Apple’s iCloud Private Relay Facilitating A Multi-Million Dollar Scam Says Ad Tech Firm

Well, Apple isn’t having a good time. After this and this came to light, a report from Gizmodo has Apple under new scrutiny over the iCloud Private Relay feature and how it facilitates a massive scam:

As you read this, there’s an army of bots pretending to be Apple users surfing the web and looking at ads, according to new research shared exclusively with Gizmodo. The ad fraud scheme is weaponizing a privacy feature called Private Relay, coopting a vast swath of traffic to show ads to robots and costing advertisers tens of millions of dollars in the process, researchers’ tests found. Apple has promised that the tool has “built-in fraud detection” and that advertising platforms can trust it, but the researchers say the fraud has only gotten worse in the months since they first reported it to the company.

The new report finds that criminals are exploiting Apple’s Private Relay tool, a feature available on on Apple devices for users who subscribe to iCloud+. Turn it on, and Private Relay will hide your web browsing and assign you a dummy IP address to help stop companies from tracking you. Pixalate, the ad tech firm that authored the study, released Tuesday, says the problem will cost US advertisers an estimated $65 million in 2022 alone. The study finds that 90% of web traffic that looks like it’s coming from Private Relay is actually fraudulent.

That’s not a good look for Apple. Here’s why:

“Apple says you can trust that connections through Private Relay are secure and free of fraud, so scammers are just presenting their traffic as coming from Apple,” said Amit Shetty, vice president of product at Pixalate. “It seems like they’re just hoping people are going to put the traffic on ‘allow lists’ because it’s considered to be safe.”


Apple promised in several public statements that apps, websites, and ad tech companies can trust that iCPR addresses represent real people.The company says Private Relay has “built-in fraud protection,” and it’s “designed to ensure only valid Apple devices and accounts in good standing are allowed to use the service.” Apple goes even further, proclaiming that “Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple.”

Apple has been silent about this and their other issues. However as these sort of issues continue to come to light, Apple will have less ability to pretend that they don’t exist and they will have to say something. Because their use of the “reality distortion field” isn’t working. Especially when Apple markets itself as the privacy and security company.

Leave a Reply

%d bloggers like this: