Home Online Advertising By Sneaking Into Ads.txt Files, The 404bot Cost Advertisers $15 Million
Online Advertising

By Sneaking Into Ads.txt Files, The 404bot Cost Advertisers $15 Million

By

SHARE:

For two years, the 404bot worked unchecked, exploiting a flaw in the ads.txt spec that cost advertisers $15 million in wasted video ads.

The 404bot served 1.5 billion video ads, according to Integral Ad Science, which revealed the scheme Tuesday with a warning for the industry, including for publishers to audit their ads.txt files.

Ads.txt was designed to stop domain spoofing by allowing publishers to list all direct partners and resellers. Advertisers can confirm they are buying inventory from sellers with legitimate access to a publisher’s inventory.

But if publishers add an untrustworthy partner, they can abuse their position as an ads.txt-verified path and spoof the publisher’s inventory.

The few hundred domains where Integral Ad Science found ads.txt files linked to the 404bot all had something in common, said Evgeny Shmelkov, head of the IAS Threat Lab. “Their ads.txt files were huge,” he said. “There were lots of parties freely trusted.”

Once the 404bot was added to a publisher’s ads.txt list, it sold legitimate ads from the publisher and ads at other sites spoofed to look like they came from the publisher’s domain. Since the partner was listed as an approved path to a publisher’s inventory, advertisers had no easy way to determine that the domain was spoofed.

As the name suggests, the 404bot relied on fake URLs. The bot would also create an article page name that didn’t exist on the publisher’s site but existed legitimately elsewhere, such as a story about the week’s highest-grossing movie.

Although some domain spoofing simply puts lipstick on a pig – repackaging human traffic to dating, porn or non-brand safe content sites as higher-value URLs – the 404bot showed the ads to bots, not humans. So publishers’ inventory was not only spoofed and devalued, but their invalid traffic rates would appear higher.

IAS notified the publishers affected by 404bot, Shmelkov said.

Publishers should audit their ads.txt files using best practices outlined by the IAB Tech Lab, he added. By closely monitoring their ads.txt files, they can avoid letting partners onto their sites that could misrepresent their inventory.

And DSPs can track fake URLs in their inventory to root out potential domain spoofing, in addition to buying only from ads.txt-compliant paths to supply.

Tagged in:

Must Read

Marketers

AI Helps Manscaped Trim Social Chatter Down To The Bare Essentials

Meet Clamor, a new social listening product that pulls cultural insights from online conversations in real time. Clamor helped Manscaped freshen up its marketing, including for this year’s Super Bowl.

A man talking to a robot
AI

How Red Roof Is Bringing In More Customers With Zeta’s Voice-Activated AI Agent

Hotel chain Red Roof is using Zeta’s new voice-activated AI agent to guide its campaign creation, deployment timing and audience development.

Jean-Paul Schmetz, Chief of Ads, Brave
Platforms

Why Ad-Blocking Browser Brave Introduced Its Own Ads

Brave’s chief of ads Jean-Paul Schmetz on competition in the search and browser markets, the fallout from the Google Search antitrust ruling and whether AI search will help smaller upstarts compete with Big Tech.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Newfronts 2026

Vizio Helps Walmart Cut A Bigger Slice Of The CTV Ad Pie

Walmart and Vizio announced at NewFronts that unified account logins are coming to smart TVs using Vizio’s operating system.

Comic: CTV Tracking
Marketers

Carl’s Jr. And Hardee’s Marketing Goes Regional With Amazon Ads’ Streaming Media

The age-old question for streaming TV advertisers is, how to target the viewers they want while reaching the scale their businesses need. The quick-serve restaurant operator CKE, which owns Carl’s Jr. and Hardee’s, sought an answer in a case study with Attain and Amazon Ads.

Cartoon of a woman in an apron cooking vegetables on a stovetop, holding a ladle as if to taste her creation
CTV

America’s Test Kitchen Puts Direct And Programmatic Access On Its Menu

America’s Test Kitchen introduced direct and programmatic buying for its free ad-supported TV channels – marking the first time it’s selling ad inventory as a standalone package.

Popular

  1. Cartoon of a woman in an apron cooking vegetables on a stovetop, holding a ladle as if to taste her creation
    CTV

    America’s Test Kitchen Puts Direct And Programmatic Access On Its Menu

    America’s Test Kitchen introduced direct and programmatic buying for its free ad-supported TV channels – marking the first time it’s selling ad inventory as a standalone package.

  2. A man talking to a robot
    AI

    How Red Roof Is Bringing In More Customers With Zeta’s Voice-Activated AI Agent

    Hotel chain Red Roof is using Zeta’s new voice-activated AI agent to guide its campaign creation, deployment timing and audience development.

  3. Allison Schiff, managing editor, AdExchanger
    OPINION: Data-Driven Thinking

    What Happens When A Brand Fails To Deliver On Its Basic Promise

    Customers don’t need perfection. But they do need to know that a brand will make it right when something goes wrong.

  4. Newfronts 2026

    Google Is Pitching Buyers On Gemini And YouTube Creators At The NewFronts

    Google is getting to talk about its two favorite things during IAB’s NewFronts this week: AI and creators.

  5. Marketers

    The Rise Of Principal Media And The End Of The Agencies As We Knew Them

    Ad agency holding companies are among the most adaptable businesses out there. In recent years holdcos like Publicis, WPP and Omnicom-IPG have stretched our notions of what an agency business even is exactly.