Doubleverify uncovers Shadowbot fraud scheme impacting mobile and CTV ads
Doubleverify has identified a bot scheme that spoofed over 35 million mobile devices and cost advertisers $2.5 million since early 2025.
The announcement:
DoubleVerify (“DV”) (NYSE: DV), the leading software platform to verify media quality, optimise ad performance, and prove campaign outcomes, today released the discovery of ShadowBot, a fraudulent bot scheme that generated over 35 million spoofed mobile devices in Q1 2025 and cost unprotected advertisers an estimated $2.5 million since the start of 2025.
The DV Fraud Lab identified ShadowBot targeting mobile and Connected TV (CTV) environments using rudimentary automation techniques, including mobile emulators and spoofed app IDs. While the scheme was widespread, it was riddled with amateur-level mistakes, making it detectable for advertisers protected by DV’s advanced fraud-detection systems.
“ShadowBot shows that fraud doesn’t need to be sophisticated to be costly,” said Gilit Saporta, VP product, fraud & quality at DoubleVerify. “It’s alarming to see $2.5M lost to bots using resolutions of an old CRT screen we all used back in the 1990s. The fraud scheme operator didn’t even bother to match its fake device signals to a proper mobile device. We’re happy to know that DV clients remain safe, thanks to DV’s AI-powered Fraud Lab, which catches subtle deviations from normal user behavior. That’s how we uncover the most sophisticated schemes out there, as well as the easier cases like ShadowBot.”
DV Fraud Labs identified five key red flags that uncovered ShadowBot:
- Basic Automation Methods: ShadowBot used emulators that defaulted to screen resolutions (e.g., 800×600). This resolution is not typical for mobile devices.
- Overly Aggressive Traffic Generation: The operation produced abnormally high impression volumes that didn’t align with seasonal trends.
- Suspicious IP Activity: Fraudsters relied on anonymising IP proxies, provided by long tail entities. The digital footprint of these proxy providers was riddled with fake testimonials, broken URLs, and known abuse reports.
- Lack of Behavioral Diversity: Devices showed identical impression counts, lacking the variability expected from real users.
- Improbable Engagement Patterns: Devices appeared to open 10 spoofed apps in just 9 minutes – behavior impossible for actual users.
“We’ve found that emerging media types, including mobile and CTV environments, are especially susceptible to fraud due to limited visibility and rapid growth,” added Lisa Toledano, who leads one of DV’s fraud detection teams. “Without consistent monitoring and adaptation, these high-value environments become easy targets. Protecting ad spend from these types of schemes requires an always-on approach.”
“As the digital ecosystem continues to scale through automation, the emergence of sophisticated fraud schemes like ShadowBot reinforces the critical importance of transparency, quality, and accountability in media,” said Wayne Tassie, group director – Netherlands, DoubleVerify. “Safeguarding advertisers from spoofed environments is not just technically challenging for DV, it is fundamental to maintaining trust, protecting brand equity, and upholding investment integrity for our customers and partners. In an increasingly complex and fragmented landscape, brands rely on us to ensure their media investments deliver genuine impact, fostering long-term, mutually beneficial partnerships and reciprocal advocacy.”
The DV Fraud Lab continues to monitor and shut down evolving fraud schemes across the open web, mobile apps, and streaming environments. With proprietary analytics tools, impression-level monitoring, and a global fraud lab, DV endeavors to ensure that brands and agencies can confidently protect their media investments.
Read the full breakdown here: https://doubleverify.com/shadowbot-slip-ups-dvs-guide-to-fraudster-mistakes/
Source: Einsteinz Communications
Editor’s note: Mumbrella has changed the way it deals with company names. House style is now to use standard proper noun capitalisation on all names regardless of brand typography. Brand typography may be retained in direct quotes from releases.
Keep up to date with the latest in media and marketing
Have your say