Warning: this story contains references to child sexual abuse and exploitation, as well as pornography.
A bombshell report released last week by adtech researchers at Adalytics alleges that some of the industry’s largest adtech players—including Google, Microsoft and Amazon, as well as third-party verification providers Integral Ad Science (IAS) and DoubleVerify—were facilitating or monitoring ads for major clients placed across a website that hosts pornography and child sexual abuse material.
The report found that ads for a litany of important brands and organisations, including the US’ Department of Homeland Security, Kimberly-Clark, Honda, Uber Eats, Google Pixel, Adobe and Samsung were served on imgbb.com and its affiliate ibb.co.
These sites are ad-supported, anonymous, free, image and sharing website. Adalytics said that it gets more than 40 million page views per month, more than the Financial Times, for instance.
The US’ National Center for Missing & Exploited Children (NCMEC) has notified imgbb.com “dozens of times” over the course of 2021, 2022, and 2023 that the platform was hosting child sexual abuse materials (CSAM). It also hosts explicit adult content as well as potentially copyright infringing materials and potentially explicit depictions of canine-human bestiality and zoophilia, which may construe animal abuse.
During Adalytics’ research into a separate matter, it noticed that the URLScan.io bot (which it uses to find ads online) had recorded ads being served on a website called “imgbb.com” and “ibb.co” thousands of times as far back as 2017.
Investigating further, Adalytics found ads for major brands appearing adjacent to explicit adult content on imgbb.com and ibb.co, when URLScan.io’s bot had archived the page in 2024.
Examples
For instance, it found that an ad in the Department of Homeland Security’s ‘Blue Campaign’ to raise awareness of the signs of human trafficking appeared above pornography. It was accessed from an IP address in Italy, too. This ad was served, according to Adalytics, by Google’s DV360.
As it plumbed the depths of imgbb.com further, the bot found archived a particular URL in early November 2024, which showed explicit material featuring a young girl, thought to be aged between 4-6 years old. There were digital ads served to the bot whilst it was archiving that page.
As another example, in April last year, the bot crawled a “ibb.co” URL. While it was screenshotting the page, it was served a digital ad for Starhub served by Outbrain. In October 2023, crawling another ibb.co page URL that contained a photo of a woman’s exposed breasts, it was served an ad for Skyscanner via Criteo.
In November, on a page containing a photo of a man masturbating, the bot was served an ad for Duracell batteries by Amazon’s DSP.
Adalytics also found on another page, featuring two animated characters having sex, it was served an ad for phone brand OnePlus. The source code of the ad, said Adalytics, suggests that it may have been transacted by Quantcast DSP. It also includes references to “Publicis”. It also references “adsafeprotected.com’, a domain operated by IAS when loading its pixel or tags for measurement purposes.
It also found a video ad for Thrive Market with a screenshot of hardcore pornography. The source code of the Thrive Market ad mentions ad agency “Tinuiti” and “CTV”. The Thrive Market ad’s source code appears to include tags from DoubleVerify. These tags may not necessarily be used for brand safety blocking, instead they could be for ad delivery and/or ad measurement or monitoring.
A more comprehensive list of the examples can be found on Adalytics’ website—though we’d caution against opening it at work.
Responses
DoubleVerify
DoubleVerify released a statement saying that it finds the website’s content “abhorrent” and “a core part of our mission is to ensure that advertiser dollars do not support this, ever”.
“While we were not given access to their data prior to publication — and we have consistently seen them misrepresent how our tags work and how client campaigns are executed — we have reviewed initial coverage about the research and want to correct the record while outlining steps that all verification providers should adopt,” it continued.
“The site has a small advertising footprint, with an even smaller number of DV-measured ads — 0.000047 per cent of our total.
“Customers using DV’s pre-bid and post-bid controls benefited from multiple layers of protection; DV’s blocking controls alone prevented tens of thousands of ads from appearing on the site in the past 30 days.
“DV has taken immediate additional measures to block this site and affiliated sites for our customers, while we conduct our review.
