{"id":5829,"date":"2026-06-25T08:06:44","date_gmt":"2026-06-25T08:06:44","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5829"},"modified":"2026-06-25T08:06:45","modified_gmt":"2026-06-25T08:06:45","slug":"ad-cloaking","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/ad-cloaking\/","title":{"rendered":"Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another"},"content":{"rendered":"\n<p>A reader reaches the end of an article and scrolls into the recommendation widget below it. One card offers a free tool to speed up a sluggish laptop. They tap it, and land on a page insisting their browser is dangerously out of date, pushing a &#8220;Chrome update&#8221; that turns out to be a banking trojan. On another site, a card promising a video player sends the visitor to what looks like the official installer, and a few minutes later, ransomware is running on the machine.<\/p>\n\n\n\n<p>In both cases, the reviewer who approved the campaign saw none of this. They saw a clean landing page that matched the ad and broke no rules.<\/p>\n\n\n\n<p>That gap between what the reviewer saw and what the user got is <strong>ad cloaking.<\/strong> A cloaked campaign shows one version of an ad or landing page to the people and systems checking it, and a different version to the real audience.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/support.google.com\/adspolicy\/answer\/15938075\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google<\/a> treats it as a serious offense under its circumventing systems policy, and accounts caught doing it are suspended on detection without warning.<\/p>\n\n\n\n<p>To pull this off, the campaign has to answer one question about every single visitor before it serves anything: is this a reviewer, a scanner, or a real user?&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>Cloaking is a sorting machine. It profiles each visitor in real time and routes them to one of two destinations. In that sense, it is the mirror image of what an anti-fraud platform does. A fraud filter sorts traffic to keep bad visitors out. A cloaker sorts traffic to keep reviewers out and let victims in.<\/strong><\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>This piece walks through that sorting decision the way the cloaker builds it: the signals it reads to tell a reviewer from a victim, and how detection answers each one. The framing matters, because once you see cloaking as a classification problem run backwards, the defense stops being &#8220;scan the ad once&#8221; and starts being &#8220;assume the page you reviewed is not the page the user will get.&#8221;<\/p>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#the-sorting-decision-behind-every-cloaked-campaign\">The Sorting Decision Behind Every Cloaked Campaign<\/a><\/li><li class=\"toc__list_item\"><a href=\"#reading-the-visitors-network-address\">Reading the Visitor&#039;s Network Address<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-device-and-browser-check\">The Device and Browser Check<\/a><\/li><li class=\"toc__list_item\"><a href=\"#behavior-what-the-visitor-does-on-the-page\">Behavior: What the Visitor Does on the Page<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-cloakers-sorting-decision\">The Cloaker\u2019s Sorting Decision<\/a><\/li><li class=\"toc__list_item\"><a href=\"#timing-the-switch\">Timing the Switch<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-the-post-click-version-is-so-hard-to-catch\">Why the Post-Click Version Is So Hard to Catch<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-the-split-looks-like-to-publishers-and-advertisers\">What the Split Looks Like to Publishers and Advertisers<\/a><\/li><li class=\"toc__list_item\"><a href=\"#four-faces-of-cloaking-and-where-each-one-breaks\">Four Faces of Cloaking and Where Each One Breaks<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-line-between-cloaking-and-legitimate-variation\">The Line Between Cloaking and Legitimate Variation<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-responsible-networks-defend-against-it\">How Responsible Networks Defend Against It<\/a><\/li><li class=\"toc__list_item\"><a href=\"#faq\">FAQ<\/a><\/li><li class=\"toc__list_item\"><a href=\"#where-this-leaves-advertisers-and-publishers\">Where This Leaves Advertisers and Publishers<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"key-takeaways\">Key Takeaways<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloaking serves a clean page to reviewers and scanners and a malicious one to real users, which is why a campaign can pass moderation and still harm people.<\/li>\n\n\n\n<li>The mechanism is visitor classification: the campaign reads IP, device, behavior, and timing to decide who sees what. Each of those signals is also where detection pushes back.<\/li>\n\n\n\n<li>Post-click cloaking, where the swap happens only after a real click, is the hard case because the creative under review is genuinely clean.<\/li>\n\n\n\n<li>Showing different content by language, geography, or device is allowed when the product stays the same for everyone. Cloaking abuses that allowance to hide a rule-breaking destination, while the variation by itself is fine.<\/li>\n\n\n\n<li>Because most reviews happen at approval and cloakers switch on afterward, the defensible posture is continuous re-checking, redirect-chain analysis, and zero trust applied even to high-reputation domains.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-sorting-decision-behind-every-cloaked-campaign\">The Sorting Decision Behind Every Cloaked Campaign<\/h2>\n\n\n\n<p>Before any content is served, a cloaked campaign decides which visitor it is dealing with. The clean version, often called the &#8220;white page,&#8221; goes to anything that looks like a reviewer: an ad platform&#8217;s crawler, a security scanner, an automated quality check.&nbsp;<\/p>\n\n\n\n<p>The real version, the phishing form, or the malware download, goes to visitors who pass as genuine. Get the sorting right, and the campaign passes inspection while still reaching its targets.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.humansecurity.com\/learn\/topics\/what-is-ad-cloaking\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">HUMAN Security<\/a> splits the technique along two lines that are useful to keep separate. Cloaking can happen at the creative level, where the image shown above the ad unit is swapped, or at the landing-page level, where the destination URL is swapped. And it can be static or dynamic.&nbsp;<\/p>\n\n\n\n<ul style=\"background-color:#d6d6d630\" class=\"wp-block-list has-background\">\n<li>Static cloaking means the fraudster submits a compliant ad, waits for approval, then manually changes the creative or URL to the malicious one.&nbsp;<\/li>\n\n\n\n<li>Dynamic cloaking means the ad carries logic that decides in real time, on every load, whether to show the clean version or the live payload based on who is visiting.