A massive advertising fraud operation named “Scallywag” has been uncovered, leveraging malicious WordPress plugins to monetize piracy and URL shortening websites by generating as many as 1.4 billion fraudulent ad requests daily.
The operation was exposed by HUMAN, a cybersecurity firm specializing in bot and fraud detection. The company identified a sprawling network of 407 domains supporting the scheme, which was structured to redirect users through ad-heavy pages, inflating ad impressions and deceiving advertisers.
Fraud-as-a-Service Infrastructure
Scallywag operates as a “fraud-as-a-service” platform built around four WordPress plugins: Soralink (launched in 2016), Yu Idea (2017), WPSafeLink (2020), and Droplink (2022). These plugins were created to help threat actors monetize content that typically cannot generate revenue through legitimate ad platforms, such as pirated media and cracked software.
According to HUMAN, various independent malicious actors purchased and deployed these plugins to run their own ad fraud schemes. Some even went as far as publishing tutorial videos on YouTube to instruct others on how to use the plugins.
Droplink is unique among the four, offering its services for free in exchange for running the monetization processes for its operators.
When users visit piracy directory sites in search of premium software or movies, they are often redirected via shortened URLs to intermediary WordPress sites running these plugins. These sites present multiple layers of advertisements, CAPTCHAs, and timers before delivering the promised content.
Though these piracy websites are not always operated by Scallywag members, their administrators often collaborate with fraudsters in what HUMAN describes as “gray partnerships,” outsourcing their monetization efforts in return for a share of the profits.
A Sophisticated Redirection Process
The redirection process is central to the fraud operation. Once a user clicks on a shortened link from a piracy site, they are sent to an intermediary site running the fraudulent plugin. This site is designed to appear as a benign blog to ad platforms, while in reality, it loads multiple ad impressions in the background.
The plugins manage the entire process: handling URL redirects, injecting advertisements, presenting CAPTCHAs and wait times, and obfuscating the fraudulent behavior to bypass ad verification systems.
HUMAN’s Mitigation Efforts
HUMAN discovered the scheme by analyzing traffic patterns across its partner network. Indicators included unusually high ad request volumes from seemingly innocuous WordPress blogs, forced user interactions like CAPTCHA challenges, and delays prior to redirects.
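The three indicators named above can be combined into a per-domain heuristic. The following is an added example, not HUMAN's detection logic or code from the original article; the event schema, the thresholds, and the sample domains are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; tune against your own baseline traffic.
MAX_ADS_PER_PAGEVIEW = 10
MIN_CAPTCHA_SHARE = 0.5
MIN_REDIRECT_DELAY_S = 10

# Constructed sample events: (domain, session_id, event, seconds_into_session).
B, R = "shortlink-blog.example", "recipes.example"
EVENTS = (
    [(B, "s1", "pageview", 0), (B, "s1", "captcha", 5), (B, "s1", "redirect", 30)]
    + [(B, "s1", "ad_request", t) for t in range(1, 25)]
    + [(B, "s2", "pageview", 0), (B, "s2", "captcha", 4), (B, "s2", "redirect", 22)]
    + [(B, "s2", "ad_request", t) for t in range(1, 19)]
    + [(R, "s3", "pageview", 0), (R, "s3", "ad_request", 1), (R, "s3", "ad_request", 2),
       (R, "s3", "pageview", 40), (R, "s3", "ad_request", 41)]
)

def score_domains(events):
    """Return {domain: metrics}, including a combined 'suspicious' verdict."""
    counts = defaultdict(lambda: defaultdict(int))
    sessions = defaultdict(lambda: defaultdict(dict))
    for domain, sid, event, ts in events:
        counts[domain][event] += 1
        sessions[domain][sid].setdefault(event, ts)  # first time each event was seen
    report = {}
    for domain, per_session in sessions.items():
        ads_per_pv = counts[domain]["ad_request"] / max(counts[domain]["pageview"], 1)
        captcha_share = sum("captcha" in s for s in per_session.values()) / len(per_session)
        delays = [s["redirect"] - s["pageview"] for s in per_session.values()
                  if "redirect" in s and "pageview" in s]
        delay = median(delays) if delays else 0
        report[domain] = {
            "ads_per_pageview": ads_per_pv,
            "captcha_share": captcha_share,
            "median_redirect_delay_s": delay,
            # Require all three indicators together: each one alone also
            # occurs on legitimate sites and would produce false positives.
            "suspicious": (ads_per_pv > MAX_ADS_PER_PAGEVIEW
                           and captcha_share >= MIN_CAPTCHA_SHARE
                           and delay >= MIN_REDIRECT_DELAY_S),
        }
    return report

if __name__ == "__main__":
    for domain, metrics in score_domains(EVENTS).items():
        print(domain, metrics)
```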
Once the fraudulent infrastructure was confirmed, HUMAN worked with ad providers to block bidding on traffic originating from the Scallywag network. This effort effectively cut off the operation’s revenue streams.
In response, Scallywag operators attempted to adapt by rotating domains and introducing open redirect chains to obscure their referral sources. However, HUMAN continued to detect and block these tactics, reducing fraudulent traffic by 95%.
Economic Collapse of the Scallywag Network
Following intervention, daily fraudulent ad requests dropped from 1.4 billion to nearly zero. Many affiliates abandoned the scheme and shifted to other monetization scams. Although Scallywag’s financial model has been severely disrupted, HUMAN warns that its operators may still seek new ways to revive or replicate the network.
This incident highlights the growing sophistication of ad fraud operations and the need for constant vigilance among advertisers, publishers, and cybersecurity professionals.