Predicting Financial Crime: Augmenting the Predictive Policing Arsenal

In this paper we have presented our state-of-the-art model for predicting financial crime. By incorporating public data sources with a random forest classifier, we are able to achieve 90.12% predictive accuracy. We are confident that our model matches or exceeds industry standards for predictive policing tools.

Crucially, our model only provides an estimate of white collar crimes for a particular region. It does not go so far as to identify which individuals within a particular region are likely to commit the financial crime. That is, all entities within high risk zones are treated as uniformly suspicious.

Recently researchers have demonstrated the effectiveness of applying machine learning techniques to facial features to quantify the "criminality" of an individual.

We therefore plan to augment our model with facial analysis and psychometrics to identify potential financial crime at the individual level. As a proof of concept, we have downloaded the pictures of 7000 corporate executives whose LinkedIn profiles suggest they work for financial organizations, and then averaged their faces to produce generalized white collar criminal subjects unique to each high risk zone. Future efforts will allow us to predict white collar criminality through real-time facial analysis.

Previously, previously, previously, previously, previously, previously, previously, previously.

In dictionaries “democratization” means more democracy, first and foremost. In marketing it means something else. “Democratizing robotics” means more robotics for more people, not more democracy. “Democratizing Ecuador” means more democracy in Ecuador, not more Ecuador.

The very word “democracy” evokes shiny, high-minded ideals. Overloading “democratize” with “make more available” helps advertisers and activists bounce that light on what they’re pitching. They tend to get away with it, even if they’ve got no solid line to draw from what they sell to any institutions, civil society, or popular principles component to democracy.

Words change in sound and meaning. That is what they do. “Democracy” might be a particularly precious word. But what’s the harm in companies saying “make more available” and “we’re team democracy” all at once, with one word? What’s wrong with them flying the flag? Nothing. Until what they do picks a fight with the ideals they’re keen to associate.

In good times, when happy associations come to mind first, this mostly just means dodging obvious faceplants. You won’t find “democratizing surveillance” on DJI’s website. You’ll find it in book titles scaring us about their drones. You won’t see Signal or Telegram “democratizing conspiracy”. You’ll see them democratizing “privacy” or “security”, that kind of thing.

Whether Russia has or hasn’t actually used specific devices equipped with recent machine learning tech, it’s safe to say their coders—those who haven’t already quit or fled—remain ever grateful for GitHub, the package registries, and all that they can find in them. The prospect of autonomous battle use tickles our taste for drama. But there’s every reason to believe mass analysis on social media, voice-rec on radio, and image-rec on satellite occurred to military intelligence on both sides long before Bellingcat got in the game. Russia has satellites, too, of course. Not to mention spies and propaganda teams. And all the basic comms, logistical, mapping, record-keeping, and other generic needs served by software.

Nothing new here, of course. Giving software to everyone has long meant giving it also to the Kims of North Korea, the Al-Assads of Syria, and, in an earlier era of software history, to the Apartheid regime of South Africa. Global public distribution has long conflicted in principle with arms control, sanctions, and other, less violent alternatives to “boots on the ground”. All of these depend on coordination. They’re undermined by defectors.

The dynamic today is the same. The difference lies in how easy it is, emotionally and analytically, to avoid the issue or rationalize it away. Pretty easy for Americans in the middle ’90s, with the USSR fallen, their nukes secure, and the US economy booming, its homeland seemingly safe. Not so easy today, with Iranian drones overflying the Dnieper, Korean ones overflying the DMZ, Korean missiles whizzing over Japan, Chinese jets roaring around Taiwan, and Ukraine making the news every day.

If you’re thinking more about the nefarious potential users of your software, you’re not alone. But ask yourself: Is that because the world has really gotten so much harder? Or because it’s gotten harder not to see what was always there?

