A newly uncovered cloaking platform called 1Campaign is giving cybercriminals a powerful tool to push malicious advertisements through Google’s ad review system, putting everyday users at serious risk of phishing scams and cryptocurrency theft.
Google Ads is one of the most trusted advertising networks online. Millions of users click on sponsored search results daily, trusting those links lead to real businesses.
Attackers have long tried to exploit that trust by placing malicious ads, but Google’s screening process typically blocks them. That barrier is now weakening.
1Campaign was built specifically to defeat Google’s ad review workflow, letting threat actors run fraudulent campaigns covering phishing pages, fake software downloads, and cryptocurrency drainer sites without being flagged.
The developer behind 1Campaign operates under the handle DuppyMeister and has maintained this platform for over three years, with dedicated Telegram channels for support.
The tool combines real-time visitor filtering, fraud scoring, geographic targeting, and a bot guard script generator into a single dashboard. This accessibility makes it usable even for attackers with little technical skill, lowering the bar for large-scale ad fraud.
Varonis researchers identified and analyzed 1Campaign, revealing how deeply it is engineered to stay hidden from security teams.
Its core function is cloaking — showing a harmless “white page” to ad reviewers and automated scanners, while real visitors are quietly redirected to attacker-controlled phishing or scam pages.
Since Google’s reviewers see only the clean version, the malicious ad passes inspection and stays live until real victims report it or the campaign is manually flagged.
The impact is already measurable. One analyzed campaign called “Blockbyblockchain” targeted the domain bitcoinhorizon.pro and processed 1,676 visitors — approving only 10, a 0.6% pass rate.
The platform’s dashboard separately showed 4.3K total visitors with 99.2% blocked, confirming how aggressively it filters out security infrastructure.
How 1Campaign Filters and Targets Its Victims
The most technically precise part of 1Campaign is its real-time visitor filtering and fraud scoring engine.
Every visitor is assigned a fraud score from 0 to 100 upon landing on a cloaked page.
Traffic from Microsoft Corporation, Google, Tencent Cloud Computing, OVH Hosting, and similar providers is automatically blocked — even when scores appear low — because the system identifies those IP ranges as automated scanners by their ISP and network identifiers.
The filtering works across several layers: IP reputation checks against known data centers and VPN exit nodes, device fingerprinting to catch headless browsers and automation tools, and behavioral signals like unusually fast page loads or missing JavaScript execution.
Any visitor triggering even one check is silently redirected to the benign white page, keeping the attacker’s content invisible to security teams.
Geographic and device targeting adds further precision. Operators restrict campaigns to specific countries and device types, focusing on regions where phishing content is most effective while filtering traffic from areas common to security researchers.
Observed traffic came from the US, Netherlands, Canada, China, Germany, France, Hungary, Albania, and Japan.
For actual ad placement, 1Campaign includes a built-in Google Ads launcher that helps operators deploy both malicious and clean campaigns together.
The developer openly claims this bypasses Google Ads policy restrictions, letting operators use any branding or wording — including impersonating legitimate businesses.
Security teams should treat static URL scanning as unreliable against cloaked infrastructure.
Effective detection requires tools that emulate genuine human browser behavior, rotate IP addresses, and engage with forms and authentication prompts that cloakers use to screen out scanners.
Individual users should verify URLs before clicking sponsored results, avoid downloading software through ad links, and report suspicious Google Ads promptly.
Organizations should flag the confirmed phishing indicator of compromise: the domain bitcoinhorizon.pro, directly tied to active 1Campaign operations.
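The comparison behind that guidance, as an added example that is not from the article or from Varonis: it takes fetches of one ad URL recorded from different vantage points and flags host or content divergence between them, plus any landing on the published indicator. The observation format, vantage labels, sample records and the 0.5 similarity threshold are assumptions.

```python
from urllib.parse import urlsplit

# Indicator of compromise published in the article above.
IOC_DOMAINS = {"bitcoinhorizon.pro"}

def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def matches_ioc(host, iocs=IOC_DOMAINS):
    """True for an IoC domain or any of its subdomains, not lookalike suffixes."""
    return any(host == d or host.endswith("." + d) for d in iocs)

def jaccard(a, b):
    """Word-set similarity of two page bodies, from 0.0 to 1.0."""
    sa, sb = set(a.lower().split()), set(b.lower().split())
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0

def assess(observations, min_similarity=0.5):
    """Compare fetches of one ad URL made from different vantage points.

    Each observation is a dict with 'vantage', 'final_url' and 'body'
    (hypothetical format). Returns a list of findings; an empty list
    means the vantage points saw the same thing.
    """
    findings = []
    for obs in observations:
        if matches_ioc(host_of(obs["final_url"])):
            findings.append(f"ioc-host:{obs['vantage']}")
    base = observations[0]
    for obs in observations[1:]:
        pair = f"{base['vantage']}!={obs['vantage']}"
        if host_of(obs["final_url"]) != host_of(base["final_url"]):
            findings.append(f"host-divergence:{pair}")
        elif jaccard(obs["body"], base["body"]) < min_similarity:
            findings.append(f"content-divergence:{pair}")
    return findings

# Constructed sample data: one ad click recorded from two vantage points.
SAMPLE = [
    {"vantage": "datacenter-scanner", "final_url": "https://ads-landing.example/home",
     "body": "Welcome to our gardening blog with tips for spring planting"},
    {"vantage": "residential-browser", "final_url": "https://bitcoinhorizon.pro/",
     "body": "Connect your wallet to claim your reward now"},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```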



