Pixalate’s Ad Fraud and Compliance team says there’s a potential exploit in Apple’s iCloud Private Relay Addresses

Over the last few months, Pixalate’s AFAC (Ad Fraud and Compliance) research team has investigated invalid traffic (“IVT,” or ad fraud) in connection with iCloud Private Relay IP Addresses. Pixalate, in conjunction with Basis Technologies, says it’s uncovered a widespread potential exploit – dubbed “iP64” – that Pixalate estimates may cost advertisers over US$65 million in 2022 in the U.S. alone.

According to Apple, normally when you browse the web, information contained in your web traffic, such as your DNS records and IP address, can be seen by your network provider and the websites you visit. This information could be used to determine your identity and build a profile of your location and browsing history over time. iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you’re visiting.

The AFAC findings, presented here, purportedly show ad fraudsters appear to be exploiting an unquestioning trust of Apple’s iCloud Private Relay IP Addresses – aided by the opacity of the ad tech supply chain. Pixalate is calling this ad fraud scheme iP64 because of the way in which apparent fraudsters seem to be inserting iCloud Private Relay IPv6 and IPv4 addresses into ad requests to masquerade the true source of the traffic. 

Pixalate first reported on this phenomenon in August 2022, noting that 90% of purported iCloud Private Relay (iCPR) traffic may actually be invalid — i.e., traffic that is only pretending to be protected by iCPR.