<\/li>\n<\/ul>\n\n\n\n<p>One distinction is worth holding onto. An ad that simply deceives users without ever changing its content or intent is not cloaked, even if the harm is similar.&nbsp;<\/p>\n\n\n\n<p>Cloaking specifically involves the swap or the conditional logic that hides the real behavior from review.&nbsp;<\/p>\n\n\n\n<p>HUMAN notes that dynamically cloaked attacks are comparatively rare and highly targeted, and they are the hardest to catch, because the malicious content only appears after the ad has loaded under the right conditions.<\/p>\n\n\n\n<p>The four checks below are the conditions. They are the questions a dynamic cloaker asks about each visitor.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" sizes=\"100vw\" alt=\"adex-investigation-triada-infected-campaigns\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"inside-the-triada-battle-a-five-year-investigation-and-the-security-upgrades-it-triggered\"><a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\">Inside the Triada Battle: A Five-Year Investigation and the Security Upgrades It Triggered<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"reading-the-visitors-network-address\">Reading the Visitor&#8217;s Network Address<\/h2>\n\n\n\n<p>The first thing a cloaker looks at is where the visitor is connecting from. IP address, the network operator behind it (the ASN), whether the connection comes from a data center or a residential line, and the country all feed into the decision.<\/p>\n\n\n\n<p>Security scanners and ad-platform crawlers tend to run from cloud infrastructure, so their addresses cluster in recognizable ranges.&nbsp;<\/p>\n\n\n\n<p>Varonis Threat Labs documented this in detail when it analyzed <a href=\"https:\/\/www.varonis.com\/blog\/1campaign\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">1Campaign<\/a>, a commercial cloaking platform built specifically to get malicious ads past Google&#8217;s review.&nbsp;<\/p>\n\n\n\n<p>The platform assigns every visitor a fraud score and automatically blocks traffic from known cloud and security providers by their network operator: Microsoft, Google, Tencent, OVH, and others. One campaign it inspected had processed 1,676 visitors and approved only 10 of them, a 0.6% pass rate. Tellingly, traffic identified as coming from Microsoft&#8217;s cloud in Amsterdam was blocked even when it scored a clean zero, because the platform recognized the network itself as a scanner regardless of the score.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>This is why a scanner that always connects from the same data-center IP range learns nothing. The cloaker has already filed that range under &#8220;not a real user.&#8221; Detection responds by varying the vantage point: rotating through diverse IP pools, including residential ones, so the request looks like it came from an ordinary user rather than a known security operator.\u00a0<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>It is also where the legitimate variation rule gets tested, since Google explicitly allows adjusting a landing page for geography. The line is that the product has to stay the same. Geography can change the currency or the language while the offer behind it stays identical.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-device-and-browser-check\">The Device and Browser Check<\/h2>\n\n\n\n<p>If the network address looks clean, the cloaker inspects what the visitor&#8217;s device claims to be, and whether that claim holds up. The user-agent string says &#8220;iPhone, Safari,&#8221; but a real iPhone has a touch screen, a battery that is rarely at exactly 100%, and a browser that renders graphics in a particular way. Automated scanners frequently run headless browsers that fail these small tests.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.geoedge.com\/university\/what-is-ad-cloaking\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GeoEdge<\/a> describes the fingerprinting in concrete terms. If a visitor claims to be on a mobile device, the cloaking script checks for a touch screen; if there is none, it concludes it is dealing with a security platform and serves the clean page. It tracks battery charge, on the logic that a machine reporting a constant 100% is probably not a phone in someone&#8217;s hand. It uses the HTML5 Canvas element, which renders slightly differently across real devices, to identify and exclude testing environments.&nbsp;<\/p>\n\n\n\n<p>Varonis saw the same pattern: 1Campaign flags headless browsers and automation frameworks, and treats inconsistent user-agent strings as a giveaway.<\/p>\n\n\n\n<p>The detection answer is to stop looking like a scanner. That means presenting a realistic device fingerprint and a full browser that executes JavaScript and renders pages the way a person&#8217;s phone or laptop would.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>The arms race here is granular because every property the cloaker checks is a property the analyst&#8217;s environment has to convincingly fake.<\/strong><\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"behavior-what-the-visitor-does-on-the-page\">Behavior: What the Visitor Does on the Page<\/h2>\n\n\n\n<p>Network and device checks can be passed by a well-built testing environment, so sophisticated cloakers add a third layer: behavior.&nbsp;<\/p>\n\n\n\n<p>Does the visitor execute the page&#8217;s JavaScript? Does the page load suspiciously fast, the way an automated fetch does, rather than a human who waits for content to render? Does anything resemble a real interaction?<\/p>\n\n\n\n<p>Varonis lists behavioral analysis as one of the filtering layers in 1Campaign: rapid page loads, missing JavaScript execution, and other patterns that separate a crawler from a person. This is the layer that defeats shallow scanning. A tool that simply requests the ad tag and reads what comes back never behaves like a user, so it never sees the malicious version.<\/p>\n\n\n\n<p>Beating it requires following the visitor&#8217;s path the whole way through, the way a real person would: past the first page, through any intermediate redirects, all the way to the final destination. A scan that stops at the ad tag, before the impression renders, is exactly the scan a cloaker is built to satisfy. The behavioral check is also why post-click cloaking is so difficult, which is worth taking on its own.