← back to blog

Cookie warming strategies that survive Facebook's 2026 review queue

Cookie warming strategies that survive Facebook’s 2026 review queue

The review queue is the wall every media buyer eventually runs into. you build a clean profile, fund an account, queue up a campaign, and then spend three days watching “In Review” spin. or worse, the ads go live for six hours, spend $40, and then the account gets disabled with a vague policy violation notice that meta’s support team can’t clarify. i’ve had this happen dozens of times. the accounts that survive are the ones where the cookie environment looked right before the first dollar was ever spent.

Cookie warming is not a magic fix and it is not a new concept. but what constitutes “looking right” has shifted materially since late 2024. meta’s behavioral signals team has been building toward a version of review scoring that weighs pre-ad-creation browser history, not just account age and payment method. the specific checkpoint i keep running into now is what operators shorthand as the “Q2 2026 review queue,” which refers to the stricter automated holds that rolled out around March 2026 across ad manager accounts under 90 days old. the failure modes are different from 2024 and the counter-strategies are different too.

This deep-dive is for people who already run antidetect setups, already know what a browser profile is, and want to understand what warming actually signals at the session level, why certain approaches fail now, and how to build a warming process that holds up. i’m writing this from Singapore, where i manage a mix of affiliate and direct-to-offer accounts across several verticals. the observations here are from production, not theory.

background and prior art

The concept of “cookie warming” originates in email deliverability, where senders use graduated volume increases to establish sender reputation before hitting full list volume. the browser equivalent emerged around 2018-2019 as Facebook’s automated systems became sophisticated enough to score not just account-level signals (phone, payment, age) but session-level signals. the question the classifier was asking changed from “is this account real?” to “does this browser environment look like it belongs to a real person?”

Early warming workflows were manual: you’d log into a fresh profile, scroll the feed, click some ads, visit a few websites, and call it a day. by 2022, tools like Multilogin and Dolphin Anty had built-in “warming” modes that scripted this behavior. the problem is that meta’s detection surface expanded to cover the exact patterns those scripts produced. uniform session timing, predictable scroll velocity, no variation in tab behavior, clean browser storage with no third-party cookie residue. a warmed profile that looked like it came out of a workflow template was arguably worse than an unwarmed one, because it triggered rule-based flags on top of the statistical ones.

The 2025 wave of changes, documented in part by researchers at the Stanford Internet Observatory who study coordinated inauthentic behavior takedowns, pushed the scoring further toward what i’d call “ambient legitimacy.” meta is not just looking at what you do inside Facebook. they’re inferring from the full cookie jar what kind of browsing environment this session comes from. a browser that has only ever touched facebook.com and a handful of landing pages looks different from one that has third-party cookies from analytics providers, ad networks, content sites, and SaaS tools that normal users accumulate passively.

the core mechanism

The core insight is that cookies are a record of browsing history that meta can partially read. when you load facebook.com, the page fires requests to dozens of third-party domains. some of those responses set or read cookies. meta’s pixel, google’s gpt.js, various analytics SDKs. the browser’s cookie jar at that moment is a fingerprint of where you’ve been. a fresh profile has an empty jar. a three-month-old profile belonging to someone who reads news sites, shops occasionally, and uses a few SaaS tools has hundreds of cookies from dozens of domains.

The warming process is about building that cookie jar in a way that looks coherent and non-mechanical. there are three layers to this:

layer 1: third-party cookie accumulation. you need your profile to have visited the kind of sites that normal users in your target region visit. this is not just about volume. it’s about the right domains. a profile that has cookies from stripe.com, mailchimp.com, typeform.com, and a few news publishers looks like a small business owner or marketer. a profile with cookies from fifty generic news sites but nothing from any SaaS tool looks like a scraper or bot.

layer 2: behavioral signal depth. meta’s pixel collects PageView, ViewContent, and other events via the browser’s activity. even before you run an ad, the pixel on external sites is logging that this browser exists and behaves like a human. scroll events, mouse movement variance, time-on-page, and tab focus events all feed into this. you can’t fake this easily with a script that just fetches URLs. you need actual browser rendering.

layer 3: session coherence. the timing and sequence of your browsing has to look plausible. a warming run that visits fifty sites in two minutes is obvious. a warming run that produces eight to twelve browsing sessions over seven to ten days, each lasting twenty to forty minutes with realistic inter-page timing, is much harder to distinguish from a real user.

