A major online ad fraud operation known as Scallywag has been uncovered, showing how cybercriminals abused WordPress plugins to trick advertisers and make money through fake ad traffic. This operation was generating an enormous 1.4 billion fake ad requests per day, mostly through pirated content and URL shortening websites.
The scheme was discovered by cybersecurity company HUMAN, which specializes in bot detection and online fraud prevention. After investigating the case, HUMAN identified 407 domains involved in the scam. Although the operation has now been reduced by 95%, experts warn that the criminals behind it are still active and adapting.
How Scallywag Ad Fraud Scheme Worked
Scallywag was designed to take advantage of low-quality and risky websites that mainstream ad companies usually avoid. These include piracy platforms, which offer free downloads of movies, music, or paid software, and URL shortening services, which mask a website’s full address.
Since big advertising networks don’t want their ads shown on such sites (due to brand safety and legal risks), scammers built a different system using WordPress plugins to generate ad revenue through fraudulent means.
The Four Malicious WordPress Plugins
The Scallywag operation relied on four specific plugins to carry out the scam:
Soralink (created in 2016)
Yu Idea (created in 2017)
WPSafeLink (launched in 2020)
Droplink (released in 2022)
These plugins were designed to be installed on WordPress websites and automate the process of redirecting users through multiple ad-heavy pages. Each redirect generated a fake “impression” — making it seem like a real user had viewed an ad — allowing the scammers to collect money from advertisers.
According to HUMAN, multiple independent threat actors used these plugins to run their own fraud campaigns. Some even posted step-by-step guides and YouTube tutorials to teach others how to do the same. These tools made it easy for anyone to join the scam and start earning from fraudulent ad traffic.
The only plugin available for free was Droplink, which users could download after completing certain monetization tasks defined by the plugin’s creators.
Role of Piracy and URL Shortening Sites
Piracy websites often don’t show ads directly to avoid legal issues. Instead, they use shortened URLs that redirect users through multiple webpages before delivering the actual content. Scammers took advantage of this redirection system by partnering with such websites — creating what HUMAN calls a “gray partnership.”
Here’s how it worked:
A user visits a piracy website to download a movie or software.
They click on a shortened link.
The link takes them through Scallywag-controlled websites filled with ads, CAPTCHAs, and countdown timers.
These intermediary sites look like normal blogs when scanned by ad companies, thanks to a method called cloaking.
After several redirects and fake ad views, the user finally lands on the page with the content they wanted.
Each visit generated multiple fake ad views, allowing the fraudsters to collect payments from ad networks.
Detection and Takedown by HUMAN
The fraud was eventually detected by HUMAN after noticing unusual traffic patterns coming from innocent-looking WordPress blogs. These blogs were actually hiding malicious redirect code and were receiving extremely high volumes of ad impressions.
Red flags included:
Very high ad impression numbers
Forced CAPTCHA interactions
Long wait times before page redirects
Cloaking to trick ad platforms into thinking the site was safe
Once HUMAN confirmed the activity was fraudulent, they worked with ad providers to block the ad traffic, stop real-time ad bidding, and cut off revenue to the Scallywag operators.
Scallywag’s Collapse and Future Risks
In response to the crackdown, the Scallywag network tried to stay alive by switching to new domains and using open redirect chains to hide their real websites. However, HUMAN was able to track and block these methods as well.
Thanks to these efforts, Scallywag’s ad fraud traffic dropped dramatically — from 1.4 billion requests daily to almost zero. Many of the affiliates running these scams abandoned the plugins and moved on to other fraudulent methods.
But experts warn that the problem may not be over. The cybercriminals behind Scallywag are likely to come back with new plugins, domains, or monetization tricks, trying to stay ahead of ad fraud detection tools.
Conclusion
The Scallywag ad fraud operation shows how dangerous and widespread ad fraud can be, especially when powered by everyday tools like WordPress plugins. With billions of fake ad views happening daily, advertisers lose money, while users are misled and redirected through shady pages.
The incident is a reminder that:
Piracy and shady websites often serve as hosts for cybercrime operations.
Even legitimate platforms like WordPress can be misused for malicious purposes.
Ongoing monitoring and collaboration between cybersecurity firms and ad networks is crucial to protect the digital advertising ecosystem.
For advertisers and website owners, staying informed about the latest ad fraud tactics is key to avoiding costly losses and ensuring ad traffic comes from real users, not bots or scammers.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Hackers Exploit Google OAuth to Send Verified Phishing Emails