Ok, so this is the story I *really* wanted to share with you since this thread started.
I didn't until this point (and no one else knows about it until now, except for 5-6 people that worked with me at that company) because it's a rare combination of something I'm ashamed of but also very proud of.
It's a really bad play, but they had it coming, and it was really successful. So here we go...
A long long time ago, back when I was young, handsome, creative and a huge prick, I worked at a company that had a competitor that didn't like losing and didn't like to play by the rules.
In other words, they sabotaged us constantly and kept falsely reporting us to the regulators (costing us millions in fighting these claims and getting fines), so I decided to get even.
Back then, remarketing tags were really important because they were also used for creating "similar audiences", which were Google's equivalent to FB's lookalike, and used by most advertisers instead of the crappy display targeting Google used to have back then (mostly contextual).
Most often than not, a user gets into a remarketing list upon meeting 2 conditions:
1. Visiting a page with the remarketing code
2. Meeting a criteria set by the ad account manager (usually 'url contains')
So my plan was to kill their main remarketing list, which in most cases, users get to upon visiting any page on an advertiser's domain (url contains:domain.com) as well as any other remarketing list triggered by visiting key pages on their site.
You can kill a remarketing list by adding tons of crappy users to it, but you can also make Google remove it, if you add users in conditions that break Google's remarketing privacy policies, such as medical conditions.
I didn't just want to mess with this competitor, I wanted him to lose his data and delete their remarketing lists. We ended up doing a lot more than this, by the way.
You might think that this is a small hit for a big company, but in such a "lucrative" industry, your first direct response campaigns are just the beginning, and you must keep moving users through your funnel with remarketing (those who visited an LP keep getting back to it, those who left their details get to the next stage through remarketing and it keeps going until they deposit, and then it becomes crucial to keep them engaged with your system so they deposit more and more).
Anyway, I knew they were using URL contains triggers, so I bought a domain that would allow me to rebuild their entire funnel and trash every single one of their lists, as well as their Google Ads (back then it was still AdWords) conversion data.
Their domain was, for example, competitor.com. So, I bought a domain named that contained it (abcdefghijkcomprtitor.com) and mapped their entire funnel , deposit pages, and thank you pages.
So let's say these are the key pages they had, and the corresponding list I assumed they added users to:
1. URL contains: competitor.com - all users
2. URL contains: competitor.com/lp/ LP Visitors
3. URL contains: competitor.com/thankyou - Leads
4. URL contains: competitor.com/add-funds - Deposit page
5. URL contains: competitor.com/typ-deposit - a thankyou page for completing a deposit.
So the plan was to recreate their url structure on a site that we controlled that contained content that would force Google to delete the competitors' remarketing lists. Bonus points if we could mess with their conversion data as well.
Now, bear in mind that conversions worked a bit differently back then. We had a different code snippet for each conversion and there were no triggers, only pages that contained the conversion code triggered the conversion event.
Another requirement for a conversion to "fire" was to have a click from the same ad account.
We started by recreating their site on a domain that looks like this, so all their triggers would also apply to our domain to make sure our users get into their remarketing lists:
abcdefghijkcompetitor.com
So, by using this domain and their url structure and remarketing and conversion codes we could easily inject users to their lists, but we couldn't yet mess with their conversion data.
So we started a popup campaign in their target geo, adding hundreds of thousands of users (over a few months) to their remarketing lists, making them practically useless. At this point our site was still using content that allowed them to be used for remarketing, scraped content from a BHW seller.
The page we promoted was supposed to hit as many lists as possible:
abcdefghijkcompetitor.com/?utm_source=competitor.com/lp/competitor.com/thankyou/competitor.com/typ-deposit/competitor.com/add-funds/
So now we added users to all of their remarketing lists, but we weren't sure on which remarketing campaigns these users would see because they could have (and probably did) exclude 'leads' from their 'all visitors' lists and so on.. so they can make sure to only target the users they want in each list, so we switched the initial setup and sent users separately to these pages:
abcdefghijkcompetitor.com
abcdefghijkcompetitor.com/lp
abcdefghijkcompetitor.com/add-funds
To ruin their conversion data, I needed to wait until they started targeting them on their campaigns, as it was a requirement to fire a conversion event.
A couple of months later, we started sending traffic separately to these pages as well:
abcdefghijkcompetitor.com/thankyou
abcdefghijkcompetitor.com/typ-deposit
But we also added each page the conversion code that fits, meaning they should have started getting fake conversions reported into their Google Ads account, because the majority of the users were also seeing their real remarketing campaigns (fulfilling the click from the same ad account requirement)
After a few weeks of doing that we reached the final stage: killing their remarketing lists.
We replaced all the content on our fake site to sensitive medical information like ED, STDs and such, so Google will have to delete their lists.
NO more than a week later we saw that they completely shut their display campaign (most likely lost the remarketing list and the similar audience lists), so we shut ours as well, deleted everything from that domain and carried on with our lives.
Again, I'm not very proud of it but I also am.. I shared it mostly so you can make sure your accounts are not set up in a way that is vulnerable to the same type of attack, even though this specific one won't work these days. There are still ways to sabotaging competitors by exploiting the common ways marketers set up their accounts, so whenever to set stuff up, try to make it as hard as possible to mess wit you.
.
Bronze Star
