A cybercrime service called 1Campaign has enabled hackers to deploy malicious Google Ads for three years, targeting highly relevant users while dodging Google’s screening processes.
How 1Campaign Works as a Cloaker
This tool functions as a cloaker, displaying phishing or scam pages to victims while presenting a blank page to security researchers, ad reviewers, and automated scanners. This tactic helps fraudulent campaigns pass initial checks and remain active longer.
Advanced Features for Evasion
Beyond basic cloaking, 1Campaign provides real-time analytics, visitor profiling, and fraud scoring. Each visitor receives a score from 0 to 100. Traffic from Microsoft, Google, Tencent Cloud, OVH Hosting, and other providers is assigned a high score and blocked automatically.
Security scanners are detected by IP range, ISP, and behavior pattern, which lets attackers control precisely who sees the malicious content.
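For ad reviewers and defenders, the practical consequence is that a single fetch from cloud or hosting address space proves nothing about a landing page. The sketch below is an added example, not code from 1Campaign or from the original report. It compares captures of one landing URL taken from different vantage classes and flags the pattern described above, where datacenter fetches come back blank while residential fetches return content. The vantage labels, the BLANK_MAX threshold, and the sample captures are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

BLANK_MAX = 20  # assumed threshold: this many visible characters or fewer counts as blank

class _Visible(HTMLParser):
    """Collects visible text (outside script/style) and counts <input> fields."""
    def __init__(self):
        super().__init__()
        self.chunks, self.inputs, self._skip = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input":
            self.inputs += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data.strip())

def is_blank(body):
    """True when the page shows (almost) no text and has no form inputs."""
    p = _Visible()
    p.feed(body)
    p.close()
    text = " ".join(c for c in p.chunks if c)
    return len(text) <= BLANK_MAX and p.inputs == 0

def cloaking_verdict(observations):
    """observations: (vantage_class, html_body) pairs captured for ONE landing URL."""
    seen = {}
    for vantage, body in observations:
        seen.setdefault(vantage, []).append(is_blank(body))
    dc, res = seen.get("datacenter", []), seen.get("residential", [])
    if not dc or not res:
        return "insufficient-vantage-points"
    if all(dc) and not any(res):
        return "suspected-cloaking"   # blank only for cloud/hosting address space
    if all(dc) and all(res):
        return "blank-everywhere"
    if not any(dc) and not any(res):
        return "consistent"
    return "inconclusive"

# Constructed sample captures (not real traffic).
SAMPLE = [
    ("datacenter", "<html><body></body></html>"),
    ("datacenter", "<html><head><script>var a=1;</script></head><body> </body></html>"),
    ("residential", "<html><body><h1>Sign in to your account</h1>"
                    "<form><input name='user'><input type='password'></form></body></html>"),
]
```

A "suspected-cloaking" verdict is a reason to escalate the ad for manual review, not proof on its own, since geo-restricted or bot-protected legitimate sites can also serve different content by network.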
Global Reach and Ad Launch Capabilities
Developed by a hacker known as DuppyMeister, the platform distributes traffic across the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania.
It includes a Google Ads launcher that supports both malicious and legitimate campaigns, bypassing restrictions to impersonate any brand. DuppyMeister claims this enables launching ads “as anyone.”
Analysis reveals this setup facilitates large-scale ad fraud, letting attackers mimic trusted brands in Google Ads while avoiding automated enforcement.

