Click Bots & Ad Fraud – A Short History

Since the beginning, click bots have caused PPC marketers to suffer. These annoying automated troublemakers drain the budgets of businesses, and they have become more sophisticated in recent times.

Click fraud losses have reached alarming levels for advertisers. Global losses from click fraud are estimated to reach 100 billion U.S. Dollars in 2023. This is an increase of 35 billion dollars from 2018.

This post will look at the most notable click bots, their impact on advertising campaigns today and how to avoid them.

What is a Click Bot?

Click bots are software programs that simulate clicks by users on advertisements or other web content.

Click bots are sometimes beneficial. Some click bots perform useful online activities, for example scanning websites for errors or tracking links to detect spam.

Click bots are mostly used to commit fraud. These bots harm the online ecosystem in many ways, from manipulating ads to creating fake traffic.

Bots can be programmed to do simple things like click on buttons, post comments (spambots) or visit websites (bot traffic). Fraudsters create more sophisticated bots that can perform more complex tasks, and even imitate real user behavior. It can be ‘browsing a website’, adding items to a shopping cart, or filling out forms and downloading files.

Botnets are another option to click bots. Botnets are interconnected bot networks that can be used to perform tasks individually or in a group. They are usually controlled by humans from a central command and control center. Bots can be embedded in servers located in data centers, or on infected devices like laptops and phones.

{What is Bot Traffic? | ClickCease Academy”, “description”: “Learn what is bot traffic and how to block it Bot traffic: non-human traffic to a website or an app, coming through organic or paid traffic. Bots and web crawlers are an important part in the global web ecosystem. More than half of internet traffic is automated. But – there are good bots, and bad bots. Good bots can perform useful tasks, such as: delivering your search results; collecting marketing and performance data; automating repetitive tasks; providing automated customer service. Bots are also used to carry out malicious activities and can go undetected. Bots are used for many things, including: – spreading viruses and malware such as ransomware; – credit card fraud; – account takeovers and brute-force attacks; – click fraud and ad-fraud – where they click on your advertisements automatically. It’s data time! Cybercrime accounts for over $1 trillion in lost revenue annually, with ad fraud and click fraud being the biggest contributor to this ( Fake traffic on PPC ads accounted for 41 billion dollars worth of losses in the marketing industry in 2021 alone ( Compare this with credit card fraud which was responsible for the theft of $31 billion in the same year ( Bad bots affect us all, whether we are aware of it or not. Protecting our ads and website from malicious bot traffic has become a necessity as marketers to keep ourselves and our clients safe online. Check out our ClickCease blog to get a deeper dive into bot traffic Want to know more about ClickCease and get a 7-day free trial? Click here”, “thumbnailUrl”: “”, “uploadDate”: “2022-12-01T14:18:59Z”, “duration”: “PT1M33S”, “embedUrl”: “”, “interactionCount”: “215”>

What are click bots?

Click bots are designed to generate fake clicks in order to fool ad campaigns. The bots are designed to make it appear as if the ads were clicked by real users.

PPC fraud is characterized by fraudulent clicks (on display, video or text/search ads). These ads are usually embedded in a fraudulent website. The fraudster will then receive a payout for all clicks or video impressions on his website.

Click bots can also be used to generate bot traffic on social media sites, engage with websites and spam or make comments.

This bot traffic may also be used to commit more malicious fraud, such as spreading viruses and copies of the bot. It can also be used to perform cybercrime related activities, such as DDoS attacks.

What is the function of these click bots?

Bots are technically a Trojan or virus. They can be embedded in any internet-connected device, such as a laptop, tablet, server or cell phone.

These bots can be used to click on ads in mass numbers. Or they can perform localized click fraud (also known as click spamming or click injection) within an application.

Every ad-click costs an advertiser some money, somewhere on the planet.

Click fraud pre-2006

The majority of mentions of click-fraud before 2006 relate to the practice whereby ads are placed on low-quality sites (or websites) and then clicked in mass to collect payout.

It was usually quite simple. Fraudulent publishers would sign up for Google AdSense on their low-quality sites and then click the ads (or hire someone else to do it).

In 2003, bots were mentioned as clicking on ads. However, much of this information was based on assumptions or partial research. Google, aware of the problem, hired a team dedicated to tackling click fraud and advertising fraud.

Since the beginning of pay-per click, competitors have been engaging in click fraud. The practice is now commonplace.

It was only a matter time before click-bots proliferated and became a larger problem.

Click fraud post-2006

Clickbot A

Year active: 2006Estimated costs: $50,000Estimated infection: 100,000 computers

Google discovered malicious software in 2006 called Clickbot A, which conducted low-noise attacks of click fraud on syndicated networks.

