A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight


CPABuild’s website, which lists its legal registry in Nevada, describes the company as a “content-locking network first and foremost.” The company, which has existed since 2016, hosts tasks from its customers, such as giving people the chance to win money by submitting their email and postal code details. Then users of CPABuild, often known as affiliates, try to get people to complete these offers. They often do so by spamming links in YouTube comments or creating the kind of pop-up “locker” pages that appear towards the end of the poison PDF click chain. This results-based process is known as cost per action (CPA) by advertisers and marketers.

WIRED contacted multiple email addresses listed on CPABuild’s website, as well as sending questions via a contact form, but we did not receive any response. The company website does not name any individuals who are behind CPABuild and is sparse on overall details. The website claims it has “daily” fraud checks in place to catch bad actors abusing its platform, and its terms of service prohibit those using it from being involved in fraud and from sharing multiple kinds of content.

The website claims it has paid out more than $40 million to publishers and has thousands of templates and landing pages. Within CPABuild, there are various tiers of users. The website’s affiliate structure is displayed in an image on its homepage. Members can be categorized as managers, devils, demons, wizards, masters, and knights. In one video uploaded by a CPABuild member on August 11, an admin account can be seen sharing a message with users that indicates the company has taken steps to prevent the platform from being used for fraud. “We are still getting reports that CPABuild publishers are promoting offers in ways that violate our terms of service,” a message seen on the screen reads. Edwards’ research shows, however, that whatever efforts CPABuild has taken have failed to prevent its users from engaging in rampant fraud.

“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent cybersecurity and ad fraud investigator, who reviewed a summary of Edwards’ findings. “Specialists like the ones identified in the research carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Customers come to them for that speciality.”

Scores of websites are currently impacted by the PDFs. This week, the New York State Department of Financial Services removed the uploaded PDFs after being contacted by WIRED. Ciara Marangas, a spokesperson for the department, says the issue was first identified in 2022, and following a review and additional steps, the files were removed.

In 2022, Edwards says, he alerted the US Cybersecurity and Infrastructure Security Agency (CISA) to more than 50 compromised websites, which included the Oak Ridge National Laboratory and the Lawrence Berkeley National Laboratory. A spokesperson for Oak Ridge said it “immediately” responded to CISA’s alert, “deleted the suspicious content, and resolved the issue.” No data belonging to the laboratory was impacted, they say. Meanwhile, a spokesperson for Lawrence Berkeley National Laboratory said it cannot comment on the individual case but “no vulnerability has resulted in the compromise of systems for visitors” to its website. CISA's .gov registry manager, Cameron Dixon, says when it is made aware of vulnerabilities in government websites, it notifies them and offers assistance. “In any given day, you could have a list this big of new victims,” Edwards says. (In 2020, Italy’s Computer Security Incident Response Team, CSIRT, issued an alert about compromised domains Edwards had found.)
