that same year as ransomware before evolving into ad fraud malware, were observed proxying unusual volumes of traffic through infected machines to simulate legitimate ad interactions. By late 2017, while assessing Methbot's aftermath, Google and White Ops researchers, in collaboration with ESET, Proofpoint, and Malwarebytes, uncovered 3ve's structure, revealing the 3ve.com domain as a facade for a central ad network that orchestrated bid requests across siloed sub-operations. These findings connected disparate botnet activities to a unified scheme controlling over 1.7 million IP addresses, primarily in North America. 
Key early indicators included surges in residential IP traffic from compromised devices, where hidden browsers emulated user behaviors such as mouse movements and idle-time execution to generate billions of fraudulent ad bids daily, blending seamlessly with organic requests. ESET's telemetry highlighted encrypted communications and geographic targeting toward high-value markets like the US, with bots evading detection by scanning for security software and virtual environments before activating. These patterns were first publicly detailed in cybersecurity reports from ESET and collaborative whitepapers in late 2018, marking the operation's identification as a sophisticated evolution of prior threats.

Operational Timeline

The 3ve ad fraud operation originated in 2013 with the establishment of core infrastructure, including the activation of Autonomous System (AS) ALPHA in Eastern Europe for BGP hijacking purposes. This initial setup involved a simple routing configuration with a single transit provider, aimed at acquiring and legitimizing IP space without immediate ad fraud activity. By 2015, low-volume botnet operations emerged, utilizing malware to infect residential computers through methods such as drive-by downloads and malvertising, resembling standard ad fraud botnets with minimal industry impact. These early infections, tied to families like Kovter, focused on small-scale traffic generation and evasion tactics, including scans for security software and virtual machines. In 2016, the operation began modest expansion, incorporating Boaxxe (also known as Miuref) and Kovter malware for proxying and direct infections, respectively, while maintaining under 5,000 active global infections for Boaxxe. Anti-forensics techniques evolved to target specific geolocations and ISPs, enabling integration with legitimate ad exchanges through spoofed residential traffic. By early 2017, BGP hijacking intensified, abusing defunct ASNs to route 200,000–500,000 unused IPs at a time, impersonating inactive providers to scale proxy layers for data center bots. This period marked the launch of sub-operation 3ve.1, with encrypted command-and-control communications and rapid IP churn, alongside the growth of 3ve.2 using Kovter for ~700,000 active Windows infections via malvertising campaigns mimicking software updates. Mid-2017 saw further diversification into 3ve.3, employing data center bots for video and display fraud, supported by over 1,000 servers for content rendering and rogue DNS resolution. Infections scaled to over 1 million compromised IPs, including residential and corporate addresses, with bots mimicking human behaviors like mouse movements to blend fraudulent traffic. 
By late 2017, daily ad bid requests surged into the billions, counterfeiting over 10,000 websites and selling inventory through more than 60,000 accounts, primarily targeting North America and Europe. The operation peaked in early 2018, generating 3–12 billion daily ad bid requests—representing approximately 3% of the industry's total—with 700,000 active Kovter infections driving the majority via custom browsers on hidden desktops and DNS hijacking for domain spoofing. IP churn reached 33% every four weeks through ISP rotations and cleanups, while BGP tactics impersonated live networks of major providers. Over 80% of these requests bypassed authorization standards like ads.txt, enabling seamless integration into supply chains before coordinated disruptions curtailed activity. In October 2018, an international effort disrupted 3ve's infrastructure, reducing invalid traffic to near zero. In May 2022, the United States recovered over $15 million from Swiss bank accounts holding proceeds from the scheme, linked to one of the indicted operators.
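The Scale and Impact and Operational Timeline sections both note that over 80% of 3ve's bid requests bypassed authorization standards like ads.txt. The following is an added example (not code from the page, the 3ve investigation, or any project it names) of the check a buyer or exchange applies under that standard: parse a publisher's ads.txt and accept a bid only if the claimed ad system and seller account pair is listed. The ads.txt content, domain names and bid requests are constructed sample data.

```python
"""Screen bid requests against a publisher's ads.txt records (IAB ads.txt format).

An ads.txt data record is: <ad system domain>, <seller account id>, DIRECT|RESELLER[, <cert authority id>]
Comment lines start with '#'; variable lines look like 'contact=...' or 'subdomain=...'.
All values below are constructed placeholders, not real publisher or exchange identifiers.
"""
from collections import namedtuple
from typing import List, Optional

AdsRecord = namedtuple("AdsRecord", "ad_system seller_id relationship cert_auth_id")

# Constructed ads.txt for a hypothetical publisher "news-example.test".
ADS_TXT = """\
# ads.txt for news-example.test (constructed sample)
contact=adops@news-example.test
exchange-a.test, 4567, DIRECT, certauth-placeholder
reseller-b.test, 8901, RESELLER
exchange-a.test, 4568, direct   # relationship keyword is case-insensitive
broken line without enough fields
"""


def parse_ads_txt(text: str) -> List[AdsRecord]:
    """Return the data records in an ads.txt body, skipping comments, blanks,
    variable lines and malformed records (lenient, as real consumers are)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or "=" in line.split(",", 1)[0]:
            continue                                  # blank or a variable line
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                                  # malformed record
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsRecord(fields[0].lower(), fields[1], relationship, cert))
    return records


def is_authorized(records: List[AdsRecord], ad_system: str, seller_id: str) -> bool:
    """True if the (ad system, seller account) pair is declared by the publisher."""
    return any(r.ad_system == ad_system.lower() and r.seller_id == seller_id
               for r in records)


def screen_bid_requests(ads_txt: str, bids: list) -> list:
    """Return (bid id, verdict) per bid; a bid for an unlisted system or account
    is the kind of unauthorized inventory an ads.txt check is meant to reject."""
    records = parse_ads_txt(ads_txt)
    return [(b["id"], "authorized" if is_authorized(records, b["ad_system"], b["seller_id"])
             else "unauthorized") for b in bids]


# Constructed bid requests, each claiming inventory on news-example.test.
SAMPLE_BIDS = [
    {"id": "bid-1", "ad_system": "Exchange-A.test", "seller_id": "4567"},  # listed
    {"id": "bid-2", "ad_system": "exchange-a.test", "seller_id": "9999"},  # unlisted account
    {"id": "bid-3", "ad_system": "exchange-z.test", "seller_id": "4567"},  # unlisted system
]

if __name__ == "__main__":
    for bid_id, verdict in screen_bid_requests(ADS_TXT, SAMPLE_BIDS):
        print(bid_id, verdict)
```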

Technical Aspects

Botnets and Infrastructure

The 3ve ad fraud operation relied on two primary malware families, Kovter and Boaxxe (also known as Miuref), to build and maintain its botnets, which provided a vast pool of compromised IP addresses for proxying traffic and simulating user activity. These botnets controlled over 1.7 million unique IP addresses at their peak, primarily in North America and Europe, enabling the operation to evade detection by distributing infections across residential and data center environments. Kovter, first identified as ransomware in 2014 before evolving into ad fraud malware, operated as a fileless trojan that stored its encrypted payload in the Windows registry for persistence, avoiding traditional file-based detection methods. It spread primarily through spam email attachments, drive-by downloads from malicious websites, exploit kits, and pay-per-install affiliate programs, with a focus on North American targets. For command-and-control (C2) communication, Kovter bots retrieved a static, encrypted configuration from their resources, which included first-level C2 server IPs and RC4 encryption keys; bots then connected to these servers via raw sockets to receive second-level C2 details and tasks, such as proxying requests through hidden Chromium Embedded Framework browsers on idle or locked systems. ESET researchers tracked over 700,000 active Kovter infections contributing to 3ve, mapping its multi-layered C2 infrastructure to support the 2018 disruption. Boaxxe served as a secondary botnet for scaling infections, functioning as an information-stealing trojan and backdoor that repurposed compromised systems as proxies. It propagated via similar vectors as Kovter, including spam campaigns, bundled ransomware like Nemucod, and pay-per-install schemes, achieving fewer but complementary infections (under 5,000 active at times) compared to Kovter.
Boaxxe bots handled RC4-encrypted DNS or HTTP requests from C2 servers, executing them—such as loading web content—and relaying responses to maintain operational stealth; while not primarily using domain generation algorithms, its C2 relied on hardcoded IPs and hostnames for resilience. In 3ve's architecture, Boaxxe enabled traffic proxying from data center bots through residential IPs, with ESET providing sinkhole data on its infrastructure during the takedown. The supporting infrastructure included over 1,000 servers across U.S. and European data centers for hosting counterfeit domains, running bot browsers, and managing C2 operations, with backend elements leveraging Border Gateway Protocol (BGP) hijacking of Eastern European autonomous system numbers (ASNs) like AS ALPHA and AS BRAVO to churn and impersonate IP ranges from defunct networks. Traffic routing occurred through redirection servers issuing HTTP 302 responses and rogue DNS resolvers that mapped legitimate domains to 3ve-controlled IPs, while payout processing integrated with programmatic ad exchanges via spoofed publisher accounts, though exact server locations for financial handling remained obscured. This distributed setup, combining botnet proxies with data center resources, allowed rapid adaptation, such as rotating one-third of IPs every four weeks.

Ad Fraud Mechanisms

The 3ve ad fraud operation employed sophisticated techniques to generate fraudulent ad impressions and clicks, primarily through two malware families: Boaxxe (also known as Miuref) and Kovter. These mechanisms allowed the operators to simulate legitimate user interactions on a massive scale, evading detection by ad platforms and publishers. By leveraging infected personal computers as proxies and hidden browsing environments, 3ve created the illusion of genuine traffic to monetize deceptive ad views. A core method involved launching hidden Chromium Embedded Framework (CEF) browser instances via the Kovter malware. Upon receiving commands from command-and-control (C2) servers, infected systems executed tasks in an invisible CEF browser, which rendered webpages and ads without any visible output to the user, such as graphics or audio. This hidden environment ensured ad content loaded and interacted as if viewed by a human, generating billable impressions while the system remained idle or the display was off. Kovter's "fileless" design stored encrypted payloads in the Windows registry for persistence, and it incorporated evasion tactics like sending decoy traffic if network monitoring was detected or terminating processes upon Task Manager launch. To further mimic authentic traffic, 3ve's bots simulated geolocation, device fingerprints, and browsing behaviors. Infected machines in the Boaxxe botnet acted as proxies, relaying requests from data center servers to mask their origins and route traffic through residential IP addresses, primarily targeting North American geolocations for higher ad value. Requests included realistic headers, such as User-Agent strings emulating Chrome on Windows (e.g., Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36), referrers from legitimate sites, and Accept-Language set to en-US, to replicate human browsing patterns. 
Kovter complemented this by using the host device's native capabilities to generate fingerprints that appeared as standard consumer hardware, avoiding activity during active user sessions to reduce suspicion. These simulations bypassed fraud detection by making requests indistinguishable from organic visits to counterfeit websites mimicking premium publishers. Monetization occurred by routing these fake impressions and interactions through legitimate ad networks, claiming revenue for purported human-generated traffic. Hidden CEF instances and proxied requests loaded ad scripts (e.g., banner JavaScript from controlled domains) on spoofed sites, triggering bid requests and views that were tallied as valid by publishers. Operators earned payouts via affiliate-style tracking parameters, such as sub-IDs and campaign codes embedded in URLs (e.g., /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}), which facilitated revenue distribution from ad exchanges. This flow siphoned funds from advertisers by inflating metrics without delivering real engagement, with 3ve's infrastructure enabling billions of such fraudulent requests daily.
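The paragraphs above make two points a defender can act on: the bots' request headers (Chrome User-Agent, legitimate referrer, Accept-Language en-US) were chosen to be indistinguishable from real visitors, while the affiliate tracking URLs (the /feedrs\d/click?feed_id=...&sub_id=... pattern) and the volume per client were not. The following is an added example, not code from the page or from any of the organizations it names, that runs that pattern over constructed web-server log lines and shows that grouping by headers yields a single profile for bot and human alike, whereas per-IP click counts separate them. The log format, IP addresses and domain are assumptions.

```python
"""Detect affiliate-click bursts of the kind described for 3ve in access logs.

The click-URL regex is the pattern quoted on the page; the log lines, IPs and
domain below are constructed sample data. Assumed log format (one line each):
  <client ip> "<METHOD> <path>" <status> "<referer>" "<user-agent>" "<accept-language>"
"""
import re
from collections import Counter

# Affiliate tracking pattern quoted in the page's description of 3ve payouts.
CLICK_RE = re.compile(r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)

# User-Agent string quoted on the page as what the bots emulated.
UA = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36"


def parse_log_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_affiliate_click(path: str) -> bool:
    """True if the request path carries the feed_id/sub_id click pattern."""
    return CLICK_RE.search(path) is not None


def distinct_header_profiles(lines) -> set:
    """(User-Agent, Accept-Language) pairs seen; bots copying Chrome on Windows
    with en-US collapse into the same bucket as genuine visitors."""
    return {(r["ua"], r["lang"]) for r in map(parse_log_line, lines) if r}


def flag_click_bursts(lines, click_threshold: int = 3) -> dict:
    """Map client IP -> affiliate-click count for clients at or above the threshold.
    A single human clicking an ad once is below it; a proxy replaying clicks is not."""
    clicks = Counter()
    for rec in map(parse_log_line, lines):
        if rec and is_affiliate_click(rec["path"]):
            clicks[rec["ip"]] += 1
    return {ip: n for ip, n in clicks.items() if n >= click_threshold}


def _line(ip, path, status, ref="http://news-example.test/"):
    return f'{ip} "GET {path}" {status} "{ref}" "{UA}" "en-US"'


# Constructed sample: 203.0.113.7 plays an infected proxy replaying clicks,
# 198.51.100.2 a visitor who reads an article and clicks one ad.
SAMPLE_LOG = [
    _line("203.0.113.7", "/feedrs3/click?feed_id=123&sub_id=45", 302),
    _line("203.0.113.7", "/feedrs3/click?feed_id=124&sub_id=45", 302),
    _line("203.0.113.7", "/feedrs3/click?feed_id=125&sub_id=45", 302),
    _line("203.0.113.7", "/feedrs3/click?feed_id=126&sub_id=45", 302),
    _line("198.51.100.2", "/article/2018/ad-fraud-explained", 200),
    _line("198.51.100.2", "/feedrs1/click?feed_id=7&sub_id=2", 302),
]

if __name__ == "__main__":
    print("header profiles:", distinct_header_profiles(SAMPLE_LOG))
    print("flagged clients:", flag_click_bursts(SAMPLE_LOG))
```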

Takedown and Aftermath

Disruption Efforts

The disruption of the 3ve ad fraud operation culminated in Operation Eversion, a coordinated 2018 effort led by the FBI and the U.S. Department of Justice in collaboration with private sector partners including Google, the Shadowserver Foundation, ESET, and White Ops. This operation targeted the infrastructure supporting 3ve's botnets, which at their peak controlled over 1.7 million IP addresses to generate billions of fraudulent ad impressions daily. Technical takedown actions focused on neutralizing 3ve's core systems, including the seizure of 31 internet domains—such as 3ve.com—and 89 associated servers used to orchestrate the botnets. Additionally, authorities issued sinkholing measures for 23 key domains, redirecting infected botnet traffic to controlled servers and preventing further command-and-control communications. These interventions, supported by intelligence from ESET on Boaxxe and Kovter malware infrastructures and Shadowserver's sinkhole data feeds, effectively halted the operation's ability to proxy fraudulent traffic within 18 hours, reducing invalid ad bid requests to near zero. Industry involvement was critical, with ad networks like Google's DoubleClick implementing blacklists to block 3ve-generated traffic and deny payouts for fraudulent impressions. This was part of a broader working group of nearly 20 entities, including cybersecurity firms and ad tech providers, that shared telemetry to map and dismantle 3ve's evasion tactics, such as rapid IP rotation and spoofed domains. The collaborative approach not only disrupted immediate operations but also informed ongoing defenses against similar ad fraud schemes. In November 2018, the U.S. Department of Justice unsealed a 13-count indictment charging eight individuals with wire fraud, money laundering, and computer fraud in connection with two international ad fraud operations, including the 3ve scheme. 
Five Russian nationals—Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov—were charged in relation to the related Methbot operation, while three others were specifically indicted for operating 3ve: Sergey Ovsyannikov and Yevgeniy Timchenko, both Kazakh nationals, and Aleksandr Isaev, a Russian national. These operators, based primarily in Russia and Kazakhstan, allegedly generated over $29 million in fraudulent ad revenue through 3ve by infecting computers worldwide and simulating billions of ad impressions. Following the collaborative disruption efforts led by the FBI and international partners, arrests began swiftly for key 3ve figures. Ovsyannikov was apprehended in Malaysia in October 2018 and extradited to the United States, while Timchenko was arrested in Estonia in November 2018 and also extradited. Isaev remains at large. Both Ovsyannikov and Timchenko pleaded guilty in federal court in Brooklyn in September 2019 to charges including conspiracy to commit wire fraud and money laundering; they faced maximum sentences of 42 years and 40 years, respectively, and were subsequently convicted and sentenced. Among the Methbot defendants, Zhukov was extradited from Bulgaria, tried, and sentenced to 10 years in prison in 2021 for his role in the interconnected fraud. In a significant financial outcome, U.S. authorities recovered $15.1 million in laundered proceeds from Swiss bank accounts tied to the 3ve scheme in May 2022, pursuant to a federal forfeiture order. This recovery, the largest international cybercrime forfeiture in the Eastern District of New York's history, represented over half of the estimated $29 million in illicit gains and underscored ongoing efforts to dismantle the economic foundations of such operations. International extradition pursuits continue for unarrested defendants, including Isaev and several Methbot co-conspirators.