“DV’s classification system — designed for both pre-bid filtration and post-bid measurement — prioritises site and page classification based on impression volume. (As an ad technology company, it is not reasonably feasible to measure every URL or page on the internet at scale if ad impressions are extremely low.) Regardless of content category, classification is triggered once a page reaches a certain level of ad traffic. If a researcher identifies content on a URL, it does not necessarily mean that the page has met the threshold required for classification. In this instance, the page would be unclassified. However, customers using DV’s Authentic Brand Suitability (ABS) pre-bid solution can still choose to block unclassified pages, and the majority of ABS users are leveraging this safeguard today.
“For pages on imgBB.com that received sufficient traffic for classification, DV applied a range of content categories. Some pages contained pornographic material and were appropriately classified as ‘Adult & Sexual.’ This classification appears in post-bid reporting and allows for pre-bid filtration when enabled. DV strongly advises all clients to activate pre-bid controls to prevent ads from running on inappropriate content.
“In multiple instances, Adalytics has presented the presence of a DV tag on a page as evidence that our technology failed to block an ad. In reality, this is a misrepresentation of how verification works. The presence of a tag does not necessarily mean an ad was served due to a failure in our system — it may simply indicate that post-bid measurement was in place rather than pre-bid avoidance or blocking. Additionally, ad placement always follows client settings — meaning the appearance of an ad on a classified page may align with an advertiser’s specific campaign goals and configurations.”
DoubleVerify did not answer our other questions.
IAS
A spokesperson for IAS told B&T: “IAS has zero tolerance for any illegal activity, and we strongly condemn any conduct related to child sexual abuse material. We are reviewing the allegations and remain focused on ensuring media safety for all of our customers.”
In a statement on its website, IAS added that it immediately labelled the domains in the report to be ineligible for monetisation and was reviewing the sites and the findings of the report.
“IAS did not have the opportunity to review the full Adalytics report ahead of its publication, nor did we receive access to the underlying data prior to publication or have insight into how Adalytics analysed individual campaign settings,” it added.
“In several instances within the report, Adalytics acknowledges that they cannot determine if IAS tags were used for blocking or ad measurement. This is consistent with previous Adalytics reports that are unable to determine the way customers use our products and services, as well as the nuance of differing campaign settings that are available and selected by customers for measurement across the open web.
“Over the past 60 days, our analysis concluded that 88,000 total webpages from these two domains were observed across all eligible ad opportunities. By contrast, we saw nearly 1.9 billion total webpages throughout the same time period.”
A Google spokesperson told us that it has “zero-tolerance” to content promoting child sexual abuse and exploitation.
“As this report indicates, we took action on these sites last year. Our teams are constantly monitoring Google’s publisher network for this type of content and we refer information to the appropriate authorities,” the spokesperson added.
Amazon
An Amazon spokesperson told B&T: “We regret that this occurred and have swiftly taken action to block these websites from showing our ads. We have strict policies in place against serving ads on content of this nature, and we are taking additional steps to help ensure this does not happen in the future. We’ve received the Senators’ letter and are working on our response.”
The spokesperson did not our further questions.
Microsoft
Microsoft’s spokesperson said it was “committed” to creating a “safe online environment and protecting users from harmful content and conduct online”.
“In line with this commitment, we do not allow advertising on content that violates our advertising network policies or on user-generated content that is not sufficiently regulated or moderated. When we become aware of content that evades our detection mechanisms and violates our policies, we take immediate action to prevent ad delivery and remove offending web sites from our advertising network, as we’ve done in this case,” it said.
Outbrain
Outbrain did not reply to a request for comment prior to publication.
What now?
While all involved seem to have blocked the sites, the US government is starting to investigate.
Senators Marsha Blackburn (R-Tennessee) and Richard Blumenthal (D-Connecticut) have accused the adtech players, verification companies and watchdogs of at best negligence in allowing child porn distribution to be monetised. They also criticize ad verification companies for failing to properly flag sites and industry watchdogs for lacking teeth.
The senators issued public letters to the CEOs of Amazon, Google, DoubleVerify, Integral Ad Science, the Media Rating Council (MRC) and Trustworthy Accountability Group (TAG). The senators gave recipients until today to respond to extensive questions on how the ad placements happened and how industry watchdogs enforce their brand safety certifications and accreditations.
We’ll have to wait for their responses.
