A massive ad fraud scheme named “Scallywag” has been exposed. It leveraged WordPress plugins to exploit piracy and URL-shortening sites for fraudulent ad revenue.
According to bot detection firm HUMAN, the operation generated up to 1.4 billion fake ad requests daily at its peak and was backed by a network of over 407 domains.
The fraud ring was powered by four malicious WordPress plugins (Soralink, Yu Idea, WPSafeLink, and Droplink) that enabled scammers to redirect users through ad-heavy pages disguised as legitimate blogs. These plugins provided the infrastructure for fake ad impressions, cloaking techniques, and forced interactions such as CAPTCHAs, making it harder for ad platforms to detect abuse.
Unlike traditional ad setups, Scallywag monetized high-risk, low-quality content, especially on sites that offer pirated software or media. While most piracy sites couldn’t directly serve ads due to legal concerns, many formed “gray partnerships” with Scallywag affiliates to cash in through hidden redirect chains.
HUMAN’s aggressive intervention—identifying the fraud, working with ad platforms to block bidding, and tracking new evasion tactics—resulted in a 95% traffic drop, effectively crippling the operation. However, the group remains persistent, rotating domains and exploring new monetization models to stay afloat.
Though Scallywag’s ad fraud empire has collapsed for now, experts warn that similar fraud-as-a-service models could re-emerge, especially with ready-made plugins and online tutorials lowering the barrier for new cybercriminals.
Bijay Pokharel