AdTraces monitors the advertising supply chains of Hungarian news websites for signs of foreign interference. Every day, it scans public files that declare which advertising companies are allowed to place ads on each site. When a Russian or otherwise high-risk ad platform is found with direct access, it flags that as a potential vector for manipulation.
How online advertising works
What is ads.txt?
Every website that shows online ads must publish a small text file called ads.txt (Authorized Digital Sellers). It lists every advertising company that is allowed to sell ad space on that site. Anyone can read it. Just type lemonde.fr/ads.txt into a browser.
Each line in the file contains four pieces of information:
google.com, pub-1234567890, DIRECT, f08c47fec0942fa0
What is sellers.json?
The other half of the verification chain. Each ad network must publish its own sellers.json file confirming which websites it actually works with. When a site's ads.txt says "we work with Network X, account 12345" but Network X's sellers.json has no record of that account, something is wrong. The entry may be fake, expired, or deliberately obscured.
Together, ads.txt and sellers.json create a public, verifiable chain of custody for online advertising. When the chain breaks, it means someone's identity cannot be confirmed.
What is the IAB TCF vendor registry?
The Interactive Advertising Bureau (IAB) maintains a Transparency and Consent Framework (TCF) that ad technology companies can register with. Registration means the company has agreed to a set of standards around data handling, user consent, and transparency. The registry is public and contains over 1,100 vendors.
This dashboard cross-references every ad domain found in ads.txt files against the IAB TCF registry. Matching is done by comparing the ads.txt domain against vendor privacy policy URLs and a set of known aliases (for example, appnexus.com is matched to Xandr, rubiconproject.com to Magnite). A TCF badge means a match was found. A no TCF badge means no match could be identified.
Important: "no match" does not always mean the vendor is unregistered. Some vendors may be registered under a different company name or domain that the matching did not identify. However, for the Russian state-linked platforms (Yandex, VK Group, Sberbank and all their sub-domains), the absence from the registry has been manually verified.
Why this matters
The election context
Hungary holds parliamentary elections in April 2026. Programmatic advertising is a pipeline: whoever is authorised in a site's ads.txt can place content in front of that site's readers. If a Russian state-linked ad platform has "direct" access to Hungarian news sites, it has a delivery mechanism for targeted messaging, potentially including information manipulation, to Hungarian voters.
This monitor scans the ads.txt files of Hungarian news sites daily to detect when high-risk actors gain or lose access to Hungarian audiences.
Who are the key players?
What is KESMA?
The Central European Press and Media Foundation (KESMA) is a conglomerate aligned with Hungary's governing Fidesz party. In November 2018, owners of 476 media outlets donated them to KESMA in a single coordinated action. These outlets, including national newspapers, regional county papers and online portals, share centralised infrastructure managed by Mediaworks, KESMA's publishing arm.
Our data shows that origo.hu, magyarnemzet.hu, ripost.hu and associated KESMA outlets share an identical programmatic advertising file. This means that when KESMA's advertising team authorises an ad network, including high-risk ones, that decision applies across all sites sharing the file simultaneously. A single authorisation can give a foreign actor access to multiple major news outlets at once.
High-risk ad platforms
These are Russian state-linked or state-influenced entities. All are subject to varying degrees of Kremlin influence. None except myTarget are registered with the IAB TCF.
Russia's largest technology company. Government holds a "golden share" and VTB (state bank) holds a stake. Adfox is Yandex's ad server, acquired in 2014.
Russian social media and advertising conglomerate. State-influenced via Gazprom-linked Sogaz ownership. Operates VKontakte, Odnoklassniki, Mail.ru, myTarget (now VK Ads), and Dzen (formerly Yandex.Zen, transferred to VK post-2022).
Advertising platform of Sberbank, Russia's largest bank. Majority state-owned, EU and US sanctioned.
Medium-risk ad platforms
Low-transparency ad intermediaries, often Eastern European, with limited public information about ownership. Not confirmed threats, but their presence is notable.
Each row is a news website. The columns show how many problems were found, grouped by how serious they are. The coloured tag shows who owns the site. Click any row to jump to that site's findings.
How to read the severity levels: Confirmed critical means multiple danger signs on a single entry, requiring urgent review. Critical means a known high-risk actor (like Yandex) has direct access. High means something looks wrong but needs investigation. Medium is a lesser anomaly, still of interest.
This diagram shows which news sites share the same advertising partners. Sites that share many ad entries are grouped into communities, shown as coloured clusters. The main red cluster is the group with the most Russian state-linked ad entries (Yandex, VK Group, Sberbank). Every site inside it shares the same compromised supply chain. Other clusters that also contain some high-risk entries have a dashed red outline but keep their own colour. Individual high-risk nodes (Yandex, VK Group, Sberbank) always appear as red dots, making them easy to spot in any cluster. Click any node to see its connections.
