DoubleVerify detects ShadowBot scheme spoofing 35 million mobile devices

New Delhi: DoubleVerify (DV), a software platform for media verification and ad performance analysis, has uncovered a bot-based fraud scheme named ShadowBot that generated over 35 million spoofed mobile devices in the first quarter of 2025. According to DV’s findings, the scheme has led to an estimated $2.5 million in losses for advertisers who lacked protection.

DV’s Fraud Lab identified ShadowBot as targeting mobile and Connected TV (CTV) inventory using automation tactics such as mobile emulators and falsified app IDs. Despite its broad impact, the operation included several detectable errors.

“ShadowBot shows that fraud doesn’t need to be sophisticated to be costly,” said Gilit Saporta, VP Product, Fraud & Quality at DoubleVerify. “It’s alarming to see $2.5M lost to bots using resolutions of an old CRT screen we all used back in the 1990s. The fraud scheme operator didn’t even bother to match its fake device signals to a proper mobile device. We’re happy to know that DV clients remain safe, thanks to DV’s AI-powered Fraud Lab, which catches subtle deviations from normal user behaviour. That’s how we uncover the most sophisticated schemes out there, as well as the easier cases like ShadowBot.”

The DV Fraud Lab outlined five key indicators that led to the identification of the scheme:

1. Basic automation methods: The use of emulators defaulting to outdated screen resolutions such as 800x600, which do not align with modern mobile devices.
   

2. Abnormal traffic volumes: The bot generated unusually high impression counts, inconsistent with typical seasonal activity.
   

3. Proxy IP use: IP addresses were masked using anonymised proxy services associated with suspicious digital footprints, including false testimonials and broken website links.
   

4. Uniform behaviour: The spoofed devices demonstrated identical patterns of activity, lacking the variability seen in genuine user interactions.
   
   Unrealistic engagement rates: Devices were logged accessing up to 10 spoofed apps within nine minutes, behaviour considered implausible for real users.
   
   

“We’ve found that emerging media types, including mobile and CTV environments, are especially susceptible to fraud due to limited visibility and rapid growth,” said Lisa Toledano, who leads a DV fraud detection team. 

Wayne Tassie, Group Director, Netherlands, DoubleVerify, added: “As the digital ecosystem continues to scale through automation, the emergence of sophisticated fraud schemes like ShadowBot reinforces the critical importance of transparency, quality, and accountability in media. Safeguarding advertisers from spoofed environments is not just technically challenging for DV, it is fundamental to maintaining trust, protecting brand equity, and upholding investment integrity for our customers and partners.”