Skip to content

IVT Taxonomy

Pinokio classifies every invalid transaction according to the Media Rating Council (MRC) definition of Invalid Traffic (IVT). At the top level, IVT is split into two classes: General Invalid Traffic (GIVT) and Sophisticated Invalid Traffic (SIVT).

In reports and on the Dashboard, SIVT is further broken down into four subcategories, giving you five possible IVT buckets:

  • GIVT
  • SIVT
    • Spoofed Identity
    • Automated Browsing
    • Tunneled Traffic
    • Virtual Environment

Every invalid transaction lands in exactly one of those five buckets. Below is what each includes and why it matters.

GIVT is invalid traffic that can be identified with routine detection — filters, well-known exclusion lists, and simple pattern checks. It’s usually not malicious, but it’s still traffic that shouldn’t have been bid on.

Pinokio’s GIVT bucket includes:

  • Known crawlers and bots — user agents that match the IAB/ABC International Spiders and Bots List, TAG-declared crawlers, AI agents that self-identify, and other automated tooling that announces itself in the request.
  • Known data-center traffic — IPs on industry-recognized data-center ranges (TAG Data Center IP List and equivalent), with no signal that the request is a real user routed through a VPN or proxy.
  • Blank or malformed user agents — requests with missing UAs, truncated UAs, or UAs that don’t parse cleanly.
  • Invalid transaction parameters — bid requests with missing, misconfigured, or malformed OpenRTB fields.
  • Invalid placements — impressions rendered inside a 0×0 iframe or other placement that a human user cannot see.
  • Irregular patterns — mechanical repetition of impressions or clicks, non-disclosed auto-refresh, duplicate transactions inside a tight window.

Because GIVT is cheap and reliable to detect, most bid workflows drop it outright.

SIVT is invalid traffic that looks legitimate on the surface. It requires more than a filter list to catch — cross-signal analysis, behavioral models, device fingerprinting, and correlation across sessions. Pinokio splits SIVT into four subcategories in reports.

Traffic where the identifying information reported to the exchange does not match what actually rendered the ad. The bid request says one thing; the impression says another.

Includes:

  • App spoofing — the app bundle ID in the request does not match the app detected at render.
  • Domain spoofing — the domain in the request does not match the domain where the tag actually loaded.
  • Parameter mismatch — declared device, OS, geo, or media type does not match the detected values (e.g. request declares iOS, impression detected on Windows).
  • Environment mismatch — OpenRTB parameters advertise one environment (CTV, in-app, DOOH) while signals show another.
  • Device/model impersonation — device model claims a real handset but the fingerprint doesn’t match the OS or hardware profile of that device.
  • Spoofed measurements — request properties were altered to hide evidence of automation.

Spoofed Identity almost always concentrates at specific supply paths — the same source or seller ID repeatedly produces mismatched impressions. It’s high-value to catch because those impressions were bought under false pretenses.

Programs and scripts that request web content — including ads — without user involvement and without identifying themselves as bots. Everything a GIVT crawler would do, but hidden.

Includes:

  • Botnets — coordinated networks of infected devices generating impressions and clicks under real residential IPs.
  • General automated browsing — scripts that browse and load ads without belonging to a known botnet, using undisclosed automation.
  • Click farms — human-in-the-loop farms driving impression and click patterns.
  • Impression and click generation — statistically inflated impression or click rates from the same browser, cookie, or device.
  • Session hijacking — statistically inflated session counts on a single device or browser, indicating one user identity is being reused mechanically.
  • Cookie or device-ID stuffing — a single cookie or device ID appearing across an unnatural spread of IPs, apps, or locations.

The common theme: no real human intent behind the impression.

Traffic routed through intermediary infrastructure that hides the true origin. The user (or bot) is real but the network path is deliberately obscured.

Includes:

  • Data-center proxies — proxy services running inside data centers that pass traffic through to manipulate counts or launder invalid traffic. Distinct from clean data-center GIVT because these proxies are actively used to hide fraud.
  • Residential proxy networks — traffic routed through residential IPs sold as a service, often used to make fraudulent traffic look like real users.
  • VPN and anonymizer chains — high-risk VPN exits used to bypass geo, targeting, or reputation rules.
  • High-risk IPs and ranges — IPs on Pinokio’s high-risk lists that have historically laundered invalid traffic.
  • Supply-chain laundering — traffic routed through supply chain (schain) nodes flagged as high-risk, hiding the real origin of the impression.

Tunneled traffic is dangerous because the actual bid signals (IP reputation, geo) look plausible until you correlate them against traffic patterns.

Traffic originating from environments that are not real end-user devices. Emulators, simulators, and automation frameworks pretending to be phones, tablets, TVs, or browsers.

Includes:

  • Emulators masquerading as real devices — Android emulators, iOS simulators, and desktop VMs that report themselves as real handsets or CTV devices.
  • Impossible device/OS combinations — hardware profiles that can’t physically exist (e.g. a model that never shipped with the reported OS version).
  • Headless browsers — Chromium, Firefox, and WebKit in headless mode used to render ads without a real display.
  • Automation frameworks — Selenium, Puppeteer, Playwright, WebDriver, and other test-automation tools driving a browser at scale.
  • Cloud device farms — hosted phone/tablet emulator services generating impressions.
  • Defased apps — apps that were removed from their official store but continue to send impressions.

Virtual Environment traffic is technically “real” in the sense that a browser loaded the ad — but no human ever saw it.

Every transaction Pinokio flags carries a specific reason beneath the top-level category. The Analytics dashboard and standard Reporting API return the five categories above. Detailed IVT reasons — the specific signal or subcategory that triggered the flag (e.g. “app spoofing – bundle ID mismatch” or “automated browsing – headless Chrome fingerprint”) — are available as an additional report.