This is a guest post by Peter Kireev, a leading expert with over a decade of experience in AdTech. He is the Co-founder and Chief Product Officer at Reliz, a product-led European company, where he leads the development of its AI-driven solutions.
The past few years have marked a fundamental shift in digital privacy standards. Regulatory frameworks like GDPR and CCPA, along with platform-level changes from Apple and Google, have placed user data protection at the center of the advertising ecosystem. These reforms have brought long-overdue safeguards, helping to rebalance a system that once prioritized tracking over transparency.
But they’ve also exposed a structural weakness. With the loss of deterministic identifiers and full attribution visibility, the ability to distinguish real users from fraudulent activity has sharply declined. Fraudsters have adapted faster than the industry, exploiting blind spots created by the same privacy-first policies meant to protect users.
According to AppsFlyer (2023), fraudulent installs now account for up to 25% of all paid user acquisition in some verticals.
Regulatory shifts that reshaped the foundations of AdTech
The introduction of the General Data Protection Regulation (GDPR) in the EU (2018), the California Consumer Privacy Act (CCPA) (2020), and Brazil’s Lei Geral de Proteção de Dados (LGPD) (2020) imposed stricter requirements on user consent, data transparency, and minimization. These regulations have global implications, affecting any platform handling international user data.
In addition to regulatory changes, platform-level privacy policies have accelerated these trends. Apple’s App Tracking Transparency (ATT) framework, introduced in 2021, significantly limited access to the Identifier for Advertisers (IDFA), with opt-in rates falling below 20%. This move curtailed advertisers’ ability to perform deterministic user tracking on iOS devices.
These developments have reduced the availability of deterministic identifiers across digital platforms, compelling advertisers to rely more on probabilistic signals and first-party data. This shift has significant implications for ad targeting, measurement, and fraud detection strategies.
Attribution gaps in the post-IDFA era
Before the wave of privacy reforms, advertising platforms relied on stable, deterministic identifiers — such as Apple’s IDFA — to accurately track a user’s journey from ad impression to install and in-app events. These identifiers were passed directly from the device, allowing marketing systems to confidently attribute outcomes to specific campaigns.
After the rollout of App Tracking Transparency in iOS 14.5 (April 2021), access to IDFA became contingent on explicit user consent. Opt-in rates stabilized at just 15–20%, effectively severing the attribution chain for the vast majority of iOS traffic. A similar trend is underway on Android, where the Privacy Sandbox is deprecating traditional cross-app identifiers.
Without these links, ad platforms lose the ability to reliably determine traffic sources or campaign effectiveness. This not only weakens optimization but also creates space for exploitation — particularly by fraud actors who now manipulate or mimic the few remaining weak signals.
Instead of deterministic attribution, platforms now rely on probabilistic models — systems that estimate how similar a user is to others who have already converted. This shift reduces attribution accuracy and opens the door to fraud: attackers no longer need to spoof unique identifiers, they only need to mimic behavioral patterns. The transition from direct identity matching to behavioral signatures has become a key enabler of fraud at scale.
How fraud exploits attribution gaps
The shift from deterministic to probabilistic attribution has not only weakened marketing effectiveness — it has created exploitable blind spots. When platforms can no longer reliably trace installs or purchases to a specific source, it becomes easier to intercept or fake those signals.
Fraudsters typically rely on two main strategies. The first is bot traffic: automated systems that simulate the behavior of real users. The second is misattribution: traffic from legitimate campaigns is artificially reassigned to suspicious sources. For example, a campaign running on Facebook might generate 10 purchases. Once a fraudulent traffic source is introduced, Facebook shows only 5 purchases, while the new source reports the remaining 5 — despite no real contribution. Turn off Facebook, and the conversions vanish.
These techniques are not limited to fringe actors — even large players sometimes engage in them. The problem is especially severe in the in-app segment, where billions of dollars in media spend are misallocated each year. The most well-known case is Uber’s 2017 lawsuit, which led to the recovery of nearly $6 million from a vendor supplying fraudulent traffic. Restitution payments are still ongoing.
Current industry response and the limits of available solutions
Despite the scale of the problem, the market still lacks a universal solution capable of effectively preventing fraud under today’s privacy constraints. Most tools rely on post-attribution analysis — detecting fraud only after traffic has been delivered and, in many cases, already paid for.
One of the few widely used tools is AppsFlyer’s Protect360. It analyzes behavioral patterns and can flag fraudulent installs and events within 2–3 days. According to a Forrester report, advertisers using Protect360 have recovered up to $1.8 million in ad spend that would have gone to fake clicks and installs. Still, the tool operates with a delay and requires data accumulation, making it less effective for short-run or fast-scaling campaigns.
Platform-level efforts to replace traditional attribution models are also underway. Apple’s SKAdNetwork (SKAN) aims to offer a privacy-friendly alternative based on aggregated, delayed signals. However, adoption remains low: as of early 2024, SKAN usage was below 30%, according to Branch. The main challenges are reporting delays, limited granularity, and poor integration with advertisers’ internal analytics.
Apple’s new initiative, AdAttributionKit — positioned as an eventual successor to SKAN — remains in early development. While the industry broadly agrees on the need for a more privacy-compliant but resilient attribution framework, the actual readiness of advertisers and platforms is still low.
In the meantime, fraudsters continue to exploit the attribution gaps. Most platforms fall back on internal monitoring and manual source-level controls to minimize damage. This approach is expensive, unscalable, and heavily reliant on in-house expertise — but for now, it’s the only practical line of defense.
