In a press release today, Ad security company Confiant claims it has identified an ongoing cookie-stuffing scheme allegedly perpetrated by Dataly Media, an affiliate marketing platform based in Ecuador.

The scheme dates back as far as 2015 and underpins a large part of Dataly Media’s business conducted since that time, according to Confiant. This means, their accusations are correct, millions of dollars was scammed from advertisers.

However, Confiant was not able to provide an estimate of how much revenue Dataly Media has earned from these practices.

Dataly Media served roughly 125 million display ad impressions in 2022 alone, Confiant estimates, but it is unclear how many of these placements were subject to cookie stuffing. In 2022, Dataly Media was active on at least four DSPs; Confiant declined to name these DSPs.

What is cookie stuffing?

“Cookie stuffing is essentially stealing conversions,” said Jerome Dangu, co-founder and CTO of Confiant. “If you are running a CPC campaign and paying for clicks on your website or app or whatever through an ad exchange.”

The Dataly Media cookie-stuffing scheme allegedly involves what Confiant refers to as a “dirty” supply path that contains invalid traffic generated by malvertising and a “clean” path that contains valid (although mostly paid) traffic.

The dirty supply path is used to hide the fact that the made for ad sites are actually being used for malicious activity. This is done by mixing up the invalid site traffic with the valid native advertising revenue.

To stay ahead of efforts to identify any purported malfeasance, Dataly Media allegedly created more than 100 ad serving domains and partnered with a wide range of advertising platforms.

For example, Dataly Media’s MFA site specializes in “Top 3” lists that promote products through affiliate links. So, if an advertiser is running an affiliate marketing campaign through ot it wouldn’t be surprised to see a large number of attributed landing-page visits coming from ther same site.

But some of those landing-page visits are manufactured via the alleged cookie-stuffing scheme and stolen from other publisher sites.

“So, if an advertiser or an affiliate platform were to look at the data, they would see they have many visitors from that site and a good amount of conversions. But the number of [valid] visitors is essentially made of traffic that is bought on Taboola for very cheap,” Dangu said.

In a recent interview, Dangu said that Dataly Media’s alleged cookie-stuffing practices create a range of problems for publishers and advertisers alike.

For advertisers, the invalid traffic degrades campaign performance and skews data used for targeting. Invalid traffic can also affect performance metrics like cost-per-click.

Meanwhile, publisher sites get bogged down by the network load required to render the iframes hidden in the ad creative, which causes latency issues for site visitors. And the lack of user consent for the use of third-party tracking pixels means unwitting parties could be on the hook for not complying with data privacy regulations like Europe’s GDPR. In fact, Confiant found that 76% of alleged cookie-stuffing ads served by Dataly Media in 2022 were served to European users in violation of GDPR.

Dangu said that this behavior is “completely hidden” in how the industry is organized to tackle this problem: “This is not bot traffic, and it’s technically not attacking users so much as creating fake impressions,” he said.

If these accusations are true, then Dataly Media has a lot to answer for, and could be brought up on criminal charges for fraud. As someone who used to prosecute criminal cases similar to this with the US Secret Service, I can tell you that if they planned it with others, they could be charged under RICO laws for a criminal conspiracy. Something like this could be a huge wake up call to the industry, that fraud would not be tolerated.

What's your opinion?