The FBI’s investigation into the largest advertising fraud operation in recent memory isn’t over yet.
An application for a search warrant filed by FBI Special Agent Evelina Aslanyana on Aug. 2 and made public this week shows that investigators are seeking access to email, LinkedIn and other data about accused members of the Methbot ad fraud operation, also known as 3ve.
Eight suspects were indicted in November in the Eastern District of New York for alleged involvement in a scheme to defraud advertisers out of more than $30 million by using botnets and other technical means to artificially inflate web traffic to dummy websites. Investigators previously had said the operation was disrupted when the apparent ringleaders, led by Aleksandr Zhukov, were arrested last year.
The fraud, which the FBI had classified into three distinct time periods, is still underway, according to the search warrant application. In the affidavit, the FBI refers to the Methbot operation as “Metan,” the same name the conspirators used to describe their plot. Metan is the Russian word for methane, and the affidavit also reveals the scammers relied on a Zhukov-owned company called Mediamethane, previously described only as “Ad Network #1” in court filings, to coordinate their operations.
“In the third stage, which began in or around November 2016 and is still being carried out, the conspirators are still committing display and video advertising fraud, but are doing so using third-party computers that are infected with malware,” states the search warrant application.
According to the FBI, the two previous stages occurred from July 2014 until September 2015, then and September 2015 through December 2016. The first is described as when Methbot operators used their machines to fraudulently click on ads and siphoned a share of the revenue. The second stage disguised their machines as the computers of real users to make it look like legitimate web browsers were viewing video and display ads. That stage ended when White Ops, a bot detection firm, exposed the attack, triggering the FBI investigation.
Now, with three indicted suspects in custody — each have pleaded not guilty — the Department of Justice appears poised to add more charges to the indictment or take further legal action. When asked for comment, the FBI referred CyberScoop to the Eastern District of New York. An EDNY spokesman declined to comment.
Michael Tiffany, co-founder and president of White Ops, on Tuesday suggested the case may not be over.
“The DOJ and the FBI, especially [people] who are working cases like this are really smart and really ambitious,” he said. “When you look at how they operate, I see a pattern which is ‘no one-offs,’ where you do a thing, you get really good at, then you try to take it out. So my expectation is that we’ll see more.”
The FBI affidavit also delves into some of the minutiae of the Methbot crew’s day-to-day operations. Members of the group emailed each other on a regular basis dating back to 2014, sharing instructions and ideas on how to convert cryptocurrency into cash, and, perhaps most frequently, examining ways to make their bot activity look more human in order to avoid detection from security software.
Dmitri Novikov, a Russian whose location is still unknown, once messaged his associates in 2014 explaining how his use of Jira, a project tracking tool to measure the group’s progress and organize data. In one Jira message, Novikov quoted a message the FBI says originated with Clickandia.net, a since-seized domain that appears to have offered Novikov advice on how to deceive advertisers more effectively.