Google made the link a valuable commodity, so hackers are compromising sites and then getting paid to inject links.

Ben Kothe / BuzzFeed News

This August, Molly Stillman logged on to her lifestyle blog to update a few popular old posts, freshening them up so they would continue to attract traffic from Pinterest and search engines. She was horrified at what she discovered. “There were [links] for, you know, anal bleaching, which is apparently a thing. I mean, just truly, incredibly inappropriate things. And there was even some links to Russian pornography sites. I mean, we're talking about horrible, horrible things. And it was written into my content.” Stillman, who lives in North Carolina, has been blogging about family, faith, and fashion since 2007. Her site is an important source of income, and someone hacking into her blog to add text and links left her reeling. All the more so given the subject matter.

Stillman hired a security company to clean up the posts and identify the source of the intrusion. It determined someone hacked her site, which runs on the open source version of WordPress, by finding a way in through the administrator login. The culprit inserted content and links into 500 of the roughly 2,000 posts Stillman published over the past 12 years. “I'll be honest. It's been a nightmare,” she said. “It's been an absolute nightmare.” What happened to Stillman was not an isolated incident. Websites of all types and sizes, and especially those that use the open-source version of WordPress, are hacked to inject links to manipulate search engine results. A BuzzFeed News investigation reveals how injected links are sold by global networks of online marketplaces and black hat SEO consultants who offer customers the ability to have links placed on compromised websites. Among those affected are journalists, celebrities, churches, charities, veterans organizations, and the managing director of Peter Thiel’s venture capital firm. Injected backlinks on these compromised sites quickly improve the search engine rankings of customers’ web properties by exploiting Google's preference for sites that receive a high quantity of links from authoritative sites. That in turn helps the customer sites attract more traffic, and in some cases, increase sales. BuzzFeed News obtained lists of more than 20,000 websites where backlinks can allegedly be added for a fee, and confirmed multiple cases where links were added to these and other sites without the owner’s knowledge. The award-winning Canadian urban magazine Spacing is one site affected by injected links. After being contacted by BuzzFeed News, it identified several articles where unauthorized links had been added long after publication. One post was even hacked during the course of the magazine’s email conversations with BuzzFeed News. In one example, an article about drug policy from 2009 had links and text injected for rehab centers and a cannabis vaporizer product. And in the few days between the site discovering the compromised post and cleaning it up, someone added text and a link to an online gun store. “I can see the allure of going after well-trafficked media sites — there are usually so many points of entry from contributors that all it takes is one good account to give wide access to the editorial content of a media outlet,” Matthew Blackett, the publisher of Spacing, told BuzzFeed News. It's yet another example of how search engines like Google are being manipulated at scale by a global industry of shady digital marketers and hackers who take over expired domains, acquire once-credible websites and fill them with junk content, hijack dead links on major news sites, place undisclosed sponsored content, and launch extensive manipulation campaigns using fake online personas to make their content appear higher in search results. Google’s quality guidelines forbid “link schemes” and cite “exchanging money for links, or posts that contain links” as one example of banned behavior. But that doesn’t deter the global trade in links.

BuzzFeed News / Via Spacing.ca An injected link and text promoting a gun store appeared recently in an old story on Spacing.ca.

A major source of injected links is Sape.ru, an online marketplace once partly owned by Mail.ru, a leading Russian technology company. On Sape, black hat marketers and webmasters post search-ranking data for websites they control or have access to. Over 8,000 English-language websites are listed on Sape, covering everything from American political organizations to international children's charities. BuzzFeed News confirmed multiple instances where sites advertised on Sape contained injected links. “We do not welcome the addition of hacked sites, nor the hackers themselves. If such cases are identified, we stop working with the webmaster,” a Sape spokesperson told BuzzFeed News. The company said it blocks the accounts of any confirmed hackers or anyone who is not able to verify their ownership of a site listed in the marketplace when requested. In a statement to BuzzFeed News after this article was published, Sape CEO Sergey Pankov emphasized that the company works to prevent bad actors from using its system. "Sape is continuously vigilant and expends a considerable amount of effort and expense on monitoring and addressing the problem of injected links and constantly working on improving anti-hacking algorithms. Each time a hack is identified, Sape has no choice but to immediately assign a team to remedy the situation, providing support to hacked websites and refunding significant amounts to customers, who purchased links on sites, which turn out to be compromised by hackers," he said. One site affected by injected links sold on Sape is DaveWinfieldHof.com, the official site of National Baseball Hall of Famer Dave Winfield. In 2016, the site was hacked and injected with links to sites promoting flea tablets for dogs, “MILF porn videos,” an Italian escort service, and JT Foxx, a motivational speaker and self-proclaimed “World’s #1 wealth coach.” (Foxx’s attorney denied that his client had knowingly or intentionally used Sape links and said he would work to have the links removed from the offending sites.) Reached by email, Winfield’s attorney and agent, Randy M. Grossman, said that Winfield “had no knowledge of the hacking.” The links were subsequently removed.

