No, they don't actually serve all ads. I imagine they know not to pass off a request from a HTTPS page to a HTTP-only server (mixed-content blocking would give a near-100% failure rate) but here is an example of Google's Doubleclick network being used to spread malware: https://blog.malwarebytes.org/threat-analysis/2014/09/google...