Introduction

In this research we dig into traffic sourcing on chessmoba.us, a site creating well over a hundred million daily impression opportunities. It is one of a handful of sites which have acted as cover for MangaOwl (a site which links readers to pirated web cartoons), and the extended MangaOwl family of web properties.

Using code snippets captured from live traffic, and other publicly available data sources, we will show how the vast majority of visits to chessmoba.us & its cohorts are actually laundered visits of users who are reading pirated manga / web cartoons (often sexually explicit in nature).

What’s of additional interest here is the laundering mechanism; users get an experience free of pop-unders & redirects, but advertisers still get zero visibility into the true source of traffic.

Maintaining & Monetizing a Piracy Site

Pirated content is, and always has been, one of the top things people will search for on the internet. Due to the questionable legal status of the content, most supply-side platforms (SSPs; aggregators of publisher inventory) have rules against pirated content appearing on their member publishers’ sites, and some advertisers try to avoid this content.

Google, the worlds largest aggregator of publisher inventory, has policies which specifically forbid pirated & sexually explicit content, both of which are in the scope of our conversation today. Without access to Google ad products, it becomes much harder to monetize at a large scale, especially if you are an individual, or small team.

Depending on the number of copyright claims made against these sites, they may have to constantly rotate domain names in order to avoid users arriving to a site that has been disabled by the hosting provider. The chances of this are more likely if the site hosts links to content produced by big Hollywood studios, because these studios have the resources to programmatically hunt down & make copyright complaints against each new site.

Sites hosting pirated content often turn to less-reputable ad networks which have no policy against their content. These 2nd / 3rd string monetization partners usually litter the page with near pornographic ads (adult sites are limited by which networks they can run their ads with; example below), or they create tons of pop-unders / redirects that take users off-site.

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
Example of advertisements on one of the most popular anime streaming sites: gogoanime

As we’ve written about in the past, these pop/redirect ad networks play a large part in the global cookie stuffing & traffic laundering marketplace:

If you’re looking for further reading into this topic at a high level, the Digital Citizens Alliance and Whitebullet have also done significant research into who supports piracy sites with on-page advertising (our writing today focuses more on the laundering aspect of the problem).

Teasing Out the Grey Areas

There exists a moral / technical grey area here when it comes to advertising to users on sites with pirated content: advertisers want to reach real people, and real people consume pirated content in high volume. As a consequence, there are billions of laundered impressions generated every day.

Advertisers often optimize their campaigns towards human users & viewable placements; both these things are often true of impressions generated from laundered traffic.

One of the main reasons that we built DeepSee is to suss out these opaque traffic laundering marketplaces. The laundering process tends to remove the true source a visitor was sent from, and creates destination-site visits that appear direct. This is clearly visible when you look at the inbound traffic mix for sites who buy a lot of laundered traffic using the free version of tools like Alexa or SimilarWeb, but more on that later.

Honestly, we wouldn’t think as poorly of these traffic acquisition channels if advertisers were alerted about the nature of the traffic sourcing in subsequent bid requests generated by the destination-site (the “clean” content site). This never happens though, and we won’t hold our breath.

We’re very interested to hear the opinions of our readers when it comes to the value of laundered traffic, please drop us a line on Twitter or LinkedIn to voice your opinion!

Introducing the Players & Explaining the Evidence

There are 2 seemingly separate factions involved here. In truth, they are all owned and operated by the same entity, allowing for some unique publisher fraud opportunities that would be very difficult to detect from within an ad creative.

On the other hand, the user experience here is one of the best you can find when it comes to reading pirated comics. As opposed to sites who monetize with pop-unders & redirects, users aren’t routed through dozens of nefarious intermediaries; instead, users stays in a single environment, controlled end-to-end by the MangaOwl developer.

The Players

  1. A group of piracy sites centered around MangaOwl, including (but not limited to):
    • mangaowl.net – Alexa rank ~17.8k
    • mangaowl.com – Alexa rank ~193k
    • mangaowls.com – Alexa rank ~51k
    • animeow.me – Alexa rank ~1.1mil
    • animeowl.net – Alexa rank ~525k
  2. A group of content sites headed by chessmoba.us in terms of visit volume (all bid volume projections made using Xandr’s forecasting API):
    • chessmoba.us – Estimated daily bid volume of over 100 million(forecast date: 10-27-2021)
    • mostraveller.com – Estimated daily bid volume of over 30 million (forecast date: 10-22-2021; seemingly discovered & cut-off by 10-27-2021)
    • fromyourinside.com – Estimated daily bid volume of over 10 million (forecast date: 10-27-2021)
    • chill-game.com – Estimated daily bid volume of just a few thousand (forecast date: 10-27-2021)
    • portablegamingdude.com – Estimated daily bid volume currently ~0 (forecast date: 10-27-2021)

The piracy sites are most obviously linked by footer links which are clearly visible on mangaowl.net, and also by naming convention

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
Footer on mangaowl.net showing the link to animeow & animeowl

The Content sites are not as clearly linked, but we argue that they behave in such a specific & atypical way that there is no other possibility besides that they have been configured by the same entity to do the same thing.

The Evidence

There Is a Common Owner Between Chessmoba.us and MangaOwl

Let’s get this out of the way first: chessmoba.us is absolutely registered by the operator of MangaOwl, and the proof is surprisingly easy to acquire.

It’s particularly easy to prove who the owner of chessmoba.us is, because you can’t register a domain with a .US suffix using WHOIS privacy protection. You can even check this right now by typing in the domain name on the .US WHOIS lookup service.

