Netflix and HBO shows are getting pirated on this app that's been bankrolled by advertisers such as Pandora, BET+ and TikTok

Warner Bros.
Joaquin Phoenix portrays Arthur Fleck in Warner Bros. "Joker."

Watching a bootleg version of "Joker" — albeit one that was obviously recorded from the back of a movie theater — is as easy as downloading an app from a website, finding the movie and clicking the play button.

There is one catch. Even though the content appears to be pirated, you'll still have to sit through ads.

Among the more popular places to find this sort of unauthorized content is a site called TeaTV. The online service offers a wide swath of pirated movies from major networks such as HBO and streaming services including Netflix as well as current releases from top movie studios. Video ads have shown up from brands including TikTok, streaming service BET+, the Madden Mobile video game, music streaming service Pandora, Pluto TV, Hulu, Yahoo Mail and many more.

Ads also were appearing for major advertisers including Walgreens, Amazon's Fire TV and Kia on the website through Google, The Trade Desk, Adroll and more but had stopped as of early October after CNBC began reaching out to advertisers and ad-tech companies. Most brand advertisers contacted by CNBC did not respond to requests for comment or did not comment on the record. A Walgreens spokesperson said the company wasn't aware of the issue and prohibits ads on sites with pirated content. The company added it was working to understand and resolve the matter.

Megan Graham
The homepage of TeaTV's Android app.

Consumers are given the option of downloading the app to Android, Windows or MacOS, where they can watch "free 1080p movies."

And even though many companies in the advertising space know it's an issue, the ads keep coming, on the app at least. At a recent meeting of major industry players in New York on the subject of ad-supported pirated content, TeaTV was one topic of conversation, according to a person in attendance.

Good luck trying to find who's behind the service. On TeaTV's website, there's no detail about where the company is located, or if it's even a company at all. There's no location or phone number provided, no individual's name included and the only contact information is a Gmail address. (CNBC reached out and didn't get a response.) The company does maintain an active Twitter profile, where it shares new releases and helps troubleshoot problems.

TeaTV isn't alone. Apps and websites providing pirated content proliferate at a pace that experts say make the problem difficult to manage. Those trying to take down the sites find themselves in a game of "whack-a-mole." Meanwhile, the digital content supply chain is so complex that it can be a challenge to keep track of where and why the ads are surfacing.

In the rapidly expanding and hypercompetitive world of content streaming, the industry is getting hammered by fraud. CreativeFuture, an advocacy organization that aims to combat content theft and protect intellectual property, citing a U.S. Chamber of Commerce figure says $29.2 billion is lost in the U.S. economy each year to global online piracy. That's a huge chunk of change considering the total digital ad spending market worldwide is expected to reach $333.3 billion this year, according to eMarketer.

Cesar Fishman, a senior vice president at CreativeFuture, said the scammy sites pull in ads from legitimate brands both to generate revenue and to make their service appear legitimate.

"All you need is a server in some undisclosed location where you store all this stuff, and you mask your IP address so you don't get taken down," said Fishman. "Your overhead is peanuts."

There's plenty of finger-pointing going on. Some in the industry argue that ad-tech players aren't scrupulous enough about where ads can be placed, and others suggest that brands need to more clearly lay out which sites are acceptable and unacceptable for showing their ads. And some say the entire digital advertising ecosystem in its sprawling state makes it nearly impossible to expect safety.

Megan Graham
BET+ ad on TeaTV

Augustine Fou, an independent ad fraud researcher and consultant, said despite the industry's supposed concern about having ads show up next to pirated and other content, the problem has just intensified.

"It is clear that despite industry trade bodies' talk at conferences and brand safety tech that advertisers have paid for for years, the problem of ads supporting piracy, porn, child abuse and hate has only gotten worse," he said. "And more dollars are at stake than ever before because digital ad dollars are at their highest point ever."

Asked why the advertising could still be so pervasive even after the TeaTV issue was brought up at that meeting in New York, Mike Zaneis, CEO of the Trustworthy Accountability Group, or TAG, said the industry is making substantial progress but that piracy is a problem that will never be completely fixed. TAG says it works to eliminate fraud, malware and piracy in advertising but has also been the recent subject of criticism for its strategies to combat issues like this.

"We're not perfect," Zaneis told CNBC. "We're never going to be perfect. We just want to solve as much of the problem as we can."

The supply chain

One tool that's supposed to help make the supply chain more transparent is a file called "ads.txt," which was created by the IAB Tech Lab, a nonprofit research and development consortium. It gives publishers and distributors working in the programmatic ad universe a way to declare who is authorized to sell their inventory.

This tool wasn't built to prevent piracy specifically but to help combat issues such as the sale of counterfeit inventory, where someone pretends to be selling inventory on a site and is actually putting it somewhere else, like a porn site or other scammy location. But it does give some clues about who could be monetizing TeaTV.

Megan Graham
TeaTV's ads.txt as of last month.