Around 100,000 machines powered the bot, which targeted sponsored Google sites.

Clickbot A, the first botnet to be proven as a click fraud network, caused frauds estimated at $50,000. It pales in comparison with the later, more massive botnets.

DNS Changer

Years Active: 2007-2011Estimated Cost: $14 MillionEstimated Infections: 4,000,000 computers (both Internet Explorer and Apple devices).

At the time DNSChanger was the master of ad fraud botnets

Rove Digital, a team of Estonians & Russians who infected browsers with ad-fraud bots, created the DNS Changer Scam.

The botnet displayed ads and changed the web address of infected devices to a domain owned by the gang.

The DNS Changer was active for four years and had features that prevented updates to anti-virus software. Vladimir Tsastin was convicted for wire fraud and money-laundering. This is the first case in which a bot network has been prosecuted for ad fraud.


Estimated cost: UnknownEstimated infection: Unknown

Like the Terminator, Miuref botnet keeps coming back

Miuref (also known as Boaxxe) is a Trojan horse that can be distributed through fake documents. It’s used to launch various online bot attacks. It was part of the 3ve Botnet Campaign and could also steal data, mine Bitcoin and exploit security flaws.

Miuref is a persistent problem, despite being detected and removed by antivirus software.

Miuref is used with other botnets, so it’s hard to say how much damage Miuref has caused. As it’s not a PPC bot clicker specifically, the financial impact of Miuref will be multiple billions.


Estimated cost: Not availableEstimated infection: 500,000+ machines

Stantinko botnet keeps on finding new ways to make money

Stantinko, another multi-use botnet has been identified. It was previously used for ad fraud but recently switched to crypto mining.

It was initially detected as a component of malware in Chrome extensions that facilitated ad injection. The bot can also install adware and access WordPress and Joomla websites, as well as perform Google searches.

The botnet’s code is hidden in reams and reams legitimate code. This has allowed the gang to maintain it for many years. Stantinko is a virus that affects mainly Russia and Ukraine but can also be found on other systems.


Years active: 2009-2013Estimated cost per year: $700,000. Estimated infections: up to one million desktop computers

Ghost in the Shell and Bamital botnet share some sililarities

Microsoft discovered in 2013 a malware called Bamital that was used to commit click fraud, redirecting users of search engines to malicious pages or ads.

This bot was able to evade detection by hiding on web pages and installing through ‘drive-by’ downloads.

It was estimated that the botnet could generate up to $1,000,000 per year in revenue for its operators. Searchers on Bing, Yahoo and Google were affected by Bamital’s search hijacking.


Years active: 2013Estimated costs: around $6 million per dayEstimated infection: 120,000 desktop computers

The Terminator from Terminator 2 was a bit like the Chameleon botnet

The Chameleon botnet was one of the first click bots that mimicked user behavior and targeted display ads. This was revolutionary as text ads were commonplace.

It was relatively easy to use, but it managed to divert over half of the advertising revenue from 200 sites targeted by a random and uniform series of fraudulent clicks.


Estimated cost: Not knownEstimated infection: Unknown

Kovter botnet is a Decepticon

Kovter, a click fraud botnet still active today, has been used by larger campaigns. Kovter, like other long-lasting malwares, has been able to hide itself in many lines of code including Windows Registry files.

This is a clever bot which does its damage while the system is on’sleep mode’ or in’standby mode’. Kovter will also shut down when a system scan starts, making it difficult to detect by standard virus scanners.


Years active: 2015 to 2017Estimated costs: $3 million per day during peak infectionEstimated infection: 1,900 dedicated servers with 852,000 false IP address

Methbot was one of the biggest ad fraud click bots ever

Methbot was the botnet that generated fake impressions of video ads and fake websites using infected servers. These fake impressions reportedly brought in up to $5,000,000 a day for the group behind Methbot.

Methbot was known for its ability to disguise its fake inventory and pass it off as premium inventory. The digital marketing industry was alarmed by its massive scale. It remains the standard in click fraud schemes.

3ve (Eve)

Year active: 2017-2018Estimated costs: at least $29 millionsEstimated infections : 1.7 Million hacked computers

3ve was a monster botnet, much like ED209 from Robocop

While the FBI was shutting down Methbot, a larger ad fraud scheme came to light. 3ve, which was run by the majority of the team behind Methbot was a much more complex scheme.

3ve could deliver even more video impressions, and it worked despite the ads.txt list – in fact, using ads.txt to spoof inventory.

The team of Russians and Kazakhs behind the scam made an estimated $29,000,000 from their efforts.


