Camu Unmasked: The Billion-Dollar Pirated Content Ad Scheme
Human Security has uncovered a significant scheme for monetizing pirated content through advertising networks. The perpetrators behind these sites place advertisements on pages hosting pirated content to generate revenue. Visitors to these sites become a source of traffic that attracts advertisers, who pay the site owners for displaying ads.
However, most advertisers and advertising networks are unwilling to place their ads alongside pirated content, compelling the perpetrators to conceal their activities.
A striking example of such a scheme is the operation known as “Camu” (from Portuguese, meaning “camouflage”). Based in Brazil, this scheme serves as a mechanism for cashing out revenue from pirated content. The operation works by directing users seeking access to pirated movies and TV shows to a specialized site—a “cashing” domain. When users visit these domains directly, they see innocuous blogs that do not arouse suspicion among advertisers. However, if a visitor arrives at the site through specific links, they are shown pirated content and a plethora of advertisements.
At the height of its activity, Camu processed up to 2.5 billion ad requests daily across 132 domains created specifically for this scheme. For comparison, this figure roughly matches the daily ad request activity in cities like Atlanta or Sacramento in the United States. Efforts by specialists have significantly reduced the volume of requests on domains associated with Camu to 100 million per day over the past nine months. The operation is still ongoing, remaining the largest camouflage scheme ever discovered.
One of the key features of Operation Camu is the method of domain masking. When a user accesses a site with pirated content, they are assigned a special token that passes through several stages of redirection before reaching the target site. The token adds a cookie to the user’s browser, and the presence or absence of this cookie determines whether the system displays the version of the site with pirated content or the ordinary blog.
The perpetrators also employ more sophisticated methods to deceive advertising networks, such as falsifying referral data, making the connection between the pirated sites and the advertising domains less apparent. In some cases, instead of being redirected to a site with pirated content, users may be redirected to phishing sites or pages containing malware.