(Photo: The Royal Society, used under Creative Commons. Additional photoediting by me)

If I have one wish coming out of 2022, it’s that this is the year — finally — when the myth of the assumed competence and virtue of billionaires is buried in a shallow grave down by the river. 2022 was chock-a-block full of examples of people with more money than sense, losing a fair amount of that money and gaining no additional sense in return. Our most prominent trio of dimwitted poster children for this concept include Mark Zuckerberg, who has tanked his company’s stock chasing a social media revolution no one wants, including the people making it; Sam Bankman-Fried, who proved that the ponzi scheme is alive and well and has merely changed its name to “crypto;” and, of course, Elon Musk, who was revealed this year to be both incompetent and more than a little bit fashy, and whose antics are actively destroying two companies — Twitter and Tesla — and must be deeply thankful that a third (Space X) has long-term government contracts. As I’m writing this, Tesla’s stock price is down nine percent on the day. I’ve heard rumors Bill Gates has made a lot of money these days shorting the company’s stock. If true, at least someone is making a profit from Tesla; it’s not Musk or the company’s stock holders.

I feel vaguely smug about the billionaire comeuppance this year since The Kaiju Preservation Society, Travel By Bullet and Three Robots: Exit Strategies all whomped on jerk billionaires to a greater or lesser extent. TR:ES called out Musk by name, which a lot of Muskovites gave me grief for, but time has vindicated both me and the episode, as everyone now seems to agree that, given Musk’s hands-on butterfingering of Twitter, he’s the last person anyone would want to rely on to get us all to Mars. As for Bankman-Fried, several plot points of Travel By Bullet so closely mirror what’s actually happening at FTX and Alameda Research that I feel like I should sue him and some of his party pals for plagiarism, not that they have any money anymore. But the fact is I am no great soothsayer; I just understand that it’s easier to get rich when you have family money and/or are actively committing fraud.

Bankman-Fried is screwed; he’ll be spending a long time at the prison camp at Otisville or something similar. Musk will probably be fine financially, since, even if he’s no longer the World’s Richest Man, he has more than enough margin to get by. But the idea that anyone who is not actively licking his boots still considers him a genius, or, indeed, even competent, is laughable. As for Zuckerman, well, bless his heart, both he and Meta seem determined to ride the concept of Sunk Cost Fallacy all the way down to MySpaceLand.

(Oh! And also: Ye, aka Kanye West, who went full anti-Semite this year and because of it went from a billionaire on paper to — well, whatever he is now, being a billionaire sure ain’t it.)

(Oh! Oh! And also Donald Trump, currently hawking NFTs made with stolen art, whose tax returns show he’s better at not having money than having it, and who paid less in taxes over the last five years than almost every other American, because, on paper anyway, he’s a broke-ass loser.)

In all cases, damage, to a greater or lesser extent, has been done.

Which, well: Good. Being a billionaire is not a virtue. It doesn’t have to be an active detriment to one’s humanity (others can and do differ with me on this), but it doesn’t speak well of anyone either, and the valorization of billionaires for being billionaires is some real bullshit that has very clearly done more damage to the world than not. Musk and Trump and Ye and Zuckerberg and Bankman-Fried and any other billionaire do not deserve your respect simply for being rich, and that fact that people gave them respect because of that money allowed them to cover for their other and continuing ethical and moral deficiencies, of which there are many, and which continue to damage our society.

If 2022 sees the beginning of the end of indiscriminate billionaire worship, I will count that as a win. We can use all the wins we can get, coming into 2023.

— JS

by Craig Silverman and Ruth Talbot

In late 2021, the right-wing site Conservative Beaver published a story falsely claiming the FBI had arrested Pfizer’s CEO for fraud.

It wasn’t Conservative Beaver’s first brush with fabricated news. The site had falsely claimed Barack Obama was arrested for espionage, Pope Francis was arrested for possession of child pornography and “human trafficking,” and the Pfizer CEO’s wife died after being compelled to take a COVID-19 vaccine. As Conservative Beaver pumped out these and other lies, Google placed ads on the site and split the revenue with its then-anonymous owner.

Its owner was eventually identified as a Canadian man, Mark Slapinski, after Pfizer threatened to sue him for defamation, and Google removed ads from the site in November of last year due to public pressure. Soon, Conservative Beaver went offline.

But today, roughly a year later, Slapinski is still making money from Google ads.

He runs the conservative political site Toronto 99 and uses the same Google publisher account he had for Conservative Beaver to collect ad revenue. Google simply allowed Slapinski to start a new site and keep earning money. It’s the equivalent of taking away an unsafe driver’s car instead of their license.

In the nearly half-trillion-dollar digital ad industry, Google sets the rules of the road. More than any other company, Google determines the online ads we see, what they cost and who gets paid for them. It runs the biggest search ad business and provides the industry’s leading tools for buying, selling and displaying ads.