TeaTV's "ads.txt" until recently claimed inventory on its site was being sold by a variety of "sellers" and "resellers," listing AT&T's Appnexus, Google and OpenX as well as lesser-known players such as Vidoomy or Beachfront. The file also claimed TeaTV was working with Opt Ad 360, a Polish company that helps publishers manage ads and generate revenue.

An "ads.txt" is not always accurate. Publishers can hypothetically copy the contents or parts of an "ads.txt" file from another site and hope no one notices. Sam Tingleff, the IAB Tech Lab's chief technology officer, said this can help a site appear more legitimate to attract advertising. When contacted by CNBC, many of these companies said that was the case.

But at least some of these companies listed on TeaTV's "ads.txt" played a role in having ads appear on the site, where TeaTV's various apps can be downloaded.

For instance, Adform said the site had "slipped through a very small loophole" and saw a "total of less than 10 euros transacted before we shut it down" after being contacted by CNBC.

Opt Ad 360 said in an email that it stopped its cooperation with TeaTV after a review prompted by a CNBC inquiry and asked to be removed from its "ads.txt" file. Opt Ad 360 appears on a list of sellers for AppNexus as an intermediary. Another seller that TeaTV claimed to be working with recently, Bebi, didn't respond to requests for comment.

As of last month, Google was receiving supply from Opt Ad 360, which was in turn receiving supply from TeaTV, according to an inventory quality manager at an ad-tech platform who asked not to be named because of the company's professional relationships. He said that supply was available to buy, and that if it had been blocked it wouldn't have been showing bid requests.

Google was not running auctions on the site a short time later, according to Ratko Vidakovic, of ad tech consultancy AdProfs, who reviewed the auction activity in September for CNBC.

Megan Graham
An ad for FireTV on TeaTV.

Google wouldn't comment on the specific situation, but a spokeswoman said when the sub-account of a partner is violating its policies, it will take action on that sub-account. The company said its policies prohibit running ads against pirated content.

"We regularly review sites for policy compliance, and have thousands of people dedicated to protecting our ads systems and safeguarding our advertisers' brands," a Google spokeswoman said. "If we find a page or website that violates our policies, we take immediate action."

OpenX said it officially banned TeaTV in September, but prior to that claimed it hadn't made money from the site. AppNexus declined to comment. Vidakovic and the other inventory manager both said they were able to see from a demand-side platform, which lets ad buyers manage their ad exchange accounts, that AppNexus was running auctions for the site as of September, though it wasn't clear how many of those actually ended up with ads being served. As of earlier this month, Vidakovic said AppNexus was no longer running the auctions.

Megan Graham
AdColony showed a variety of ads on TeaTV.

There's a version of "ads.txt" that's specific to apps, but TeaTV didn't appear to have one set up. However, CNBC viewed ads on TeaTV's app that claimed to be coming from mobile ad companies such as Vungle, StartApp, Unity Ads, AdColony, IronSource, Tapjoy and more. Vungle's spokesperson said TeaTV wasn't a customer and was investigating the presence of ads on the app. AdColony acknowledged a "limited number" of its ads were served "via a non-direct supply source" and said it took immediate action to halt exposure after being contacted by CNBC.

Unity Ads, which showed ads for advertisers including Pandora, was contacted by CNBC in September and was still showing ads this week. The company declined to comment on the record.

The other companies didn't respond to requests for comment.

On mobile apps, advertisers can sometimes become plugged into the ecosystem when fraudsters use a legitimate app as a Trojan horse to get inside an app that later becomes criminal, said Rachel Nyswander Thomas, COO of TAG. She said a developer can build an innocuous app and use standard approaches to start to work with advertising companies. Once those relationships are in place, the developer can rebuild the app to contain pirated content, yet the ads remain, she said.

"It's not that these legitimate companies are working with a criminal entity," said Thomas.

What this all means about the ecosystem

With industry initiatives such as "ads.txt," the IAB Tech Lab's hopes are for more transparency and more safety in the programmatic ecosystem. Tingleff said the cooperation of the industry will mean a "safer, more secure environment for advertisers and a better experience for all of us."

But as long as the confusing web of online ad sellers continues to operate, this kind of activity is hard to prevent. Even though the system has antibodies to detect sites like this, Vidakovic said that behavior tends to be reactive instead of proactive. He noted that initiatives such as MediaMath's new "Source" project, which aims to bring transparency to the supply chain, could be the kind of thing that would help.

For now, services such as TeaTV are making money ripping movies like "Joker," because consumers can just download a free app and hit "play" instead of coughing up the $15 to see it in a theater or to stream it legitimately. Dozens of YouTube videos promise to teach people how to watch TeaTV using their Amazon Fire Stick so they can watch on their televisions (the app also lets users cast videos to a connected screen).

And every day, consumers share on Twitter how they've watched shows or movies on TeaTV because they can't — or don't want to — watch legitimately.

Ironically, what might turn them off is all the ads.

"Don't know about anyone else but i'm beginning to want to switch off from TeaTV out of sheer frustration with the amount of ads which are littering this app," one Twitter user shared in early October.

Click to show more