Confiant Exposes A Cookie-Stuffing Scheme That’s Been Stealing Attribution Credit For Years

Ad safety firm Confiant claims it has recognized an ongoing cookie-stuffing scheme allegedly perpetrated by Dataly Media, an online marketing platform primarily based in Ecuador.
Dataly Media’s purported cookie-stuffing practices date again to no less than 2015 and underpin a big a part of the corporate’s online marketing enterprise carried out since that point, based on Confiant. However, Confiant was not capable of present an estimate of how a lot income Dataly Media has earned from these practices.
Dataly Media served roughly 125 million show advert impressions in 2022 alone, Confiant estimates, however it’s unclear what number of of those placements had been topic to cookie stuffing. In 2022, Dataly Media was lively on no less than 4 DSPs; Confiant declined to call these DSPs.
What is cookie stuffing?
“Cookie stuffing is basically stealing conversions,” stated Jerome Dangu, co-founder and CTO of Confiant.
Dataly Media could be paid for these allegedly stolen conversions by advertisers operating cost-per-click (CPC), cost-per-lead (CPL) and cost-per-acquisition (CPA) campaigns.

In online marketing, monitoring pixels show whether or not a conversion (like a subscription signup or product buy) resulted from a consumer visiting a specific website or clicking a specific online marketing hyperlink.
But in a cookie stuffing scheme, a foul actor embeds code into advert inventive. The code drops a monitoring pixel for a web site aside from the one a consumer is presently visiting, with out the consumer’s information or consent. Affiliate advertising and marketing platforms then attribute any conversions a consumer makes to a website that consumer by no means visited.
Because it has a seat on DSPs, Dataly Media is ready to bid on advert stock auctioned by unsuspecting writer websites. Upon successful an advert public sale, Dataly Media would place advertisements that had been allegedly embedded with cookie-stuffing code that will load a number of hidden iframes throughout the advert inventive.
An advertiser’s touchdown web page, together with related click on trackers, would then render inside these hidden iframes unbeknownst to the consumer. The click on trackers set off attribution in Dataly Media’s Eficads online marketing platform in addition to third-party online marketing platforms and attribution distributors.
The impact is similar as if the consumer had clicked an advert for a product and landed on the advertiser’s touchdown web page. But quite than attribute the touchdown web page go to and any accomplished transactions to the location the consumer really visited, the monitoring pixels attribute conversions to a totally separate made-for-advertising (MFA) online marketing website owned and operated by Dataly Media – for instance, Then, advertisers are on the hook to pay the writer operated by Dataly Media for his or her CPC, CPL and CPA campaigns.
“Dirty” and “clear” provide paths
Dataly Media allegedly operates plenty of MFA websites which are used to siphon attribution credit score. These MFA websites seem reliable as a result of they appeal to a good quantity of legitimate site visitors, albeit site visitors that’s bought by means of content material suggestion widgets like Taboola.
In this sense, the purported cookie-stuffing scheme includes what Confiant refers to as a “soiled” provide path that incorporates invalid site visitors generated by malvertising and a “clear” path that incorporates legitimate (though principally paid) site visitors.
Dataly Media allegedly launders the invalid website site visitors manufactured by the cookie-stuffing scheme by muddling it with the legitimate site visitors garnered from native promoting.

For instance, Dataly Media’s MFA website focuses on “Top 3” lists that promote merchandise by means of affiliate hyperlinks. So, if an advertiser is operating an online marketing marketing campaign by means of, it wouldn’t be stunned to see a lot of attributed landing-page visits coming from But a few of these landing-page visits are manufactured by way of the alleged cookie-stuffing scheme and stolen from different writer websites.
“So, if an advertiser or an affiliate platform had been to have a look at the info, they’d see they’ve many guests from and a great quantity of conversions. But the variety of [valid] guests is basically fabricated from site visitors that’s purchased on Taboola for very low cost,” Dangu stated.
In addition to Dataly Media, Confiant recognized three major authorized entities concerned within the purported cookie-stuffing scheme: Just Media Group (rebranded from Just Click Media), Eficads and Tredia Solutions. Dataly Media, Eficads and Tredia Solutions seem like operated by the overarching Just Media Group, however the group’s possession construction is unclear, Dangu stated.
To keep forward of efforts to determine any purported malfeasance, Dataly Media allegedly created greater than 100 advert serving domains and partnered with a variety of promoting platforms.
Cookie stuffing usually goes unnoticed and unpunished as a result of online marketing is rife with unhealthy actors, Dangu stated. The drawback could also be extra widespread than the business desires to confess, he stated. The duty usually falls on distributors who look at advert inventive and impression-level advert fraud to boost a pink flag on these practices.
“This isn’t bot site visitors, and it’s technically not attacking customers a lot as creating pretend impressions. So, as a lot as this dilutes the standard of affiliate applications, it’s fully hidden within the math of the accounting and the way the business is organized to deal with this drawback,” Dangu stated.
The hurt finished
But Dataly Media’s alleged cookie-stuffing practices create a variety of issues for publishers and advertisers alike, he stated.
For advertisers, the invalid site visitors degrades marketing campaign efficiency and skews information used for concentrating on. Invalid site visitors may have an effect on efficiency metrics like cost-per-click.
Meanwhile, writer websites get slowed down by the community load required to render the iframes hidden within the advert inventive, which causes latency points for website guests.
And the dearth of consumer consent for using third-party monitoring pixels means unwitting events could possibly be on the hook for not complying with information privateness laws like Europe’s GDPR. In reality, Confiant discovered that 76% of alleged cookie-stuffing advertisements served by Dataly Media in 2022 had been served to European customers in violation of GDPR.
Dataly Media is registered below the TCF Global Vendor List below the identify Tredia Solutions. However, its machine storage disclosure solely incorporates a number of of Dataly Media’s related domains, with plenty of domains undeclared below TCF.
“The IAB has some jurisdiction right here for enforcement, as a result of [Dataly Media] is a non-compliant vendor [under TCF],” stated Kaileigh McCrea, privateness engineer at Confiant. “The GDPR-level violation would usually be enforced by the Data Protection Authority within the nation the place the corporate is headquartered. In addition, there could also be some actions that could possibly be filed on behalf of customers in sure international locations.”
Confiant has introduced its findings to the eye of IAB Europe. It additionally contacted Just Media Group, however acquired no response.
AdExchanger reached out to each IAB Europe and Dataly Media however didn’t hear again earlier than publication.

Recommended For You