And if you have a website and want to earn money from digital ads, you can join the Display Network, where Google places ads on what it has publicly said are more than 2 million websites and an untold number of mobile apps. It’s the modern equivalent of a national network of billboards on nearly every highway being controlled by a single company — and reportedly generated $31 billion in revenue for Google last year.

But if you’re Slapinski, Google’s Display Network has another benefit besides its market share: its secrecy. Google is the only major ad platform that hides the vast majority of its ad-selling partners. This means Google does not disclose all the websites and apps where it places ads or the people and companies behind them. The company conceals this information even after helping establish and publicly supporting an industry transparency standard for disclosing such sellers, which its competitors have largely adopted.

Nandini Jammi of industry watchdog group Check My Ads called out Google’s relationship with Conservative Beaver in a Nov. 7, 2021 tweet. (ProPublica screenshot)

In response to questions, Slapinski denied running Conservative Beaver. “That’s fake news!” he wrote in a Facebook message, despite the large body of evidence he was behind the site. He acknowledged operating Toronto 99, but declined to explain why that site uses the same Google publisher account as Conservative Beaver. He did not respond to questions about Google ads and said he does not publish disinformation.

“I don't publish fake news,” he said. “I follow strict editorial standards.”

Google’s embrace of publisher confidentiality means roughly 1 million publishers can remain anonymous to companies and individuals who buy ads on its network to reach customers. This opens the door to a range of abuses and schemes that steal potentially billions of dollars a year and put lives and livelihoods at risk due to dangerous disinformation, fraud and scams.

Google’s ad business helps fund dangerous disinformation that puts public health and democracy at risk around the world, earns money from millions of gun ads while publicly claiming to block them, and allowed a sanctioned Russian ad tech company to harvest data on potentially millions of people, including possibly those in Ukraine, putting their security and privacy at risk.

It all makes the Display Network one of the world’s most lucrative black boxes. Ads are placed where they shouldn’t be. Money flows to someone other than the intended website or app owner. Publishers of banned sites can easily keep collecting ads and revenue from unsuspecting brands. But because of Google’s allegedly monopolistic dominance of the digital ad industry, companies ranging from mom and pop shops to the biggest brands in the world keep shoveling money into it, hoping for the best.

A Glossary for Understanding Digital Ad Buying and Selling

• A seller refers to an entity with ad space available for purchase. This is typically a publisher that runs websites and/or apps and makes money selling ads. ProPublica is a seller; Candy Crush is a seller. Or it can be an intermediary like an ad consultancy that works with many publishers to help them earn ad revenue from Google ads.
• The advertiser is the buyer.
• An ad network like Google’s Display Network aggregates the ad space available from sellers and makes it available for buyers to purchase via an automated auction system.
• Once accepted into the Display Network, each seller is given a unique ID that looks like this: pub-6728307037029826. A seller can use their ID on multiple websites or apps. A seller can also have multiple IDs. Money earned from ads placed on these properties is deposited by Google into the seller’s account(s).
• Ad networks like the Display Network release a public list of sellers they work with. This is called a sellers.json file. It is supposed to confirm if an ID is active in Google’s system, whether it belongs to a publisher or intermediary and the person/company and domain(s) associated with it.
• But unlike every other major ad network, Google’s sellers file is almost completely confidential. It is mostly a list of IDs like pub-6728307037029826, with no company, individuals or domains listed.

Google spokesperson Michael Aciman said the company uses a combination of human oversight, automation and self-serve tools to protect ad buyers and said publisher confidentiality is not associated with abuse or low quality.

“We want to see more publishers embrace greater transparency, and we conduct regular outreach to our partners to explain the benefits of opting out of confidentiality,” he said. “We do see a lag in consent among small-scale publishers, which may be because they are unaware of this option, or because their account includes personal information and they have legitimate privacy concerns.”

Aciman said the vast majority of ad revenue from Google’s systems goes to publishers who do not keep their information confidential.

ProPublica spent months trying to crack open Google’s black box ad business. We wrote thousands of lines of code to scan more than 7 million website domains looking for Google ad activity, sourced and analyzed data on millions more domains from half a dozen data partners, and spoke to some of the most knowledgeable experts about Google’s display ad business.