<\/p>\n\n\n\n<style>\n.adex-cloaker-decision-block {\n  max-width: 1080px;\n  margin: 32px auto;\n  padding: 0 10px;\n  font-family: Arial, Helvetica, sans-serif;\n}\n\n.adex-cloaker-decision-block * {\n  box-sizing: border-box;\n}\n\n.adex-cloaker-decision-card {\n  background: #110765;\n  border-radius: 26px;\n  padding: 50px 60px 34px;\n  color: #ffffff;\n  overflow: hidden;\n}\n\n.adex-cloaker-decision-title {\n  margin: 0 0 10px;\n  font-size: 32px;\n  line-height: 1.14;\n  font-weight: 800;\n  letter-spacing: -0.03em;\n  color: #58dcca !important;\n}\n\n.adex-cloaker-decision-subtitle {\n  margin: 0 0 32px;\n  font-size: 20px;\n  line-height: 1.35;\n  font-weight: 500;\n  color: rgba(255, 255, 255, 0.72) !important;\n}\n\n.adex-cloaker-decision-flow {\n  position: relative;\n  max-width: 900px;\n  margin: 0 auto;\n}\n\n.adex-cloaker-decision-input {\n  position: relative;\n  width: 270px;\n  margin: 0 auto 34px;\n  padding: 13px 22px;\n  border: 3px solid #58dcca;\n  border-radius: 15px;\n  text-align: center;\n  font-size: 18px;\n  line-height: 1.18;\n  font-weight: 800;\n  color: #ffffff !important;\n  background: rgba(255, 255, 255, 0.02);\n}\n\n.adex-cloaker-decision-input::after {\n  content: \"\";\n  position: absolute;\n  left: 50%;\n  bottom: -38px;\n  transform: translateX(-50%);\n  width: 0;\n  height: 0;\n  border-left: 12px solid transparent;\n  border-right: 12px solid transparent;\n  border-top: 25px solid #58dcca;\n}\n\n.adex-cloaker-decision-step {\n  position: relative;\n  display: grid;\n  grid-template-columns: minmax(320px, 500px) 230px;\n  gap: 40px;\n  align-items: center;\n  justify-content: center;\n  margin: 0 auto 32px;\n}\n\n.adex-cloaker-decision-step-main {\n  position: relative;\n  min-height: 96px;\n  display: flex;\n  align-items: center;\n  justify-content: center;\n  padding: 18px 28px;\n  border: 2px solid #ef6a5d;\n  border-radius: 15px;\n  text-align: center;\n  background: rgba(255, 255, 255, 0.015);\n}\n\n.adex-cloaker-decision-step-number {\n  position: absolute;\n  left: -22px;\n  top: -21px;\n  width: 42px;\n  height: 42px;\n  display: inline-flex;\n  align-items: center;\n  justify-content: center;\n  border-radius: 50%;\n  background: #ef6a5d;\n  color: #110765 !important;\n  font-size: 18px;\n  line-height: 1;\n  font-weight: 900;\n}\n\n.adex-cloaker-decision-step-title {\n  display: block;\n  margin: 0 0 8px;\n  font-size: 18px;\n  line-height: 1.15;\n  font-weight: 800;\n  color: #58dcca !important;\n}\n\n.adex-cloaker-decision-step-text {\n  margin: 0;\n  font-size: 15px;\n  line-height: 1.32;\n  font-weight: 700;\n  color: #ffffff !important;\n}\n\n.adex-cloaker-decision-reviewer-wrap {\n  position: relative;\n}\n\n.adex-cloaker-decision-reviewer-wrap::before {\n  content: \"\";\n  position: absolute;\n  left: -40px;\n  top: 50%;\n  transform: translateY(-50%);\n  width: 23px;\n  height: 3px;\n  background: #58dcca;\n}\n\n.adex-cloaker-decision-reviewer-wrap::after {\n  content: \"\";\n  position: absolute;\n  left: -18px;\n  top: 50%;\n  transform: translateY(-50%);\n  width: 0;\n  height: 0;\n  border-top: 10px solid transparent;\n  border-bottom: 10px solid transparent;\n  border-left: 16px solid #58dcca;\n}\n\n.adex-cloaker-decision-reviewer {\n  min-height: 68px;\n  display: flex;\n  align-items: center;\n  justify-content: center;\n  padding: 13px 16px;\n  border: 2px solid #58dcca;\n  border-radius: 13px;\n  text-align: center;\n  font-size: 14px;\n  line-height: 1.3;\n  font-weight: 700;\n  color: #ffffff !important;\n  background: rgba(255, 255, 255, 0.015);\n}\n\n.adex-cloaker-decision-down {\n  position: absolute;\n  left: 50%;\n  bottom: -33px;\n  transform: translateX(-50%);\n  width: 0;\n  height: 32px;\n  z-index: 5;\n  pointer-events: none;\n}\n\n.adex-cloaker-decision-down::before {\n  content: \"\";\n  position: absolute;\n  left: -1.5px;\n  top: 0;\n  width: 3px;\n  height: 27px;\n  background: #58dcca;\n}\n\n.adex-cloaker-decision-down::after {\n  content: \"\";\n  position: absolute;\n  left: -9px;\n  bottom: -3px;\n  width: 0;\n  height: 0;\n  border-left: 10px solid transparent;\n  border-right: 10px solid transparent;\n  border-top: 19px solid #58dcca;\n}\n\n.adex-cloaker-decision-pass-label {\n  position: absolute;\n  left: 18px;\n  top: 8px;\n  min-width: 145px;\n  margin: 0;\n  text-align: left;\n  font-size: 13px;\n  line-height: 1.2;\n  font-weight: 700;\n  color: rgba(255, 255, 255, 0.72) !important;\n  white-space: nowrap;\n}\n\n.adex-cloaker-decision-step-final .adex-cloaker-decision-down::before {\n  background: #ef6a5d;\n}\n\n.adex-cloaker-decision-step-final .adex-cloaker-decision-down::after {\n  border-top-color: #ef6a5d;\n}\n\n.adex-cloaker-decision-step-final .adex-cloaker-decision-pass-label {\n  color: #ef6a5d !important;\n}\n\n.adex-cloaker-decision-result {\n  width: 400px;\n  margin-top: 24px;\n  margin-bottom: 52px;\n  margin-left: calc((100% - 770px) \/ 2 + 50px);\n  margin-right: 0;\n  padding: 17px 24px;\n  border-radius: 13px;\n  background: #ef6a5d;\n  text-align: center;\n  color: #110765 !important;\n}\n\n.adex-cloaker-decision-result-title {\n  display: block;\n  margin-bottom: 5px;\n  font-size: 19px;\n  line-height: 1.16;\n  font-weight: 900;\n  color: #110765 !important;\n}\n\n.adex-cloaker-decision-result-text {\n  display: block;\n  font-size: 16px;\n  line-height: 1.2;\n  font-weight: 500;\n  color: #110765 !important;\n}\n\n.adex-cloaker-decision-note {\n  border: 2px solid #58dcca;\n  border-radius: 15px;\n  padding: 24px 28px;\n  background: rgba(255, 255, 255, 0.015);\n}\n\n.adex-cloaker-decision-note-title {\n  margin: 0 0 11px;\n  font-size: 18px;\n  line-height: 1.2;\n  font-weight: 800;\n  color: #58dcca !important;\n}\n\n.adex-cloaker-decision-note-text {\n  margin: 0;\n  font-size: 17px;\n  line-height: 1.35;\n  font-weight: 700;\n  color: #ffffff !important;\n}\n\n@media (max-width: 900px) {\n  .adex-cloaker-decision-card {\n    padding: 42px 34px 30px;\n  }\n\n  .adex-cloaker-decision-title {\n    font-size: 28px;\n  }\n\n  .adex-cloaker-decision-subtitle {\n    font-size: 18px;\n  }\n\n  .adex-cloaker-decision-input {\n    width: 250px;\n    font-size: 16px;\n  }\n\n  .adex-cloaker-decision-step {\n    grid-template-columns: 1fr;\n    gap: 18px;\n    margin-bottom: 42px;\n  }\n\n  .adex-cloaker-decision-step-main {\n    min-height: 90px;\n    padding: 17px 24px;\n  }\n\n  .adex-cloaker-decision-reviewer-wrap {\n    width: calc(100% - 34px);\n    margin-left: 34px;\n  }\n\n  .adex-cloaker-decision-reviewer-wrap::before {\n    left: -28px;\n    width: 18px;\n  }\n\n  .adex-cloaker-decision-reviewer-wrap::after {\n    left: -11px;\n    border-left-width: 10px;\n  }\n\n  .adex-cloaker-decision-down {\n    left: 50%;\n    bottom: -38px;\n  }\n\n  .adex-cloaker-decision-pass-label {\n    left: 16px;\n    top: 8px;\n    font-size: 12px;\n  }\n\n  .adex-cloaker-decision-result {\n    width: 86%;\n    margin-left: auto;\n    margin-right: auto;\n  }\n}\n\n@media (max-width: 560px) {\n  .adex-cloaker-decision-block {\n    margin: 24px auto;\n    padding: 0 8px;\n  }\n\n  .adex-cloaker-decision-card {\n    padding: 32px 18px 26px;\n    border-radius: 22px;\n  }\n\n  .adex-cloaker-decision-title {\n    font-size: 24px;\n  }\n\n  .adex-cloaker-decision-subtitle {\n    margin-bottom: 28px;\n    font-size: 16px;\n  }\n\n  .adex-cloaker-decision-input {\n    width: 220px;\n    padding: 12px 16px;\n    font-size: 15px;\n    border-radius: 14px;\n  }\n\n  .adex-cloaker-decision-step {\n    margin-bottom: 40px;\n  }\n\n  .adex-cloaker-decision-step-main {\n    min-height: 84px;\n    padding: 18px 18px;\n    border-radius: 14px;\n  }\n\n  .adex-cloaker-decision-step-number {\n    left: -15px;\n    top: -16px;\n    width: 34px;\n    height: 34px;\n    font-size: 15px;\n  }\n\n  .adex-cloaker-decision-step-title {\n    font-size: 16px;\n  }\n\n  .adex-cloaker-decision-step-text {\n    font-size: 13px;\n    line-height: 1.32;\n  }\n\n  .adex-cloaker-decision-reviewer {\n    min-height: 62px;\n    font-size: 13px;\n  }\n\n  .adex-cloaker-decision-pass-label {\n    left: 14px;\n    top: 7px;\n    min-width: 126px;\n    font-size: 11px;\n  }\n\n  .adex-cloaker-decision-result {\n    width: 100%;\n    margin-left: auto;\n    margin-right: auto;\n    margin-bottom: 42px;\n    padding: 16px 18px;\n  }\n\n  .adex-cloaker-decision-result-title {\n    font-size: 17px;\n  }\n\n  .adex-cloaker-decision-result-text {\n    font-size: 14px;\n  }\n\n  .adex-cloaker-decision-note {\n    padding: 20px 18px;\n  }\n\n  .adex-cloaker-decision-note-title {\n    font-size: 16px;\n  }\n\n  .adex-cloaker-decision-note-text {\n    font-size: 14px;\n  }\n}\n<\/style>\n\n<section class=\"adex-cloaker-decision-block\" aria-label=\"The cloaker sorting decision\">\n  <div class=\"adex-cloaker-decision-card\">\n    <h2 class=\"adex-cloaker-decision-title\" id=\"the-cloakers-sorting-decision\">The Cloaker\u2019s Sorting Decision<\/h2>\n    <p class=\"adex-cloaker-decision-subtitle\">One visitor in &#8211; two possible destinations out.<\/p>\n\n    <div class=\"adex-cloaker-decision-flow\">\n      <div class=\"adex-cloaker-decision-input\">Incoming visitor \/<br>ad call<\/div>\n\n      <div class=\"adex-cloaker-decision-step\">\n        <div class=\"adex-cloaker-decision-step-main\">\n          <span class=\"adex-cloaker-decision-step-number\">1<\/span>\n          <div>\n            <span class=\"adex-cloaker-decision-step-title\">Network address<\/span>\n            <p class=\"adex-cloaker-decision-step-text\">Data-center IP or a known<br>security ASN?<\/p>\n          <\/div>\n          <div class=\"adex-cloaker-decision-down\">\n            <span class=\"adex-cloaker-decision-pass-label\">passes as a real user<\/span>\n          <\/div>\n        <\/div>\n\n        <div class=\"adex-cloaker-decision-reviewer-wrap\">\n          <div class=\"adex-cloaker-decision-reviewer\">Looks like a reviewer at<br>clean white page<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"adex-cloaker-decision-step\">\n        <div class=\"adex-cloaker-decision-step-main\">\n          <span class=\"adex-cloaker-decision-step-number\">2<\/span>\n          <div>\n            <span class=\"adex-cloaker-decision-step-title\">Device<\/span>\n            <p class=\"adex-cloaker-decision-step-text\">Headless, or failing fingerprint<br>checks &#8211; no touch screen,<br>battery at 100%, Canvas mismatch?<\/p>\n          <\/div>\n          <div class=\"adex-cloaker-decision-down\">\n            <span class=\"adex-cloaker-decision-pass-label\">passes as a real user<\/span>\n          <\/div>\n        <\/div>\n\n        <div class=\"adex-cloaker-decision-reviewer-wrap\">\n          <div class=\"adex-cloaker-decision-reviewer\">Looks like a reviewer at<br>clean white page<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"adex-cloaker-decision-step\">\n        <div class=\"adex-cloaker-decision-step-main\">\n          <span class=\"adex-cloaker-decision-step-number\">3<\/span>\n          <div>\n            <span class=\"adex-cloaker-decision-step-title\">Behavior<\/span>\n            <p class=\"adex-cloaker-decision-step-text\">No JS execution, instant load,<br>no interaction on the page?<\/p>\n          <\/div>\n          <div class=\"adex-cloaker-decision-down\">\n            <span class=\"adex-cloaker-decision-pass-label\">passes as a real user<\/span>\n          <\/div>\n        <\/div>\n\n        <div class=\"adex-cloaker-decision-reviewer-wrap\">\n          <div class=\"adex-cloaker-decision-reviewer\">Looks like a reviewer at<br>clean white page<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"adex-cloaker-decision-step adex-cloaker-decision-step-final\">\n        <div class=\"adex-cloaker-decision-step-main\">\n          <span class=\"adex-cloaker-decision-step-number\">4<\/span>\n          <div>\n            <span class=\"adex-cloaker-decision-step-title\">Timing<\/span>\n            <p class=\"adex-cloaker-decision-step-text\">Is the campaign still<br>under review?<\/p>\n          <\/div>\n          <div class=\"adex-cloaker-decision-down\">\n            <span class=\"adex-cloaker-decision-pass-label\">passes all four checks<\/span>\n          <\/div>\n        <\/div>\n\n        <div class=\"adex-cloaker-decision-reviewer-wrap\">\n          <div class=\"adex-cloaker-decision-reviewer\">Looks like a reviewer at<br>clean white page<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"adex-cloaker-decision-result\">\n        <span class=\"adex-cloaker-decision-result-title\">Real user gets this<\/span>\n        <span class=\"adex-cloaker-decision-result-text\">the live malicious page<\/span>\n      <\/div>\n\n      <div class=\"adex-cloaker-decision-note\">\n        <h3 class=\"adex-cloaker-decision-note-title\" id=\"how-detection-beats-it\">How detection beats it<\/h3>\n        <p class=\"adex-cloaker-decision-note-text\">Detection works by making the reviewer\u2019s request pass all four gates exactly as a real user would &#8211; so the page the victim sees is the page that gets scanned.<\/p>\n      <\/div>\n    <\/div>\n  <\/div>\n<\/section>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"timing-the-switch\">Timing the Switch<\/h2>\n\n\n\n<p>The fourth check is the simplest and, in many cases, the most effective. It turns on timing: when the visitor arrives relative to the review.<\/p>\n\n\n\n<p>GeoEdge describes the standard sequence. Because the campaign has to be approved before it can run, the fraudster launches it with the cloaker turned off and pointed at minimal traffic. The clean version passes review.&nbsp;<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Subdomain-Takeover-Trusted-Domains.png\" sizes=\"100vw\" alt=\"Adex - subdomain takeover visual showing how trusted domains get weaponized in ad ecosystems.\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/guides\/\" class=\"block__preview_box-cat\">Guides<\/a>        <h3 class=\"block__preview_box-title\" id=\"subdomain-takeover-how-trusted-domains-get-weaponized-and-what-actually-stops-it\"><a href=\"https:\/\/adex.com\/blog\/subdomain-takeovers-prevention\/\">Subdomain Takeover: How Trusted Domains Get Weaponized \u2013 and What Actually Stops It<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<p>Where a network concentrates its checks at submission and does not re-examine campaigns afterward, that gap is the whole opening: once approval comes through, the operator switches the cloaker on, counting on the fact that no later scan will look at the redirect logic again. Static cloaking is the blunt version of the same idea: submit a clean creative or URL, get approved, then swap in the malicious one afterward.