The Resolution Default
When fraudsters built 35 million fake mobile devices, they gave them screen resolutions no human has used since the early 2000s. This is a story about what that oversight reveals.

In the first quarter of 2025, DoubleVerify's Fraud Lab catalogued a problem that was, in the most literal sense, a resolution failure. The operation — since named ShadowBot — had generated more than 35 million spoofed mobile device signatures using emulator farms and VPN IP addresses. It was producing more than three million fake device profiles per day. It had extracted approximately $2.5 million from advertisers running campaigns without protection.

The scheme was uncovered because someone at DV noticed that the fake devices were reporting a screen resolution of 800 by 600 pixels.

800×600 is a display setting associated with the CRT monitor era — it was the standard VGA resolution through much of the 1990s and early 2000s. It is not a resolution that any contemporary mobile device reports. It is, however, a default setting in mobile emulators — the software tools developers use to simulate mobile device behavior in a desktop environment.

The fraudsters had not bothered to change it.



DoubleVerify's fraud analysts catalogued the ShadowBot operation's failures in a June 2025 report. The 800×600 resolution was the most public of these mistakes, and the one that attracted the most attention. But it was not the only one.

**First: the resolution itself.** Emulators default to generic display settings, and the ShadowBot operators did not override them. A modern iPhone 15 Pro reports 1179×2556. A Samsung Galaxy S24 reports 1080×2340. A fleet of spoofed devices all reporting 800×600 is a fleet of devices that have not been configured to resemble anything real.

**Second: app engagement velocity.** The simulated devices were switching between ten applications in nine minutes. The average human mobile user does not switch applications at this rate. The rate at which a script cycles through a list of installed apps, firing off impression events in sequence, is approximately this rate. The pattern was recognizable as machine-generated behavior.

**Third: impression uniformity.** Each spoofed device had a nearly identical impression count. Human users do not consume content uniformly. One user sees twelve ads on a Tuesday morning. Another sees none. A fleet of emulators running the same script will generate the same impression counts across every instance, because they are running the same script.

**Fourth: IP infrastructure.** The operation routed traffic through anonymizing proxy services that had documented histories of abuse, fake testimonials, and broken contact URLs. The network reputation of these IP sources was available in standard threat intelligence feeds. It was not consulted.

**Fifth: volume timing.** The traffic generation was aggressive beyond reasonable seasonal variation. Impressions arrived at a rate consistent with an automated process, not a growing user base.
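The second and third signals can be computed over a group of devices that share a traffic source, as in this added example (it is not DoubleVerify's code). The session fields, the thresholds and the sample sessions are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Assumed thresholds; the article reports observations, not cut-offs.
MAX_SWITCHES_PER_MIN = 1.0  # ShadowBot: ten apps in nine minutes (~1.1/min)
MAX_UNIFORM_CV = 0.10       # counts this tight are treated as "nearly identical"
MIN_FLEET_SIZE = 5          # uniformity means nothing for a handful of devices

def coefficient_of_variation(values):
    """Standard deviation relative to the mean; None when the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m else None

def score_fleet(sessions):
    """Score devices that share a fingerprint cluster or traffic source."""
    if len(sessions) < MIN_FLEET_SIZE:
        return {"cv": None, "fast_share": None, "signals": []}
    rates = [s["app_switches"] / s["minutes"] for s in sessions]
    fast_share = sum(r > MAX_SWITCHES_PER_MIN for r in rates) / len(rates)
    cv = coefficient_of_variation([s["impressions"] for s in sessions])
    signals = []
    if fast_share > 0.5:  # most of the fleet cycles apps at script speed
        signals.append("app_switch_velocity")
    if cv is not None and cv < MAX_UNIFORM_CV:  # every device saw the same ad load
        signals.append("impression_uniformity")
    return {"cv": cv, "fast_share": fast_share, "signals": signals}

# Constructed sample sessions, each a nine-minute window.
EMULATOR_FLEET = [{"app_switches": 10, "minutes": 9, "impressions": n}
                  for n in (120, 121, 120, 119, 120, 121)]
HUMAN_FLEET = [{"app_switches": a, "minutes": 9, "impressions": n}
               for a, n in ((3, 12), (1, 0), (6, 47), (2, 3), (4, 88), (0, 5))]

if __name__ == "__main__":
    print(score_fleet(EMULATOR_FLEET))
    print(score_fleet(HUMAN_FLEET))
```

The fleet-size guard and the zero-mean case keep the uniformity signal from firing on groups too small or too idle to say anything about.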

The $2.5 million figure represents losses to advertisers running mobile and CTV campaigns without DoubleVerify's detection systems in place. DV's own clients were protected. The unprotected lost money.



The ShadowBot case is notable for its simplicity. It was not a sophisticated operation. It was an emulator farm with a 1990s display setting. The sophistication, if any, was in the scale — 35 million spoofed devices — not in the operational security.

But it arrives at a moment when the industry is already fighting an expensive war on multiple fronts. CTV is the most contested terrain.

DoubleVerify's 2025 Global Insights report documented the scope of the problem: in 2024, bot fraud accounted for 65 percent of all fraud in CTV environments — a share 14 percentage points higher than in other digital channels. More than one in four CTV video impressions, without adequate protection, fails to meet minimum criteria for being fraud-free, viewable, brand-safe, and brand-suitable. A single bot variant, operating at scale, can cost advertisers more than $7.5 million per month in wasted media spend, based on average industry CPMs.

North America specifically saw bot fraud surge 101 percent year-over-year according to DoubleVerify's 2025 Global Insights report covering 2024 data; the United States alone showed a 106 percent increase, driven primarily by mobile app video ads. The volume peaked in the second half of 2024, with Q4 showing a 234 percent increase over Q2 2023.

The vulnerability is structural. CTV environments sit at the intersection of multiple poorly-audited systems: the connected device itself, the operating system, the SSP or supply-side platform, the DSP on the buy side, and the attribution and measurement layer. Each handoff is a point where a spoofed signal can enter the ecosystem and exit with money.

"Emerging media types, including mobile and CTV environments, are especially susceptible to fraud due to limited visibility and rapid growth," said Lisa Toledano, then VP of brand safety and fraud at DoubleVerify.

The 2018 case was instructive. In November 2018, DV's Fraud Lab identified the first scaled botnet attack specifically targeting CTV devices — a 40 percent spike in CTV traffic that was fraudulent, with roughly one-third originating from gaming consoles and two-thirds from smart TVs, according to DV's own announcement of the discovery. The attack was detectable because it was volumetric. The current generation of operations is more calibrated: lower and slower, designed to stay beneath threshold detection.

ShadowBot was not subtle. It generated three million spoofed device signatures per day. It was caught because it was also careless.



The interesting question is not whether 800×600 exposed ShadowBot — it did — but why screen resolution is a useful signal at all.

Device fingerprinting in programmatic advertising collects between twenty and thirty attributes per device: screen resolution, GPU renderer, installed fonts, CPU model, timezone, user agent string, touch point configuration, audio codec support. Individual attributes are not discriminative. 800×600 alone is not meaningful; it is a configuration option available in many emulators. What is meaningful is the combination: a device claiming to be a modern Android smartphone with a 2024 user agent string, but reporting 800×600 screen resolution, no touch capability, and a desktop-grade CPU configuration. That assembled profile is incoherent in ways that are trivial to detect.

Academic research from 2024 — "FP-Inconsistent: Measurement and Analysis of Fingerprint Inconsistencies in Evasive Bot Traffic" (arXiv:2406.07647) — found that evasive bots can alter individual fingerprint attributes with reasonable accuracy, but produce attribute combinations that are statistically anomalous. The inconsistency between, say, screen resolution and GPU renderer is a more reliable indicator than either attribute alone.
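A cross-attribute coherence check of the kind described above, as an added example rather than code from DoubleVerify or the cited paper. The field names, rule set, thresholds and sample fingerprints are assumptions constructed for illustration.

```python
import re

# Assumed patterns for this example, not an exhaustive catalogue.
MOBILE_UA = re.compile(r"Android|iPhone")
DESKTOP_CPU = re.compile(r"x86|amd64|Intel", re.I)
DESKTOP_GPU = re.compile(r"SwiftShader|llvmpipe|GeForce|Radeon", re.I)

def incoherences(fp):
    """List the attributes that contradict a mobile user agent claim."""
    found = []
    if not MOBILE_UA.search(fp["user_agent"]):
        return found  # only mobile claims are modelled here
    w, h = fp["screen"]
    # Assumed cut-off: phone screens are far from 4:3 (800x600 is 1.33).
    if max(w, h) / min(w, h) < 1.5:
        found.append("aspect_ratio_not_phone")
    if fp["max_touch_points"] == 0:
        found.append("no_touch_on_mobile")
    if DESKTOP_CPU.search(fp["cpu"]):
        found.append("desktop_cpu_on_mobile")
    if DESKTOP_GPU.search(fp["gpu_renderer"]):
        found.append("desktop_gpu_on_mobile")
    return found

def is_incoherent(fp, min_hits=2):
    """Flag only on a combination; one odd attribute is not enough."""
    return len(incoherences(fp)) >= min_hits

# Constructed fingerprints (not captured traffic).
UA = "Mozilla/5.0 (Linux; Android 14; Mobile) AppleWebKit/537.36"
EMULATED = {"user_agent": UA, "screen": (800, 600), "max_touch_points": 0,
            "cpu": "x86_64", "gpu_renderer": "Google SwiftShader"}
PHONE = {"user_agent": UA, "screen": (1080, 2340), "max_touch_points": 5,
         "cpu": "arm64-v8a", "gpu_renderer": "Adreno (TM) 750"}
ONE_ODD = dict(PHONE, cpu="x86_64")  # a single mismatch on an otherwise sane profile

if __name__ == "__main__":
    for name, fp in (("emulated", EMULATED), ("phone", PHONE), ("one_odd", ONE_ODD)):
        print(name, is_incoherent(fp), incoherences(fp))
```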

The detection architecture that caught ShadowBot combines four layers: device fingerprint analysis, behavioral pattern analysis, network intelligence (IP reputation and proxy transparency), and volume timing analysis. No single layer would have been sufficient. The 800×600 resolution flagged the operation for fingerprint review. The app-switching velocity confirmed it was automated. The impression uniformity across devices confirmed it was scripted. The IP reputation confirmed it was intentional infrastructure and not a misconfiguration.

"The fraud scheme operator didn't even bother to match its fake device signals to a proper mobile device," said Gilit Saporta, VP Product for Fraud and Quality at DoubleVerify. "It's alarming to see $2.5 million lost to bots using resolutions of an old CRT screen we all used back in the 1990s."



There is a structural problem in the economics of bot detection that the ShadowBot case makes visible. Building a fake human is cheap. Detecting fake humans requires maintaining a current, comprehensive, and adaptive detection stack. The attacker needs to get one thing right — enough fidelity to pass sampling — while the defender needs to get everything right — every signal, every configuration, every behavioral pattern.

The modern emulator is not a crude tool. Headless browser frameworks like Puppeteer and Playwright can be configured with anti-detection plugins that randomize viewport sizes, match GPU renderers to claimed device types, generate plausible scroll patterns, and introduce human-like dwell times. The operational security of a fraud operation is a direct function of how much the operator is willing to pay for realism.

What the 1990s resolution revealed was the floor of that tradeoff. At sufficient scale, with sufficient budget, the marginal cost of configuring device fingerprints to match claimed device types exceeds the marginal revenue from the impressions those fingerprints generate. The operator of ShadowBot made a rational economic decision: the probability of detection multiplied by the cost of being detected was lower than the cost of maintaining realistic device profiles across 35 million spoofed devices.

This is the uncanny valley of bot detection, if the phrase is useful: not a failure of visual realism, but a failure of the economic model. The fake human that passes scrutiny is often not the most sophisticated one — it is the one where the operator correctly calculated the detection threshold and stopped just beneath it. ShadowBot did not stop beneath the threshold. It did not approach it.



The ShadowBot case is not evidence that programmatic advertising's fraud problem is solved. It is evidence that the fraud problem is distributed across a wide competence range — from operations like ShadowBot, which are detectable with commodity tooling, to operations that are genuinely sophisticated, expensive to run, and difficult to attribute.

The 2024 surge in North American bot fraud — 101 percent year-over-year, as documented in DV's July 2025 report — is not a story about a single operation. It is a story about an equilibrium, in which detection capability and fraud capability improve in parallel, with the gap between them determined by economics, visibility, and institutional investment. ShadowBot was detected. The question the industry has not answered is how many operations of comparable scale are running in environments where the detection infrastructure is thinner, the attribution is more diffuse, and the economic incentive to look away is higher.

The 800×600 resolution is a useful marker for that uncertainty. It tells you that this particular operator was not trying very hard. It does not tell you how many operators are trying considerably harder.

---

age-net · age-net.com · hello@age-net.com