The $8,000 Hallucination: Deconstructing a Google Ads Bot Attack

Simul Sarker

CEO of DataCops

Last Updated

December 6, 2025

My dashboard showed a Customer Acquisition Cost (CAC) of $42. My bank account showed a CAC of Infinity.

The Spend: $8,150. The Reported Revenue: $24,000. The Actual Revenue: $0.

Here is the technical autopsy of how Google's "AI" fell in love with a script, spent my money buying it dinner, and thanked me for the privilege.

Phase 1: The Anomaly (The "Too Good to Be True" Signal)

It started on a Tuesday. My PMax (Performance Max) campaign suddenly found a vein of gold. We went from 15 conversions a day to 60. The ROAS (Return on Ad Spend) climbed to 4.5x.

I didn't celebrate. I panicked. In data science, when a metric improves by 300% overnight without a change in strategy, you haven't found a breakthrough; you've found a bug.

I checked Stripe. Silence. I checked the Google Ads "Conversions" column. Party time.

There was a delta of 450 "purchases" that existed purely as pixels firing in a browser, with zero transaction IDs hitting the payment gateway.

Phase 2: The Forensic Audit (Logs & Recordings)

I bypassed Google Analytics—it samples data and smooths over edges. I went straight to the raw Nginx access logs and cross-referenced them with Microsoft Clarity recordings.

The "User" Behavior: I watched 50 sessions. They were terrifyingly efficient.

The Viewport: 30% of the traffic had a viewport resolution of 800x600. No modern human browses the web in 800x600. That is the default resolution of a headless Linux server.

The Interaction: Humans scroll, pause, read, and hover. These visitors "teleported." They arrived, and 200ms later, the "Add to Cart" event fired. They didn't scroll to the button; they injected the click event directly into the DOM.

The Checkout: They filled out the address forms using autofill events, but here was the smoking gun: They were pasting the Zip Code into the City field. A human corrects this. The bot just hit "Submit" repeatedly, triggering the error message, then eventually brute-forced the pixel fire by hitting the URL endpoint for the "Thank You" page directly, bypassing the payment gate entirely.

The Network Signature: I ran a whois on the top 20 converting IP addresses. They weren't residential IPs (Comcast, Verizon, AT&T). They were:

M247 Ltd (VPN/Proxy provider)
DigitalOcean, LLC (Cloud hosting)
Choopa, LLC (Vultr hosting)

Google's Smart Bidding was aggressively bidding on traffic coming from a server farm in New Jersey to sell them women's apparel.
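Two of the log-level checks described above (a HeadlessChrome user agent, and a "Thank You" page hit with no successful payment request before it) can be run over Nginx access logs as follows. This is an added example, not the author's script; the `/thank-you` and `/checkout/pay` paths and the sample log lines are constructed assumptions, and the log is assumed to be in time order.

```python
import re
from collections import defaultdict

# Nginx "combined" access log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
THANK_YOU = "/thank-you"    # assumed confirmation-page path
PAYMENT = "/checkout/pay"   # assumed payment-submission path

def audit(log_text):
    """Return {ip: [reasons]} for clients whose confirmation-page hit looks fake."""
    paid = set()                      # (ip, ua) pairs with a successful payment POST
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # skip lines that are not in combined format
        client = (m["ip"], m["ua"])
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == PAYMENT and m["status"].startswith("2"):
            paid.add(client)
        elif path == THANK_YOU:
            if client not in paid:
                findings[m["ip"]].add("thank_you_without_payment")
            if "HeadlessChrome" in m["ua"]:
                findings[m["ip"]].add("headless_user_agent")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

# Constructed sample log (documentation IP ranges), not data from the incident.
BOT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
          "HeadlessChrome/98.0.4758.0 Safari/537.36")
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
T = "[02/Dec/2025:10:00:0{} +0000]"
SAMPLE = "\n".join([
    f'203.0.113.7 - - {T.format(0)} "GET /product/42?gclid=x HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'203.0.113.7 - - {T.format(1)} "GET /thank-you HTTP/1.1" 200 900 "-" "{BOT_UA}"',
    f'198.51.100.23 - - {T.format(2)} "GET /product/42?gclid=y HTTP/1.1" 200 512 "-" "{HUMAN_UA}"',
    f'198.51.100.23 - - {T.format(3)} "POST /checkout/pay HTTP/1.1" 200 64 "-" "{HUMAN_UA}"',
    f'198.51.100.23 - - {T.format(4)} "GET /thank-you HTTP/1.1" 200 900 "-" "{HUMAN_UA}"',
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The user-agent check only catches clients that do not bother to hide it; the missing-payment check is the stronger signal because it depends on server-side state the client cannot fake.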

Phase 3: The Feedback Loop (Why Smart Bidding Failed)

This is the technical tragedy. Smart Bidding is a machine learning model. It craves positive reinforcement.

The Probe: A bot farm (likely checking for ad fraud or scraping pricing) clicked an ad.

The False Positive: The bot triggered the conversion_purchase pixel (client-side).

The Reward: Google Ads saw this "conversion" and thought, "Excellent. This user profile (Linux OS, Data Center IP, Headless Chrome) converts at 100%. Let's find more of them."

The Spiral: The algorithm shifted my budget away from expensive, messy humans (who browse and abandon carts) and poured it into the "high-efficiency" bot traffic.

The algorithm wasn't broken. It was doing exactly what it was told to do: maximize the number of times that pixel fired for the lowest cost.

Phase 4: The Support Transcript (The Gaslighting)

I opened a ticket. I didn't ask for a refund; I asked for an explanation.

Me: "I have server logs showing 90% of my conversions are coming from Data Center IPs using Headless Chrome. Why is PMax optimizing for this?"

Google Support (Rep ID: [Redacted]): "I have reviewed your account. The system is working as intended. Smart Bidding takes time to learn. We recommend waiting 14 days for the learning phase to complete."

Me: "If I wait 14 days, I will lose another $4,000. These are not humans. Look at the User Agents. Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/98.0.4758.0 Safari/537.36. That is a server."

Google Support: "We filter invalid traffic automatically. If the clicks were charged, our system deemed them valid. Perhaps users are using VPNs for privacy. Have you checked your attribution window?"

They refused to acknowledge the difference between a "valid click" (a real interaction) and a "valid conversion" (a real purchase).

Phase 5: The Fix (The "Air Gap")

I realized I couldn't stop the bots from clicking. But I could stop Google from enjoying it. I had to starve the algorithm.

  1. Kill Client-Side Tracking: I deleted the Google Ads conversion tag from the website header. If a bot loads the "Thank You" page, Google sees nothing. Darkness.

  2. Implement Offline Conversion Import (OCI): I wrote a script connecting my Stripe webhook to the Google Ads API.

Logic: User buys -> Stripe charges card -> Success 200 OK -> Wait 6 hours (to allow for immediate fraud reversals) -> Send GCLID + Value to Google Ads.

  3. The Result: For 48 hours, my Google Ads account showed 0 conversions. The algorithm panicked. It had lost its easy dopamine hit from the bots. Then, slowly, real sales started trickling in via the API. Because bots never clear a Stripe charge, the feedback loop was severed. Smart Bidding was forced to go back to hunting humans, because only humans have valid credit cards.
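The hold step from the Logic line above, as an added example that is not the author's script: it verifies the Stripe webhook signature, holds each ad-attributed charge for 6 hours, and drops it if a refund or dispute arrives first. Storing the GCLID in charge `metadata["gclid"]` and the `ConversionHold` class are assumptions; the Google Ads upload itself is left to the caller.

```python
import hashlib
import hmac
import time

HOLD_SECONDS = 6 * 3600  # the 6-hour wait described above

def verify_stripe_signature(payload, header, secret, now=None, tolerance=300):
    """Validate a Stripe-Signature header: v1 = HMAC-SHA256(secret, "<t>.<payload>")."""
    fields = [p.split("=", 1) for p in header.split(",") if "=" in p]
    stamp = next((v for k, v in fields if k == "t"), "")
    if not stamp.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(stamp)) > tolerance:  # stale timestamp: treat as a replay
        return False
    expected = hmac.new(secret.encode(), stamp.encode() + b"." + payload,
                        hashlib.sha256).hexdigest().encode()
    return any(hmac.compare_digest(expected, v.encode()) for k, v in fields if k == "v1")

class ConversionHold:
    """Holds paid, ad-attributed charges for HOLD_SECONDS before release."""

    def __init__(self):
        self.pending = {}  # charge id -> (release_at, gclid, value)

    def on_event(self, event, now):
        obj = event["data"]["object"]
        if event["type"] == "charge.succeeded":
            # Assumption: checkout stored the click ID in charge metadata["gclid"].
            gclid = obj.get("metadata", {}).get("gclid")
            if gclid:
                # Stripe amounts are in the smallest unit; /100 assumes a 2-decimal currency.
                self.pending[obj["id"]] = (now + HOLD_SECONDS, gclid, obj["amount"] / 100)
        elif event["type"] == "charge.refunded":
            self.pending.pop(obj["id"], None)
        elif event["type"] == "charge.dispute.created":
            self.pending.pop(obj["charge"], None)  # dispute object references its charge

    def release(self, now):
        """Return [(gclid, value)] whose hold has expired; the caller uploads them."""
        ready = [cid for cid, (at, _, _) in self.pending.items() if at <= now]
        return [self.pending.pop(cid)[1:] for cid in ready]
```

Only events that pass `verify_stripe_signature` should reach `on_event`; otherwise anyone who finds the webhook URL can post a fake `charge.succeeded` and reopen the same feedback loop.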

The Aftermath: My CPA went up to $65 (reality hurts). My conversion volume dropped by 80%. But my bank account finally matched my dashboard.

The Lesson: Never trust a metric you can't deposit.
