Threat intel researchers link advertising platforms to international criminal networks, exposing their hidden role in sustaining digital fraud and illicit profits.
A large-scale, sophisticated multinational ad fraud operation has been uncovered, revealing a sprawling cybercrime enterprise that has been active for over a decade.
This criminal network is the result of a merger between Italian and Eastern European factions that control nearly 100 companies across various industries including adtech, energy, and construction. The masterminds orchestrate an extensive scam supply chain, managing every stage — from the creation of fraudulent apps and fake investment platforms — to the operation of payment processors that collect illicit profits.
The network, dubbed VexTrio, poses as legitimate affiliate marketing companies while using compromised websites, spam campaigns, and manipulated social media to redirect millions of victims into scams. In 2024, one affiliate network involved had claimed over 2bn unique monthly users, while close to 40% of compromised websites observed by security researchers had been found to redirect traffic into the fraudulent network. One of its core domains ranks among the 10,000 most popular domains globally, illustrating the scope and reach of this fraud.
Modus operandi
The types of scams promoted include fake antivirus products and fraudulent credit card schemes, with affiliates incentivized by payouts exceeding US$100 per lead, and promises of high payback, six-figure payday scams.
Despite its massive scale, the entire operation runs on fewer than 250 virtual machines and leverages automation, multiple hosting providers, and legitimate content delivery networks to maintain resiliency and evade detection.
The criminal enterprise hides behind a complex web of shell companies that appear to be legitimate adtech firms, allowing the fraud to operate in plain sight. However, these same companies vet affiliates, and thus could be instrumental in identifying and disrupting the cybercrime network.
The findings and detailed investigation of this operation have been published by threat intelligence experts at Infoblox, who have exposed the group’s sophisticated structure and global impact on online fraud.