Fraud-detection company Forensiq says advertisers are losing big money to a stealthy bot that uses a new tactic to siphon millions of dollars away from sports websites, including NFL team domains, ESPN and CBS Sports.

The firm’s technology uncovered the sports bot after tracking web traffic to all 32 NFL team sites for 90 days as well as bigger sports sites such as ESPN, CBS Sports and NBA and MLB properties, totaling 340 million impressions. Unlike more well-known tactics where fraudsters target so-called long-tail websites where content is never seen by consumers, Forensiq believes this bot is targeting premium content, essentially hijacking legitimate publishers’ online ad space through malware. Specifically, the bot is focused on video ad units, which typically have higher cost-per-thousand, or CPM, prices.

“This bot is injecting ads on the sites and then monetizing them through networks and other types of traffic sources so that the site is not losing any revenue from the bot but their name is being taken advantage of,” said Amit Joshi, director of data science at Forensiq.

Here’s how Forensiq thinks it happens:

Someone downloads a program with malware, which helps the fraudsters access an internet browser. From there, they trigger browsers to open in the background, causing hundreds of ads to be served that are not seen by humans.

“If you look at the IPs [internet protocols] the impressions are coming from, they look like normal, residential IPs where the bot is opening invisible browser windows and loading the ads legitimately on the sites,” Joshi said. “[The bot] then poses as a publisher and sells them into a network so that ESPN doesn’t get any of the ad revenue and the bot can profit.”

All told, Forensiq analyzed 9.7 billion prebid requests across 46 domains over 90 days and estimates that $200 million to $250 million in advertising is lost to the sports bot per year.

While tech vendors and agencies have taken steps to clamp down on fraud in recent years, the issue will still cost advertisers $6.5 billion this year, according to the Association of National Advertisers.

Interestingly, Forensiq found that most of the sites—ESPN and CBS Sports are the exceptions—have not implemented ads.txt on their websites. Ads.txt is an initiative by the Interactive Advertising Bureau Tech Lab that prevents unauthorized tech vendors from selling ads on a publisher’s website.

“Perhaps some of this injection would be cut down [if publishers implemented the tool],” said David Sendroff, CEO of Forensiq.
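As an added illustration (not from Forensiq or the original article), this is the check ads.txt makes possible on the buying side: parse the publisher's file and flag any offer whose seller account the site has not listed. It assumes the IAB ads.txt record layout (ad system domain, seller account ID, DIRECT or RESELLER, optional certification ID); every domain, account ID and offer below is constructed.

```python
# Added example: ads.txt authorization check. All domains and IDs are constructed.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed sample)
exchange-a.example, 12345, DIRECT, abc123def456
exchange-b.example, pub-987, RESELLER
contact=adops@publisher.example
Exchange-C.example , 555 , direct   # trailing comment
malformed line without commas
"""

def parse_ads_txt(text):
    """Return a set of (ad_system_domain, seller_account_id, relationship)."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                             # variable (contact=...) or malformed
        domain, account, rel = fields[0].lower(), fields[1], fields[2].upper()
        if rel in ("DIRECT", "RESELLER"):
            records.add((domain, account, rel))  # account IDs stay case-sensitive
    return records

def is_authorized(records, ad_system, seller_id):
    ad_system = ad_system.lower()
    return any(d == ad_system and a == seller_id for d, a, _ in records)

def audit(offers, ads_txt_by_site):
    """Return offers whose seller is not listed by the site they claim to sell."""
    flagged = []
    for offer in offers:
        text = ads_txt_by_site.get(offer["site"])
        if text is None:
            continue                             # no ads.txt published: nothing to verify
        if not is_authorized(parse_ads_txt(text), offer["ad_system"], offer["seller_id"]):
            flagged.append(offer)
    return flagged

OFFERS = [  # constructed offers claiming inventory on a site
    {"site": "publisher.example", "ad_system": "exchange-a.example", "seller_id": "12345"},
    {"site": "publisher.example", "ad_system": "exchange-a.example", "seller_id": "66666"},
    {"site": "noadstxt.example", "ad_system": "exchange-a.example", "seller_id": "66666"},
]
FLAGGED = audit(OFFERS, {"publisher.example": SAMPLE_ADS_TXT})
```

Only the second offer is flagged; the third passes unchecked because its site publishes no ads.txt, which is the gap the article describes for most of the sites studied.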

The firm said it was able to sniff out the problems because of improvements to its fraud-detection algorithm, which uses machine learning to dig deeper into browsing behavior and separate human from bot traffic.

“It’s analyzing specific behavior at the user level so we can identify anonymous behavior indicative of bots and other types of automated browsing,” Sendroff said. “We’re analyzing networks of users that move between sites, and we identify clusters of browsing behavior—the algorithm is learning in real time to always pick up new patterns of fraud.”

That’s partly because fraudsters continue to become more sophisticated. In this case, the bot found a work-around to viewability, and the bogus ad impressions were deemed viewable, per the widely used definition set by the Media Rating Council. According to Forensiq, up to 90 percent of the ads served by the sports bot were deemed viewable.

Faking viewability may just be a quick and easy way for the bot to confuse advertisers into thinking that their ads were served correctly to consumers.

“The impression was scored as viewable, but we know that the viewer is not human,” Joshi said. “So the bot is somehow rendering the page in a way to fake the standard signals that vendors use to measure viewability.”