A "shell cluster" is when the same seller account number appears under multiple different company names. This is a strong sign that seemingly separate ad companies are actually the same entity operating under different names. Cards with a red border contain a known high-risk domain.
| Severity | Site | Type of problem | Ad entry | What was found | When |
|---|
This view tracks how the ad supply chains change from one daily scan to the next. New entries mean a site has authorised a new ad partner; removed entries mean an authorisation was withdrawn. Sudden changes, especially new high-risk entries appearing close to election day, are the most important signals this monitor can produce.
How to use this dashboard
For a quick assessment
Look at the top of the page. The risk indicator and the confirmed critical count tell you whether something urgent has been found. The headline states the key finding in plain language.
To see which sites are affected
The "Which sites are affected?" tab shows a table of every monitored site, with columns for each severity level. The number in each cell is a count of problems found. Rows are sorted by owner group so you can see the KESMA block, the Indamedia block, and the independent sites separately. Click any row to jump to that site's detailed findings.
To understand the connections
"How are they connected?" shows a network diagram of which sites share the same advertising partners. Sites that share many ad entries are grouped into coloured clusters. The main red cluster contains the Russian and high-risk ad entries. Use the "Only show Russian / high-risk entries" toggle to focus on the most important connections. You can scroll to zoom and drag to pan. Clicking any node highlights its direct connections.
To browse all findings
The "Full list of findings" tab shows every individual problem found during the scan. Use the severity buttons at the top to show or hide different levels. You can filter by site, political alignment, owner group, or search for a specific ad network. Click any row to expand the full detail, including whether the ad domain is registered with the IAB TCF. The "Russian / high-risk only" toggle is a quick way to see just the most concerning entries. You can export your filtered results as a spreadsheet.
To track changes over time
"Changes over time" shows what happened between daily scans. The most important signals are new high-risk entries appearing close to election day. Removed entries can also be significant: they may indicate that someone noticed the monitoring and cleaned up. Each scan date is expandable to show exactly which entries were added or removed.
Understanding the signals
The scanner checks for several types of problems. Each finding has a severity level and a category. Here is what each one means.
What it means: A single ads.txt entry triggered two or more serious danger signs simultaneously. For example, a Russian ad platform that also has no verification record. These overlapping signals are not explainable by normal ad industry practices.
What it means: The site has authorised a known high-risk ad platform (Yandex, VK Group, or Sberbank), typically with a "direct" relationship, meaning no middleman. This includes all domains in their ecosystems: yandex.com, adfox.ru, vk.com, mail.ru, ok.ru, dzen.ru, mytarget.ru, my.com, sber.ru.
Why it matters: This actor can serve ads directly to the site's readers. It is the primary FIMI signal.
What it means: A high-risk domain has access across multiple political blocs, not just government-aligned sites but also independent or neutral ones. This widens the potential audience for manipulation.
What it means: A site's ads.txt claims to work with a particular ad network and account, but the ad network's own records (sellers.json) do not list that account. The relationship is unverifiable. It could be a ghost entry, an expired account, or a spoofed identity.
Why it matters: This is the most common "high" finding. A broken verification chain means nobody can confirm who is actually serving ads through that slot.
What it means: A "direct" ad partner, one with a first-hand relationship to the site, has no IAB certification tag. The tag is an industry-standard way to verify an ad partner's identity. Without it, the partner's identity is unverifiable.
What it means: The same seller account number appears under three or more different company names. This is a strong indicator that seemingly separate ad companies are actually the same entity operating under different names, a "shell company" pattern.
What it means: The exact same (ad network, account number) pair appears on three or more different websites. This indicates centralised ads.txt management, meaning one person or organisation is controlling which ad networks have access to all those sites at once.
Why it matters: For KESMA sites this is expected (they share infrastructure) but operationally significant. When a shared entry involves a high-risk domain, the blast radius is the entire media group.
What it means: This ad partner was not present in the previous scan. Someone added it between scans. New entries that involve high-risk domains close to election day are the single most important signal this monitor can produce.
What it means: The site has authorised an ad network with limited transparency, typically small Eastern European intermediaries with minimal public information about their ownership or operations. Not a confirmed threat, but their presence is concerning.
What it means: The ad network confirms the account exists in its sellers.json, but has marked the seller's identity as "confidential". The relationship is real, but who is behind it is deliberately hidden.
What it means: A single site has multiple "direct" accounts with the same ad network. Legitimate publishers usually have one. Multiple accounts can indicate multiple entities sharing a single site, or administrative disorder that makes the supply chain harder to audit.
Note: this check is suppressed for news aggregators and regional papers, where multiple accounts are normal.