Cybercriminals are leveraging Hacklink to manipulate search engine rankings and load malware onto compromised sites.

Cybercriminals are using a black-market SEO platform called Hacklink to manipulate search engine rankings and promote malicious content through compromised websites. Hacklink serves as a marketplace where attackers can purchase access to thousands of compromised sites, often targeting high-reputation domains such as .gov, .edu, or country-code TLDs. These domains are highly valued for their trustworthiness in search algorithms.

Once access is obtained, Hacklink automates the injection of hidden JavaScript or HTML links into these compromised sites. These links redirect search engine crawlers to malicious pages (such as phishing sites, fake pharmacies, or gambling platforms) while remaining invisible to human visitors. Groups like “Neon SEO Academy” claim to have access to over 15,000 compromised sites using this method.

Keyword Targeting and Anchor Text Manipulation

Attackers tailor injected links with specific anchor text (e.g., “online gambling in Turkey”) to exploit search queries. When users search for these terms, search engines like Google prioritize the malicious pages due to the perceived endorsement from high-authority domains. The trick isn’t necessarily about getting people to click those injected links directly, but about boosting the visibility of scam sites.

Hacklink’s service simplifies the process for its users, who choose keywords and harmful URLs through a control panel, with prices starting as low as $1 per listing. High-value domains, such as .gov, are priced higher. The compromised websites form a network that cross-links to these malicious domains, giving a misleading impression of legitimacy. Private Blog Networks (PBNs) amplify this effect further.

How do you battle against something you can’t see?

Compromised websites may appear normal to users, making it challenging for owners to detect issues. Search engines find it difficult to differentiate between legitimate links and malicious ones, allowing harmful sites to achieve high rankings until Google intervenes manually.
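A site owner can look for the hidden injected links described above by scanning the HTML their server returns for off-site anchors that are concealed from visitors. The Python below is an added example, not code from this article or from any tool it mentions; the style heuristics, the host `library.example.edu` and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Inline styles that hide content from human visitors (heuristic list, an assumption).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|em|pt|%)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"img", "br", "hr", "input", "meta", "link"}  # tags that never get an end tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site = site_host.lower()
        self.stack, self.current, self.findings = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inherited = any(h for _, h in self.stack)  # some open ancestor is hidden
        host = (urlparse(a.get("href") or "").hostname or "").lower()
        external = bool(host) and host != self.site and not host.endswith("." + self.site)
        if tag == "a" and external and (hidden or inherited):
            self.current = {"href": a["href"], "anchor": ""}
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_data(self, data):
        if self.current is not None:
            self.current["anchor"] += data  # collect the anchor text of a flagged link

    def handle_endtag(self, tag):
        if tag == "a" and self.current is not None:
            self.findings.append({**self.current, "anchor": self.current["anchor"].strip()})
            self.current = None
        for i in range(len(self.stack) - 1, -1, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, site_host):
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for a hypothetical site, library.example.edu.
SAMPLE = """<body><a href="https://partner.example.org/">Partner archive</a>
<a href="/hours" style="display:none">Hours</a>
<div style="left:-9999px"><p><a href="https://casino.example.net/tr">online gambling in Turkey</a></p></div>
<a href="https://pills.example.com/" style="font-size:0">cheap pharmacy</a></body>"""
```

This static check only sees inline styles in the markup it is given; links added by script at render time, hidden through external stylesheets, or served only to crawler user agents need a rendered-DOM or multi-user-agent comparison.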

J Stephen Kowski, Field CTO at SlashNext Email Security, said:

“This research shows cybercriminals are getting smarter by hijacking trusted sites to push bad links right to the top of search results, tricking users into clicking. Organizations need to watch for weird changes in their search rankings and check their backlinks for anything fishy that could point to a bigger problem.”

Individuals operating under aliases such as “Helen Wood” and “David Kaya” have been identified as central figures, coordinating activity via encrypted messaging apps like Telegram and WhatsApp.