Ad fraud is frustrating for a lot of reasons. But the most frustrating part is it doesn’t always look like fraud.
There’s no malware, no fake websites, and no sketchy traffic source you can point your finger at. Everything seems totally above board as the publisher is real and the domain exists. You could be paying premium rates to reach a publisher’s audience (genuinely believing that’s where your ads are running) only to find out later that none of it ever came from that publisher. Someone in the middle just… claimed the right to sell inventory they had no right to sell.
It sounds ridiculous when you put it that way, doesn’t it?
That someone can profit from a publisher’s reputation without actually owning the audience and the content, or operating the website, feels like something that shouldn’t be possible in a mature advertising industry. Unfortunately, though, it’s a frequent problem we’ve had for years – one that cannot disappear on its own.
Buyers trust that the inventory they’re purchasing comes from the source it claims to come from. Publishers trust that their name isn’t being used by someone they’ve never worked with. All the while, everyone involved assumes the information moving through the supply chain is accurate, and the trust is there.
Most of the time, that assumption is correct, but what happens when it isn’t?
The Problem Nobody Could Verify
Before ads.txt entered the picture, verifying inventory sources wasn’t always straightforward. Programmatic advertising created enormous opportunities for automation, but it also introduced additional layers between buyers and sellers.
That’s how inventory could pass through multiple intermediaries before a final transaction occurred, and supply paths became more complex. But transparency – it just became harder to maintain. This wasn’t necessarily anyone’s fault, since the ecosystem evolved quickly, and complexity arrived as a natural side effect of growth. In which cases, complexity allows abuse.
And for fraudsters, one opportunity stood out in particular: when advertisers couldn’t easily verify who was authorized to sell inventory. That’s when bad actors could potentially claim relationships that didn’t actually exist (Spoiler: exactly what started happening).
Inventory associated with legitimate publishers began appearing through unauthorized channels: buyers believed they were purchasing impressions from trusted sources when, in reality, those impressions originated elsewhere.
The opportunity fraudsters got was simple: if buyers couldn’t easily verify who was authorized to sell a publisher’s inventory, why not just claim to be selling it anyway?
How Inventory Spoofing Happens
Both supply paths can appear identical to buyers — the difference is whether the seller is actually authorized by the publisher.
A scheme uncovered in early 2025 shows exactly how this plays out. DoubleVerify’s Fraud Lab exposed Synthetic Echo: a network of over 200 AI-generated websites, monetized through multiple ad exchanges, using deceptive domain names like espn24.co.uk, nbcsportz.com, and cbsnewz.com to pass themselves off as legitimate publishers. The sites were pumping out low-quality AI content, but that wasn’t really the point – it was the ads running on them.
So, what made it especially hard to catch? The Synthetic Echo sites had copied near-identical ads.txt files from real, reputable publishers, and later cloned their authorized seller lists to trick programmatic platforms into treating them as legitimate. Once again: buyers thought they were reaching real audiences on real publishers when, in fact, they weren’t.
The result (apart from creating a massive financial loss for the legitimate publishers): it undermined trust and created uncertainty throughout the entire buying process.
The Simplest Fix Nobody Expected
When the ad industry finally agreed on a solution, it wasn’t the sweeping technological overhaul you might expect. No industry-wide platform rebuild, no blockchains, and no fancy AI features.
It was a text file!
More specifically, ads.txt (Authorized Digital Sellers) – it allows publishers to publicly post which companies are permitted to sell their inventory.
app-ads.txt extends the same concept, but to mobile applications.
Think of it like a guest list outside a venue. If someone claims to be on it, you check, if they’re not there, they’re not getting in: no guesswork, no back-channel verification, and no taking anyone’s word for it.
The list is public on the publisher’s own domain, and anyone in the supply chain can look it up before a single dollar changes hands (i.e: buyers, exchanges, verification platforms, etc.).
How ads.txt Works
Think of ads.txt as a guest list for advertising — only approved sellers are allowed to enter and sell a publisher’s inventory.