<\/p>\n\n\n\n<p>This timing is the reason scanning at a single point fails. A cloaked ad reveals its real nature only after the last review it expects to face. The defensive answer is to refuse to treat approval as the end of scrutiny.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>The Adex investigation into the Triada<\/strong> malware showed what that looks like in practice: after attackers began hijacking long-standing, fully verified advertiser accounts to push cloaked redirect chains, the response was to apply checks to every campaign continuously, including ones pointing at trusted destinations, rather than trusting the state at approval time.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-the-post-click-version-is-so-hard-to-catch\">Why the Post-Click Version Is So Hard to Catch<\/h2>\n\n\n\n<p>The checks above describe pre-click cloaking, where different visitors are served different creatives before anyone clicks. There is a second mode that is harder, and it is the one that gives moderators the most trouble.<\/p>\n\n\n\n<p>In post-click, or page-level, cloaking, everyone sees the same ad. The creative is genuinely clean, and a creative review will pass it every time because there is nothing wrong with it. The decision about where to send the visitor is made only after the click, at the landing-page level.&nbsp;<\/p>\n\n\n\n<p>GeoEdge notes that this is more common than pre-click cloaking and much harder to detect, because catching it requires actually clicking the ad and meeting the cloaker&#8217;s criteria for a real user. A review that inspects the creative and stops there has no way to see the split.<\/p>\n\n\n\n<p>This is the point that separates a useful detection program from a checkbox one. It is easy to overestimate how much the visible creative reveals: reviewing the ad, you can see says almost nothing about a post-click cloaked campaign, because the part that matters sits downstream of the click, in the redirect chain and the conditional logic that the creative never exposes. Detection has to go where the decision is actually made.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/device-fingerprinting-fraud-prevention-gdpr\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-device-fingerprinting-balance.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-device-fingerprinting-balance.png\" sizes=\"100vw\" alt=\"How to balance between device fingerprinting and user security?\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/guides\/\" class=\"block__preview_box-cat\">Guides<\/a>        <h3 class=\"block__preview_box-title\" id=\"device-fingerprinting-for-fraud-prevention-navigating-gdpr-and-privacy-constraints\"><a href=\"https:\/\/adex.com\/blog\/device-fingerprinting-fraud-prevention-gdpr\/\">Device Fingerprinting for Fraud Prevention: Navigating GDPR and Privacy Constraints<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-the-split-looks-like-to-publishers-and-advertisers\">What the Split Looks Like to Publishers and Advertisers<\/h2>\n\n\n\n<p>Cloaking does not announce itself. Nothing flags that a campaign is serving one page to reviewers and another to users; the split is invisible from the dashboard. What shows up instead are second-order effects, and learning to read those is part of the defense.<\/p>\n\n\n\n<p>A publisher whose inventory has been hit by a cloaked campaign often sees the symptoms in performance metrics before anyone identifies the cause.&nbsp;<\/p>\n\n\n\n<p><strong>GeoEdge points to a few:\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An unexplained spike in click-through rate on display ads, which normally sit at a fraction of a percent&nbsp;<\/li>\n\n\n\n<li>A drop in time on site&nbsp;<\/li>\n\n\n\n<li>Session depth<\/li>\n\n\n\n<li>Revenue as users bounce off pages that misbehave<\/li>\n\n\n\n<li>Declines in viewability and CPM when a campaign quietly diverts value elsewhere<\/li>\n<\/ul>\n\n\n\n<p>None of these confirms cloaking on its own, but a cluster of them is a reason to ask demand partners hard questions.<\/p>\n\n\n\n<p>For an advertiser buying media, the more relevant exposure is the reverse: a cloaked campaign riding on a hijacked account, or counterfeit inventory that mimics a real site, can route spend toward placements that no genuine user ever sees. The buyer rarely catches this by eye. The realistic defense sits at the platform and verification layer, where the redirect chain and the destination can be inspected continuously rather than trusted once.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-lookialike-domain-typosquatting.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-lookialike-domain-typosquatting.png\" sizes=\"100vw\" alt=\"adex-lookialike-domain-typosquatting\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"from-domain-intelligence-to-udrp-decision-a-typosquatting-case\"><a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\">From Domain Intelligence to UDRP Decision: A Typosquatting Case<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<p>That is also where a holding-level anti-fraud posture earns its place. <a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\" target=\"_blank\" rel=\"noreferrer noopener\">Adex<\/a>, the anti-fraud platform within AdTech Holding (which also includes PropellerAds, Notix, and Zeydoo), treats even high-trust sources such as GitHub and Discord as high-risk precisely because attackers use them as &#8220;clean&#8221; intermediaries inside cloaked redirect chains.&nbsp;<\/p>\n\n\n\n<p>Its approach leans on redirect-chain analysis, business metrics, and a broader set of detection patterns rather than a single verdict on the creative. In its <a href=\"https:\/\/adex.com\/blog\/biggest-malware-scandals-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">review of 2025&#8217;s malvertising cases<\/a>, the team noted that fake browser extensions were a favorite vehicle for cloakers that year, and that the campaigns were caught at the moderation stage through that combination of signals. PropellerAds, drawing on the same family of defenses, reported in its <a href=\"https:\/\/propellerads.com\/blog\/propellerads-ads-safety-report-2025\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">2025 Ads Safety Report<\/a> that infrastructure-heavy cloaking, multi-layer setups that route users through intermediaries and vary content by geography or device, was one of the dominant patterns its moderation flagged across the year.