Cyber Incident Victim: Technion – Israel Institute of Technology
Date: Jun 2022
Location: United States of America
Summary
A large-scale ad fraud operation dubbed Vastflux spoofed numerous applications, primarily targeting iOS devices, and used obfuscated JavaScript to communicate with command-and-control servers. The injected code rendered hidden video ads stacked invisibly behind legitimate app content, which caused measurable device impact: battery drain, excess data consumption, and overheating. Security researchers disrupted the operation through coordinated actions with partners and the brands being impersonated, producing a substantial reduction in fraudulent traffic and an eventual halt to the malicious ad bids. The scheme evaded detection by omitting the verification tags that performance trackers rely on, rapidly cycling its infrastructure, and spoofing legitimate publisher and application identities so that the fraudulent impressions were billed as genuine ad revenue.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Vastflux ad fraud operation was discovered by HUMAN's Satori research team during an investigation into a separate ad fraud scheme in early 2022. Researchers identified anomalous behavior in an application generating excessive bid requests using multiple app IDs, leading them to reverse-engineer obfuscated JavaScript code. This analysis revealed communication with command-and-control (C2) servers that distributed encrypted configuration payloads containing instructions for ad placement parameters (size, position, type) and spoofed publisher/application identifiers. The operation exploited the VAST ad-serving template combined with fast flux techniques to rotate IP addresses and DNS records rapidly, evading detection while spoofing 1,700 applications across 120 publishers—primarily targeting iOS devices. At its peak, Vastflux generated over 12 billion fraudulent bid requests daily and impacted approximately 11 million devices, predominantly in Apple's ecosystem.

HUMAN initiated three coordinated takedown waves between June and July 2022 involving partners, customers, and impersonated brands to disrupt the infrastructure. These actions forced the Vastflux operators to temporarily take C2 servers offline and scale back operations, with ad bids declining steadily until they reached zero by December 6, 2022. The fraud stacked up to 25 hidden video ads behind the active application window, generating illegitimate ad revenue while omitting the verification tags used by performance trackers. Although the operation did not target user data, it caused measurable device impacts, including battery drain, increased data consumption, performance degradation, and potential overheating from background video rendering. The scale of the infrastructure and the sophistication of its evasion methods marked Vastflux as a significant ad fraud campaign prior to its dismantling.
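The two traffic signals the description names, a single device emitting bid requests under many distinct app IDs and ad requests that omit verification tags, can be checked directly against bid-request logs. The script below is an added illustration written for this page, not HUMAN's tooling or any ad exchange's code; the JSON-lines records, field names (`device_id`, `app_id`, `verification_tag`, `ts`) and the thresholds are constructed assumptions for the example, not a real exchange schema or real traffic.

```python
import json
from collections import defaultdict

# Constructed JSON-lines bid-request records (not real traffic). Field names are
# assumptions for this example. dev-B models the pattern described for Vastflux:
# one device, many spoofed app IDs, verification tag mostly absent.
SAMPLE_LOG = """
{"device_id":"dev-A","app_id":"com.example.weather","verification_tag":true,"ts":1}
{"device_id":"dev-A","app_id":"com.example.weather","verification_tag":true,"ts":2}
{"device_id":"dev-B","app_id":"com.example.weather","verification_tag":false,"ts":1}
{"device_id":"dev-B","app_id":"com.example.news","verification_tag":false,"ts":1}
{"device_id":"dev-B","app_id":"com.example.game","verification_tag":false,"ts":2}
{"device_id":"dev-B","app_id":"com.example.radio","verification_tag":false,"ts":2}
{"device_id":"dev-B","app_id":"com.example.recipes","verification_tag":true,"ts":3}
{"device_id":"dev-B","app_id":"com.example.fitness","verification_tag":false,"ts":3}
{"device_id":"dev-C","app_id":"com.example.news","verification_tag":true,"ts":1}
{"device_id":"dev-C","app_id":"com.example.game","verification_tag":true,"ts":5}
"""


def parse_log(text):
    """Parse JSON-lines bid requests, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_stats(records):
    """Per-device counters: request volume, distinct app IDs claimed,
    share of requests without a verification tag, and the largest number
    of requests seen in a single timestamp bucket (a proxy for stacked ads)."""
    apps = defaultdict(set)
    total = defaultdict(int)
    untagged = defaultdict(int)
    per_bucket = defaultdict(lambda: defaultdict(int))
    for rec in records:
        dev = rec["device_id"]
        apps[dev].add(rec["app_id"])
        total[dev] += 1
        if not rec.get("verification_tag", False):
            untagged[dev] += 1
        per_bucket[dev][rec["ts"]] += 1
    return {
        dev: {
            "requests": total[dev],
            "distinct_apps": len(apps[dev]),
            "untagged_ratio": untagged[dev] / total[dev],
            "max_burst": max(per_bucket[dev].values()),
        }
        for dev in total
    }


def flag_devices(stats, max_apps=3, max_untagged_ratio=0.5):
    """Flag a device when it claims too many distinct app IDs (app spoofing)
    or when most of its requests omit the verification tag. Thresholds are
    illustrative assumptions and should be tuned against real baselines."""
    return sorted(
        dev for dev, s in stats.items()
        if s["distinct_apps"] >= max_apps or s["untagged_ratio"] > max_untagged_ratio
    )


if __name__ == "__main__":
    stats = device_stats(parse_log(SAMPLE_LOG))
    for dev in flag_devices(stats):
        print(dev, stats[dev])
```

In practice the app-ID count should be keyed on a stable device signal (the SDK's device identifier or an IP plus user-agent tuple) and compared against what each legitimate app's own telemetry reports; a device that the exchange sees bidding as six different bundle IDs in a few seconds is either shared infrastructure or, as here, a single compromised ad slot impersonating other publishers.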
