3ve was a botnet that operated between about 2013 and 2018.
3ve, pronounced as “Eve”, was a botnet that was halted in late 2018.[1] The botnet was first discovered in 2016 by White Ops,[2] and was active since at least 2013.[3] The discovery led to the start of a 2017 FBI investigation.[4]
3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time.[5]
At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America. It is estimated that 1.7 million PCs were infected over time, clicking on more than ten thousand fake websites with more than 250,000 total webpages,[6] taking in ad revenue from about sixty thousand digital advertising accounts placing the false ads. The network issued more than three billion fraudulent daily ad bid requests. About thirty million dollars was stolen over the time the botnet was in use.[7]
The bot net was shut down through a collaboration of multiple organizations, including White Ops, Google, Department of Homeland Security, and the FBI Internet Crime Complaint Center. Other organizations involved included Adobe, the Trade Desk, Amazon Advertising, Oath, Malwarebytes, ESET, Proofpoint, Symantec, F-Secure, McAfee, and Trend Micro.Following the end of investigation that took down the botnet, the Department of Justice issued thirteen indictments against eight individuals, in a case led by United States Attorney Richard P. Donoghue.[8] Six of the individuals charged were from Russia, and two were from Kazakhstan.[9] Additionally, 31 internet domains and 89 servers were seized by the FBI.