Vane Viper: How Adtech Fuels Cybercrime and Disinformation

Uncovering Vane Viper

• 🔍 Vane Viper, a Cyprus-based holding company, has been identified as the entity behind PropellerAds, a major advertising network.
• ⚠️ Research indicates Vane Viper is not just exploited by criminals but actively operates as criminal infrastructure, profiting from fraud, malware, and disinformation.
• 📈 The scale of their operation is immense, with researchers tracking approximately one trillion DNS queries linked to Vane Viper in a single year, highlighting extensive consumer and enterprise reach.

The Business of Malicious Advertising

• 💰 Vane Viper is financially motivated, generating revenue from both "publishers" who display ads and "advertisers" who distribute scams and malware.
• 🎯 Their core business involves distributing scams and malware through affiliated advertisers, and in some cases, directly dropping malware onto user devices.
• 🌐 The company's operations are linked to gambling sites, cracking sites, and free video download sites, suggesting a broad reach across various online communities.

Corporate Structure and Plausible Deniability

• 🧩 The research reveals a complex corporate structure under Adtech Holdings, including subsidiaries like PropellerAds and Money Tag, designed to obscure ownership and operations.
• 🧐 This intricate web of offshore entities and complex ownership structures allows for "deniability by design", making it difficult to attribute malicious activities directly.
• 🎭 While some may argue legitimate aspects of the ad tech business, the direct delivery of malicious content from Vane Viper's own infrastructure makes them directly responsible.

Tactics and Deception

• 📢 Push notifications are a primary tool, providing a persistent mechanism to repeatedly deliver scams or malware after initial user consent.
• 📊 A traffic distribution system (TDS) is employed to tailor offers (scams/malware) based on user device type, region, and previous interactions, maximizing engagement and profit.
• ⚠️ Victims can stumble into these traps through regular web browsing, compromised websites, spam, or even seemingly normal software downloads, often experiencing redirects to decoy pages like Google searches.

Recommendations and Outlook

• 🚫 Users are advised to avoid accepting notifications from unknown sources and be suspicious of unexpected redirects.
• 🚨 Reporting suspicious activity to law enforcement is crucial for building momentum and understanding victimology.
• 🛡️ For businesses, implementing security measures that specifically tackle traffic distribution systems is recommended, while consumers can benefit from ad blockers as a partial defense.