In the end, we matched 70% of the accounts in Google’s ad sellers list to one or more domains or apps, more than any dataset ProPublica is aware of. But we couldn’t find all of Google’s publisher partners. What we did find was a system so large, secretive and bafflingly complex that it proved impossible to uncover everyone Google works with and where it’s sending advertisers’ money.

Alongside reputable publishers and popular games and online tools, we uncovered scores of previously unreported peddlers of pirated content, porn and fake audiences that take advantage of Google’s lax oversight to rake in revenue.

In one example, a Bulgarian company helped scores of piracy sites with close to 1 billion monthly visitors earn money from Google ads. Most alarming, Google knew from its own data that these sites were engaging in mass copyright theft, yet it allowed the sites to receive ads and money from major brands such as Nike and HSBC Bank right up until we contacted Google.

As for what else lurks in the black box, only Google knows.

Most Google Sellers Are Confidential

Each time someone visits Toronto 99, the site sends digital requests to Google asking it to place ads on the page. Each of those requests contains this series of numbers and letters: pub-5958167306013620.

It’s a unique ID that identifies Slapinksi’s Google publisher account, much like how your Social Security number identifies you to the government. Google issued Slapinski the account ID when it accepted him as a publisher in the Google Display Network, greenlighting sites he launched to receive ads. The same ID was used by Conservative Beaver.

Google has issued millions of account IDs in the more than 200 countries where its Display Network is active. Anyone operating a website or app in those countries can apply to join.

Once a publisher has an ID, they can add it to new sites and apps that they operate, as Slapinski apparently did. Google also allows publishers to register for more than one ID. The result is an ad network with millions of constantly shifting publishers, sites, apps and IDs.

To help ad buyers navigate this murky ecosystem, ad networks are supposed to disclose a list of the publisher accounts they work with. For Google, this list — which is called a sellers.json file or sellers list — should contain all the websites and apps Google has authorized to earn money in its Display Network, from big publishers like The New York Times to small bloggers. When done correctly, the list should allow advertisers to match Slapinski and the ID pub-5958167306013620 to Toronto 99 and block the site if they wish.

Google itself helped create this concept three years ago and publicly champions it and related standards, saying they “provide advertisers with a greater visibility into the overall supply chain, which can help them inform future buying decisions.”

But among the roughly 1.3 million IDs in Google’s sellers list, over 75% are marked “confidential” and contain only the ID, including Slapinki’s. It’s the default setting in Google’s system. ProPublica’s Google ID was also marked confidential but is being changed to disclose the organization name and affiliated domains.

As of this fall, only 23% of Google’s records listed a person or company name, and just 11% also included the domain of their organization. Google’s competitors almost always publicly list all account IDs alongside such information as the name of a person or company connected to it and the associated domain or domains.

Google Is Less Transparent Than Its Competitors

Google’s list of the websites and apps it provides ads to has far more confidential and partially confidential entries than its competitors, meaning it hides either the name or the domain associated with the account, or both.

(Jounce Media)

On their own, a list of these IDs provides no useful information — it’s like wiping the names from your phone’s contact list, leaving just the numbers.

The upshot is that the largest ad network in the world won’t reveal the identities of the vast majority of its publisher partners. The risks go beyond a lone disinformation peddler like Slapinski. Legislators, including Sen. Mark Warner, chair of the Senate Intelligence Committee, have warned that the opaque and fraud-ridden digital ad ecosystem led by Google poses a national security risk. Each layer of confidentiality further obscures where money and consumer data flows in the digital ad industry, undermining trust and exacerbating risks.

“The lack of transparency and regulation in the digital advertising space is an issue that I have been concerned about for many years,” Warner said in a statement to ProPublica. “Unfortunately, the industry hasn’t improved its practices since I first raised concerns back in 2017, as advertisers consistently appear to lack meaningful control over the types of content that is seen alongside their ads and are oftentimes completely unaware of where their advertisements are being displayed.”

Last year, Warner and a bipartisan group of senators expressed alarm that Google and other companies share data about Americans with undisclosed foreign partners as part of the ad buying and selling process, and that billions of dollars flow through Google to unknown parties around the world.

