A sophisticated new cloaking platform, named 1Campaign, is empowering cybercriminals to bypass Google Ads’ screening mechanisms and distribute malicious advertisements. This development poses a significant threat to internet users, increasing their vulnerability to phishing schemes and cryptocurrency theft. Google Ads, a widely trusted online advertising network, relies on stringent screening to block fraudulent content. However, 1Campaign has been engineered to circumvent these protections, enabling malicious campaigns that promote phishing pages, counterfeit software downloads, and cryptocurrency drainer websites.
The platform, developed by an individual known as DuppyMeister, has been operational for over three years and includes dedicated support channels on Telegram. Cybersecurity researchers from Varonis have analyzed 1Campaign, detailing its advanced cloaking capabilities. This technology allows attackers to display a benign webpage to ad reviewers and automated scanners, while redirecting genuine visitors to fraudulent sites. This tactic ensures that malicious ads remain live until they are reported by victims or manually flagged by Google.
How 1Campaign Filters and Targets Its Victims
A core feature of 1Campaign is its real-time visitor filtering and fraud scoring engine. Researchers observed a campaign dubbed “Blockbyblockchain” targeting the domain bitcoinhorizon.pro, which processed 1,676 visitors with a low approval rate of just 0.6%. The platform’s dashboard indicated a total of 4.3K visitors, with 99.2% being blocked, demonstrating its aggressive approach to evading security infrastructure.
The filtering process assigns each visitor a fraud score from 0 to 100. Traffic originating from major tech providers such as Microsoft Corporation, Google, Tencent Cloud Computing, and OVH Hosting is automatically blocked regardless of its fraud score, because the system identifies these IP ranges as automated scanners based on ISP and network identifiers.
The filtering operates on multiple layers. It includes IP reputation checks against known data centers and VPN exit nodes, device fingerprinting to detect headless browsers and automation tools, and behavioral analysis, such as unusually fast page loads or the absence of JavaScript execution. Any visitor triggering a single check is silently redirected to a harmless “white page,” thus concealing the attacker’s malicious content from security assessments.
Additionally, 1Campaign employs geographic and device targeting to refine its operations. Campaign operators can restrict ads to specific countries and device types. This allows them to focus on regions where phishing content is most effective while filtering out traffic from areas commonly used by security researchers. Observed traffic originated from a diverse range of countries including the United States, Netherlands, Canada, China, Germany, France, Hungary, Albania, and Japan.
For ad placement, 1Campaign integrates a Google Ads launcher. This tool assists operators in deploying both malicious and clean campaigns simultaneously. The developer claims that this method bypasses Google Ads policy restrictions, enabling the use of any branding or wording, including the impersonation of legitimate businesses. This capability highlights the challenge platform providers face in robustly verifying all submitted advertising content.
Security teams are advised that static URL scanning is insufficient against cloaked infrastructure. Effective detection requires tools that can emulate genuine human browser behavior, rotate IP addresses, and interact with forms and authentication prompts that cloaking services utilize to screen out scanners. The domain bitcoinhorizon.pro has been identified as a confirmed indicator of compromise directly linked to active 1Campaign operations. Users are encouraged to verify URLs before clicking sponsored results, avoid downloading software via ad links, and report suspicious Google Ads. Organizations should monitor for this specific domain as a warning sign.
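As an added illustration of the detection advice above (not code from Varonis or from the article), the following Python sketch compares fetches of the same sponsored-result URL taken from different vantage points and flags ads whose landing content diverges or whose final host matches the indicator named in the article. The record fields, vantage labels and example.* URLs are assumptions, and the sample observations are constructed.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

IOC_DOMAINS = {"bitcoinhorizon.pro"}  # the indicator named in the article

# Constructed sample data (not real telemetry); field names are assumptions.
# Each record is one fetch of a sponsored-result URL from one vantage point.
OBSERVATIONS = [
    {"ad_url": "https://ad.example/c?id=1", "vantage": "datacenter-headless",
     "final_url": "https://landing.example/blog", "body": "<h1>Market news</h1>"},
    {"ad_url": "https://ad.example/c?id=1", "vantage": "residential-interactive",
     "final_url": "https://bitcoinhorizon.pro/", "body": "<form>Connect wallet</form>"},
    {"ad_url": "https://ad.example/c?id=2", "vantage": "datacenter-headless",
     "final_url": "https://shop.example/", "body": "<h1>Shoes</h1>"},
    {"ad_url": "https://ad.example/c?id=2", "vantage": "residential-interactive",
     "final_url": "https://shop.example/", "body": "<h1>Shoes</h1>"},
]

def host_of(url):
    """Lower-cased hostname with any trailing dot removed."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches_ioc(host):
    """True for an indicator domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def fingerprint(obs):
    """What one vantage point saw: final host plus a hash of the body."""
    body_hash = hashlib.sha256(obs["body"].encode()).hexdigest()
    return host_of(obs["final_url"]), body_hash

def review(observations):
    """Map each suspicious ad URL to the reasons it was flagged."""
    by_ad = defaultdict(list)
    for obs in observations:
        by_ad[obs["ad_url"]].append(obs)
    findings = {}
    for ad_url, group in by_ad.items():
        prints = {o["vantage"]: fingerprint(o) for o in group}
        reasons = []
        if len(set(prints.values())) > 1:
            reasons.append("content differs by vantage point")
        if any(matches_ioc(host) for host, _ in prints.values()):
            reasons.append("final host matches known indicator")
        if reasons:
            findings[ad_url] = reasons
    return findings

if __name__ == "__main__":
    for ad, reasons in review(OBSERVATIONS).items():
        print(ad, "->", "; ".join(reasons))
```

Exact body hashes will also differ on legitimate pages with dynamic content, so in practice the body should be normalised before hashing and a divergence treated as a lead for manual review.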