<\/p>\n\n\n\n<style>\n.adex-cloaking-faces-block {\n  max-width: 1540px;\n  margin: 28px auto;\n  padding: 0 10px;\n  font-family: Arial, Helvetica, sans-serif;\n  color: #0f0868;\n}\n\n.adex-cloaking-faces-block * {\n  box-sizing: border-box;\n}\n\n.adex-cloaking-faces-title {\n  margin: 0 0 18px;\n  font-size: 24px;\n  line-height: 1.18;\n  font-weight: 800;\n  letter-spacing: -0.025em;\n  color: #100765;\n}\n\n.adex-cloaking-faces-table-wrap {\n  width: 100%;\n}\n\n.adex-cloaking-faces-table {\n  width: 100%;\n  border-collapse: separate;\n  border-spacing: 0;\n  table-layout: fixed;\n  background: #ffffff;\n}\n\n.adex-cloaking-faces-table th:nth-child(1),\n.adex-cloaking-faces-table td:nth-child(1) {\n  width: 16%;\n}\n\n.adex-cloaking-faces-table th:nth-child(2),\n.adex-cloaking-faces-table td:nth-child(2) {\n  width: 21%;\n}\n\n.adex-cloaking-faces-table th:nth-child(3),\n.adex-cloaking-faces-table td:nth-child(3) {\n  width: 21%;\n}\n\n.adex-cloaking-faces-table th:nth-child(4),\n.adex-cloaking-faces-table td:nth-child(4) {\n  width: 17%;\n}\n\n.adex-cloaking-faces-table th:nth-child(5),\n.adex-cloaking-faces-table td:nth-child(5) {\n  width: 25%;\n}\n\n.adex-cloaking-faces-table thead th {\n  padding: 18px 14px;\n  background: #100765;\n  color: #57ddcf;\n  text-align: left;\n  vertical-align: top;\n  font-size: 14px;\n  line-height: 1.25;\n  font-weight: 800;\n  word-break: normal;\n  overflow-wrap: anywhere;\n}\n\n.adex-cloaking-faces-table thead th:first-child {\n  border-top-left-radius: 18px;\n}\n\n.adex-cloaking-faces-table thead th:last-child {\n  border-top-right-radius: 18px;\n}\n\n.adex-cloaking-faces-table thead th.adex-cloaking-faces-warning-head {\n  color: #ef6a5d;\n  border-left: 4px solid #ef6a5d;\n}\n\n.adex-cloaking-faces-table tbody td {\n  padding: 18px 14px;\n  border-bottom: 2px solid #e5e4ef;\n  vertical-align: top;\n  font-size: 14px;\n  line-height: 1.32;\n  font-weight: 500;\n  color: #000000;\n  background: #ffffff;\n  word-break: normal;\n  overflow-wrap: anywhere;\n}\n\n.adex-cloaking-faces-table tbody tr:last-child td {\n  border-bottom: 0;\n}\n\n.adex-cloaking-faces-type {\n  font-size: 14px;\n  line-height: 1.28;\n  font-weight: 800 !important;\n  color: #100765 !important;\n}\n\n.adex-cloaking-faces-warning-cell {\n  background: #fdebea !important;\n  border-left: 4px solid #ef6a5d;\n}\n\n@media (max-width: 900px) {\n  .adex-cloaking-faces-title {\n    font-size: 22px;\n  }\n\n  .adex-cloaking-faces-table thead th {\n    padding: 15px 10px;\n    font-size: 12px;\n  }\n\n  .adex-cloaking-faces-table tbody td {\n    padding: 15px 10px;\n    font-size: 12px;\n  }\n\n  .adex-cloaking-faces-type {\n    font-size: 12px;\n  }\n}\n\n@media (max-width: 560px) {\n  .adex-cloaking-faces-block {\n    margin: 24px auto;\n    padding: 0 8px;\n  }\n\n  .adex-cloaking-faces-title {\n    font-size: 20px;\n  }\n\n  .adex-cloaking-faces-table {\n    display: block;\n  }\n\n  .adex-cloaking-faces-table thead {\n    display: none;\n  }\n\n  .adex-cloaking-faces-table tbody {\n    display: grid;\n    gap: 12px;\n  }\n\n  .adex-cloaking-faces-table tbody tr {\n    display: grid;\n    grid-template-columns: 1fr;\n    border: 2px solid #e5e4ef;\n    border-radius: 16px;\n    overflow: hidden;\n    background: #ffffff;\n  }\n\n  .adex-cloaking-faces-table tbody td {\n    display: grid;\n    grid-template-columns: 118px 1fr;\n    gap: 10px;\n    width: 100% !important;\n    padding: 12px 13px;\n    border-bottom: 1px solid #e5e4ef;\n    font-size: 13px;\n    line-height: 1.3;\n  }\n\n  .adex-cloaking-faces-table tbody tr:last-child td {\n    border-bottom: 1px solid #e5e4ef;\n  }\n\n  .adex-cloaking-faces-table tbody td:last-child {\n    border-bottom: 0 !important;\n  }\n\n  .adex-cloaking-faces-table tbody td::before {\n    content: attr(data-label);\n    font-size: 12px;\n    line-height: 1.25;\n    font-weight: 800;\n    color: #57ddcf;\n  }\n\n  .adex-cloaking-faces-type {\n    font-size: 13px;\n  }\n\n  .adex-cloaking-faces-type::before {\n    color: #100765 !important;\n  }\n\n  .adex-cloaking-faces-warning-cell::before {\n    color: #ef6a5d !important;\n  }\n\n  .adex-cloaking-faces-warning-cell {\n    border-left: 0;\n    background: #fdebea !important;\n  }\n}\n<\/style>\n\n<section class=\"adex-cloaking-faces-block\" aria-label=\"Four faces of cloaking and where each one breaks\">\n  <h2 class=\"adex-cloaking-faces-title\" id=\"four-faces-of-cloaking-and-where-each-one-breaks\">Four Faces of Cloaking and Where Each One Breaks<\/h2>\n\n  <div class=\"adex-cloaking-faces-table-wrap\">\n    <table class=\"adex-cloaking-faces-table\">\n      <thead>\n        <tr>\n          <th>Cloaking type<\/th>\n          <th>What gets swapped<\/th>\n          <th>What the reviewer sees<\/th>\n          <th class=\"adex-cloaking-faces-warning-head\">Why it passes review<\/th>\n          <th>Where detection catches it<\/th>\n        <\/tr>\n      <\/thead>\n\n      <tbody>\n        <tr>\n          <td class=\"adex-cloaking-faces-type\" data-label=\"Cloaking type\">Static creative cloaking<\/td>\n          <td data-label=\"What gets swapped\">The ad image, after approval<\/td>\n          <td data-label=\"What the reviewer sees\">A compliant creative<\/td>\n          <td class=\"adex-cloaking-faces-warning-cell\" data-label=\"Why it passes review\">Swap happens post-approval<\/td>\n          <td data-label=\"Where detection catches it\">Re-scanning creatives after they go live<\/td>\n        <\/tr>\n\n        <tr>\n          <td class=\"adex-cloaking-faces-type\" data-label=\"Cloaking type\">Static page cloaking<\/td>\n          <td data-label=\"What gets swapped\">The destination URL, after approval<\/td>\n          <td data-label=\"What the reviewer sees\">A compliant landing page<\/td>\n          <td class=\"adex-cloaking-faces-warning-cell\" data-label=\"Why it passes review\">Swap happens post-approval<\/td>\n          <td data-label=\"Where detection catches it\">Continuous redirect-chain checks<\/td>\n        <\/tr>\n\n        <tr>\n          <td class=\"adex-cloaking-faces-type\" data-label=\"Cloaking type\">Dynamic pre-click cloaking<\/td>\n          <td data-label=\"What gets swapped\">Creative chosen per visitor in real time<\/td>\n          <td data-label=\"What the reviewer sees\">The clean creative reviewer fails the visitor checks<\/td>\n          <td class=\"adex-cloaking-faces-warning-cell\" data-label=\"Why it passes review\">Reviewer is profiled as a non-user<\/td>\n          <td data-label=\"Where detection catches it\">Realistic fingerprints, IP rotation, behavioral analysis<\/td>\n        <\/tr>\n\n        <tr>\n          <td class=\"adex-cloaking-faces-type\" data-label=\"Cloaking type\">Dynamic post-click cloaking<\/td>\n          <td data-label=\"What gets swapped\">Landing page chosen per visitor after the click<\/td>\n          <td data-label=\"What the reviewer sees\">A genuinely clean creative<\/td>\n          <td class=\"adex-cloaking-faces-warning-cell\" data-label=\"Why it passes review\">Nothing is wrong with the creative<\/td>\n          <td data-label=\"Where detection catches it\">Following the click through to the final page<\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n<\/section>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-line-between-cloaking-and-legitimate-variation\">The Line Between Cloaking and Legitimate Variation<\/h2>\n\n\n\n<p>Not every difference in what users see is cloaking, and treating it that way leads to false positives that punish ordinary advertising. The boundary is specific.