After the U.S. sanctioned several Russian websites following the invasion of Ukraine, ad tech researcher Krzysztof Franaszek showed that two months later, Google continued to allow many of them to earn money from ads. He also revealed the company placed ads on other sanctioned Russian, Iranian and Syrian sites for years. Critically, nearly 90% of the sanctioned sites earning money from Google ads contained no identifying information in Google’s master ad sellers list, according to Franaszek. Like Slapinski, their accounts were confidential, listing nothing more than a Google account ID.

Aciman said Google works to comply with all relevant sanctions and emphasized that publisher confidentiality should not be seen as nefarious.

“By no means does confidentiality indicate that a publisher is engaging in fraud or other nefarious activity,” he said. “The vast majority of our publishers, including those who are listed as confidential in their sellers.json, are well intentioned, policy compliant, and contribute to the overall vibrancy of our network.”

But industry experts and critics say there’s no way to prove that without Google meeting the same standard as its competitors.

“Google has manufactured a uniquely explosive situation: sending billions of ad dollars everyday to unknown individuals around the world. It is effectively one of the largest dark money transfers in the world — and it’s funded by all our ad campaigns,” wrote Nandini Jammi and Claire Atkin of the Check My Ads Institute, an ad industry watchdog, in a recent article.

They called upon Google to release a full deanonymized sellers file.

Google’s actions thus far suggest major changes are unlikely to happen quickly. The company waited a year after other ad networks began publishing their sellers files to release its own, overwhelmingly anonymous version in 2020. Following pushback, the company offered excuses, including having to update help center documentation, conduct training and contact all the account owners. The company also said there could be privacy and security risks to requiring all of its publisher partners to disclose the individual or company associated with an ID. It said things would improve.

Two years later, Google has increased the total number of fully public entries in its sellers file from 5% to 11% — still by far the worst in the industry. Google’s file also carries a notice not seen in its competitors’: “This file is a beta and is unverified.”

Google declined to comment on the notice. Aciman said publisher transparency is a “critical” part of the ad ecosystem, and pointed to a Google Help Center article that encourages publishers to make their information transparent.

“Google has a unique publisher base and we want to ensure we’re balancing both industry transparency and publisher confidentiality and choice,” he said.

But as of today, new publishers signing up with Google’s ad network are still confidential by default.

Over 380,000 of Google’s Partners Remain a Mystery

After months of data collection and analysis, 70% of the account IDs in Google’s sellers file were matched to one or more websites or apps (11% of these were accounts that Google provided public information on). But 30% of these accounts weren’t declared by Google or in our or our partners’ data, leaving us and Google’s advertising partners in the dark about where their money might be getting spent.

So we attempted to do what Google would not: connect the company’s list of more than 1 million account IDs to the actual sites and apps where ads appear. We were able to match almost 900,000, or 70%, of the accounts in Google’s file to one or more domains or apps and found over 5 million sites that are or were associated with Google publisher accounts. But over 380,000 account IDs remain ghosts, perhaps never used by the entity that registered them or used in a way our data couldn’t capture, perhaps active on a mobile app or site outside of the roughly 300 million available to us in our data and that of our partners.

Some accounts were associated with hundreds of sites, some moved from site to site like a game of whack-a-mole, some were seen on sites before or after being publicly listed in Google’s sellers file. And thousands of accounts are added and removed to the file every week, rendering a given week’s list of publishing partners almost immediately obsolete. This effectively prevents ad buyers from having a basic understanding of the sites and apps where their ads could appear, and who they fund as a result.

Google’s reasons for not disclosing its publisher partners are “rubbish,” according to Ruben Schreurs, the chief product officer of Ebiquity, a media research company that has worked with such brands as L’Oréal, Sony, Nestlé, and Audi. He said it’s in Google’s business interest to keep ad buyers in the dark, because the Display Network is filled with sites and apps most advertisers would not want to do business with.

“They have so many obviously nefarious or even sanctioned partners that use Google’s technology,” Schreurs said.

Porn and “Crap”

Google placed ads on Female Prison Pals, where inmates share photos and answer adult-oriented questions such as their favorite sexual position. (ProPublica screenshot)

Our effort to deanonymize Google’s vast network of publishers revealed a bewildering array of sites and apps. There are news and sports sites in many languages, food blogs, utility sites such as spell-checkers and percentage calculators, and gaming sites. There are sources of disinformation, such as OANN and many others around the world, and the fetish site WikiFeet, which features photos of women’s feet, often without their permission.

In spite of a policy banning sexually explicit content, we found Google placing ads on adult sites like Sexlexikon.net, iSexyChat and Female Prison Pals. On the last of these, Google showed ads to us when we visited pages with photos of female inmates in the United States accompanied by their responses to a questionnaire with prompts such as their favorite sexual position and the age at which they lost their virginity.

Since Google doesn’t release a list of the sites and apps where it places ads, ad buyers ranging from major brands like Nike to small local businesses can’t exclude all of the unsuitable publishers in Google’s network. They can preemptively block problematic sites and apps they know about, but then they must await reports from Google about where their ads were placed.

Even then, Google keeps customers partially in the dark. In most campaigns, the company conceals a percentage of ad placements. This means Google does not reveal all the sites and apps that received the ads and associated revenue. Call it the black hole in Google’s black box.

In an example revealed by watchdog group Check My Ads in May, 10% of all the ads in a million-dollar campaign run via Google were listed as “anonymous” in the report generated for the advertiser. Roughly $100,000 worth of ads were placed on sites and apps, but Google wouldn’t say which ones. (The campaign data was shared with Check My Ads on the condition it not name the brand that ran the ads.)

Schreurs analyzed $1 billion worth of ads placed for his company’s clients and found that 3.6%, or $36 million worth, went to unknown websites and apps. Google isn’t the only company that conceals a percentage of advertiser placements and spending. But the company combines the practice with other methods of obfuscation, like its largely anonymized sellers file, that thwart transparency and accountability.

Google also doesn’t allow ad buyers to block by account ID. Even if buyers know that pub-5958167306013620 is the publisher account for the owner of Conservative Beaver, they can’t direct Google to block their ads from appearing on sites or apps using that ID.

Aciman said the company is currently beta-testing a tool that allows ad buyers to block by seller ID.

“This would enable buyers to block confidential sellers by adding those sellers to their blocklist,” he said. “The tool is expected to launch for general availability in 2023. This would go beyond our existing tools that provide advertisers with robust controls that lets them decide where their ads appear.”

Ruben Schreurs, chief product officer of Ebiquity, a media research firm (Ebiquity)

Schreurs said Google has a financial interest in concealing which sites and apps it works with. The company earns money by taking a cut of each ad placement — the higher the volume, the more Google makes. To maintain that volume, the company needs to work with low-quality and risky publishers, he said.

“We all know that most of Google’s inventory is crap,” he said.

Aciman disputed the quality concerns and said that most of the money flowing through Google’s ad system does not go to confidential publishers. In late 2020, a Google executive said more than 90% of revenue goes to the small percentage of partners that are publicly identified in its sellers file. Aciman said the percentage is even higher now.

If that’s true, it begs the question of why Google risks working with so many sites and apps. But the concerns about Google’s ad network go beyond the hidden identities of its publishers and sites.

Attack of the Manga Pirates

PapayAds, a Bulgarian company, works with piracy sites and listed false information in its public Google account information. (ProPublica screenshot)

Last year, a marketer working for a Fortune 500 company launched a multimillion-dollar ad campaign.

The goal was to reach business owners in the U.S. by placing digital ads on websites and apps in Google’s Display Network. Using Google’s DV360 ad buying tool, the marketer entered details about their desired audience, uploaded a list of risky or otherwise inappropriate sites and apps to block from receiving ads and launched the campaign. The marketer said they were not authorized to share campaign data publicly, and did so on the condition that their name and that of the Fortune 500 company not be disclosed.

Over the next few months, Google placed more than 1.3 trillion of the company’s ads on over 150,000 different websites and apps. The biggest recipient of ads — more than 49 million — was a website called PapayAds. The company was registered in Bulgaria less than two years ago and lists one employee, CEO Andrea De Donatis, on LinkedIn. Its site is a single page that says it helps publishers increase their ad revenue. PapayAds has just one ad slot on its page, which is presented as a demo for prospective clients to see what banner ads look like. One of its customer testimonials comes from someone using a pseudonym.

