
HUMAN's collective signal network: how cross-customer telemetry feeds detection

· 19 min read
Copyright: MIT
The word HUMAN in monospace with one orange node linking to many, over a black background

A bot that touches one website looks like a visitor. The same bot touching ten thousand websites looks like a botnet. That difference is the entire premise of HUMAN Security’s detection model, and it is the reason a vendor that sees traffic across a large slice of the internet can catch things that a single site, watching only its own front door, never could.

The question this post is about is narrow and specific. When HUMAN claims it verifies trillions of interactions a week and uses that scale as a detection advantage, what is actually happening under the hood? How does telemetry collected on customer A’s checkout flow end up improving the verdict on customer B’s login page? And where does the collective-defense story hold up against the technical reality versus where it is marketing gloss over a more ordinary machine-learning pipeline? HUMAN’s lineage gives a useful way in, because the company that became HUMAN spent its first six years not protecting web apps at all. It hunted ad fraud, and ad fraud is a problem you can only solve by looking across the whole ecosystem at once.

The sections below walk that lineage and the mechanism. First, the White Ops origin and why verifying humanity at internet scale was the founding bet. Then the ad-fraud takedowns (Methbot, 3ve) that proved cross-publisher visibility catches coordinated automation. Then the Satori threat-intelligence model and the connected-TV botnets (PARETO, BADBOX) that extended it past the browser. Then the merger with PerimeterX and how a fraud-detection backend got wired to a web-app sensor. Then the actual signal-aggregation mechanism, what it can see and what it cannot. A note on sourcing runs through all of it: HUMAN publishes a great deal about its disruptions and its detection categories, far less about the exact field layouts, weights, and thresholds. Where this post describes documented mechanism it cites it, and where it describes inferred behaviour it says so.

The founding bet: verify humanity, not block bots

White Ops was founded in 2012 by Tamer Hassan, Michael Tiffany, Dan Kaminsky, and Ash Kalb. The framing they chose was inverted from most of the industry. Instead of building a list of bad things to block, they set out to verify that an interaction came from a real human, and treat everything that failed verification as suspect by default. The name change to HUMAN Security in 2021 made the thesis the brand.

That inversion matters more than it sounds. A blocklist is reactive. It catches the automation you have already seen and named. A humanity-verification model is, at least in principle, a denylist of one entry (not-human) and an allowlist of one entry (human), with the hard work pushed into the classifier that decides which an interaction is. The classifier needs signal, and lots of it, because sophisticated automation is built precisely to reproduce the surface markers of a human session. Kaminsky, who was the company’s chief scientist until his death in 2021, framed the work as an arms race where the defender wins by raising the cost of looking human faster than the attacker can pay it.

The economic argument sits underneath the technical one. HUMAN’s stated goal is to disrupt the economics of cybercrime by raising the attacker’s cost while lowering the cost of collective defense. The phrase to hold onto there is collective defense, because it is the load-bearing idea. A single site defending itself pays the full cost of detection alone and sees only its own traffic. A network of sites pooling signal through one vendor splits the cost and multiplies the visibility. The detection advantage is supposed to compound with every customer added. Whether it actually compounds, or merely adds, is a question worth returning to at the end.

2016: Methbot and the first proof that scale catches coordination

In December 2016, White Ops published its analysis of an operation it named Methbot, and it is the cleanest illustration of why ecosystem-wide visibility matters. Methbot was not a botnet of hijacked consumer machines. It was a purpose-built fraud farm: between 800 and 1,200 dedicated servers running out of data centers in the United States and the Netherlands, driving fake video ad impressions at industrial scale.

The operators did the homework. They leased 571,904 real IP addresses and registered them, fraudulently, to look like they belonged to residential ISPs such as Verizon, Comcast, and Spectrum, so the fake traffic would appear to originate from ordinary American homes rather than a server rack. They spoofed 6,111 premium publisher domains (vogue.com/video, espn.com/video and the like) and generated 250,267 distinct URLs that never existed, each one a fake page on which a fake video ad could be reported as viewed. They forged cursor movements, synthesized clicks, and faked social-network logins so each session carried the markers of an engaged, logged-in human. At peak the operation reported 200 to 300 million video impressions a day, at an average CPM of $13.04, for an estimated $3 to $5 million in daily theft.

Here is the detection point. Every one of those forged signals was individually plausible. A single impression from a Comcast IP, on what looked like an ESPN video page, with a logged-in user and a moving cursor, is exactly what a legitimate impression looks like. No single ad server, looking at its own slice, had reason to flag it. What gave Methbot away was the view across the ecosystem: the same 571,904 IPs appearing in coordinated patterns across thousands of publishers, the impossible concentration of “premium” inventory, the statistical fingerprint of synthetic cursor paths repeated at a scale no organic audience produces. You catch that by correlating signal across publishers, not within one. White Ops shared the list of known Methbot IPs with the industry through the Trustworthy Accountability Group so the rest of the ecosystem could filter the same addresses.

[Figure: one site's view vs. the network view. One site: a single impression looks like a Comcast visitor, verdict human. Network: the same IPs across many sites in a coordinated pattern, verdict botnet.]
*The same forged impression is invisible to a single publisher and obvious across the network. Methbot's 571,904 leased IPs were the thread that pulled the whole thing apart.*
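The cross-publisher correlation that exposed Methbot, as an added example that is not White Ops code or data: a toy impression log over four publishers in which a pool of IPs paces itself below any single site's rate check but moves in lockstep across all of them. The publisher names, the 10.0.0.x pool, the organic 203.0.113.x visitors and the thresholds are all constructed for the illustration.

```python
from collections import defaultdict
import random

# Constructed example, not HUMAN/White Ops code or data: a toy impression log over four
# publishers. The 10.0.0.x pool mimics the Methbot shape (many leased IPs, each at a low,
# human-looking rate on any one site, but in lockstep across all sites); 203.0.113.x are
# organic visitors.
PUBLISHERS = ["espn.example", "vogue.example", "cnn.example", "wired.example"]
POOL_SIZE = 20


def build_log(seed=7):
    """Return a list of (second, client_ip, publisher) impressions over a 10-minute window."""
    log = []
    # Coordinated pool: every IP hits every publisher once a minute, at the same seconds.
    for i in range(POOL_SIZE):
        ip = f"10.0.0.{i + 1}"
        for t in range(0, 600, 60):
            for pub in PUBLISHERS:
                log.append((t, ip, pub))
    # Organic visitors: one or two publishers each, a handful of impressions at scattered times.
    rng = random.Random(seed)
    for i in range(1, 201):
        ip = f"203.0.113.{i}"
        for pub in rng.sample(PUBLISHERS, rng.randint(1, 2)):
            for _ in range(rng.randint(1, 12)):
                log.append((rng.randint(0, 599), ip, pub))
    return log


def publisher_view(log, publisher, max_per_ip=60):
    """What a single ad server sees: only its own impressions. The only check it can run
    alone is per-IP volume, and a pool that paces itself never trips it."""
    per_ip = defaultdict(int)
    for _, ip, pub in log:
        if pub == publisher:
            per_ip[ip] += 1
    return {ip for ip, n in per_ip.items() if n > max_per_ip}


def network_view(log, min_sites=3, min_cohort=10):
    """What the pooled view sees. Two facts no single publisher holds: how many different
    sites an IP touched, and whether its exact cadence (which second, which site) is shared
    by many other IPs. A large cohort with an identical cross-site cadence is coordination,
    not an audience."""
    sites = defaultdict(set)
    cadence = defaultdict(list)
    for t, ip, pub in log:
        sites[ip].add(pub)
        cadence[ip].append((t, pub))
    cohorts = defaultdict(set)
    for ip, touched in sites.items():
        if len(touched) >= min_sites:
            cohorts[tuple(sorted(cadence[ip]))].add(ip)
    flagged = set()
    for members in cohorts.values():
        if len(members) >= min_cohort:
            flagged |= members
    return flagged


def shareable_ip_list(log):
    """The artifact handed to the rest of the ecosystem (as White Ops did through TAG):
    a sorted list of IPs every publisher can filter locally."""
    return sorted(network_view(log))


if __name__ == "__main__":
    log = build_log()
    print("one publisher flags:", publisher_view(log, "espn.example"))  # set()
    print("network flags:", len(network_view(log)), "IPs")               # 20
```

Each pool IP produces ten impressions per publisher, well under the single-site rate check, so `publisher_view` returns nothing for any of the four sites; `network_view` recovers all twenty because they share one cadence signature across three or more sites. The cadence key is deliberately exact here; a production system would bucket timestamps and tolerate jitter, which is where the "behavioral pattern" layer discussed later comes in.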

2018: 3ve and the FBI takedown

Methbot proved the visibility argument. 3ve (pronounced “eve”) proved the disruption argument: that the same cross-ecosystem view could be turned into law-enforcement action.

3ve was larger and messier than Methbot. It had been active since at least 2013, ran on two malware families (Boaxxe and Kovter) that infected consumer PCs, and at its peak drove fraudulent traffic from over a million residential and corporate IP addresses, across more than 10,000 spoofed websites, generating north of 3 billion fraudulent ad requests a day. White Ops and Google began comparing notes on a small shared botnet in early 2017, and that bilateral signal-sharing grew into an industry working group of around twenty organizations, with the FBI eventually coordinating the takedown.

When the takedown came in late 2018, the FBI seized 31 domains and information from 89 servers, and the U.S. unsealed indictments against eight individuals from Russia and Kazakhstan. HUMAN later described Hassan’s role as the lynchpin of that consortium, and the operation as one of the larger private-sector collaborations the FBI had run. The detail worth keeping is structural, not heroic. 3ve was not killed by any single company’s detection. It was killed by pooling detection across companies that each saw a different facet of the same fraud, then handing the assembled picture to an actor (the FBI) with the authority to seize infrastructure. That is collective defense taken to its logical end: signal aggregation as a precondition for disruption.

[Figure: timeline. 2016 Methbot; 2018 3ve + FBI; 2021 PARETO; 2022 PerimeterX; 2025 BADBOX 2.0. From ad-fraud takedowns to a web-app sensor and back to botnets.]
*Orange marks the two disruptions that ended in court or law-enforcement action. The thread connecting all five is cross-customer correlation.*

The Satori model: threat intel as a feedback loop

Methbot and 3ve were the work of a research function that HUMAN formalized as the Satori Threat Intelligence and Research Team. Satori is the part of the company that does the hunting (reverse-engineering malware, mapping command-and-control infrastructure, tracking the fraud operators) and it is the bridge between human investigation and the automated detection engine.

The relationship between the two is the point. Satori finds a novel scheme by digging into traffic anomalies that the automated engine surfaced but could not name. The researchers reverse the malware, identify the spoofed apps or the C2 domains, and produce a set of concrete indicators. Those indicators feed back into the detection engine as new signal, so that the next time the same operation (or a copycat) appears anywhere in the customer base, the engine catches it without a human in the loop. The manual hunt becomes automated coverage. That feedback loop is what makes the threat-intel team a multiplier on the network rather than a separate research vanity project.

Two connected-TV botnets show the model working past the browser. PARETO, disclosed in 2021, was nearly a million infected Android phones running dozens of mobile apps that spoofed more than 6,000 CTV apps, generating an average of 650 million fraudulent ad requests a day by pretending to be people watching ads on smart TVs. HUMAN found it in 2020 and worked with Google and Roku to disrupt it; Roku permanently disconnected the spoofed apps. What stood out technically was low-level network-protocol spoofing, which HUMAN noted is especially hard to detect, and which surfaced precisely because the team could compare the supposed CTV traffic against the genuine article across many properties at once.

BADBOX, and then BADBOX 2.0 in 2025, pushed it further into hardware. BADBOX 2.0 was a botnet of over a million infected devices, mostly cheap off-brand Android Open Source Project tablets, CTV boxes, projectors and car infotainment units manufactured in mainland China and shipped pre-compromised or infected on first boot. HUMAN observed associated traffic from 222 countries and territories. The backdoor, BB2DOOR, was derived from the Triada Android malware and pulled fraud modules on demand: hidden-ad and WebView fraud, click fraud, and residential-proxy abuse that rented the infected devices out as exit nodes. The disruption in March 2025 ran with Google, Trend Micro, and the Shadowserver Foundation, with Google later filing suit and the FBI issuing a public advisory in June 2025. The pattern is identical to 3ve seven years earlier, scaled to the supply chain and the living room. For the rebrand context that wrapped around this period, see the PerimeterX to HUMAN rebrand.

2022: the PerimeterX merger and the two halves of the engine

For its first decade the company was strong in one place and weak in another. White Ops/HUMAN had the data science, the threat-intel muscle, and deep roots in advertising and media fraud. What it did not have was a mature web-application sensor: the client-side instrumentation that sits on an e-commerce site or a login page and collects device and behavioral signal in the browser. PerimeterX had exactly that, built around its sensor payload and the _px3 cookie, with real strength in e-commerce, account takeover, and product engineering.

The merger closed on July 27, 2022, at a combined valuation around $1.5 billion. The plan stated at the time was to connect HUMAN’s backend detection engine to PerimeterX’s client-side products within roughly six months, so that the browser-side collection that fed PerimeterX’s verdicts would be scored by HUMAN’s engine. CEO Tamer Hassan put the rationale in network terms: combining the companies increased the amount of joint data across verticals, giving an unparalleled source to improve overall detection. That is the collective-defense thesis applied to a merger. Two pools of telemetry, previously separate, joined into one.

The technical consequence is that the engine now sees two very different kinds of signal. From the ad-fraud heritage it has impression-level and ecosystem-level telemetry. From the PerimeterX heritage it has session-level, per-request browser signal: the sensor payload, the VID, and the bello challenge on the web side, and the _px3 cookie and PXHD device-continuity flow that tie a browser to a history. The interesting claim is that scoring both through one engine lets a pattern learned in one domain inform the other. A residential-proxy network identified through CTV ad fraud is the same proxy network that might show up fronting account-takeover attempts on a retail login, and now the same engine has seen both. Whether that cross-domain transfer is as clean in practice as on the slide is unknowable from outside, but the data plumbing to attempt it is there.

How the aggregation actually works

Strip the marketing and the mechanism is a fairly standard large-scale ML detection pipeline with one distinguishing property: the training and inference data is pooled across a very large, very diverse customer base. HUMAN states it verifies more than 20 trillion digital interactions a week across about 3 billion unique devices, up from a figure of 15 trillion cited in 2022. Its Decision Engine is described as examining more than 2,500 signals per interaction and running them through more than 400 algorithms and adaptive machine-learning models to reach a bot-or-not decision in milliseconds. The exact signal list, the field names in the payloads, and the model weights are not public, and anyone claiming otherwise is guessing. What follows is the documented architecture plus what can be reasonably inferred about how cross-customer signal feeds it.

Three kinds of signal cross customer boundaries cleanly, and they are the backbone of the network effect.

The first is network identity. IP addresses, autonomous-system numbers, and proxy/datacenter classification are global facts about the internet, not facts about any one customer. When the Methbot IP list was assembled, it was useful to every publisher at once. When BADBOX turned a million devices into residential exit nodes, the addresses of those exit nodes were the same regardless of which customer’s login page they hit. An IP reputation built from misbehavior observed on customer A is immediately valid for customer B, because the IP is the IP. This is the least controversial and probably the most valuable shared signal.

The second is device and client fingerprints. A TLS fingerprint, an HTTP/2 frame profile, a browser-environment signature: these describe the client, not the site. If a particular automation toolkit produces a recognizable fingerprint, observing it abusing one customer lets the engine flag the same fingerprint elsewhere before it has done any damage there. This is the same logic as Cloudflare’s or Akamai’s fingerprint sharing across their networks, and it is where HUMAN’s scale most directly buys coverage. The catch, well understood by both sides, is that fingerprints drift; a signature is good until the toolkit changes one byte, and that window closes on a cycle measured in weeks.

The third is behavioral and coordination patterns. This is the abstract layer: not a specific IP or fingerprint but the shape of an attack. The cadence of a credential-stuffing run, the statistical signature of synthetic cursor movement, the impossible concentration of “premium” inventory that gave Methbot away. These patterns are learned from aggregate traffic and applied as model features, and they are what the engine reaches for when the attacker has rotated every concrete identifier. They are also the hardest to validate from outside and the easiest to overclaim.

[Figure: signal pooled across customers, three classes feeding the Decision Engine. Network identity (IP / ASN, proxy / datacenter): crosses cleanly. Client fingerprint (TLS / HTTP2, browser env): drifts on retool. Behavior pattern (cadence, shape, coordination): abstract, fuzzy.]
*Three signal classes pool across the customer base with very different reliability. Network identity transfers cleanly; behavioral patterns are powerful but fuzzy, and the easiest layer to overclaim.*

A pseudocode sketch of the loop, kept deliberately abstract because the real thing is proprietary and this is a defensive reference, not a recipe:

on interaction(session, customer):
    feats = collect(session)                      # 2,500+ signals: net, client, behavioral
    verdict, score = engine.score(feats)          # 400+ models, shared across customers
    emit(customer, verdict, score)
    # the network-effect part: enrich shared state from this interaction
    if verdict == BOT or anomaly(feats):
        ip_rep.update(feats.ip, feats)            # global, customer-agnostic
        fp_index.update(feats.fingerprint)        # global
        if novel(feats):
            satori.queue_for_investigation(feats) # human hunt -> new signal later

The line that matters is the enrichment step. A bad verdict on one customer updates shared state (IP reputation, fingerprint indices) that every other customer’s next request reads from. That is the whole network effect, expressed in four lines. Everything else is the quality of the models and the breadth of the input.
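The loop above made concrete, as an added example that is not HUMAN's engine: a toy scorer whose shared state (IP reputation, fingerprint index, and a queue for the Satori-style hunt) is explicit, run over four constructed sessions. It shows the enrichment step doing its work (a bot caught on customer A is caught on customer B even after it slows to a human pace), one feedback hazard a practitioner would guard against (verdicts that rest only on borrowed reputation are kept out of the fingerprint index), and the collateral cost of pooled IP reputation discussed in the next section (a bystander behind the same IP gets swept up). The weights, thresholds, feature names and fingerprint strings are all assumptions.

```python
from dataclasses import dataclass, field

# Added example, not HUMAN's engine: a runnable version of the loop sketched above with
# the shared state made explicit. Every weight, threshold and feature name is an
# assumption chosen to make the mechanism visible, not a documented HUMAN value.
HUMAN, BOT = "human", "bot"
THRESHOLD = 0.6


@dataclass
class Features:
    ip: str             # network identity: customer-agnostic
    fingerprint: str    # client fingerprint (TLS + browser env hash): customer-agnostic
    req_per_sec: float  # behavioral, this session only
    cursor_events: int  # behavioral, this session only
    customer: str


@dataclass
class SharedState:
    """The part of the pipeline that crosses customer boundaries."""
    ip_rep: dict = field(default_factory=dict)        # ip -> count of bot verdicts anywhere
    fp_index: dict = field(default_factory=dict)      # fingerprint -> count of bot verdicts
    satori_queue: list = field(default_factory=list)  # novel bad actors handed to the hunt


def local_score(f):
    """Evidence a single site could compute alone from this one session."""
    s = 0.0
    if f.req_per_sec > 10:    # far faster than a person clicks
        s += 0.5
    if f.cursor_events == 0:  # no pointer activity at all
        s += 0.3
    return s


def shared_score(f, state):
    """Evidence borrowed from what the rest of the network has already seen.
    Each source is capped so one bad IP or fingerprint cannot dominate forever."""
    ip_part = min(0.3 * state.ip_rep.get(f.ip, 0), 0.6)
    fp_part = min(0.3 * state.fp_index.get(f.fingerprint, 0), 0.6)
    return ip_part + fp_part


def score(f, state):
    total = round(min(local_score(f) + shared_score(f, state), 1.0), 2)
    return (BOT if total >= THRESHOLD else HUMAN), total


def on_interaction(f, state):
    """Score, then enrich shared state so the next request anywhere benefits."""
    verdict, total = score(f, state)
    if verdict == BOT:
        state.ip_rep[f.ip] = state.ip_rep.get(f.ip, 0) + 1
        # Only verdicts backed by session-level evidence teach the fingerprint index;
        # a reputation-only block feeding back into itself would be a runaway loop.
        if local_score(f) >= 0.5:
            novel = f.fingerprint not in state.fp_index
            state.fp_index[f.fingerprint] = state.fp_index.get(f.fingerprint, 0) + 1
            if novel:
                state.satori_queue.append(f)  # human hunt -> named indicators later
    return verdict, total


# Constructed sessions: the same actor seen first on customer A, then pacing itself on
# customer B, then a bystander sharing that IP, then an unrelated visitor.
SESSIONS = [
    Features("198.51.100.7", "ja3:771-4865/env:headless", 50.0, 0, "customer-A"),
    Features("198.51.100.7", "ja3:771-4865/env:headless", 1.5, 40, "customer-B"),
    Features("198.51.100.7", "ja3:771-4866/env:chrome", 0.5, 55, "customer-B"),
    Features("203.0.113.9", "ja3:771-4866/env:chrome", 0.5, 55, "customer-C"),
]


def run_scenario(sessions=SESSIONS):
    """Run the sessions through one shared state in order; return verdicts and the state."""
    state = SharedState()
    return [on_interaction(f, state) for f in sessions], state


def verdict_without_network(f):
    """What the same session would get from a site defending itself alone."""
    return score(f, SharedState())


if __name__ == "__main__":
    results, state = run_scenario()
    for f, (verdict, total) in zip(SESSIONS, results):
        alone = verdict_without_network(f)[0]
        print(f"{f.customer}: {verdict} ({total}); alone it would be {alone}")
```

The second session is the network effect in one line: on its own evidence it scores 0.0 and passes, but the IP and fingerprint it reuses were both written into shared state by customer A's verdict, and that borrowed 0.6 is enough to block it. The third session is the cost: a different browser behind the same address carries no local evidence at all and is still blocked once the IP has two bot verdicts against it.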

What the network can and cannot see

The collective model has real limits, and a senior engineer reading this should hold both halves in mind.

What it sees well is anything that repeats across sites. Coordinated campaigns, reused infrastructure, known toolkits, residential-proxy pools, credential lists being stuffed against many targets at once. These are exactly the threats a single site cannot see, and exactly where pooling wins. The ad-fraud heritage tuned the company for this: ad fraud only exists across publishers, so the detection muscle was built cross-site from day one. HUMAN was the first vendor to earn Media Rating Council accreditation for both pre-bid and post-bid sophisticated-invalid-traffic detection across desktop, mobile web, mobile in-app, and connected TV, which is an external check that the cross-ecosystem detection holds up to audit.

What the network sees less well is the bespoke, low-volume attack tuned to one target. Here the network’s own scale works against it, and the cleanest articulation of why comes not from HUMAN but from a Cloudflare engineering post in September 2025. Their point: a request from a sophisticated bot “might not look anomalous when compared to the trillions of requests we see across the Cloudflare network, but would appear anomalous when compared to the established patterns of legitimate users on a specific website.” A global baseline is a blunt instrument against an attacker who has shaped their traffic to sit comfortably inside the global average. The defense against that is a per-customer baseline, a model of what normal looks like on this site specifically, which is a different thing from network-wide pooling and in some ways its opposite. Mature vendors, HUMAN included, run both: the network model for coordinated threats and per-application models for the bespoke ones. The network effect is one axis of detection, not the whole of it, and treating it as a silver bullet is the marketing version of the story rather than the engineering one.
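The blind spot in the global average, as an added example not taken from the post, from HUMAN or from Cloudflare: the same per-session request rate scored against a pooled baseline built from four sites with very different normal usage, and against the target site's own baseline. The site profiles, the sampled sessions and the three-sigma rule are assumptions made for the illustration.

```python
import random
import statistics

# Added example, not from the post or from HUMAN/Cloudflare: the same request rate scored
# against a pooled (global) baseline and against the baseline of the one site it targets.
# Site profiles and the 3-sigma rule are assumptions chosen to make the effect visible.
SITE_PROFILES = {  # site -> (typical requests per minute per session, spread)
    "small-portal": (1.2, 0.3),
    "news": (4.0, 1.0),
    "shop": (8.0, 2.0),
    "api-heavy": (15.0, 4.0),
}


class Baseline:
    """Mean and standard deviation of one feature over a population of sessions."""

    def __init__(self, samples):
        self.mean = statistics.fmean(samples)
        self.std = statistics.pstdev(samples)

    def zscore(self, x):
        return (x - self.mean) / self.std if self.std else float("inf")


def build_samples(seed=3, n=300):
    """Constructed sessions per site: requests per minute drawn around each site's profile."""
    rng = random.Random(seed)
    return {
        site: [max(0.1, rng.gauss(mu, sigma)) for _ in range(n)]
        for site, (mu, sigma) in SITE_PROFILES.items()
    }


def classify(value, site, per_site, z_threshold=3.0):
    """Score one session's rate two ways: against everything the network sees pooled
    together, and against only the target site's own history. Flags on the high side only."""
    pooled = Baseline([v for samples in per_site.values() for v in samples])
    local = Baseline(per_site[site])
    gz, lz = pooled.zscore(value), local.zscore(value)
    return {
        "global_z": round(gz, 2), "global_flags": gz > z_threshold,
        "site_z": round(lz, 2), "site_flags": lz > z_threshold,
    }


if __name__ == "__main__":
    samples = build_samples()
    # A credential-stuffing run paced at 4.5 requests a minute: ordinary for the network,
    # nearly four times the normal rate for the small portal it is actually hitting.
    print(classify(4.5, "small-portal", samples))
    # The same rate on the API-heavy site is below its own normal and flags nowhere.
    print(classify(4.5, "api-heavy", samples))
```

Pooling the four sites gives a baseline with a mean around 7 and a spread around 5.7, so 4.5 requests a minute sits below the network average and is invisible to the global check; the small portal's own history puts that same rate more than ten standard deviations out. The two baselines are not redundant, and neither one subsumes the other: the pooled model is what catches the reused infrastructure in the earlier examples, the per-site model is what catches this.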

There is also a structural cost that the collective model rarely advertises. Pooling signal across customers means the vendor, not the customer, holds the aggregate. A site gains the network’s visibility but gives up some control over the verdict logic and inherits the network’s blind spots and its biases. When a global IP-reputation model decides a residential range is dirty because of abuse seen on some other customer, the legitimate users behind that range on your site pay for it. Network defense and false positives are the same coin: the breadth that catches a botnet is the breadth that occasionally sweeps up a privacy-conscious user on a VPN. That tradeoff is inherent, not a bug to be patched away.

The shape of the thing

HUMAN’s collective signal network is best understood as an ad-fraud detection architecture that got pointed at the rest of the bot problem. The founding bet (verify humanity at scale) and the founding domain (ad fraud, which is only visible across publishers) committed the company to cross-customer correlation before “network effect” was a slide in everyone’s deck. Methbot and 3ve proved the visibility and the disruption arguments in the harshest possible venue, a federal indictment. The Satori loop turned manual hunts into automated coverage. The PerimeterX merger bolted a web-app sensor onto the front so the same engine could score a login the way it scored an impression. The 20-trillion-interactions figure is the input to all of it, and the genuine technical advantage is real for the class of threats that repeat across the network.

The honest version of the story keeps the caveat attached. Pooled signal is decisive against coordinated automation and weak against the bespoke attack that hides inside the global average, which is why the same vendors that sell the network effect quietly run per-customer models alongside it. The breadth that makes the network powerful is the same breadth that makes its false positives somebody else’s problem. None of that diminishes what the model catches. It just means the right mental picture is a very large correlation engine with a known blind spot in the middle of its own average, not an all-seeing eye. The Methbot IP list, shared in 2016 so that every publisher could filter the same 571,904 addresses, is still the clearest single artifact of how the whole thing works: detection that is only possible because someone was looking across all the doors at once.

