Cloaking drives surge in PropellerAds ad safety blocks

PropellerAds reported an increase in enforcement actions and moderation blocks across its advertising platform in 2025. Cloaking drove most advertiser account suspensions, while malware-linked activity remained a major risk.

The Ads Safety Report 2025 outlines results from preventive moderation and confirmed enforcement. It also describes fraud patterns observed by policy and security teams, including multi-layer cloaking, direct file distribution through ad infrastructure, and attempts to hijack messaging accounts.

PropellerAds recorded a 35% year-on-year increase in campaigns flagged and declined during moderation, which it attributed to expanded preventive controls and broader moderation coverage.

The figures reflect rejections or blocks, not unique campaigns. A single campaign can trigger multiple actions if it is checked repeatedly or breaches more than one policy.

Pre-launch blocks

Adult, pornographic, sexual, or erotic content made up the largest share of moderation outcomes, accounting for 60% of rejects or blocks in 2025 (439,927 actions).

Antivirus alerts or malware detected on campaign-related domains accounted for 26% (191,103 actions). Automatic file downloads on desktop or mobile represented 3.4% (24,500 actions).

Other policy violations made up 3.0% of moderation outcomes (22,127 actions). The remaining categories were smaller but covered a broad set of risks and compliance issues.

Region-specific restricted content represented 2.1% of rejects or blocks. Trademark violations accounted for 1.7%, and inaccessible destination URLs during moderation represented 1.1%.

Prohibited products made up 1.0% of actions. Malware-related scare claims represented 0.7%, and deceptive financial-advice promises accounted for 0.5%.

The breakdown shows that ad platforms increasingly treat destination infrastructure as part of the risk surface, not just the creative or landing-page text. Malware detections, download behaviour, and unreachable URLs often appear in the same investigations, even when a campaign's visible content seems compliant.

Account suspensions

For confirmed, high-risk, or repeated violations, cloaking was the most common reason for advertiser account suspensions. It accounted for 78.2% of suspensions (1,311 cases).

Malware-related violations represented 7.6% of suspensions (127 cases). Other violations accounted for 6.0% (100 cases).

Ransomware attacks represented 2.9% of suspensions (49 cases). Failed KYC checks, described as "fake ID", accounted for 2.6% (44 cases).

Scam landing pages represented 2.0% of suspensions (33 cases). Confirmed fraud combining multiple signals accounted for 0.7% (12 cases).

The dominance of cloaking in the suspension breakdown underscores its role as a core ad-fraud technique. Cloaking complicates review by showing different content to different users or reviewers. The report describes "infrastructure-heavy" cloaking that relies on multi-layer routing and conditional delivery.

Fraud patterns

The report highlights four patterns seen during 2025. The first is infrastructure-heavy cloaking using multi-layer set-ups and conditional logic. These configurations can route users through intermediaries, with final content varying by geography, device type, or other signals.

The second pattern is malvertising through direct file distribution, which uses ad workflows to deliver files rather than sending users only to a web page. Automatic file downloads were among the reasons campaigns were blocked during pre-launch moderation.

The third pattern covers attempts to hijack Telegram and WhatsApp accounts. This reflects a broader shift in social engineering and credential theft, with attackers seeking access to accounts that can be used for scams, impersonation, or distribution.

The fourth pattern involves compromised infrastructure and hijacked domains, including expired domains and breached servers. These assets can host payloads, redirect traffic, or provide an apparently reputable domain history.

About 80% of identified attack vectors were concentrated on Windows and Android environments. This aligns with the scale of those platforms in consumer computing and mobile usage, and with malware operators' focus on common environments for reach.

The report also describes internal detection and enforcement systems. AI and machine-learning tools support anomaly detection, interaction-pattern analysis, and prioritisation of high-risk signals, while infrastructure checks and expert review remain central to enforcement decisions.