Executive Summary
Netcraft has identified scam advertising campaigns that impersonate trusted brands to drive consumers to unrelated online gambling sites. These campaigns utilize paid social ads, fake app store pages, and Progressive Web Apps to make users believe that well-known brands have launched “official” casino or slot products.
The scams begin with an ad on social media platforms such as Facebook, Instagram, and TikTok. The ad claims that a recognizable brand has launched “[Brand] Slots” or a similar gambling product. Upon interacting with the ad, the user is taken to a fake landing page designed to look like an official app store listing or branded game page. Instead of installing a real app, the user is prompted to add a Progressive Web App to their device, which opens an unrelated online casino through affiliate tracking links.
How the Campaign Works
Regardless of which brand is being impersonated or which platform the ad appears on, these campaigns follow the same sequence, with three key components:
Figure 1: A Meta ad for “Tesco Slots”.
1. The paid ad: A consumer scrolling social media is served a paid ad. The ad purports to come from a recognisable brand - a bank, a retailer, or a streaming service - and claims the brand has launched an online slots product, or shows a convincing testimonial from someone who won big playing “[Brand] Slots”.
Figure 2: Fake Play Store page for “Amazon Slots." This is the landing page that the above “Tesco Slots” ad leads to.
2. The landing page: The consumer taps the ad and lands on a fake landing page built around the impersonated brand’s logo and name - for example, a fake Google Play Store listing offering “[Brand] Slots."
When the consumer taps “Install” on the fake Google Play Store listing, no Android app is downloaded. Instead, the page prompts the user to install a Progressive Web App (PWA) - a browser shortcut added to their home screen, labelled with the impersonated brand’s name, that looks and behaves like a native app.

Figure 3: PWA launched after consumer clicks “Install”. PWA is titled with “Amazon Slots”, however it is a wrapper around the gambling site 345rodeoslot[.]com.
The online casino: The PWA carries an affiliate tracking through to a gambling site. The advertiser is likely then paid through this affiliate link — this could be when the PWA is first opened, or when the consumer registers and makes a deposit.
We cannot independently verify the exact payment terms or amounts earned through these affiliate links, however Affnook (an affiliate tracking platform used by iGaming operators) indicates that typical cost-per-acquisition payouts range from $50 to $350 per depositing player.
The Ads
Netcraft has identified dozens of ads impersonating brands across several sectors, including:
UK financial institutions, such as Monzo, Revolut, and Barclays
Household names, such as Tesco and the Irish National Lottery
Global brands, such as Amazon, Netflix, and Facebook/Meta
These examples reflect brands encountered during our investigation - the true scale of the campaign is likely broader. While many ads identified target UK consumers, we have also observed variants in German and Spanish, and one example offering a bonus in Canadian dollars.
These ads have been observed on social platforms including Facebook, Instagram, Threads, and TikTok. Three broad approaches have been observed, representing an escalating degree of brand impersonation.
Simple brand name association
These are video and text ads that use the brand name as a label - '[Brand] Slots' - without building large amounts of the creative around the brand specifically. The same ad would work for any brand with a simple find-and-replace. These typically depict ordinary people in relatable everyday situations — at the checkout, ordering dinner — who discover that '[Brand] Slots' is an easy route to large winnings.

Figure 4: Example of text-based ad mentioning Amazon Slots.
Official launch announcement
Going further than name use alone, these ads use the brand's own logo, colours, and visual assets to construct fabricated promotional material designed to look like an official communication from the brand itself.
In the most detailed examples, the creative includes forgeries of the brand's own product interfaces - one series targeting Monzo customers showed apparent Monzo app screenshots with a fabricated balance, alongside copy reading "MONZO OFFICIALLY LAUNCHES ONLINE SLOTS."

Figure 5: Image-based scam ad claiming “Monzo officially launches online slots”, as well as a Monzo balance. This ad features the real Monzo sort code (04-00-04).

Figure 6: Image-based scam ad for “Tesco Casino."
AI-generated Promotional Videos
These are the most recent development in these ads. They are AI-generated video ads built specifically around the impersonated brand - generated from scratch to place the brand's real locations, employees, and visual identity at the centre of the creative. For a consumer who recognises these brands, these are the most convincing of the three formats, and the hardest to dismiss as fabricated.
Examples observed include a Tesco cashier recommending Tesco slots to a customer who can’t afford their groceries; two women outside a Monzo branch with branded props announcing the official launch of Monzo slots; and a Tesco-branded slot machine in a Tesco store.


Figures 7 and 8: Examples of AI-generated promotional videos, appearing to be filmed outside Monzo and Revolut branches.
Additionally, several common characteristics have emerged across the ad campaigns Netcraft has identified:
The advertiser running these ads take different forms. Some use the impersonated brand's name and logo directly ("Tesco Gaming," "Monzo Games"); while others use generic casino-themed names ("Lucky Realm," "Lucky Station") that may suggest pages previously used for standard iGaming affiliate activity.


Figures 9 and 10: Examples of advertisers using the impersonated brand’s name and logo.