At the browser level, RFC 6265 defines how cookies are stored and transmitted. the key attribute for warming purposes is the domain scope. a cookie set by google-analytics.com via a third-party embed is stored under that domain, not the publisher domain. this means that visiting a site that runs GA will add a google-analytics.com cookie to your jar, which is a signal that you have had normal web browsing behavior. meta’s own pixel cookies behave similarly. building up these third-party cookies passively, through rendering pages that embed common analytics and ad tags, is the foundation of any warming approach that works in 2026.

The tooling i currently use: Dolphin Anty for profile management (pricing around $89/month for the 100-profile tier), GoLogin as a secondary option when i need more fingerprint customization, and residential proxies via either Smartproxy or Bright Data. the proxy question matters a lot for warming. datacenter proxies produce IP-level signals that contradict the warm cookie jar you’re building. a residential IP from the same country as the account’s intended use is necessary. Bright Data’s residential network runs around $8.40/GB at current pricing. for warming-only usage, expect 2-4 GB per profile over a 10-day warming window.

worked examples

example 1: e-commerce dropship account, 10-day warm, Southeast Asia targeting

profile built in Dolphin Anty. fingerprint set to Windows 11 Chrome 124. residential proxy from Smartproxy’s Indonesia pool (approximately $7/GB at the time). the warming script ran through a custom playwright automation that i adapted from a community-shared base. the schedule was two sessions per day, each 15-25 minutes, visiting a mix of: regional news sites (Kompas, Detik), global news (BBC, Reuters), e-commerce (Tokopedia product pages, Shopee category pages), and SaaS marketing sites (Mailchimp, Canva, Figma). each session included facebook.com visits, scrolling the feed, clicking 4-6 organic posts, and visiting one or two advertiser landing pages linked from ads.

by day 7, the profile had cookies from 140+ domains. by day 10, i created the ad account, added payment, and launched a test campaign. it went through review in under 4 hours and ran for 11 days before i paused it for creative refresh. no holds, no disables.

example 2: lead gen account, US targeting, failed on day 14

same general setup, but i cut corners on the warming sessions. i ran the sessions from a datacenter proxy for the first five days because my residential allocation was used up. on day 6 i switched to residential. the cookie jar was there by the end of day 14, but the IP-level history in meta’s logs showed a jump from a datacenter range to residential that doesn’t happen for normal users.

the account was held in review for 72 hours after first ad creation, then approved. spent $200 over three days, then received an “unusual activity” flag and a request to verify the business. the business verification process itself is a separate issue, but the triggering event was almost certainly the proxy inconsistency in early sessions. since then i don’t start any profile with datacenter proxies regardless of the reason.

example 3: direct-to-offer nutra account, 21-day deep warm, UK targeting

this one i ran as a proper experiment with logging. 21-day warming window, three sessions per day, UK residential proxies throughout (Bright Data’s ISP proxy tier at a premium price, closer to $15/GB, but more stable ASN attribution). the session content was calibrated for the persona: health and wellness content, NHS.uk pages, fitness forums, a few recipe sites. the facebook sessions included interactions with health-related pages and several ad clicks within vertical.

by the end of the 21 days the cookie jar had 280+ domains and the facebook internal score, which you can’t read directly but can infer from how fast ads clear review and how aggressively the early CPMs are throttled, was clearly stronger. the first campaign hit its learning phase inside 48 hours and CPMs were in line with what i’d expect from an aged account. total proxy cost for warming: about $12. total time investment in scripting setup: 6 hours upfront, mostly one-time.

the account has been running for 11 weeks as of this writing. for more context on running these kinds of accounts at scale, the multiaccountops.com blog has good coverage of organizational structure and team workflows that complement the technical side.

edge cases and failure modes

failure mode 1: cookie jar without behavioral depth. the most common mistake i see is people who automate URL fetching rather than actual browser rendering. if you use a headless script that just makes HTTP GET requests to a list of domains, you accumulate some cookies but you don’t generate any of the JS-triggered events that meta’s pixel and third-party analytics track. meta can see from its own pixel that this browser has visited sites where the pixel fires, and whether those visits look like human interaction or bot fetches. use full browser automation with realistic interaction, not raw HTTP.

failure mode 2: proxy churn. every time you switch the IP pool for a given profile you create a signal anomaly. real users mostly browse from the same ISP. i allow for some IP variation within the same ASN (because mobile users switch cell towers), but jumping between ASN blocks, or between datacenter and residential, is a pattern meta’s systems have been trained to detect because it matches how operations teams typically cycle proxies. set the proxy before you start warming and don’t change it. if a proxy goes down, the correct response is to pause the warming, not swap to a different ISP.