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>Google&#8217;s policy spells out what is allowed: showing a landing page in different languages, running different special offers, or adjusting for geographic location or slower internet connections.\u00a0<\/strong><\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>The condition is that the promoted product or service stays the same for everyone. A retailer that shows euro pricing in Germany and dollar pricing in the United States is varying the wrapper around an identical product, which the policy allows.&nbsp;<\/p>\n\n\n\n<p>Cloaking is when the variation exists to hide that the real destination breaks the rules, for example, showing the review system of a clothing store while sending users to something the policy prohibits.<\/p>\n\n\n\n<p>The same boundary appears in how security teams define the term. HUMAN draws a line between a cloaked ad and an ad that merely deceives without changing its content.&nbsp;<\/p>\n\n\n\n<p>If there is no swap and no conditional logic hiding the real intent from review, it may still be a bad ad, but it is not cloaking. Keeping that distinction sharp matters for detection, because the two problems are caught in different ways.&nbsp;<\/p>\n\n\n\n<p>Deceptive-but-static ads are caught by reviewing what is there. Cloaked ads are caught by detecting the machinery that decides who sees what.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-responsible-networks-defend-against-it\">How Responsible Networks Defend Against It<\/h2>\n\n\n\n<p>No single check stops cloaking, because the technique is built to pass whichever check it expects.&nbsp;<\/p>\n\n\n\n<p><strong>The defenses that hold up share a common shape: they assume the reviewed version is not the served version, and they keep looking after approval.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stop scanning like a scanner<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The first move is to stop scanning like a scanner. Detection that rotates IP addresses, presents realistic device fingerprints, executes JavaScript, and behaves like a person denies the cloaker the network and device tells it relies on.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fingerprinting<\/strong><\/li>\n<\/ul>\n\n\n\n<p>A useful second move is to look for the fingerprinting itself. When a page is running scripts that check for a touch screen, battery charge, or Canvas behavior, that machinery is a signal in its own right, and its presence can flag a likely cloak even when the payload stays hidden.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>GeoEdge built its real-time approach around exactly this idea: detect the cloaking apparatus, then block the bad ad before it renders.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Continuity<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The third move is continuity. Because cloakers switch on after approval, re-scanning live campaigns and re-walking redirect chains closes the timing gap that one-time review leaves open.&nbsp;<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\"><em>The Triada investigation pushed this to a zero-trust stance, where every redirect, landing page, and target URL is checked, even when it points at a reputable domain, because reputable domains are exactly what attackers borrow to look clean. And because cloaked campaigns frequently ride on <\/em><a href=\"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>hijacked advertiser accounts<\/em><\/a><em>, login-anomaly monitoring, two-factor authentication, and strict identity verification at signup all cut off a common path to getting a campaign approved under someone else&#8217;s good name. Several of these abuse <\/em><a href=\"https:\/\/adex.com\/blog\/abuse-of-trusted-domains-in-igaming\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>trusted domains<\/em><\/a> <em>as the front of the chain, which is why a clean-looking destination cannot be the end of the inquiry.<\/em><\/p>\n\n\n\n<p>None of this delivers zero incidents. Cloaking is an arms race, and a determined operator can build a new evasion faster than any single rule adapts. What the layered approach does is raise the cost and shorten the window: it makes the clean-version trick harder to set up, and it catches the switch sooner after it happens.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-ad-cloaking-illegal-or-just-against-platform-policy\">Is ad cloaking illegal, or just against platform policy? <\/h3>\n\n\n\n<p>It is firmly against the policies of every major ad platform and is treated as one of the most serious violations. Google suspends accounts for it on detection without warning. Beyond policy, cloaking is usually the delivery mechanism for activity that is itself illegal, such as malware distribution or phishing, and platform operators have pursued cloaking-tool vendors in court.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-is-cloaking-different-from-a-normal-redirect\">How is cloaking different from a normal redirect? <\/h3>\n\n\n\n<p>Redirects are a routine, allowed part of advertising, including for click tracking. The difference is intent and concealment. A redirect becomes cloaking when it sends the review system to a compliant page while routing real users to one that breaks the rules, and hides that split from the platform.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-can-a-campaign-pass-moderation-and-still-be-malicious\">Why can a campaign pass moderation and still be malicious? <\/h3>\n\n\n\n<p>Because moderation mostly happens at approval, and cloaking is designed to behave at that moment. The campaign shows its clean face during review, then either swaps content afterward or uses live visitor checks to keep showing reviewers the clean version. The malicious page only appears to visitors who pass as real users.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-the-hardest-type-of-cloaking-to-catch\">What is the hardest type of cloaking to catch? <\/h3>\n\n\n\n<p>Dynamic post-click cloaking. The ad creative is genuinely clean, so the creative review passes it, and the decision about where to send the visitor is made only after the click and behind device and behavior checks. Catching it requires following the click through to the real destination under conditions that look human.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"can-advertisers-or-publishers-detect-cloaking-themselves\">Can advertisers or publishers detect cloaking themselves? <\/h3>\n\n\n\n<p>Rarely in real time, and rarely by looking at the creative. What they can watch for are second-order symptoms, such as abnormal click-through spikes, drops in time on site, or unexplained declines in viewability and CPM, and then escalate to partners. The detection itself sits at the platform and verification layer, where the redirect chain can be inspected continuously.