3ve Takedown / Operation Eversion

November 27, 2018

Google 3ve Security Blog

Operation Eversion was the result of over a year of investigation into one of the most complex and sophisticated ad fraud operations seen to date. Researchers at Google and WhiteOps named this operation “3ve” (pronounced “Eve”). The 3ve criminal enterprise operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe, as well as significant networks of malware-infected residential computers. 3ve used three separate sub-operations, based on a combination of rented data center resources and botnets of machines infected with Kovter and Boaxxe malware, to generate billions of fraudulent ad bid requests (i.e. requests for ad spaces on web pages that advertisers can bid to purchase in an automated way). It also created thousands of spoofed fraudulent domains. The 3ve operator’s goal was to generate fake but realistic-looking web traffic to advertising sites, in order to defraud those web properties and collect advertising payments running into tens of millions of US dollars.

Today, the U.S. Attorney’s Office for the Eastern District of New York unsealed a 13-count indictment in federal court in Brooklyn, announcing criminal charges associated with the 3ve fraud operation, along with the successful takedown and dismantling of the 3ve operation under Operation Eversion by the US FBI and multiple private industry partners, including The Shadowserver Foundation.

Sinkhole data from the 3ve platform / Operation Eversion is available each day in Shadowserver’s free daily reports to national CERTs and network owners, tagged as Eversion.

For more information about 3ve / Operation Eversion, please see the Google Security Team’s blog post and detailed white paper, and the WhiteOps blog post.

 
