149/68 Wednesday, April 23, 2025
Cybersecurity firm HUMAN, a leader in bot detection and ad fraud prevention, has uncovered “Scallywag,” a large-scale ad fraud operation embedded within WordPress plugins. The scheme leverages piracy websites and URL shortening services to generate fraudulent traffic. The group utilized four WordPress plugins—Soralink, Yu Idea, WPSafeLink, and Droplink—developed between 2016 and 2022, to create up to 1.4 billion fake ad requests per day. These plugins enabled malicious actors to monetize content that would typically be ineligible for legitimate advertising revenue.
Websites involved in the Scallywag network were primarily piracy platforms hosting links to pirated movies or software. When users clicked on these links, they were redirected to intermediary pages filled with ads, CAPTCHA prompts, or countdown timers before reaching the final content. These intermediary pages ran WordPress with Scallywag plugins designed to hide fraudulent behavior from ad service detection systems. While the owners of these piracy sites may not have developed Scallywag themselves, many had “gray area partnerships” with fraudsters to share ad revenue.
HUMAN’s detection relied on analyzing traffic patterns, such as seemingly ordinary WordPress sites with unusually high ad display volumes or forced user interactions before accessing content. Once confirmed as fraudulent, HUMAN collaborated with ad providers to block these requests, resulting in a 95% revenue drop for Scallywag operators and a near-elimination of fake ad traffic. However, some bad actors attempted to adapt by using new domains or complex link redirection chains. Despite this, HUMAN has continued to detect and thwart these efforts. Experts caution that while Scallywag’s monetization system has collapsed, fraudsters may develop new methods to exploit ad systems in the future.
