Cybercriminals rake in nearly half a million dollars a day from advertising

Tens of thousands of misleading domain names and half a million hacked IP addresses. That's what an international gang used to rake in millions from advertising before being uncovered by a Danish firm. The story of the Hyphbot network was reported by the Wall Street Journal last week.

How could it happen?

Hyphbot registered loads of domain names similar to the names of prominent media corporations, including CNN and The Wall Street Journal. On the sites linked to the names, they put up video ads. Then they programmed bots on hacked PCs to visit the sites. Advertisers -- who thought their ads were on legitimate media sites -- were billed for each unique IP address used to view their ads. And, with half a million hacked PCs doing the 'viewing', the fees kept mounting up. For a month, the network was raking in nearly $500,000 a day.

Scams are getting bigger and bigger

The scale of the Hyphbot operation shows how sophisticated cybercriminals have become. It wasn't the first time the trick had been used, but it was easily the biggest scam of its kind to date. Media corporations are trying to turn the tide by publishing lists of partners that are allowed to sell advertising for them. The lists are placed on the companies' main sites, in the form of an 'ads.txt' file in the root directory. For an example, see Sanoma's ads file. Advertisers can use the file to check whether an intermediary is authorised to sell the media company's ad space.
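The check described above can be automated. The following is an added example, not code from the original article or from SIDN: it parses an ads.txt file (comma-separated records of ad system domain, account ID and DIRECT or RESELLER relationship) and reports whether a given seller is listed. The domains, account IDs and function names are constructed for illustration.

```python
"""Check a seller against a publisher's ads.txt (constructed sample, runs offline)."""
from typing import NamedTuple, Optional

# Constructed sample of what a publisher might serve at /ads.txt.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed)
contact=adops@publisher.example
adexchange.example, pub-1234, DIRECT, abc123
ReSeller.example , 9876 , reseller   # inline comment
this line is malformed
badtype.example, 555, PARTNER
"""

class Seller(NamedTuple):
    ad_system: str      # domain of the advertising system
    account_id: str     # publisher's account ID within that system
    relationship: str   # DIRECT or RESELLER

def parse_ads_txt(text: str) -> tuple[list[Seller], list[str]]:
    """Return (valid records, rejected lines) so bad entries are visible."""
    sellers, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 1 and "=" in line:      # variable such as contact=
            continue
        valid = (len(fields) >= 3 and fields[0] and fields[1]
                 and fields[2].upper() in ("DIRECT", "RESELLER"))
        if not valid:
            rejected.append(raw)
            continue
        # Domains compare case-insensitively; account IDs are matched exactly.
        sellers.append(Seller(fields[0].lower(), fields[1], fields[2].upper()))
    return sellers, rejected

def seller_status(sellers, ad_system: str, account_id: str) -> Optional[str]:
    """Relationship type if the pair is listed, else None (not authorised)."""
    for s in sellers:
        if s.ad_system == ad_system.lower() and s.account_id == account_id:
            return s.relationship
    return None

if __name__ == "__main__":
    records, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    print(seller_status(records, "adexchange.example", "pub-1234"))
    print(seller_status(records, "adexchange.example", "pub-0000"))
    print("rejected:", bad)
```

The file has to be fetched from the publisher's own domain for the result to mean anything; an ads.txt served from a lookalike domain only describes the lookalike.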

Protect your brand!

The Hyphbot scammers were able to con advertisers on a huge scale by using misleading domain names. However, there are numerous tools on the market for checking the profile, reputation and history of a domain name. One of the best known is And you can get alerts whenever a domain name is registered that looks like your brand name by signing up for SIDN's Domain Name Surveillance Service (DBS). The fraud described above would have been much harder without domain names that looked like big media brands.




Michiel Henneke

Marketing Manager

+31 26 352 55 00