That’s not the only time De Donatis used fake or misleading names. PapayAds is among the small percentage of Google partners that list both the name or names of people associated with the company and its domain in Google's sellers file. At least two of PapayAds’ sellers accounts list the name of De Donatis. But the rest are registered to his girlfriend, his brother and a set of dubious names that Google and De Donatis confirmed are also not associated with the company. One account is in the name of Luca Brasi, the famed character in the first Godfather film.

Google placed ads in a single slot on the PapayAds’ corporate website, such as this one from Royal Caribbean. (ProPublica screenshot)

It seems impossible that 49 million ads were legitimately placed and viewed on PapayAds’ site over the span of several months. In an interview with ProPublica, even De Donatis expressed skepticism. “I don’t have an explanation for this,” he said, adding that he does not recall receiving payment for such a large volume of ads.

Google declined to comment on the campaign, rendering the 50 million ads it charged a Fortune 500 company for one of many mysteries of its black box.

But the story of Google’s relationship with PapayAds goes deeper. It also includes a possibly related scheme involving online piracy, fraudulent advertising and fake online traffic. And even after discovering at least part of the operation, Google didn’t take steps to remove PapayAds or the many piracy sites it works with from the Display Network.

Here’s how the scheme worked. First, PapayAds signed up website publishers to help them earn money from ads. At least 679 websites list PapayAds as their Google Ads partner, based on our findings and data from Well-Known, a site that tracks advertising systems. This means these sites publicly declare that they use PapayAds account IDs to help receive ads and money from Google.

Nearly all of the of PapayAds client sites we examined specialize in publishing pirated versions of Japanese comics, known as manga, or Korean comics, known as manhwa. Others feature pirated Japanese animated films and shows, or pornographic manga known as hentai. Google and other ad networks ban ads from appearing on copyright infringing content. Google also bans ads from appearing on pages containing hentai.

This past summer, PapayAds used code that misled Google and ad buyers into thinking Google ads were being placed on PapayAds’ site when they in fact appeared on manga piracy sites, according to Pixalate, a digital ad fraud protection and privacy compliance company that examined PapayAds at our request.

De Donatis described this as a “test” he attempted with some manga sites, and said his company did not realize it broke Google’s rules. PapayAds is merely providing a service to clients approved by Google, he said.

“I’m just providing some IT technology,” De Donatis said. “I don’t think I did anything bad.” (His first language is Italian, but he spoke English during two phone interviews.)

Pixalate also found the operation included an element of deception to maximize profit: bots. It found that some of the web traffic on PapayAds and its manga piracy partners was automated. Bots artificially inflate the number of ads viewed on a website, thereby increasing revenue.

“I can tell you that we never used bot traffic or fake traffic,” De Donatis said.

Pixalate’s findings did not attribute the automated traffic to a particular entity. It’s possible the bot activity was connected to PapayAds’ clients or another entity.

Google detected the improper activity over the summer and withheld the associated ad revenue earned by PapayAds clients from their August and September payments, according to De Donatis. According to Google policy, that money should have been refunded to advertisers.

De Donatis didn’t say how much was withheld, but described it as a large amount relative to his and his partners’ typical earnings. (He claimed on his LinkedIn profile that PapayAds generates $400,000 in revenue per month, but removed that information after speaking with ProPublica.)

Google declined to comment on the withheld revenue and overall scheme. Speaking generally, Aciman said the company is “engaged in a comprehensive effort to detect and stop invalid traffic, which is powered by a combination of technology, operations teams, and policy.”

But what did Google do after detecting what by industry definition is an ad fraud scheme involving a set of manga piracy sites filled with stolen content? It kept placing ads on them, and kept working with PapayAds up until being contacted by ProPublica.

This occurred in spite of the fact that Google has at least two years of data showing that many manga sites working with PapayAds are serial copyright infringers.

We selected a sample of 50 manga sites from the list of more than 650 sites that publicly said they work with PapayAds to receive Google ads. Data from Google’s transparency report shows that since 2020 Google has removed 1.9 million of these manga sites’ URLs from search results due to copyright infringing content. Yet 34 of the 50 sites appeared in the Fortune 500 company ad buy under their own domains, and the full list of 50 continued to receive Google ads until very recently.

Google could see in its own data that these sites were engaging in mass piracy, and that they were working with PapayAds to receive ads and revenue. But it did not take action to kick them, or PapayAds, out of its ad system.

