Yash Vekaria, Rishab Nithyanand, and Zubair Shafiq — researchers at UC Davis and the University of Iowa — spent 2022 and 2023 studying what happens when you take a publisher ID issued to a reputable site and insert it into the ads.txt file of a site with a different reputation. Their paper, "The Inventory is Dark and Full of Misinformation," published at the IEEE Symposium on Security & Privacy in 2024, describes the result: a dark pool.
The process is not complicated. A misinformation publisher — one the brand safety blocklist has correctly identified and excluded — copies a publisher account ID from a reputable site into its own ads.txt file. It then uses that ID in bid requests sent to ad exchanges. When an advertiser's demand-side platform queries the exchange, it sees the premium publisher ID attached to the bid. It bids. The ad appears. The invoice goes to the reputable brand. The money arrives at the misinformation site.
The ledger said the reputable publisher was authorized. It was. The reputable publisher was authorized. But so was the site that borrowed its ID.
What Vekaria, Nithyanand, and Shafiq found, studying 669 misinformation domains against the top 100,000 Tranco domains, was that 11 percent of all inventory pooling instances — roughly 8,700 distinct dark pools — involved at least one misinformation site. They identified nearly 79,000 unique pools. The problem was not rare. It was structural.
A follow-up study by the same research group, published in June 2024 (arXiv:2406.06958), tracked what happened when they notified the parties involved. Ad networks, when informed that their infrastructure was being used to launder misinfo inventory, resolved 81.6 percent of dark pools within the study window. Publishers, when notified, acted 4 percent of the time.
The asymmetry is structural. Ad networks profit from the volume. Publishers, in many cases, do not know the pooling is happening — or have plausible deniability. The misinformation site knows exactly what it is doing.
The paper describes specific pools. A pool of 14 websites — some with standard news formatting, some with no editorial identity — all disclosing the same Google-issued publisher ID in their ads.txt files. All receiving bids from the same campaigns, separated from the brands by several layers of intermediary. The brands thought they were on a specific set of sites. They were on a pool.
One DIRECT identifier, issued by conversantmedia.com, appeared in the ads.txt files of 42,412 distinct websites. The identifier exists to certify that conversant is authorized to sell each of those sites' inventory. It does not certify that those sites are related to each other, or that they share an operator, or that any of them are not misinformation sites. It certifies only that conversant has a commercial relationship with each.
The paper found that ad networks themselves facilitate pooling. Some do it deliberately — packaging together sites of varying reputation into a single seller ID and offering it to exchanges as a bundle. The brands buying the bundle cannot disaggregate it. They are buying the pool.
The researchers' regression analysis found a slope of -36.53 — meaning that as dark pooling increased, the effectiveness of brand safety tools decreased. The tools were not detecting the pools. They were being circumvented by them.
The ads.txt specification, developed by the IAB Technology Laboratory, requires publishers to list every entity authorized to sell their inventory. The sellers.json specification, introduced in 2019, requires ad networks to list every publisher they are authorized to represent. Together, the two files were meant to create an auditable chain: you can check whether the seller claiming to represent a given site is actually authorized to do so.
Nine years after ads.txt was introduced, the false rate has not converged toward zero. An audit published in March 2026 by the adtech-audit project found that 55 percent of sites claiming DIRECT status — the highest tier of authorized seller — were making false claims. Twenty-nine percent explicitly contradicted the SSP's own registry, which listed them as INTERMEDIARY rather than DIRECT. Twenty-six percent used seller IDs that did not exist in any registry. The audit described the state of authorization as "Net authorization: approximately 5 percent of ad-tech activity properly authorized."
A separate Carter Center analysis found that Google's sellers.json had 72.9 percent of entries classified as confidential — the default setting requires publishers to actively opt into making their information public, in contrast to an industry average of 0.5 percent classified records. This design means most Google publisher IDs in ads.txt files cannot be independently verified against a sellers.json record.
The Carter Center's 2024 disinformation economy analysis found that known disinformation publishers continued to appear in sellers.json files of major ad tech platforms as late as the end of 2022, despite those platforms having published policies prohibiting disinformation publishers. Thirty-five percent of evaluated ad tech systems had at least one disinformation publisher as a direct client. The publishers represented, on average, 2.9 percent of available impressions. The cost of removing them was low. The action was not taken.
The original Vekaria et al. study identified the mechanism. What subsequent research found was the scale of what the mechanism was funding.
A study published in JAMA Network Open in April 2026, covering the period 2021 to 2024, tracked government and health organization advertising on sites that NewsGuard had rated as misinformation publishers. It found $336.4 million in total advertising spend across 11 such sites. Thirty-five point seven million dollars — roughly one in ten dollars spent by health organizations on digital advertising — went directly to these sites. The health organizations were not choosing these sites. The programmatic system was placing them there automatically, by default, unless something had been explicitly configured to prevent it.
Stanford's Internet Observatory and NewsGuard, in a June 2024 joint analysis, found that 67 percent of advertisers had at least one programmatic ad placement on a misinformation website during the study period. Brands using demand-side platforms were ten times more likely to appear on misinformation sites than brands buying directly. The DSPs were optimizing for reach and price. The blocklists, which the DSPs maintained, were not keeping pace with the site creation rate.
The research is consistent across multiple methodologies: ads.txt and sellers.json created the infrastructure for transparency. That infrastructure can be used in ways that are technically compliant with the specification while functionally deceptive. The deception works at scale because the people being deceived — the brands — have no direct visibility into the pool their money entered, and the parties who could intervene — publishers, ad networks — have misaligned incentives.
The dark pooling problem is not a bug in the system. It is a consequence of the system's design. ads.txt authorizes accounts, not organizations. A publisher ID is a commercial relationship, not a reputation certification. When you combine those facts with a competitive landscape where ad networks compete on inventory volume and publishers compete on monetization rate, and you add the fundamental opacity of the RTB bid stream, you get an environment where copying a publisher ID is rational behavior for a site that wants to monetize.
The Vekaria et al. paper proposes countermeasures: better vetting of ad exchange partners, new transparency standards enabling end-to-end supply chain validation, and widespread deployment of independent audits. Nine years on, the independent audits exist. The vetting remains the discretion of individual exchanges. The standards have been updated — ads.txt 1.1 added fields for OWNERDOMAIN and MANAGERDOMAIN in 2023-2024 — but compliance remains structural.
What the research makes clear is that the inventory laundering problem is not a technical failure that better tools will solve. It is an incentive failure. The parties best positioned to prevent it — exchanges with market power, SSPs with direct relationships — profit from the volume the pools generate. The parties paying for the inventory do not have the visibility to know what they are buying. The mechanism is legal, transparent in the narrow sense that the files are publicly accessible, and functionally deceptive in the sense that the deception accomplishes exactly what it was designed to accomplish: reputable brands fund misinformation through a ledger they were told to trust.
The ledger was a start. It was not an answer.
---
Sources: