Malicious Traffic Distribution Systems: Our Take on the FBI's New Advisory

2026-06-27

The FBI's Internet Crime Complaint Center (IC3) recently published [PSA I-061826-PSA](https://www.ic3.gov/PSA/2026/PSA260618), warning the public about cyber criminals using malicious Traffic Distribution Systems (TDS) to redirect people to fraudulent and malicious websites. It's a welcome — and overdue — acknowledgement of a threat we watch constantly, so here's our take.

What the advisory describes

At its core, a malicious TDS is a filtering layer. Instead of sending every visitor to the same place, it evaluates who is arriving and decides, on the fly, what to show them. That's the FBI's key point, and it's the one that matters: these systems profile visitors and route them selectively, so the same link can behave completely differently for different people.

Why that matters more than it sounds

That selectivity is exactly what makes this class of threat so durable. An operator can show a harmless, ordinary-looking page to anything that resembles an automated check, while steering real people toward the actual harm. The link looks clean to the tools meant to catch it, and dangerous only to the person who clicks it.

The practical consequence: "we scanned it and it came back clean" is no longer a reliable statement. If a page can tell it's being inspected, a single check from a single vantage point will get the safe version every time — and the people you're trying to protect get the other one.

Our take

We think the FBI is pointing at exactly the right problem, and it lines up with the principle we built our service around: you cannot judge a cloaked page by looking at it once, from one place. The only dependable way to know what a site is truly doing is to view it the way its real visitors would, and then compare those views against each other. When the same link shows one thing to one visitor and something else to another, that difference is the tell — and it's the one thing an operator can't hide, because the entire scheme depends on it.

That comparison-first approach is the whole premise of whack.sh: we look at a site from multiple realistic vantage points at once and surface the discrepancies, so a "clean" result from one angle can't quietly mask a malicious one from another.
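The comparison described above, sketched in Python as an added example; it is not whack.sh's code or a description of how the service works. The vantage labels, hostnames and page bodies are constructed, and the regex for per-request noise (tokens, long ids) is an assumption.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations: one link, fetched from four hypothetical vantage points.
OBSERVATIONS = [
    {"vantage": "datacenter-scanner", "status": 200,
     "final_url": "https://links.example/promo",
     "body": "<title>Garden tips</title><p>token=9f3a1c7e22b04d11</p>"},
    {"vantage": "residential-desktop", "status": 200,
     "final_url": "https://login.example.net/verify?id=48213377",
     "body": "<title>Sign in</title><form action='/collect'></form>"},
    {"vantage": "mobile-carrier", "status": 200,
     "final_url": "https://login.example.net/verify?id=77120945",
     "body": "<title>Sign in</title><form  action='/collect'></form>"},
    {"vantage": "residential-laptop", "status": None, "final_url": None, "body": None},
]

# Assumption: long hex strings and long digit runs are per-request noise, not content.
VOLATILE = re.compile(r"\b(?:[0-9a-f]{12,}|\d{6,})\b", re.I)

def fingerprint(obs):
    """Reduce one view to (landing host, path, status, hash of normalized body)."""
    parts = urlsplit(obs["final_url"])
    body = VOLATILE.sub("", obs["body"])              # drop tokens and ids
    body = re.sub(r"\s+", " ", body).strip().lower()  # ignore whitespace and case
    digest = hashlib.sha256(body.encode()).hexdigest()[:16]
    return (parts.hostname, parts.path, obs["status"], digest)

def compare_views(observations):
    """Group vantage points by what they were shown; more than one group is the tell."""
    groups, failed = defaultdict(list), []
    for obs in observations:
        if obs["final_url"] is None or obs["body"] is None:
            failed.append(obs["vantage"])             # a failed fetch is not a view
            continue
        groups[fingerprint(obs)].append(obs["vantage"])
    seen = sum(len(v) for v in groups.values())
    return {
        "divergent": len(groups) > 1,
        "cross_host": len({fp[0] for fp in groups}) > 1,  # different landing hosts
        "conclusive": seen >= 2,                      # one view alone proves nothing
        "groups": dict(groups),
        "failed": failed,
    }

if __name__ == "__main__":
    print(compare_views(OBSERVATIONS))
```

A divergent result is a triage signal rather than a verdict, since legitimate sites also vary content by region or device; a different landing host for different visitors is the stronger indicator.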

An advisory like this is a floor, not a ceiling. The technique is mature, profitable, and not going away on its own. The first — and hardest — step in dealing with it is simply being able to see it, and that's the gap we're focused on closing.