Black Hat USA 2025 | No Hoodies Here: Organized Crime in AdTech

Black Hat | Mar 16, 2026

Why It Matters

Malicious ad-tech siphons revenue and spreads malware at scale, forcing enterprises to overhaul ad-network security and supply-chain vetting to protect brand integrity and bottom lines.

Key Takeaways

  • Malicious ad tech fuels organized crime money‑laundering
  • VexTrio compromises 40% of WordPress sites rapidly
  • Affiliate‑style networks hide scams via smart links
  • Operators traced to Italian and Eastern‑European groups
  • Front‑company ecosystem evades detection and funds cybercrime

Summary

The Black Hat USA 2025 talk unveiled how the advertising ecosystem has become a lucrative conduit for organized crime. Speakers Dave Mitchell and Renée Burton detailed the rise of malicious ad-tech networks, most notably VexTrio, showing how they infiltrate legitimate ad platforms, hijack WordPress sites, and distribute malware through affiliate-style traffic.

Key insights highlighted that VexTrio can push malicious traffic to the top 10,000 domains in under a month, accounting for roughly 40% of compromised sites in 2024. The group mimics legitimate affiliate marketing: profiling users, deploying "smart links" and push-notification scams, and even tailoring decoy pages for security researchers. Its operations rely on a sprawling web of front companies (Los Puyos, Taco Loco, AdsPro, and others) linked through passive DNS and shared infrastructure.
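The summary says the front companies were linked through passive DNS and shared infrastructure. The Python below is an added illustration, not code from the talk or from Infoblox, of the basic pivot a defender can run over passive-DNS records: group domains that share an IP address or nameserver, while discarding values shared by too many domains (bulk hosting, public DNS providers, CDNs) so that unrelated sites are not merged into one cluster. Every domain name, IP address and nameserver in it is constructed sample data; the `(domain, rrtype, rdata)` record shape and the `max_fanout` threshold are assumptions for the example, not the presenters' method.

```python
"""Pivot on passive DNS to find domains that share hosting infrastructure.

Added illustration, not code from the talk or from Infoblox. Every domain,
IP address and nameserver below is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Assumed record shape: (domain, rrtype, rdata), the minimum most
# passive-DNS sources expose.
PdnsRecord = Tuple[str, str, str]

# Constructed sample data: three "front" domains that share an IP or a
# nameserver, plus three unrelated sites that only share a large DNS provider.
SAMPLE_PDNS: List[PdnsRecord] = [
    ("ads-front-a.example", "A", "203.0.113.10"),
    ("ads-front-a.example", "NS", "ns1.shared-host.example"),
    ("ads-front-b.example", "A", "203.0.113.10"),
    ("ads-front-c.example", "A", "203.0.113.11"),
    ("ads-front-c.example", "NS", "ns1.shared-host.example"),
    ("unrelated-blog.example", "A", "198.51.100.5"),
    ("unrelated-blog.example", "NS", "ns.bigdns.example"),
    ("shop.example", "A", "198.51.100.6"),
    ("shop.example", "NS", "ns.bigdns.example"),
    ("news.example", "A", "198.51.100.7"),
    ("news.example", "NS", "ns.bigdns.example"),
]


def shared_values(records: Iterable[PdnsRecord],
                  max_fanout: int) -> Dict[Tuple[str, str], Set[str]]:
    """Map each (rrtype, rdata) to the domains that used it.

    Values seen on only one domain link nothing and are dropped. Values seen
    on more than max_fanout domains (shared hosting, public DNS providers,
    CDNs) are dropped too: pivoting on them merges unrelated sites.
    """
    by_value: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for domain, rrtype, rdata in records:
        by_value[(rrtype, rdata)].add(domain)
    return {k: v for k, v in by_value.items() if 1 < len(v) <= max_fanout}


def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_by_shared_infrastructure(records: Iterable[PdnsRecord],
                                     max_fanout: int = 25) -> List[Set[str]]:
    """Group domains transitively connected by a kept shared value.

    Returns clusters sorted largest first; singletons are kept so the caller
    can see which domains did not pivot to anything.
    """
    records = list(records)
    parent = {domain: domain for domain, _, _ in records}
    for domains in shared_values(records, max_fanout).values():
        anchor = min(domains)
        for domain in domains:
            root_a, root_b = _find(parent, anchor), _find(parent, domain)
            if root_a != root_b:
                parent[root_b] = root_a
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain in parent:
        groups[_find(parent, domain)].add(domain)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


if __name__ == "__main__":
    for threshold in (2, 10):
        print(f"max_fanout={threshold}")
        for cluster in cluster_by_shared_infrastructure(SAMPLE_PDNS, threshold):
            print("  ", sorted(cluster))
```

With `max_fanout=2` the three `ads-front-*` domains form one cluster and the three unrelated sites stay apart, because `ns.bigdns.example` serves more than two domains and is discarded as a pivot. Raising the threshold to 10 merges those unrelated sites into a second cluster, which is the false-positive mode the threshold exists to control; in practice the cutoff is tuned against how concentrated the hosting in the data set is.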

A striking example was a single frame from a Russian-language YouTube video that revealed the VexTrio URL pattern, allowing investigators to connect the dots to a network of micro-companies across Italy, Russia, Belarus, and Montenegro, all converging in Lugano by 2020. The presenters also cited pop-culture references, Breaking Bad motifs and a "robot capture" mascot, to illustrate the group's branding tactics.

The findings underscore the urgent need for advertisers, security teams, and DNS providers to scrutinize traffic sources, enforce stricter vetting of affiliate networks, and monitor anomalous domain activity. As malicious ad-tech siphons billions and spreads malware, businesses risk both financial loss and reputational damage if the ecosystem remains unchecked.

Original Description

For nearly a decade, traffic distribution systems (TDSs) have enabled cybercriminals to hide the true nature of their operations. A TDS serves not only to 'cloak' their activity but also to ensure that victims are 'delivered' to the malicious bait they are most likely to take. These systems are so complex that they are often disregarded with off-hand references to 'a bunch of redirects,' but TDSs are critical enablers to a wide range of crime, from scams to information stealers. In this talk, we will unveil the true identity and nature of one of the most pervasive TDS operators in the landscape, which serves as a cautionary tale of how organized crime actors have created an adtech sector unnoticed by the security community.
VexTrio operates the oldest documented (dating back to 2015), most prolific criminal TDS. For years, it was assumed that VexTrio was a gang of 'hackers in hoodies' operating in the dark web as part of the underground economy. In reality, VexTrio operates in the corporate world and their activities go far beyond traffic distribution. They run a vast enterprise that includes dozens of companies across adjacent industries (not just adtech) on multiple continents. We'll share how we unraveled their operations and how they responded to coordinated exposure, cementing our confidence in the conclusions.
Unmasking VexTrio has been a watershed moment in understanding the role of organized crime within the adtech industry. Numerous other syndicates were discovered as a result, as well as their affiliations with one another. With this new perspective, attendees working in threat intelligence will see TDS in a different light, allowing them to help advance the industry's knowledge and capabilities to fight against malicious adtech. At the same time, attendees working in defender positions will understand events in their own networks better.
By:
Renée Burton | VP of Threat Intel, Infoblox
Dave Mitchell | Senior Director, Threat Intel, Infoblox
Christopher Kim | Senior Staff Threat Researcher, Infoblox
Full Session Details Available at:
