Ad security company Confiant claims it has identified an ongoing cookie-stuffing scheme allegedly perpetrated by Dataly Media, an affiliate marketing platform based in Ecuador.
Dataly Media’s purported cookie-stuffing practices date back to at least 2015 and underpin a large part of the company’s affiliate marketing business conducted since that time, according to Confiant. However, Confiant was not able to provide an estimate of how much revenue Dataly Media has earned from these practices.
Dataly Media served roughly 125 million display ad impressions in 2022 alone, Confiant estimates, but it is unclear how many of these placements were subject to cookie stuffing. In 2022, Dataly Media was active on at least four DSPs; Confiant declined to name these DSPs.
What is cookie stuffing?
“Cookie stuffing is essentially stealing conversions,” said Jerome Dangu, co-founder and CTO of Confiant.
Dataly Media would be paid for these allegedly stolen conversions by advertisers running cost-per-click (CPC), cost-per-lead (CPL) and cost-per-acquisition (CPA) campaigns.
In affiliate marketing, tracking pixels prove whether a conversion (like a subscription signup or product purchase) resulted from a user visiting a particular site or clicking a particular affiliate marketing link.
But in a cookie stuffing scheme, a bad actor embeds code into ad creative. The code drops a tracking pixel for a website other than the one a user is currently visiting, without the user’s knowledge or consent. Affiliate marketing platforms then attribute any conversions a user makes to a site that user never visited.
Because it has a seat on DSPs, Dataly Media is able to bid on ad inventory auctioned by unsuspecting publisher sites. Upon winning an ad auction, Dataly Media would place…