Somewhere between your media plan and your performance report, a quiet theft is taking place. Nobody broke into your servers. Nobody intercepted your emails. Your campaign metrics look perfectly reasonable.
And yet a meaningful portion of your advertising budget has been redirected to fraudsters you will never meet, running operations your IT security team has almost certainly never discussed.
Digital fraudsters use a variety of sophisticated methods to silently syphon your digital ad budget and avoid detection. One of the most insidious is the generation of fake clicks.
Welcome to the world of ghost click farms and to one of the most structurally overlooked problems in enterprise advertising.
What makes ghost farms different
The term ‘click farm’ conjures images of warehouses filled with smartphones, staffed by people tapping screens for pennies. That model still exists, but the modern ghost click-farm operates on an entirely different principle: it does not need a building, a staff, or even dedicated hardware. It borrows yours.
In September 2025, HUMAN Security’s Satori Threat Intelligence team uncovered a scheme they named SlopAds: a collection of 224 mobile apps, downloaded more than 38 million times across 228 countries and territories, that silently converted ordinary user devices into ad fraud nodes.
At its peak, the operation generated 2.3 billion fraudulent ad bid requests per day, racking up fake impressions and clicks while delivering zero engagement to any advertiser.
What made SlopAds particularly elegant was its precision. The apps activated their fraud payload only under specific conditions. Apps downloaded organically from the Play Store behaved normally, whereas installations traced to a threat actor-controlled ad campaign triggered the hidden activity. The scheme was designed to appear clean to anyone not looking very closely at the right signals.
This is the defining characteristic of the ghost click-farm: it is built to pass, not just to perform. It clears standard verification thresholds by design.
The optimisation engine problem
For enterprise advertisers, the damage does not stop at wasted impressions; it compounds.
Modern programmatic platforms and ad servers use smart-bidding algorithms that learn from campaign signals. Click-through rates, engagement events, and landing-page interactions feed the machine and shape where future spend is directed.
Ghost click farms have been trained to generate fake clicks that look behaviourally coherent enough to be rewarded by the algorithm.
The result is a (negative) feedback loop that works entirely against the advertiser. Fraudulent placements produce inflated engagement signals. The algorithm interprets those signals as evidence of a high-performing placement, so more budget flows to that placement.
More fraudulent signals are generated. And the advertiser’s own optimisation engine becomes an instrument of the fraud.
Why legacy verification misses it
At this point, a reasonable person might ask, “What are my fraud verification tools doing?”
Frankly, they are doing what they were built to do, which is no longer sufficient. According to the Association of National Advertisers (ANA) 2024 Programmatic Transparency Benchmark Study, for every $1,000 spent programmatically, only $439 reaches consumers as a quality impression.
That figure has improved somewhat since then, but the trajectory underscores how much budget has haemorrhaged for years while verification tools reported that everything was broadly in order.
Based on studies of our FouAnalytics clients, this is a somewhat rosy picture: we have helped South African advertisers recover up to 60 per cent of lost/wasted/stolen ad-spend budgets.
The gap exists partly because of a measurement problem that predates AI-powered fraud. Legacy verification services typically measure a sample of impressions rather than the full campaign. When a bot strips out or blocks its measurement tag, it records no data. But the impression still gets marked as ‘clean.’
No data becomes no fraud, which is a category error with expensive consequences.
Ghost click farms add another layer to this. Because they simulate behaviourally plausible human patterns, they can clear the probabilistic thresholds that traditional detection relies on. By the time the verification vendor’s model catches up to a new evasion technique, the fraudsters have already moved on to the next one.
According to Juniper Research, ad fraud losses are projected to reach $172 billion by 2028, which is not the trajectory of a problem being solved.
Where the real signal lives
The good news is that ghost click farms, for all their sophistication, leave forensic traces that deterministic measurement can detect.
The most reliable of these signals lives at the point of engagement be it on an ad and/or on the landing page. A real human touching a mobile screen produces a touch event before the click registers. A real human scrolling through content exhibits erratic, organic movement patterns over time, with pauses and redirections that reflect cognitive processes.
Bots, even sophisticated ones optimised for behavioural mimicry, struggle to fake the full constellation of these signals simultaneously and consistently across millions of impressions. When you measure more than 300 interaction variables deterministically, the absence of genuine touch events and interaction signals becomes forensically unambiguous. You are looking at the data and clearly seeing that no human was there.
This is the principle behind TruthsetsOnline’s glass-box approach. We put the underlying forensic data directly in the advertiser’s hands. You can see which apps and placements triggered which signals. You can see why a placement was flagged, not just that it was. And crucially, when you can see all of that, no one in the supply chain has an incentive to look the other way.
The attribution wrinkle
There is one further dimension worth understanding, because it explains why ghost click-farm activity so often goes undetected even when advertisers are paying close attention to their results.
Sophisticated fraud operations are also designed to ‘game’ attribution. Loading landing pages in hidden browser windows triggers the conversion pixels that fire on page load. Devices get marked as ‘exposed’ to the ad. When those devices subsequently make a purchase (as real humans in the real world will), the fraudster claims credit for the conversion.
On landing pages, the fact that Google Analytics and Adobe Analytics filter out bot responses is a significant barrier to their use in finding and mitigating against fraud; the source of the fraud needs to be known to do anything about it.
This is why campaign ROAS (Return on Ad Spend) numbers, if based on vanity metrics such as clicks, can look genuinely impressive while the underlying ad delivery is substantially fraudulent. The attribution model is being exploited, and the performance dashboard is reporting a version of reality that does not correspond to what happened.
The bottom line
In the grand scheme of things, ghost click farms are just one small facet of the international criminal operations we deal with daily. T
he SlopAds study highlighted how sophisticated these criminals are, but the real effort has to go into identifying fraud across the board: looking for and identifying signals, triangulating them, and implementing mitigation measures to prevent ad budget waste.
It is worth being clear about an important mindset: the enterprise advertisers sitting on the wrong end of these schemes are not victims of their own negligence. Ghost click-farm operators and other ad fraudsters are sophisticated, well-resourced, and deeply incentivised to stay ahead of detection.
The tools that most advertisers rely on were not designed to detect this class of fraud, and the trade bodies that set industry benchmarks have historically published figures that have obscured the scale of the problem.
The ANA’s Q2 2025 Programmatic Transparency Benchmark found $26.8 billion in wasted programmatic spend globally, despite measurable progress in cleaning up the supply chain. That is not evidence of widespread incompetence. It is evidence of a structural measurement gap. And measurement gaps can be closed.
The path forward becomes clearer the moment you decide the numbers you have been given are worth interrogating and get data granular enough to see what is actually happening at the impression level.
Ghost click farms thrive in the dark.
Forensic analytics turns on the lights.
Marc Dhalluin is the co-founder of TruthsetsOnline.com. With over 25 years in marketing — spanning agency, client, and consultancy roles across Africa, Europe, and the US — he has helped build, transform, and rescue brands, generating more than $500 million in annual revenues. A long-time collaborator of fraud researcher Dr Augustine Fou, Marc is now focused on one thing: proving that real advertising reaches real humans. He is based in Los Angeles and writes regularly on digital transparency, programmatic fraud, and what brands should actually be measuring. Connect with Marc on LinkedIn or visit TruthsetsOnline.com.