Year active: 2016Estimated monthly cost: $300,000.

HummingBad malware clicked ads from within Google Play apps

HummingBad is a malware that was allegedly developed by YingMob, a Chinese company, to increase ad clicks. This highlighted the problem of mobile app infection.

This software could not only be used as an ad clicker, but it also had the capability to hide click origins. It was even possible to install software without user consent.

It was shut down in 2016 but resurfaced in 2017 as HummingWhale and infected more than 20 Google Play Store apps.


Years active: 2017Estimated costs: up to $1.2million per dayEstimated infection: at least 500,000 computers across the US, UK and Canada

Is HyphBot the most gangsta click bot ever?

HyphBot, another ad-clicker that was able to bypass ads.txt and be 3 to 4 times larger than Methbot, was also thought to have been around this size.

The exploited list of ads.txt to create composite domain names and fake video impressions. The creators used an existing botnet to click on ads.

HyphBot was only active for a few days, but it managed to steal millions of dollars from fraudulent advertising revenue before disappearing.


Years active: 2018-2019Estimated cost not knownEstimated infections at least 10 million

DrainerBot vs Mechagodzilla Bot Zapping

DrainerBot, a malware botnet, was embedded into a Software Development Kit (SDK), found on Android devices.

The botnet was able to evade Google’s Play Protect checks, and commit ad fraud through the use of video ads that were played in the background. This used a lot of battery and data power. DrainerBot is a name that’s not surprising. The malware could drain battery life and use up to 10GB.

DrainerBot has been removed from all apps that were identified to contain it, but this ad clicking bot may still be out there.


Cost: Estimated at $15 million. Infections: Unknown.

Is the 404 Bot inspired by Japanese Manga series Gundam?

This bot clicker, which is a botnet that targets weak links in ads.txt in a similar fashion to HyphBot, spoofs the domain inventory. It seems that the 404 Bot can bypass several preventative measures and continue to drain marketing funds even as we speak.

How many millions more will 404 Bot siphon off after the estimated damage of $15 million in February 2020?


Year active: 2019-2020Estimated costs: Not knownEstimated infections : At least 56 applications, over 1,000,000 downloads

Tekya and Ultron are both evil botnets

Tekya was found to be a clicker in 56 Android applications, including games for children and utility apps. Haken, a clicker-malware, was used to engage in advertising without the user’s knowledge.

Tekya has been guilty of click fraud since May 2019 on more than 1 million downloads. They clicked on ads visible and invisible to simulate user behavior.

This isn’t ….

This list is not even complete. Judy, an ad-clicker based on malware from South Korea that was allegedly distributed to inflate ad revenue by a South Korean app developer, is not even included.

Other botnets we’ve not mentioned include IceBucket and SourMint. Both have been recent botnets which have caused havoc. There are many smaller botnets which don’t exist or run too short to be detected by authorities.

These bots can have a negative impact on your paid campaign.

Click bots are a major headache for anyone who runs online ads. Advertisers who run PPC campaigns on behalf of clients, small business owners that manage their own ads and marketing teams managing many marketing activities.

Fake clicks are a major factor in PPC advertising and budgets. This leads to a number of negative consequences. Here are the top five you should avoid:

Click bots are a major source of wasted marketing budgets. This leads to misleading analytics. Fake click data can also be incorporated into analytics. This gives you incorrect insights, leading to poor decision-making.Challenging optimization process: Campaign optimization based on irrelevant data won’t bring a positive outcome. Again, this is a waste.

Click bots can affect your entire marketing campaign. They are a serious threat.

It is therefore important to stop them before they happen.

Click bots: How to block them

It’s possible to detect bot clicks, even though it can be difficult. You can avoid and detect click bots by following these simple steps:

Implement CAPTCHAs. CAPTCHAs can be a great way to stop bots from accessing a website. CAPTCHAs are a popular way to prevent bots from accessing your website. The most basic forms include text or image recognition tests that verify the user’s identity.

These steps may help reduce bot traffic but they do not guarantee 100% effectiveness. It’s also important to note that they can be time-consuming and difficult to implement.

ClickCease can streamline this entire process. ClickCease, a bot-detection tool, is designed to block and mitigate bot clicks real-time.

Check out the free trial if you want to ensure that your PPC ads or any other marketing activities are free from click bots. Before you sign up, you can see how many fake clicks are being made on your ads.

Make sure that your PPC ads are only seen by real people, and not clicker robots or click farms.

Click fraud is a serious issue. Read our comprehensive guide to learn more.

The article A Brief History of Click Bots & Ad Fraud first appeared on ClickCease Blog.