BuzzFeed News / Via DaveWinfieldHof.com Injected links on DaveWinfieldHof.com.

Sape is one of the largest players in injected links. An Ouroboros-like serpent of sites point back to other companies that specialize in selling paid backlink services, which are sometimes referred to as “niche edits.” The practice of placing injected links is not new, but it was brought into the open when an SEO consultant based in the Philippines posted a series of messages on BlackHatWorld, an online forum where people buy and sell black hat SEO services and discuss the latest techniques. The consultant, who did not use their real name on the forum and declined to comment to BuzzFeed News, largely focused on one person and their company, and posted a cache of documents, including emails and a spreadsheet of allegedly compromised websites. BuzzFeed News emailed a sample of the most-linked sites listed in the spreadsheet, and more than 20% of those contacted said they had been hacked. The thread focused on Vadim Kevin Zyabkin, who runs the SEO company SERPninja from Vancouver, Canada. On its website, the company boasts it can secure links on thousands of websites and that “the sites in our inventory are ethically obtained using our decade long experience in outreach and guest posting.” But links to SERPninja have been placed on multiple websites without the knowledge or permission of the owners of those sites. BuzzFeed News found a link to SERPninja was recently added to a 2010 blog post on the site of Chris Brogan, a New York Times bestselling author and marketing consultant. “Well, that’s kind of nuts,” Brogan told BuzzFeed News, adding that he had not updated his blog since September. Among the documents posted on BlackHatWorld are images of Skype chats where Zyabkin discussed hacking into websites and placing links for SEO. Zyabkin told BuzzFeed News that he was just trying to impress someone he wanted to do business with. “Sales is [about telling a] good story, and I'd tell them I was a serial killer if that point sold the vendor to try the product,” Zyabkin said via Facebook Messenger. After being sent a list of sites with injected links pointing to his company’s site, Zyabkin blamed it on employees buying links through online marketplaces. Zyabkin said his company uses Sape and two other marketplaces like it to fulfill some of its link orders, and the rest are executed by a team of people in India. These staffers reach out to websites to see if they will add links in return for payment, he said. Zyabkin said that hacked links are a consequence of doing business on Sape. “I assume the same as everyone else in the community, that many of these links are somehow hacked,” he said. “We're a volume business that a lot of marketers use — so if the network has bad inventory, it'll occasionally get through in the process. We don't claim to be perfect or have a perfect process — since it's not really our responsibility.”

“I'd tell them I was a serial killer if that point sold the vendor to try the product.”

Another SEO company that has benefitted from injected links is DFY Links. It’s run by Charles Floate, who as a 19-year-old pleaded guilty in 2015 to hacking the UK Home Office websites and temporarily shutting down the FBI’s Internet Crime Complaint Center’s website, as well as to two counts of “possessing prohibited images of children.” (He said they were photos of his then–teenage girlfriend.) Floate, now a 23-year-old who lives in Thailand, has referred to himself as “the God of SEO.” In addition to running DFY Links, he makes YouTube videos where he talks about black hat SEO techniques. A backlink to DFY Links was present in a post on Stillman’s lifestyle blog as of roughly May of this year, according to data from SEMrush. It was removed in September, around the time she was engaged in a cleanup effort to rid her site of injected links. In an interview with BuzzFeed News, Floate was adamant he’d never hacked into websites to add links, nor ever knowingly bought or sold hacked links. He said the injected links pointing to his site must have been placed by consultants he hired to fulfill link orders for his business and help his company rise in search results. Floate said Zyabkin was one of the people he hired to provide backlinks for him. Floate provided BuzzFeed News with chat and financial records that showed he paid Zyabkin for backlinks. Floate said he ended the relationship earlier this year when he learned about the accusations made against Zyabkin on BlackHatWorld. “We've been trying over 50 different suppliers for various different links and stuff. I just don't have the time and neither does my team to do the research that you did [to identify hacked/injected links],” Floate told BuzzFeed News. “But anyone that seemed to be supplying hacked links, anyone that I confirmed was, and anyone that I was suspicious of, we just immediately removed. It's just unfortunate that some have genuinely slipped through the cracks.” Zyabkin denied he sold links to Floate and declined to comment on the screenshots that appear to show otherwise. Floate said the conditions of his sentence enable UK authorities to inspect his computer devices at any time. “They would have probably arrested me like two years ago,” he said, if he had been hacking into sites to inject links or selling these kinds of links. Google declined to comment on the selling of injected links, or how it combats the practice.

