CPA (Cost Per Action) fraud has become one of the most profitable and scalable forms of online crime in 2026. At its core, attackers get paid when they generate fake actions (sign-ups, app installs, form submissions, clicks, or conversions) on behalf of advertisers.
The entire operation rests on two critical pieces of infrastructure: bot farms and device farms. Without them, most large-scale CPA fraud would be impossible.
What Are Bot Farms and Device Farms?
Bot Farms: Collections of automated, software-based bots that mimic human behavior at scale. They run on virtual machines, cloud instances or emulators and do some or all of the following:
1. Create hundreds or even thousands of fraudulent user accounts
2. Complete forms
3. Click on ads
4. Participate in various types of surveys or offers
More current bot farms may also use, among other things:
1. Headless browsers with realistic fingerprints
2. AI-generated mouse movements and general typing patterns
3. Residential proxy networks, which make each bot appear to be a real user located in a particular geographic area
4. Complex behavioral scripts that mimic how human beings typically would make decisions
Device Farms: Device farms are collections of real or virtual smartphones and/or tablets, usually managed remotely by one or more individuals. A farm can contain thousands of devices, which supply the genuine device signals that target systems look for, something no software bot can match perfectly.
Examples of these signals include:
1. Real device identifiers and actual hardware fingerprints
2. Actual app store behavior
3. Push notification interaction
4. Location services and sensor data
Device farms are particularly important for mobile CPA fraud (app installs, in-app actions, mobile ad clicks).
How They Work Together in CPA Fraud
A typical modern CPA fraud operation uses both:
1. The bot farm handles the initial setup and performs low-level interactions (such as clicks or signups).
2. The device farm does the "heavy lifting": actions that genuinely require a mobile signal (such as installing apps, making in-app purchases, or interacting with a banking/fintech app).
3. A central management system coordinates both: it assigns tasks, controls the devices, switches proxies, and captures the earnings.
Combining the bots' front-line role with the legitimate mobile signals from the device farm lets the fraudster scale from hundreds to millions of fraudulent actions each day while avoiding many of the methods used to detect fraud.
Why This Model Works So Well
1. High success rate: Real devices combined with advanced bots get past the vast majority of anti-fraud detection systems currently in existence.
2. Low cost: Fraudsters achieve very high profit margins because they run their bots on low-cost VMs and buy used mobile phones in bulk for their device farms.
3. Quick scaling: A new campaign can be executed within a few hours from start to finish.
4. Difficult to terminate: Bots and devices are located in different countries, and the majority are on home internet connections using residential proxies and "bulletproof" hosting services.
Common Targets
1. Mobile app install campaigns
2. Sign-up bonuses for fintech and crypto
3. Cashback and referral programs for e-commerce
4. Survey and offer walls
5. Ad networks paying for qualified leads
Practical Defense Perspective
To combat this type of behavior, advertisers and platforms should implement the following:
1. Enhanced Device Fingerprinting - Identify devices by more than simple IDs, so that devices used for fraud can be tracked and labeled.
2. Behavioral Analysis - Even when a real device is being used, there should be a way to identify abnormal patterns in behavior.
3. Cross-Device Correlation - Identify when different devices are, or have been, coordinated together at the same time.
4. Limits on High-Value Activities - Detect and strictly limit activities that are considered high value.
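A sketch of points 2 and 3 above, added here as an illustration and not taken from any vendor's product: it flags devices that convert on the same offer within a short window with near-identical click-to-action timing, without relying on the IP address. The event fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample conversions: (time, device_id, ip, offer, seconds from click to action).
# IPs come from documentation ranges; every device arrives from a different address.
EVENTS = [
    ("2026-03-01T10:00:05", "dev-f1", "203.0.113.10",  "install-A", 41),
    ("2026-03-01T10:01:10", "dev-f2", "198.51.100.77", "install-A", 42),
    ("2026-03-01T10:02:00", "dev-u1", "192.0.2.90",    "install-A", 210),
    ("2026-03-01T10:02:30", "dev-f3", "192.0.2.5",     "install-A", 41),
    ("2026-03-01T10:03:15", "dev-f4", "203.0.113.200", "install-A", 43),
    ("2026-03-01T10:04:40", "dev-f5", "198.51.100.3",  "install-A", 42),
    ("2026-03-01T11:30:00", "dev-u2", "198.51.100.20", "install-A", 44),
    ("2026-03-01T10:01:00", "dev-u3", "192.0.2.44",    "signup-B",  38),
    ("2026-03-01T10:03:00", "dev-u4", "203.0.113.9",   "signup-B",  95),
]

WINDOW = timedelta(minutes=10)  # assumed burst window
DELAY_TOL = 3                   # assumed: seconds of timing spread treated as "identical"
MIN_DEVICES = 4                 # assumed: distinct devices needed to call it coordinated

def coordinated_clusters(events, window=WINDOW, tol=DELAY_TOL, min_devices=MIN_DEVICES):
    """Return {offer: [device_id, ...]} for devices converting in lock-step."""
    by_offer = defaultdict(list)
    for ts, dev, _ip, offer, delay in events:  # IP ignored: proxies make it unreliable
        by_offer[offer].append((datetime.fromisoformat(ts), delay, dev))
    flagged = defaultdict(set)
    for offer, rows in by_offer.items():
        rows.sort()  # chronological order
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:  # keep only events inside the window
                lo += 1
            burst = sorted(rows[lo:hi + 1], key=lambda r: r[1])  # order burst by delay
            a = 0
            for b in range(len(burst)):
                while burst[b][1] - burst[a][1] > tol:  # keep delays within the tolerance band
                    a += 1
                devices = {r[2] for r in burst[a:b + 1]}
                if len(devices) >= min_devices:
                    flagged[offer] |= devices
    return {offer: sorted(devs) for offer, devs in flagged.items()}

if __name__ == "__main__":
    for offer, devs in coordinated_clusters(EVENTS).items():
        print(offer, devs)
```

The organic user who converts inside the same window (dev-u1) and the one with a similar delay hours later (dev-u2) are both left out; only the five devices that match on offer, time and timing are grouped.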
For the average user, the greatest risks are a malware infection that adds your device to a farm, or being scammed into believing that the farms used for the fraud are truly authentic.
CPA fraud no longer relies on simple script-based crime. It relies on sophisticated bot farms and real device farms working together. Understanding this infrastructure helps explain why so many “too good to be true” online offers turn out to be fraudulent.