Here is a summary of what you’ll see:

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
Summary of information gathered from a chessmoba.us whois lookup

The “owl” in the registrant email “zzowl[email protected]” is a good hint, but we can additionally see that this email is linked to the moderator of MangaOwl by doing a quick google search for the email address.

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
MangaOwl Moderator “ZZ” lists the email [email protected] as the inbox where copyrighted materials should be sent

If you go through that process, you’ll end up on the above post before reaching the 2nd page of the Google search results. It shows a message from a MangaOwl moderator named “ZZ” who instructs members to send their copyrighted materials to “zz[email protected]” in order to have them shared with the community.

The other domains in our “content-site” group are registered as sites with a .COM suffix, and they are WHOIS privacy protected such that you can’t as easily infer ownership. However, we will show they are linked by means of behavior, in such a way that they could ONLY be managed by the same person.

When MangaOwl Users Are Reading Pirated & Adult Content, Advertisers Think They Are On Chessmoba.us

The following video demonstrates how a typical mangaowl.net reader generates laundered impressions to chessmoba.us:

  • Note: Due to the fact that many of our readers may be watching this while at work, or in a professional setting, we chose to showcase a comic that is safe for work. However, you will have no trouble finding sexually explicit content on MangaOwl if you go looking for it.
Video showing specifics of the exploit; best viewed full screen

We asked our CTO to break down the activity into a summary for those who can’t watch the video, or just need more elaboration. Particularly, we asked him to elaborate on if it’s even possible for this to happen without collaboration between the piracy & “clean” content sites:

The behavior kicks off when a user clicks a link from mangaowl, and is navigated to a reader URL over at chessmoba.us such as (https://chessmoba.us/reader/reader/73165/1461957/{…}). If the advertiser saw this URL, the whole scheme would become obvious to them, because this is the URL which takes you to the manga content.

This reader page loads an image based slideshow viewer, presenting the user with the content they intended to browse to, however, upon page load there is a somewhat obfuscated script that constructs a new, advertising friendly URL (https://chessmoba.us/team/{…}) that replaces the reader one using History.replaceState().

The important detail is that the containing site does not react to this change by redirecting to the advertiser friendly page. This allows chessmoba to render ad impressions attributed to a URL that shows different content if you browse to it directly. Furthermore, History.replaceState() only works to modify the URL the browser displays if the new URL belongs to the same origin as the one housing the script making the change.

That, along with other signals (like a verified SSL certificate) point to the fact that, barring an exploit and a very (to put it lightly) relaxed system administrator at chessmoba, this would definitely require cooperation from the operators of mangaowl and chessmoba.

Moreso there is evidence of referrer spoofing, and the presence of chessmoba’s google tag manager account IDs on the fraudulent reader page signals that chessmoba is 100% in on it. Another tidbit that shows intent is the fact that the script that updates the URL to the advertiser friendly one removes itself after 500 milliseconds.

-Antonio Torres, CTO & Co-Founder @ deepsee.io

For anyone interested, he also did a breakdown of the code which manipulates the URL that advertisers would detect.

As you may recall from the video, this reader code is recycled across all of the content sites that show manga, further confirming the shared purpose / ownership assigned to each. You can take a “reader/reader/” link from chessmoba.us, replace the host with mostraveller.com, or fromyourinside.com, and the link still works the exact same way. Essentially, the content sites are interchangeable; just fancy fronts for the advertising business of MangaOwl.

The anime video laundering fronts aren’t as interchangeable, but work in basically the same way to obfuscate the source of traffic. For example:

Video showing how the video side of the equation operates; best viewed full screen

Piracy is the Primary Reason Anyone Ends Up On These Content Sites

Using publicly available information, such as Alexa traffic flows, we can confirm that over 50% of visits to these content sites are precipitated by a visit to one of the MangaOwl sites.

For example, take chessmoba.us’ traffic flow:

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
The site flow report clearly shows that 55%+ of visits to chessmoba.us came from mangaowl sites

Or, take the mostraveller.com flow:

A Case Study in Monetizing Piracy: MangaOwl and Chessmoba.us
The site flow report clearly shows that 58%+ of visits to mostraveller.com came from mangaowl sites

This exercise can be repeated ad-nauseam for each of the content sites we list, but we don’t want to bloat the page. Suffice it to say, 50% is a conservative estimate of how much traffic is spoofed to each of these sites. We project the number is closer to 80-100% depending on the site.

Conclusion

This novel approach to impression laundering is only made possible by shared management between the content sites and the pirate sites. It succeeds, because:

  1. The URLs that advertisers & verification services detect takes you to a real content page, with a completely “safe” look & feel.
  2. The pirate sites don’t have any advertising on them; they were very careful to keep the advertising aspect of the business separate from the pirated content indexing.
    • This means there is no chance for advertisers, or any ad-tech org whose primary source of data comes from scripts appended to ad creatives, to leverage user cookies to detect that a user was on MangaOwl before they went to chessmoba.
    • Tools like Alexa are able to infer the traffic flow because they track users outside of the context of advertising.
  3. Users get a clean browsing experience, and don’t really have a reason to complain. For this same reason, the site doesn’t set off malware / maladverising flags.

Based on this research, and using our robust historical data on how sites relate to each other, we have developed the tools to flag such sites dynamically as they appear. If you are looking for an audit of your media spend, don’t hesitate to reach out! We are happy to look over delivery reports with you, and point out any risky patterns & publishers.

If you would like to continue the conversation, or if you have any questions that are not covered here, please reach out to us on Twitter, or on LinkedIn.