Before ads.txt, there was no equivalent of that list. In other words, sellers could claim relationships with publishers that simply didn’t exist, and buyers had no easy way to call their bluff. ads.txt changed that dynamic entirely, and it didn’t require a massive technical lift or industry-wide coordination to implement.
As a result, publishers could adopt it quickly, and the benefits were immediate, giving unauthorized sellers something concrete working against them.
But it wasn’t designed to catch every type of fraud, having the specific job to make unauthorized inventory claims easy to spot and easy to reject. And that’s what it works well for specifically. No wonder adoption spread fast among major publishers, especially since the data backed it up, with sites running ads.txt showing lower fraud rates than those without it.
However, there’s one thing worth knowing about fraud: it doesn’t give up; it just gets more creative…
How Did the Bad Actors Learn to Go Around the Rules?
That’s a good question, particularly when having a system and using it properly are two very different things.
In reality, ads.txt works when buyers check it, exchanges enforce it, and most importantly, when publishers keep it updated.
The problem is that the whole chain has to hold, and in a programmatic ecosystem moving billions of impressions a day, there are plenty of weak links to exploit. Fraudsters figured this out early, and rather than trying to break ads.txt directly, they just went around it.
How Fraudsters Bypass ads.txt
Attackers rarely compromise the ads.txt file itself. Instead, they take advantage of outdated records, weak verification, and trust gaps throughout the advertising supply chain.
One angle is simple negligence. Publisher-partner relationships change constantly (i.e. when new deals get signed and/or old ones end), but the ads.txt file doesn’t always get updated to match those changes. And that’s how outdated or incomplete files continue to cause lost revenue opportunities for publishers and wasted spend for advertisers.
For example: A seller that should have been removed months ago still looks authorized, and nobody flags it, potentially creating a leak where fraud can happen quietly.
Another angle is verifying on paper, but not in practice. The vast majority of placement reports that buyers get, have no seller IDs included – just the domain and the quantity of impressions served on that domain. In other words, buyers often can’t actually do the verification they’d need to catch mismatches.
According to Fou Analytics, buyers see a recognized domain, assume it’s fine, and move on. And then… there’s the more brazen approach called ads.txt spoofing.
In late 2018, DoubleVerify’s Fraud Lab identified a network where bots scraped content from legitimate websites and created spoofed sites with URLs designed to appear original. The scheme’s operators then sold fraudulent ad slots using the spoofed URLs through authorized resellers listed on the legitimate publishers’ actual ads.txt files, making the fraudulent inventory appear legitimate. All because it seemed to originate from a valid site via an authorized seller.
That’s right, read it again:
They DIDN’T fake the ads.txt file, but used the real one by sneaking into the supply chain through a reseller who wasn’t examining publishers carefully enough. The guest list was legitimate, and all they did was find a side door in.
The underlying idea behind all of these tactics is the same: convince buyers that inventory is coming from an authorized source when it isn’t.
What makes this particularly frustrating is that it doesn’t require sophisticated hacking or technical wizardry, but finding the gap between where verification is supposed to happen and where it actually does. Then, quietly setting up shop there.
What Spoofed Inventory Actually Costs
When ad fraud comes up in conversation, the discussion almost always goes straight to wasted budget. Fair enough, since nobody wants to pay for inventory that isn’t what it claims to be.
However, the financial hit is actually the most straightforward part of the problem. You can point at it, measure it, and to some extent, even account for it, while it’s harder to quantify what spoofed inventory does to your data. When fraudulent impressions get mixed in with legitimate ones, your campaign performance numbers start lying to you – quietly, consistently, and in ways that are hard to detect in real time.
That’s how you end up with skewed benchmarks and optimization decisions that are made based on signals that don’t reflect reality. You might end up shifting budget toward a placement that appears to be performing well, without realizing the numbers are inflated by non-human traffic or inventory that was never what it claimed to be. And by the time you spot it, you might’ve already made decisions you can’t undo.
Ultimately, there goes trust, and it’s far more difficult to rebuild it than it is to lose.