failure mode 3: over-templated session behavior. if you’re running warming across fifty profiles simultaneously with the same script, the behavioral signatures will cluster. visit sequences, timing distributions, scroll patterns. meta’s models are good at detecting behavioral clustering across sessions that shouldn’t be correlated. introduce real variation: randomize the site list, use different session start times, vary the session length. the easiest way to do this programmatically is to build a pool of 200+ URLs in the target vertical and sample randomly rather than using a fixed list.

failure mode 4: mismatched locale signals. a profile using a UK residential proxy should have the system locale, browser language, and timezone set to UK defaults. i’ve seen profiles fail review not because the cookies were wrong but because the browser reported en-US locale with a UTC+0 timezone on a UK IP. meta’s review system correlates these signals. in Dolphin Anty, check the Timezone and Language settings in the profile config, not just the fingerprint. for GoLogin users, the same settings are in the “General” tab of the profile editor.

failure mode 5: rushing the first ad creation. there is a documented pattern where accounts that create their first campaign within 24-48 hours of account creation trigger additional scrutiny regardless of the cookie state. i now enforce a minimum 7-day gap between account creation and first ad creation, even if the profile warming started well before account creation. the exact threshold is not public, but the Meta Business Help Center documentation on account review states that “account history” is a factor, which practitioners generally interpret to include the gap between account creation and first advertising activity.

what we learned in production

The biggest operational shift i’ve made in the last six months is separating the warming phase from the account phase. i build a stock of warmed browser profiles without Facebook accounts attached, keep them warm with maintenance sessions every 3-4 days, and only add the account once i have a specific use case. this means i can attach an account to a profile that already has 30-45 days of browsing history rather than starting the warming clock from day zero. the cookie jar has more depth, the behavioral signals are more varied, and the time to first review approval is measurably shorter.

i also stopped tracking “warming success” by whether the first campaign cleared review. that’s a noisy metric because review outcomes depend on creative, landing page, and offer too. i now track warming quality by the number of days the account runs before any kind of flag or hold. the accounts with 21+ day warming windows and clean proxy discipline are averaging around 8 weeks before any intervention. the accounts with 7-day warming windows or any datacenter proxy exposure average around 3 weeks. that difference in account lifespan changes the economics of any campaign that has meaningful upfront setup costs.

For operators who are also working on the airdrop and multi-chain side of things, cookie warming for web3 platforms uses the same core principles. there’s a good primer on session reputation for non-Facebook contexts at airdropfarming.org/blog/ that’s worth reading alongside this piece. the browser-level signals differ but the layering logic, third-party cookie accumulation, behavioral depth, session coherence, transfers across platforms.

references and further reading

  1. RFC 6265: HTTP State Management Mechanism, IETF. the foundational spec for how cookies are stored, scoped, and transmitted. essential reading for understanding what signals are actually visible in the browser cookie jar.

  2. Meta Business Help Center: About Ad Review, Meta. official documentation on how the ad review process works, including account history as a factor. the specifics are vague but the framing is useful.

  3. Stanford Internet Observatory research on coordinated inauthentic behavior, Stanford University. academic context for how platform-level detection of inauthentic behavior works. not operator-specific, but the signal taxonomy overlaps with what practitioners observe.

  4. Meta’s ad policies overview, Meta Platforms. direct reference for policy grounds that trigger review holds. most review failures cite one of a small set of policy categories; knowing which ones apply to your vertical helps calibrate warming and creative choices together.

  5. Bright Data product documentation: Residential Proxies, Bright Data. current pricing and network attribution data for the proxy tier i reference in the worked examples. ISP proxy documentation is in the same section and worth comparing if you’re choosing between proxy types.

For related reading on this site, the browser fingerprint audit guide covers how to verify that your antidetect profile is actually producing the fingerprint you intend before you start warming. the Dolphin Anty vs GoLogin comparison for 2026 goes deeper on profile management tooling. and the residential proxy provider roundup has current pricing and network quality notes across the main providers referenced here.

Back to the blog index.

Written by Xavier Fok

disclosure: this article may contain affiliate links. if you buy through them we may earn a commission at no extra cost to you. verdicts are independent of payouts. last reviewed by Xavier Fok on 2026-05-19.

need infra for this today?

cloud phones
cloudf.one

real Android phones in a SG datacenter. run Telegram on persistent hardware with a real mobile IP. free trial.

try a cloud phone →
mobile proxies
SingaporeMobileProxy

real 4G/5G IPs from Singtel, M1, Starhub. for Telegram on desktop, app automation, or scraping. from $35/mo.

get a mobile IP →