As search engines strive to deliver the most relevant, trustworthy results to users, threat actors are exploiting these tools to deliver scams more efficiently. Netcraft’s recent investigations have uncovered a growing campaign of SEO poisoning, where compromised websites are manipulated to boost malicious URLs in search engine rankings. At the heart of this operation is a black market service designed specifically to help adversaries automate their exploitation efforts, often with devastating results for targeted industries such as online gambling.

In this post, we examine how these tactics work, who’s behind them, and what organizations need to know to defend against them.

Key Data

Netcraft’s research has uncovered an organized SEO poisoning operation using a platform known as Hacklink, a marketplace that enables cybercriminals to purchase access to thousands of compromised websites and inject malicious code designed to manipulate search engine algorithms. Scammers use Hacklink control panels to insert links to phishing or illicit websites into the source code of legitimate but compromised domains. These links are tailored with anchor text to specific keywords so that when users search for relevant terms—such as gambling-related phrases—they are served search results that include, and sometimes prioritize, the attacker-controlled websites.

The injected content is subtle, often invisible to site owners or casual visitors, but highly effective at influencing Google’s PageRank system. Sites are chosen by threat actors based on their reputational value, with links from .gov, .edu, and Country Code TLDs used to boost the credibility of their malicious content. These ccTLDs are desirable in SEO as Google assumes that the content of such a domain is more relevant than one without and prioritizes it for delivery in a search from that specific country. Therefore, the malicious site is effectively inheriting some of that favorable ranking just by linking to it. While legitimate SEO is a cornerstone of digital marketing, the techniques used here cross into fraud, with fake pharmacies, adult content, and phishing pages all benefiting from artificially elevated visibility. Particularly concerning is the targeting of online casinos, with organized groups like “Neon SEO Academy” and “SEOLink” offering services to manipulate SEO rankings for phishing and fraud.

What Is SEO Poisoning?

SEO poisoning is a form of search engine manipulation that promotes malicious or fraudulent websites by exploiting the ranking systems of platforms like Google. By compromising legitimate websites and injecting specially crafted content, attackers can redirect search traffic to harmful destinations—all while maintaining the appearance of legitimacy. Unlike traditional defacement attacks, which make the intrusion obvious, SEO poisoning operates covertly; the compromised sites often look entirely normal to the human eye.

The hidden content is typically code containing links to malicious domains with anchor text tailored towards the desired target. Search engine crawlers read this content, see and follow the links, and interpret the compromised site as having an endorsed relationship with the linked malicious domains due to the specified anchor text. This artificially improves the search ranking of the attacker’s sites, allowing them to appear near—or above—legitimate results when targeted keywords are searched for.

Hacklink: The Marketplace Behind the Campaign

Hacklink allows bad actors to browse and purchase access to already-compromised websites. Buyers can select keywords and URLs to be injected, with pricing often starting at just $1 per listing—though domains with stronger reputations (like those ending in .gov) may cost more. Once selected, Hacklink automatically injects the necessary JavaScript into the compromised site. The injected code typically contains links to multiple external pages, some of which may appear legitimate, while others lead to phishing, malware, or scam operations.

From a user’s perspective, the compromised website looks fine. But when crawled by search engines, the hidden links and associated anchor text keyword pairings alter how the site—and the linked content—is treated in search results. This leads to attacker-controlled domains appearing prominently in search results, even above trusted brands or legitimate services.

Targeting the Gambling Sector: A Case Study

One particularly active tactic for this campaign is used against the online gambling companies operating in the Turkish market. Groups like Neon SEO Academy have emerged offering services that specialize in “SEO for Gambling in Turkey,” using compromised sites to promote malicious or phishing content. Key figures associated with this group operate under aliases such as “Helen Wood” and “David Kaya”, and have been traced via Telegram, WhatsApp, and WeChat. They claim to have access to over 15,000 compromised sites for use in these campaigns. It is likely significantly higher.

A second group, SEOLink / SkylinkSEO, promotes similar services. They offer tools that allow buyers to access admin panels of vulnerable websites and insert links en masse. These actors also promote the use of Private Blog Networks (PBNs)—a controversial SEO tactic that further muddies the line between aggressive marketing and outright fraud.

How the Attack Works

The attack begins with the compromise of a legitimate website, often through exposed admin panels or unpatched vulnerabilities. Once inside, the attacker injects JavaScript or HTML that contains a network of outbound links, each associated with specific keywords. This injected JavaScript is designed to be invisible to users viewing the rendered HTML but highly visible to search engine crawlers as it visible in the source code. As the web of compromised sites may often be linked to others that Google considers trustworthy and authoritative – such as sites that use .edu or .gov TLDs — the fraudulent site being promoted inherits that trust artificially. Examples included in the Figures below.

When a user searches for terms related to gambling, pharmaceuticals, or other targeted topics, the SERP (Search Engine Results Page) will show both legitimate and manipulated sites ranked highly in the results. Users who may not know which is legitimate and which is fraudulent click through to a highly ranked site, unaware that they have landed on a malicious page. These malicious sites are often designed as exact copies of legitimate domains. This is an effective, scalable, and dangerous strategy for phishing.

Figure 1a.

Figure 1b.

Figure 1a. and 1b.  An example of a site on the Taiwanese ccTLD and containing an .edu second level TLD that is compromised and appears in the Search Engine Results Page for Turkish Gambling and for hacklink related queries.

With the above method, it is also possible to remotely change the text that appears in the search result of a target site, to other text that the malicious actors desire even without being in control of a site. If the fraudster is in control of a site they can place a phishing attack or redirect to a phishing attack. If they are not in control of a site, they may use hacklinks for SEO boosting of other sites that they do control only. This is done for the purposes of manipulating Google Search and the result is that harmful sites are pushed up significantly in the desired search results.

Figure 2a.

Figure 2b.

Figure 2a. and 2b. In the example here we can see a site before hacklinks are made to reference it on other sites. There are indications that it may be compromised by such malicious actions already with the mixed languages and topics in the anchor text.

After the links are changed on other sites which can be done at scale with a control panel, their links were set to include this site with the relevant title and anchor text. This action alters the previous text that Google displays to text that the actors desire, without the consent of the site owner. In this case, the site owner would need to disavow these incoming links with their Google Search Console to rectify this abuse.

Implications for Security and Brand Protection

This campaign highlights the growing sophistication of cybercriminals who are not just attacking networks but manipulating ecosystems. SEO poisoning blends web compromise with psychological manipulation and search engine exploitation, creating a multifaceted threat. Brands face reputational risk when their domains are hijacked to boost criminal operations. Users face exposure to scams, phishing, and malware. Defenders must now consider this SEO manipulation and SERP-based attack vector as part of the broader threat landscape.

For industries like online gambling, where trust and brand integrity are paramount, the consequences can be severe. This is applicable to other industries which may rely on search engines for their site to be discovered, such as banking, fundraising, and cryptocurrency trading. With cybercriminals now using this technical capability now, any industry could and will likely be targeted by these sophisticated criminal lures.

How Netcraft Helps

Netcraft monitors domains that exhibit indicators of abuse. We can discern legitimate domains within the SERP and take down fraudulent domains that appear due to SEO poisoning. While remediation and website takedown depend on the site and nature of the threat, Netcraft continues to investigate and document these campaigns, working with affected brands and platforms to share intelligence and reduce harm.

Our threat intelligence services can help organizations identify when their domains have been compromised and used in link manipulation schemes. We also assist in mapping malicious SEO networks and flagging fraudulent domains that pose a risk to users.