In just the past three weeks, Grindr, the popular gay dating app, has been slammed by the Norwegian Consumer Council for exposing users’ personal information, suspended from Twitter’s ad network as a result of that investigation, and alleged to have been the way a Michigan hairstylist met the man who brutally murdered him.

Adding to those concerns is new research showing that the company’s Android app was exploited by ad fraudsters in a scheme that stole money from advertisers — and drained the phone batteries and depleted the data plans of Grindr’s users.

Amin Bandeali, CTO of Pixalate, the Palo Alto ad fraud detection firm that identified the scam, said Grindr was likely targeted because of its large user base.

“If I’m a fraudster, I would love to target an app that has a lot of user engagement. These dating apps — users are on them constantly,” he told BuzzFeed News.

Along with Grindr, the scheme exploited Roku apps and devices. Brands are projected to spend $7 billion this year to show ads on connected devices, like Roku, and over-the-top media services, which are streaming platforms like Hulu. Yet close to a quarter of that money will be stolen by fraudsters, according to data from Pixalate.

“This scheme is just one example in the universe of [over-the-top] fraud,” Pixalate CEO Jalal Nasir told BuzzFeed News. Pixalate dubbed the scheme “DiCaprio” after seeing that word used in a file containing some of the malicious code.

“DiCaprio is one of the most sophisticated OTT ad fraud schemes we have seen to date,” Nasir said.

A Grindr spokesperson told BuzzFeed News the company wasn’t aware of the scheme prior to being contacted for this story but was “taking steps to address it and are continually working to implement new strategies to protect our users.”

“Grindr is committed to creating a safe and secure environment to help our community connect and thrive. Any fraudulent activity is a clear violation of our terms and conditions and something we take very seriously,” the spokesperson said.

Tricia Mifsud, Roku’s vice president of communications, said brands need to take steps to protect themselves when they purchase OTT ads using open exchanges rather than buying direct from publishers or platforms.

“We recommend that OTT ad buyers buy directly from Roku or publishers on the platform. When buying from other sources and especially open exchanges, the buyer may be better served to use technology that can help with verifying the source of the ad requests,” she said.

Ad spoofing

Here’s how the scheme worked: A normal banner ad was bought on Grindr’s Android app. The fraudsters then attached code that disguised the Grindr banner ad to look like a Roku video ad slot. This fake ad space was sold on programmatic advertising exchanges, the online marketplaces where digital ads are bought and sold. Making one ad unit look like another is called spoofing, and it has been a problem for years. This attack is similar to one revealed by BuzzFeed News and detection firm Protected Media last year. In both cases, cheap banner ads were used to resell more expensive video ads.

Nasir said this kind of video ad can cost as much as 25 times that of a mobile banner ad: “So that’s very lucrative for someone to make quick money — and a lot of it.”

These video ads did not appear in the Roku app and were never seen by humans. But the ad tech middleware vendors who facilitated the ad placement still took their cuts.
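The spoofing described above leaves a contradiction in the bid request: the seller declares a Roku video slot, but the HTTP request actually comes from an Android phone, and one device generates far more video requests than a real viewer would. The script below is an added example (not Pixalate's, Grindr's or Roku's code) of how a verification vendor or exchange could flag that contradiction; the request records, user-agent strings, field names and the per-device threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed, simplified ad-request records (not real traffic). "declared_*"
# is what the seller asserts in the bid request; "user_agent" and "device_id"
# are what the exchange actually observes on the HTTP request.
ANDROID_UA = "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 3 Build/QQ3A.200605.001)"
SAMPLE_REQUESTS = [
    {"id": "a1", "declared_platform": "roku", "declared_ad_type": "video",
     "user_agent": "Roku/DVP-9.3 (519.30E04170A)", "device_id": "dev-roku-1"},
    {"id": "a2", "declared_platform": "roku", "declared_ad_type": "video",
     "user_agent": ANDROID_UA, "device_id": "dev-android-7"},
    {"id": "a3", "declared_platform": "android", "declared_ad_type": "banner",
     "user_agent": ANDROID_UA, "device_id": "dev-android-9"},
] + [  # the same Android device repeatedly "selling" Roku video slots
    {"id": f"b{i}", "declared_platform": "roku", "declared_ad_type": "video",
     "user_agent": ANDROID_UA, "device_id": "dev-android-7"} for i in range(40)
]

ANDROID_RE = re.compile(r"Dalvik|Android", re.I)
ROKU_RE = re.compile(r"\bRoku\b", re.I)

# Hypothetical threshold: video requests per device in one reporting window.
MAX_VIDEO_REQUESTS_PER_DEVICE = 20

def platform_mismatch(rec):
    """True when the declared platform contradicts the observed user agent."""
    ua = rec["user_agent"]
    return (rec["declared_platform"] == "roku"
            and ANDROID_RE.search(ua) is not None
            and ROKU_RE.search(ua) is None)

def flag_requests(records, max_per_device=MAX_VIDEO_REQUESTS_PER_DEVICE):
    """Return {request_id: [reasons]} for requests that look like spoofed inventory."""
    per_device = Counter(r["device_id"] for r in records
                         if r["declared_ad_type"] == "video")
    flags = {}
    for r in records:
        reasons = []
        if platform_mismatch(r):
            reasons.append("declared Roku but Android user agent")
        if r["declared_ad_type"] == "video" and per_device[r["device_id"]] > max_per_device:
            reasons.append("excessive video requests from one device")
        if reasons:
            flags[r["id"]] = reasons
    return flags

if __name__ == "__main__":
    for rid, why in flag_requests(SAMPLE_REQUESTS).items():
        print(rid, why)
```

In production the same two checks would run against the real OpenRTB fields (app bundle, device type, IP and user agent), and a legitimate Roku request like `a1` passes both.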

One such company is S&W Media, an Israeli firm that operates an ad network that places ads in Roku apps and on other connected TV platforms. The company also operates roughly 20 of its own Roku content channels under the SnowTV brand. Pixalate’s research, reporting by BuzzFeed News, and data from a company used by the fraudsters to deliver the video ads suggested multiple connections between S&W Media and the scheme. As a result, at least one partner has ended its relationship with S&W, calling its activity “highly suspect.”

CEO Nadav Slutzky denies involvement, telling BuzzFeed News this type of spoofing has occurred on his ad platform in the past and that he has refunded advertisers when fraud was detected.

“In August 2019, one of our advertisers brought to our attention that some of the traffic we were sending him was suspected of being fake. We immediately worked to locate the traffic sources and stopped working with this supply, in addition to not paying them for this traffic,” he said. “We do everything in our power to battle fraudulent traffic including using third-party verifications tools. We as a mediator have suffered the most from this kind of activity and will do anything in our power to stop it, including developing inside tools to fight this.”

The code that placed the invalid video ads used S&W’s ad network, called AdservME, to track the ads being sold, and it included an instruction to display an ad for a jewelry business owned in part by Slutzky if no paid ad was purchased to fill the slot.

Slutzky said the section of code referencing AdservME, and the use of an Austaras banner, was standard code used by his company and was copied by the fraudsters.

Another section of malicious code identified by Pixalate included a list of Roku apps owned and operated by S&W’s SnowTV. These apps would have been spoofed as part of the scheme, and any video ads placed as a result would have earned S&W money as both the ad network selling the inventory and the publisher of the app.