Figure 11: Examples of generic ads.
In a number of cases, the URL displayed in the ad does not match the actual destination. Display URLs observed include play.google.com, facebook.com, and in at least one case a direct impersonation of the brand's own domain (play.monzo.com).
It’s possible the same threat actor is behind campaigns for different brands. In at least two cases, a page set up with one brand's identity was observed running ads impersonating a different brand entirely.

Figure 12: Tesco-themed advertiser advertising “Amazon Slots."
We have observed several cases of the same advertiser running multiple ad variants simultaneously — the same copy across different video creatives, all launched on the same day. This is a standard tactic in affiliate marketing: running multiple variants at once to quickly identify which gets the most clicks.

Figure 13: A single advertiser running multiple ads simultaneously.
The Scammer-Controlled Landing Page
A consumer who taps through from a branded ad arrives at a scammer-controlled page designed to sustain the belief - established by the ad - that they are installing an official branded app. The most common format imitates a Google Play Store or Apple App Store listing, however we have also seen a small number which present the consumer with a fake game – such as a spin wheel that always produces a winning result - prompting them to install the app to claim their prize.
No app, only a PWA
When a consumer taps "Install" on a fake app store listing or "Claim" on a pre-lander, no app is downloaded from any official store. Instead, a Progressive Web App (PWA) is installed — a browser shortcut added directly to the consumer's home screen, labelled with the brand's name. Once accepted, the PWA is added to the consumer’s device with the impersonated brand’s name and icon, making it appear similar to a standalone branded app. When opened, the PWA loads the casino site using the launch URL configured by the attacker. Depending on the device, browser, and PWA display settings, the experience may open with the normal browser interface reduced or hidden, helping sustain the impression that the user is interacting with an app rather than a website.
In the campaign, affiliate tracking parameters were present in the PWA and casino URLs, indicating that the campaign is designed to attribute downstream activity, such as registration or deposit, back to the affiliate operator. Netcraft cannot independently verify the exact attribution model or payment trigger, but the presence of these parameters strongly indicates that the PWA is being used as part of an affiliate-driven casino acquisition flow.

Figure 14: Example of the PWA install prompt.

Figure 15: Revolut Slots login page.
Fake app store listings
The most common format imitates a Google Play Store or Apple App Store listing for a "[Brand] Slots" or "[Brand] Casino" app. The brand's logo is used as the app icon, and the developer is listed under a fabricated brand name - for example, "Tesco Entertainment UK Limited." Fake reviews, fabricated download counts, and star ratings complete the imitation.



Figures 16, 17 & 18: Examples of fake Play Store listing examples: Amazon Slots, Netflix Casino, and Barclays Slots.

Figure 19: Example of fake reviews on “Tesco Slots," including responses from the developer “Tesco."
Fake game pages
A second format presents the consumer with an interactive game - typically a spin wheel - branded in the impersonated brand's colours and logo. The game always produces a winning result, awarding a large cash prize and free spins. The consumer is then prompted to install the app to claim their winnings.


Figures 20 and 21: Example of a fake game pre-lander impersonating Monzo, showing how the user “wins” and is prompted to “claim”, which installs the PWA.
Domain patterns
The domains used for these landing pages are more often generic-looking than brand-specific - random-word combinations such as seekerlucid.shop and lemniscal.live that give no indication of their contents, which may be a deliberate tactic to make the site less likely to be picked up via standard fraud detection mechanisms. However, a smaller number do use brand-specific domains.
Some examples of branded and non-branded domains that we have seen:
revvo-online[.]website
tesscogames[.]com
monzoslots[.]life
rewardsmonzo[.]website
topstatus[.]site
optimismphantasm[.]shop
ridereuphoric[.]shop
seekerlucis[.]shop
The Casino endpoint in the PWA wrapper
When a consumer taps "Install" on the fake app store listing or similar, a PWA is installed. Once installed, the PWA may launch automatically - and continues to display the brand's name and logo in the title bar, maintaining the "[Brand] Slots" illusion even as it loads an entirely unfamiliar casino site. Although the casino's own URL is visible in the address bar, but the branded title bar may be sufficient to convince consumers they are playing “[Brand] Slots."


Figures 22 and 23: PWAs showing “Monzo Slots” and “Amazon Slots” in title bar, loading “Roulettino” and “Rodeo Slot."
The scammer's affiliate tracking is embedded in the URL from the moment of installation:

Figure 24: Casino sign-up URL revealing affiliate tracking parameters.
We have also observed the PWA sending push notifications to the consumer’s device, prompting them to complete their registration.


The casino sites connected to these PWAs present as functional online gambling platforms - real games, registration flows, and welcome bonuses.
Examples of some of the casino endpoints we have identified are:
blinbd[.]com
spinlynx36[.]com
345rodeoslot[.]com
87roulettino12[.]com
Unlike the ads and landing pages, which carry clear brand impersonation grounds for takedown, these casino sites do not directly impersonate any specific brand. Netcraft did not verify whether the linked online casinos are regulated or licenced appropriately for their target market.
Indicators of compromise (IOCs) associated with this campaign are published in Netcraft’s public GitHub repository.






