- Select Prime members can get Kindle Unlimited for 3 months at no cost - here's how
- Modernization means putting developers in the driver’s seat
- Get a free iPhone 16 Pro for free from T-Mobile, no trade in required - here's how
- The LG C4 OLED for $800 off is one of the best Prime Day TV deals right now
- Prime members can save $10 on any $20 or more Grubhub+ order for a limited time - here's how
Hacklink Marketplace Fuels Surge in Covert SEO Poisoning Attacks
A growing wave of SEO poisoning attacks has been driven by a black market platform known as Hacklink, which enables cybercriminals to hijack search engine rankings by injecting malicious links into thousands of compromised websites.
The tactic, uncovered by researchers at Netcraft, is increasingly targeting sectors like online gambling, with attackers leveraging automation tools to elevate scam content in Google search results.
A New Kind of Exploitation
The Hacklink platform allows threat actors to browse and purchase access to already-compromised websites.
From there, they can inject hidden JavaScript code that includes tailored keywords and anchor text. While invisible to the human eye, this code is designed to influence search engine crawlers. As a result, scam or phishing domains appear higher in search results, often above trusted brands.
What also sets this campaign apart is its technical subtlety. Unlike traditional website defacements, which are easy to spot, these injected links are buried in source code and chosen specifically for their reputational value. Domains ending in .gov, .edu and various country code TLDs are prized for the ranking boost they provide.
Organized Groups Behind Attacks
Two groups, Neon SEO Academy and SEOLink (also known as SkylinkSEO), are actively offering these services.
Neon SEO Academy reportedly has access to over 15,000 compromised domains and targets Turkey’s online gambling market with phishing and fraud campaigns.
Operatives like “Helen Wood” and “David Kaya” are believed to coordinate these services via platforms such as Telegram, WhatsApp and WeChat.
SEOLink promotes similar offerings, including tools for bulk link injection and Private Blog Network (PBN) exploitation, further blurring the line between aggressive marketing and criminal activity.
These SEO poisoning campaigns typically involve:
-
Gaining access to a vulnerable or poorly secured website
-
Injecting JavaScript or HTML with keyword-optimized links
-
Elevating scam content in search results through association with reputable domains
-
Redirecting unsuspecting users to phishing or malware pages
-
Remotely altering how legitimate sites appear in Google search snippets
Widespread Security Implications
This SEO poisoning method often begins with an unnoticed website compromise. The injected code manipulates Google’s ranking signals while staying hidden from users.
More troubling still, the actors can alter the search appearance of legitimate websites without needing direct control, impacting brand integrity and user trust.
According to Netcraft, this campaign highlights a broader shift in cybercrime toward a blend of technical compromise and marketing manipulation.
“For industries like online gambling, where trust and brand integrity are paramount, the consequences can be severe. This is applicable to other industries that may rely on search engines to discover their site, such as banking, fundraising, and cryptocurrency trading,” the security firm warned.
“With cyber-criminals now using this technical capability now, any industry could and will likely be targeted by these sophisticated criminal lures.”
To defend against these threats, organizations are encouraged to routinely audit backlinks, patch vulnerabilities and monitor changes in their search presence through Google Search Console.
