Introduction

Scallywag is a sophisticated ad fraud network that exploits specially crafted WordPress plugins to generate fraudulent bid requests, enabling multiple threat actors to monetize pirated content and URL shortening sites. This operation poses significant challenges to the digital advertising landscape.

Description

Scallywag is a sophisticated ad fraud network that generates approximately 1.4 billion fraudulent bid requests daily by exploiting a collection of four specially crafted WordPress plugins—Soralink (2016), Yu Idea (2017) [2] [5], WPSafeLink (2020) [5], and Droplink (2022) [2] [5]. This fraud-as-a-service model enables multiple independent threat actors to establish their own ad fraud schemes [5], facilitating the indirect monetization of pirated content and URL shortening sites. The plugins are designed to allow users with minimal technical expertise to set up cloaking and redirection systems, effectively managing the redirect logic, ad loading [5], CAPTCHA challenges, timers [1] [5] [6], and cloaking mechanisms to present a legitimate appearance during ad platform checks [5].

Identified by the fraud detection firm HUMAN [9], this operation comprises 407 domains and utilizes cashout domains that masquerade as legitimate blogs. Instead of directly serving ads on piracy sites [3], Scallywag redirects users through intermediary pages filled with numerous ads and misleading buttons, ultimately leading them to pirated content when accessed through piracy catalogs or shortened URLs. These cloaked cashout sites obscure their connection to piracy while creating fake ad impressions, deceiving ad networks into believing the sites provide genuine engagement [8].

To increase ad requests and user engagement [6], these sites employ various tactics [6], including requiring clicks on buttons to proceed, requiring users to solve CAPTCHAs [6] [7], imposing mandatory wait times [6], requiring users to scroll through full pages [6], and routing them through multiple intermediary pages on related domains [1]. While many owners of piracy sites are not directly involved in the Scallywag operation [4], they often engage in gray partnerships with fraud operators to manage monetization without hosting ads themselves [4], thus perpetuating the cycle of ad fraud in the digital landscape.

Despite a significant reduction in activity following exposure by the Satori Threat Intelligence and Research Team at HUMAN, which resulted in a reported 95% drop in traffic, the operators have demonstrated resilience by rotating domains and exploring alternative monetization strategies [9]. HUMAN’s Defense Platform actively flags and neutralizes Scallywag-linked requests [3]. The modular design of the operation [8], facilitated by easy-to-use plugins marketed as legitimate SEO or affiliate marketing tools, has further aided its spread across WordPress sites [8]. Additionally, some users route redirects through platforms like Google or X (formerly Twitter) to obscure referrer data [1], making their fraudulent activities less detectable within the ad tech ecosystem [1]. This method replaces the original referrer with a more benign source [1] and presents the traffic to advertisers as organic [1], which highlights the persistent challenges in the digital advertising landscape [3].
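The traits described in the two paragraphs above (chains of intermediary pages on related domains, heavy ad loading per page, and a referrer replaced by a search or social hop) can be combined into a session-level triage check over ad-request logs. The following is an added example, not HUMAN's detection logic or code from any cited source; the log format, thresholds, signal names and the `REFERRER_HOPS` list are assumptions, and all sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed ad-request records: (session_id, unix_seconds, page_url, referrer).
# Page hostnames are placeholders under the reserved .example TLD.
SAMPLE_LOG = (
    [("s1", 100 + i, "https://blog-a.example/post-1", "https://www.google.com/") for i in range(9)]
    + [("s1", 130 + i, "https://blog-b.example/post-7", "https://blog-a.example/post-1") for i in range(10)]
    + [("s1", 160 + i, "https://blog-c.example/go", "https://blog-b.example/post-7") for i in range(8)]
    + [("s2", 500 + i, "https://news.example/story", "https://www.google.com/search?q=story") for i in range(3)]
)

# Assumption: hosts treated as possible referrer-replacement hops (Google, X).
REFERRER_HOPS = {"www.google.com", "t.co", "x.com"}

def flag_sessions(log, min_hosts=3, min_ads_per_page=8):
    """Return {session_id: sorted signal names} for sessions showing >= 2 signals."""
    by_session = defaultdict(list)
    for sid, ts, page, ref in log:
        by_session[sid].append((ts, page, ref))
    flagged = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological order, so rows[0] is the session's entry request
        ads_per_page = defaultdict(int)
        hosts = set()
        for _, page, _ in rows:
            ads_per_page[page] += 1
            hosts.add(urlparse(page).hostname)
        signals = set()
        # Several ad-bearing pages on different domains within one session.
        if len(hosts) >= min_hosts:
            signals.add("multi_domain_chain")
        # At least one page issuing an unusually high number of ad requests.
        if max(ads_per_page.values()) >= min_ads_per_page:
            signals.add("dense_ad_requests")
        # Entry referrer is a search/social host with no path or query. This is a
        # weak signal on its own, because strict referrer policies produce it too.
        first_ref = urlparse(rows[0][2])
        if (first_ref.hostname in REFERRER_HOPS
                and first_ref.path in ("", "/") and not first_ref.query):
            signals.add("bare_search_or_social_referrer")
        if len(signals) >= 2:
            flagged[sid] = sorted(signals)
    return flagged

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))
```

Requiring two signals keeps ordinary search-referred visits such as session `s2` out of the result; the thresholds need tuning against real traffic before use.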

Conclusion

The Scallywag ad fraud network significantly impacts the digital advertising ecosystem by creating fraudulent ad impressions and misleading advertisers. Despite efforts by organizations like HUMAN to mitigate its effects, the network’s adaptability and the use of legitimate-seeming plugins complicate detection and prevention. Continued vigilance and innovative countermeasures are essential to combat this evolving threat and protect the integrity of digital advertising.

References

[1] https://www.humansecurity.com/learn/blog/satori-disruption-scallywag/
[2] https://hackedalert.com/el-complemento-refinado-de-wordpress-ad-fraud-genero-1-400-millones-de-solicitudes-de-anuncios-por-dia/
[3] https://gbhackers.com/wordpress-ad-fraud-plugins/
[4] https://dailysecurityreview.com/cyber-security/ad-fraud-operation-scallywag-used-wordpress-plugins-to-generate-1-4-billion-daily-ad-requests/
[5] https://wmtech.io/wordpress-ad-fraud-plugins-generated-1-4-billion-ad-requests-per-day/
[6] https://www.infosecurity-magazine.com/news/scalllywag-ad-fraud-networ-14/
[7] https://www.matricedigitale.it/sicurezza-informatica/scallywag-il-cybercrimine-monetizza-la-pirateria-digitale-tramite-wordpress-e-pubblicita-cloaking/
[8] https://undercodenews.com/scallywag-inside-the-billion-dollar-ad-fraud-operation-using-wordpress-plugins/
[9] https://lifeboat.com/blog/2025/04/wordpress-ad-fraud-plugins-generated-1-4-billion-ad-requests-per-day