The 50 sites in our sample collectively received close to 750 million visits in September, according to analytics company Similarweb, and were able to make money from that traffic thanks in part to Google. We were shown ads placed by Google for major brands including Nike, Sephora and HSBC Bank when visiting manga piracy sites. The brands did not respond to requests for comment.

Google placed a Nike ad on TV y Manga, a site it has delisted more than 10,000 URLs from in its search engine due to copyright infringement. (ProPublica screenshot)

Jalal Nasir, the CEO of Pixalate, expressed concern that Google is directly placing ads on such obvious piracy sites.

“I’m a little surprised that Google with their big team is not able to detect this stuff happening,” he said.

Nasir also said it’s a huge red flag that PapayAds does not have a privacy policy, a requirement for any Google partner and a necessity for compliance with data protection laws. “Do they have proper due diligence in place?” he said of Google.

After speaking with ProPublica, De Donatis added a privacy policy to his site. He said he’s not responsible for the content of the sites that use his platform, and noted that nearly all of the manga sites were approved by Google to receive ads before signing on with him.

An ad for Google appeared on Reaper Scans, a manga piracy site. (Source: Rocky Moss)

“Like 90% of them already have Google ads when they come to us,” he said.

Google also failed to take action against PapayAds and the raft of manga sites it works with after being warned about them almost two months ago. Rocky Moss, the co-founder of fraud detection company DeepSee.io, identified PapayAds as a major player helping piracy sites earn money. On Oct. 25, he emailed his contact at Google to draw their attention to the company.

“Just wanted to flag a particularly egregious pirate traffic seller,” he wrote. Moss attached an image of a concerning ad he’d seen placed on Reaper Scans, a manga piracy site working with PapayAds for which Google has received and acted on thousands of copyright infringement reports.

The advertiser in question? Google.

Moss said the tech giant’s inaction is disappointing but not surprising.

“There are good people working at Google who want to do the right thing. They just can’t get the approval to solve the problem,” he said.

After we contacted Google with our findings, the company removed all of PapayAds’ seller accounts.

“We are in the process of reviewing the specific sites shared with us by ProPublica and have already removed ads from several and have terminated the accounts associated with PapayAds,” Aciman said. “We will continue to take action as we detect any additional policy violating content.”

Nasir and Moss expressed dismay that Google failed to stop PapayAds and the piracy sites sooner. They said there are likely an untold number of companies like PapayAds operating in the Display Network.

“It’s probably a drop in the ocean of what’s happening out there,” Nasir said.

Jeff Kao contributed reporting.

Truth or Dare

If a player chooses “truth,” they must reveal how much money they make. If they choose “dare,” they must hand someone their phone and let them look at every tab they have open on their browser.

Never Have I Ever

Each player reveals which of their goals from their twenties they were never actually able to accomplish until everyone except one person is crying.

MASH

One player selects a number between one and ten, while another determines whether they will live in a mansion, apartment, shack, or house, but in this economic climate, let’s face it, even a shack seems pretty aspirational. The game detours into a conversation about housing shortages, rising interest rates, and the general concept of real estate.

Would You Rather

When the pizza is delivered, a player must decide whether to pass on eating or indulge in a few moments of delicious bliss, only to endure debilitating heartburn later.

Spin the Bottle

A full bottle of wine is placed in the center of the circle. One player spins, and whoever the wine bottle points to must drink more than two glasses without apologizing that wine makes them sleepy, and they have to be up early to shop for a new ottoman.

Sardines

Players are shoulder to shoulder in a three-hundred-square-foot studio apartment, which the host insists they’re only staying in temporarily. After a few minutes of awkward chit-chat, it becomes clear that the game has been in progress the whole time.

Telephone

The starting player whispers the last news headline they heard into the ear of the person next to them. That person then whispers to the person next to them, and so on, until the final player is revealed to be a member of QAnon and this has been a demonstration of how easily misinformation could spread if you don’t keep up to date with NPR Morning Edition like a sensible adult.

Light as a Feather, Stiff as a Board

Each player must describe their last workout, where their joints hurt, and what exercises they’re currently doing to stretch their lower backs.

Seven Minutes in Heaven

One player enters a closet alone, without their partner, children, or pet, for seven minutes of pure peaceful “me” time.