Once buyers start questioning inventory quality, that skepticism tends to spread, and not just for the specific placement or partner that gets scrutinized. The whole supply chain comes under the microscope. Your deals slow down, verification processes get more burdensome, and the entire buying process becomes more defensive, more cautious, and more expensive to manage.
Why, you might ask? Mostly because the confidence took a hit, and not due to the system getting worse. A burn of trust that also hits publishers.
It’s easy to look at inventory spoofing as an advertiser problem, since they’re the ones handing over money. All while publishers are sitting on the other side, watching their reputation get used without their permission, and taking damage they had no part in causing.
Most people might not trace problems all the way back through the supply chain before forming an opinion. What they remember instead is what name was attached to the issue. And that association, however unfair, has a way of sticking.
This is why ads.txt matters beyond the technical mechanics of it. Apart from being just a verification tool, it’s also a way to draw a clear line around who actually represents them in the market.
A way to say, publicly and on record: these are our authorized sellers, and anyone else claiming to sell our inventory is lying.
That one line protects advertisers from buying fraudulent inventory, and publishers from having their reputation dragged through someone else’s fraud scheme.
The Hidden Cost of Inventory Spoofing
The damage goes far beyond lost advertising dollars — it affects financial performance, campaign data, and the trust that keeps digital advertising functioning.
It distorts data and damages trust.
When Something Doesn’t Add Up
Inventory spoofing rarely announces itself.
By the time something feels obviously wrong, the problem has usually been running for a while. That’s why you have to know what to look for before it gets to that point. And while none of the signals below is a smoking gun on its own, if several are showing up at the same time, that’s usually a conversation worth having.
- Seller relationships that don’t match publicly available records
If a seller is claiming to represent a publisher’s inventory but doesn’t appear in that publisher’s ads.txt file, that’s a red flag. It doesn’t always mean fraud (e.g. files get outdated, relationships change) but it warrants a closer look before any money moves.
- Inventory appearing through unexpected supply paths
If impressions are coming through intermediaries that weren’t part of the original deal, ask why. Legitimate supply chains can be complex, but complexity shouldn’t be unexplainable.
- Significant discrepancies between reporting sources
When your DSP numbers and your publisher’s numbers tell meaningfully different stories, something is off. Minor discrepancies are normal, but large, consistent gaps aren’t.
- Outdated ads.txt or app-ads.txt files
Outdated or incomplete files continue to cause lost revenue opportunities for publishers and wasted spend for advertisers. A file that hasn’t been touched in months, especially at a publisher with an active partner roster, is worth flagging.
- Sudden changes in traffic quality
A spike in impressions that doesn’t correspond with a spike in meaningful engagement is a classic signal. So is a sudden drop in viewability or completion rates from a previously solid placement.
- Authorized sellers that can’t be independently verified
If you can’t confirm that a seller is who they say they are through a reputable verification method, don’t assume the best.
Together, all these signals paint a picture, and the earlier that picture comes into focus, the less damage it can do you.
Final Thoughts
ads.txt and app-ads.txt were a genuine step forward. And while they might not be a silver bullet (nobody serious ever claimed they would be) but a real, meaningful shift in how the industry handles transparency. They made it harder to operate in the shadows; they gave buyers something to actually check, and publishers a way to draw a line around who represents them.
That matters (yes, it really still does)!
Here’s the thing about transparency, though: you don’t achieve it once and move on. As the supply chain keeps shifting, partnerships can change, and files go stale. Fraudsters, at the same time, keep looking for whatever gap opens up (as they always do) while everyone might be busy assuming the system is working.
It’s not enough to have ads.txt in place. You have to maintain, check, and enforce them consistently, across every layer of the supply chain. Because the moment any part of the chain starts assuming someone else is handling it, that’s exactly where the next fraudster scheme takes place.
Your inventory quality was never built on good intentions or tidy-looking supply paths, but on actually being able to confirm that the seller in front of you has the right to sell what they’re selling.