PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Hackers Made Millions Using Infected PCs in Click Fraud Scheme

On Tuesday, the US Justice Department and Google announced they had shut down a massive click fraud operation, which involved infecting thousands of Windows computers to click on internet ads.

Michael Kan
 & Michael Kan Principal Reporter

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

A massive cybercriminal operation that infected more than 1.7 million computers to generate clicks on internet ads has been taken offline.

SecurityWatch

On Tuesday, the US Justice Department and Google announced they had shut down the click fraud operation, which was raking in tens of millions of dollars for the hackers behind it.

Dubbed "3ve" (pronounced Eve), the click fraud involved cybercriminals taking over Windows PCs, and secretly automating them to visit certain websites to generate the fake clicks over online ads. The operation was so large that 3ve was able to produce between 3 billion to 12 billion ad clicks per day.

To infect PCs, the hackers used a malware strain, called Kovter, which can run a hidden browser over a computer without the user ever aware. Kovter was spread via spam email attachments and compromised websites, which tricked victims into downloading fake Chrome, Firefox and Flash updates. An estimated 700,000 Windows computers were actively infected at any given time by the malware.

3ve operation

In addition, the operators of 3ve used a separate malware strain, called Boaxxe, to remotely control computers in data centers. These machines initially pretended to be desktops, but eventually transitioned to masquerading as Android devices.

The computers ensnared in the click fraud scheme resided in North America and Europe, and in both home and corporate spaces, according to Google and the security firm White Ops. In a white paper, both companies wrote that 3ve was "one of the most widespread ad fraud operations ever uncovered." To pull in more revenue, the hackers created thousands of counterfeit webpages of popular domains. Infected computer would then download the fabricated webpages, and engage in the click fraud.

Doing this allowed the hackers to fool advertisers into thinking their ads had been served on the top websites. According to the Justice Department, the scheme was so successful it forced businesses to pay more than $29 million for ads that were never viewed by real human users.

The 3ve operation started in Dec. 2015 and went on to this year. To take down the click fraud scheme, US authorities have been seizing the domain names and servers the hackers used to control the infected machines. On Tuesday, federal investigators also unsealed an indictment that claims three people ran the 3ve operation. Two of the suspects, Sergey Ovsyannikov and Yevgeniy Timchenko, were recently arrested in Malaysia and Estonia, and are awaiting extradition to the US. The remaining suspect, Aleksandr Isaev, is still at large.

It isn't totally clear how US investigators identified the suspects in the case, but several security firms, including ESET, Trend Micro and Malwarebytes, assisted with the investigation.

If you suspect your computer has been infected by the Kovter or Boaxxe malware strain, US cyber authorities are suggesting you run a free anti-virus tools to get rid of the malicious code. You can find more information here.

On the same day, the Justice Department unsealed indictments against five other suspects for running a separate click fraud scheme, called Methbot, that involved renting out computer servers in a datacenter in Texas to generate the fake clicks. The fraud forced businesses to pay more than $7 million for ads that were also never seen.

About Our Expert

Michael Kan

Michael Kan

Principal Reporter

My Experience

I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.

Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.

The Best Tech I've Had:

  • My first video game console: a Nintendo Famicom
  • I loved my Sega Saturn despite PlayStation's popularity.
  • The iPod Video I received as a gift in college
  • Xbox 360 FTW
  • The Galaxy Nexus was the first smartphone I was proud to own.
  • The PC desktop I built in 2013, which still works to this day.

Read the latest from Michael Kan

Read full bio