Colossal Substitution: Colossus SSP Fakes Cookies in Advertising Requests

  • Colossus SSP systematically forges cookie identifiers in requests to sell advertising inventory via openRTB, mimicking more expensive cookies.
  • However, the SSP itself claims that it is not directly connected to The Trade Desk DSP and blames the intermediary, BidSwitch, for the issues.
  • The situation is exacerbated by the consequences for small publishers, whose interests Colossus SSP represents, and questions about compliance with NASDAQ requirements.

Colossus SSP, owned by Direct Digital Holdings (DDH), became the "hero" of the latest Adalytics investigation, published on Friday, May 10. By comparing logs and using Chrome DevTools, Adalytics documented that the SSP repeatedly altered cookie identifiers in openRTB protocol requests. Moreover, these fake cookie identifiers duplicated ones that The Trade Desk DSP had recently bid on.

According to Adalytics, the vast majority of impressions sold through Colossus SSP to The Trade Desk over several months did not match the identifier specified by the browser at the time of the ad request.

Adalytics also checked 15 other SSPs, and their identifiers matched every time.

Where's the Problem?

Mark Walker, CEO of Colossus SSP, in a conversation with AdExchanger, blamed BidSwitch, which the company uses to manage traffic and demand, and described Colossus SSP as an indirect seller.

«Since Colossus SSP is connected to The Trade Desk DSP not directly, but through an intermediary [they mean BidSwitch, owned by Criteo], Colossus SSP does not alter or transmit user identifiers of The Trade Desk in the ad request in accordance with Open RTB protocols and The Trade Desk requirements», — states DDH's public statement.

In its statement, DDH also pointed to a general shortcoming of Adalytics reports: «Adalytics refused to provide us with an opportunity to review the report before its publication, which we believe matches Adalytics' strategy of seeking sensational headlines».

For the report, Adalytics also checked other SSPs that use BidSwitch, such as TrustX and MediaGrid (formerly Iponweb, now also Criteo), and found no fake cookies there.

Nevertheless, fake identifiers somehow make their way into ad requests. And BidSwitch claims it's not them.

«Any claims or insinuations by Colossus SSP that BidSwitch is to blame for manipulating ad requests are not true, and we encourage all parties to conduct further investigations into the substance of any such claims before publishing inaccurate statements», — states Ryan Damon, Criteo's chief legal counsel.

BidSwitch is just an intermediary here, added Damon. It does not alter bid requests or the bid responses from advertisers.

Who Knows?

And what about The Trade Desk? Why haven't they detected the problem?

«The Trade Desk Marketplace Quality team has been aware of issues with the SSPs mentioned in the Adalytics report for over a year», — says a company representative.

When The Trade Desk DSP makes a bid to purchase advertising, it never buys inventory from Colossus SSP. The TD team detected discrepancies in Colossus SSP's operations last year and pieced the puzzle together, said a source in the company. If an identifier was changed or entered to represent a different audience, it is considered sophisticated invalid traffic (SIVT).

The recent update of the MRC guide on identifying low-quality inventory. SIVT is sophisticated fraudulent inventory, where bots and other automated systems are used to mimic user actions, artificially inflating advertising metrics.

«The only exception is when an advertiser comes to us to conduct a direct deal with this SSP», — the statement said.

In other words, if an advertiser bought a direct deal through Colossus SSP, then The Trade Desk DSP would still act as an intermediary.

The Trade Desk is not the only DSP that has encountered problems working with Colossus SSP. According to a source at Google, who spoke on the condition of anonymity, Display & Video 360 also faced this issue last year. But then Colossus SSP was able to quickly resolve the problem, and its access to the platform was restored.

Colossus SSP is an unusual SSP because it works with sites owned by various minorities and claims compliance with DEI principles (Diversity, Equity, and Inclusion). It earns most of its money on direct deals. Many major brands and agency holdings require spending budgets through organizations that adhere to such principles.

Sequential liability is another reason why no one wanted to deal with Colossus SSP. The Trade Desk and other DSPs could withhold payment to Colossus SSP for impressions classified as SIVT. But these would be funds meant for minority-owned sites, and in such a case it is the publishers who would suffer most. The publishers, however, are not to blame, as they generate real traffic. The substitution occurs further down the chain.

The 'F' Word

If you believe the Adalytics report, the actions of Colossus SSP are outright fraud, says Jay Friedman, CEO of the agency Goodway Group. But, according to the head of the agency, ID substitution is just one of many problems in programmatic advertising. They all relate to advertising agencies extracting money from advertisers, either intentionally or cynically not delivering what was sold.

Last month, Adalytics caught Forbes selling inventory on the subdomain "www3.forbes.com" to advertisers, who obviously expected to see themselves on Forbes's main site.

Another controversial practice is bid caching. This technique, which saves a bid that lost at one auction and uses it for the next possible display of an ad to a user, allows ad exchanges to more effectively use bids and potentially increase advertising revenues.

For example, this practice allowed Index Exchange to increase its market share and offer publishers higher CPMs. Index Exchange claims that this practice is legal. Bid caching is still used today, Friedman said.

Does anyone remember centroid? Long ago in mobile traffic, publishers realized that advertisers paid more for impressions with location data. So they simply attached random location information, made up out of thin air.

According to Friedman, much of the problem lies in the fact that SSPs rarely face sanctions from other advertising companies. Ultimately, even The Trade Desk, which knew exactly what Colossus was doing, continued to purchase inventory there.

Where are the Verifiers?

Adalytics noticed mismatching identifiers coming from Colossus SSP in the bid request simply using Google Chrome DevTools. Theoretically, any experienced user could have done this.

And just like in the recent case with the Forbes subdomain, there was a discrepancy that no one reported, even the verifiers. Instead, it all ends up in public scandals.
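The comparison described above can be automated. The following is an added example, not Adalytics' code or anything from the report: it compares the identifier the browser held with the `user.buyeruid` field of the OpenRTB bid request for the same impression, per SSP, and counts how many mismatched IDs duplicate ones the DSP recently bid on. The record layout, hostnames, IDs and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample data: (ssp, id held by the browser, OpenRTB bid request).
RECENT_BID_IDS = {"id-9001", "id-9002"}  # IDs the DSP recently bid on (made up)
SAMPLE = [
    ("ssp-a.example", "id-1001", '{"id":"r1","user":{"buyeruid":"id-1001"}}'),
    ("ssp-a.example", "id-1002", '{"id":"r2","user":{"buyeruid":"id-1002"}}'),
    ("ssp-a.example", "id-1003", '{"id":"r3","user":{"buyeruid":"id-1003"}}'),
    ("ssp-b.example", "id-2001", '{"id":"r4","user":{"buyeruid":"id-9001"}}'),
    ("ssp-b.example", "id-2002", '{"id":"r5","user":{"buyeruid":"id-9002"}}'),
    ("ssp-b.example", "id-2003", '{"id":"r6","user":{"buyeruid":"id-7777"}}'),
    ("ssp-b.example", "id-2004", '{"id":"r7","user":{}}'),
    ("ssp-b.example", "id-2005", '{"id":"r8","user":{"buyeruid":"id-2005"}}'),
]

def buyeruid(raw):
    """Return user.buyeruid from a bid request, or None if absent or unparseable."""
    try:
        user = json.loads(raw).get("user") or {}
    except (ValueError, TypeError, AttributeError):
        return None
    return user.get("buyeruid") if isinstance(user, dict) else None

def audit(records, recent_bid_ids, threshold=0.05, min_compared=3):
    """Per-SSP mismatch rate between browser IDs and IDs sent in bid requests."""
    stats = defaultdict(lambda: {"total": 0, "missing": 0, "mismatch": 0, "recycled": 0})
    for ssp, browser_id, raw in records:
        s = stats[ssp]
        s["total"] += 1
        sent = buyeruid(raw)
        if sent is None:
            s["missing"] += 1          # no ID sent: tracked, but not a forgery
        elif sent != browser_id:
            s["mismatch"] += 1
            if sent in recent_bid_ids:  # the sent ID duplicates a recently bid-on one
                s["recycled"] += 1
    report = {}
    for ssp, s in stats.items():
        compared = s["total"] - s["missing"]
        rate = s["mismatch"] / compared if compared else 0.0
        flagged = compared >= min_compared and rate > threshold
        report[ssp] = {**s, "rate": rate, "flagged": flagged}
    return report

if __name__ == "__main__":
    for ssp, row in sorted(audit(SAMPLE, RECENT_BID_IDS).items()):
        print(ssp, row)
```

Requests with no identifier are counted separately so that an SSP that simply omits IDs is not confused with one that sends different ones.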

«We [at Goodway Group] changed our position in 2024 and now advise advertisers not to use verifiers», says Friedman.

According to him, familiar verifiers — IAS, DoubleVerify, HUMAN, and Moat — are no longer suitable for this purpose. Instead of using verifiers, companies should turn to analytics firms that assess data obtained after a campaign for discrepancies. Options could include: Adalytics, FouAnalytics, and a few others.

«We realized that they don't actually work», says Friedman about the "big four" verifiers, which mostly use pre-bid technology, which allows determining which ad will be shown even before the start of the auction for ad space, based on contextual information about the page content. «We were able to detect losses orders of magnitude greater than when using verifiers».

What Happens to Colossus?

For DDH and Colossus SSP, this scandal erupted at the most inopportune time.

A month ago, the company was forced to delay its earnings and loss report and also announced that its accounting firm had resigned. Two weeks ago, Nasdaq notified DDH that it has 60 days to submit a plan to restore compliance with requirements, or the company will be delisted.

Individually, these are normal and surmountable problems. But taken together, and especially with compelling evidence of fraud at the SSP, there are too many alarm bells.

Friedman stated he knows nothing about what is happening inside Colossus. But he added that while this particular problem is unique to Colossus and not found in other SSPs, it nonetheless reflects systemic issues in programmatic advertising.

«Was I surprised?» — he reflects on this Adalytics report. «With over 40 SSPs in the market, if you told me tomorrow that they're mostly scammers, I wouldn't be surprised».

For Publishers

You need to monitor the entire supply chain of advertising on your site. The better you understand it, the better for you.

Forecast

In the future, oversight of the entire chain will become even stricter, and transparency requirements will increase.