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"where-this-leaves-advertisers-and-publishers\">Where This Leaves Advertisers and Publishers<\/h2>\n\n\n\n<p>The instinct when fighting cloaking is to scan harder at the gate. That instinct is only half right. A cloaked campaign is built to look perfect at the gate, because the gate is the one moment it knows it will be watched. Reviewing the creative more carefully does little against a post-click cloak where the creative is clean by design.<\/p>\n\n\n\n<p>The more durable stance treats approval as the beginning of scrutiny rather than the end of it.&nbsp;<\/p>\n\n\n\n<p>Assume the page a reviewer saw is not the page a user will get. Walk the redirect chain the way a real visitor would, from a vantage point that does not announce itself as a scanner. Re-check live campaigns instead of trusting the verdict from launch day. Extend the same suspicion to domains with good reputations, since those are the ones attackers borrow. Cloaking is a sorting machine pointed at your reviewers; the defense is to keep arriving as someone it cannot afford to sort out.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Adex tracks cloaking and the redirect-chain techniques behind it as part of its anti-fraud and traffic-quality work across AdTech Holding. Teams that want to compare notes on emerging evasion patterns can reach the Adex anti-fraud team directly.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n","protected":false},"excerpt":{"rendered":"<p>What if the \u201csafe\u201d landing page exists only for the reviewer? Learn how ad cloaking sorts visitors, hides bad destinations, and why real protection has to continue after approval.<\/p>\n","protected":false},"author":4,"featured_media":5837,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[18,16],"class_list":["post-5829","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-current_risks","tag-fraud","tag-threat"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ad Cloaking: How Fraudsters Hide Malicious Pages<\/title>\n<meta name=\"description\" content=\"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/ad-cloaking\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ad Cloaking: How Fraudsters Hide Malicious Pages\" \/>\n<meta property=\"og:description\" content=\"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/ad-cloaking\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-25T08:06:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-25T08:06:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kira Vessiari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kira Vessiari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/\"},\"author\":{\"name\":\"Kira Vessiari\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\"},\"headline\":\"Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another\",\"datePublished\":\"2026-06-25T08:06:44+00:00\",\"dateModified\":\"2026-06-25T08:06:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/\"},\"wordCount\":3395,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Adex-Ad-Cloaking-Reviewer-User-Split.png\",\"keywords\":[\"Fraud\",\"Threat\"],\"articleSection\":[\"Current risks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/\",\"name\":\"Ad Cloaking: How Fraudsters Hide Malicious Pages\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Adex-Ad-Cloaking-Reviewer-User-Split.png\",\"datePublished\":\"2026-06-25T08:06:44+00:00\",\"dateModified\":\"2026-06-25T08:06:45+00:00\",\"description\":\"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Adex-Ad-Cloaking-Reviewer-User-Split.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Adex-Ad-Cloaking-Reviewer-User-Split.png\",\"width\":1200,\"height\":628,\"caption\":\"Adex - ad cloaking and reviewer-user split, showing how fraudsters serve clean pages to moderators and malicious pages to real users.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/ad-cloaking\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\",\"name\":\"Kira Vessiari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"caption\":\"Kira Vessiari\"},\"sameAs\":[\"https:\\\/\\\/adex.com\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/kiravessiari\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ad Cloaking: How Fraudsters Hide Malicious Pages","description":"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/ad-cloaking\/","og_locale":"en_US","og_type":"article","og_title":"Ad Cloaking: How Fraudsters Hide Malicious Pages","og_description":"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.","og_url":"https:\/\/adex.com\/blog\/ad-cloaking\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2026-06-25T08:06:44+00:00","article_modified_time":"2026-06-25T08:06:45+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png","type":"image\/png"}],"author":"Kira Vessiari","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Kira Vessiari","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/"},"author":{"name":"Kira Vessiari","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61"},"headline":"Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another","datePublished":"2026-06-25T08:06:44+00:00","dateModified":"2026-06-25T08:06:45+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/"},"wordCount":3395,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png","keywords":["Fraud","Threat"],"articleSection":["Current risks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/ad-cloaking\/","url":"https:\/\/adex.com\/blog\/ad-cloaking\/","name":"Ad Cloaking: How Fraudsters Hide Malicious Pages","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png","datePublished":"2026-06-25T08:06:44+00:00","dateModified":"2026-06-25T08:06:45+00:00","description":"Learn how ad cloaking hides malicious pages behind clean review versions, and why continuous checks matter after approval.","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/ad-cloaking\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/Adex-Ad-Cloaking-Reviewer-User-Split.png","width":1200,"height":628,"caption":"Adex - ad cloaking and reviewer-user split, showing how fraudsters serve clean pages to moderators and malicious pages to real users."},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/ad-cloaking\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61","name":"Kira Vessiari","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","caption":"Kira Vessiari"},"sameAs":["https:\/\/adex.com","https:\/\/www.linkedin.com\/in\/kiravessiari\/"]}]}},"_links":{"self":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/comments?post=5829"}],"version-history":[{"count":11,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5829\/revisions"}],"predecessor-version":[{"id":5845,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5829\/revisions\/5845"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media\/5837"}],"wp:attachment":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media?parent=5829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/categories?post=5829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/tags?post=5829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}