One post was even hacked during the course of the magazine’s email conversations with BuzzFeed News.

“We don't have anything to share on this. We don't share specific details of our spam fighting tactics and actions as to not empower bad actors to work around our guidelines,” a company spokesperson told BuzzFeed News. Brendon McAlpine, business development manager at Australian takedown service Internet Removals, told BuzzFeed News that people who pay for links are “looking for a shortcut, no matter the cost to others (or themselves) in the long term.” WordPress — which powers more than 30% of all sites on the web — is a common denominator across many of the hacked sites, which use it for their content management system. WordPress plug-ins are a frequent target of hackers because they can provide backdoor access into websites. In other instances, attackers target outdated WordPress installations or find new exploits. In multiple cases identified by BuzzFeed News, the hackers gained access by compromising individual user accounts. Dan Walmsley, development lead for Jetpack, a security and backup service for WordPress, told BuzzFeed News that the popularity of the platform combined with its built-in search optimization make it an attractive target for black hat SEO schemes.

"WordPress has world-class SEO built in to the platform and [is] extensible via plugins, which of course is one reason that it's so successful, but also makes it an attractive target for link farming and other forms of SEO arbitrage," he said.



Sape.ru was founded in 2007 by Russian entrepreneurs Grigory Firsov, Evgeny Poshibalov, and Alexey Zemlyanoy. Boasting a cheap and easy-to-use SEO service, the site quickly became popular in its home country, attracting sizable investments from Mail.ru and other big companies. (A Sape spokesperson originally said Kirill Belov was also a co-founder, but after this article published, Belov and Sape's CEO contacted BuzzFeed News to say he is not a founder of Sape.)

In March 2013, search industry websites reported that Google penalized Sape after the head of Google’s webspam team at the time, Matt Cutts, tweeted that he was investigating “naughty Russian link selling software." (Cutts, now with the US Digital Service, declined to comment.) Word quickly spread on black hat forums, where users of the network said they had experienced a “huge drop in rankings.” “Sape penalties and sanctions are just speculations and unconfirmed information, including that of Google,” a Sape spokesperson told BuzzFeed News. Months after those reports, Russian media reported that Mail.ru sold its 30% share in the company to Millhouse Capital, a British investment firm founded by the Russian billionaire Roman Abramovich. "We are pleased with this investment," a Millhouse spokesperson was quoted as saying at the time. "The company brings stable dividends." A Sape spokesperson initially confirmed that investment, but Pankov, Sape's CEO, subsequently said was Millhouse was never a shareholder, and that Mail.ru maintains an ownership stake in the company. Since the reports of being penalized by Google first circulated, Sape has grown and expanded, recently adding a new roster of SEO services, including an option to buy links from popular Instagram, Twitter, and YouTube accounts. The site also offers free plug-ins that allegedly facilitate the placement of links on hacked sites and "make them look as natural as possible to fool search engines,” according to internet security company Sucuri, which is owned by GoDaddy. On programming forums like Switch-case.ru, some webmasters have reported finding Sape code on their sites after getting hacked. Sape said its plug-ins are designed to make “link exchanges” more convenient and are not built to enable hackers. In some instances, inserted links and associated code contained direct references to Sape. In 2015, for example, someone hacked into JeffConnaughton.com, the site of the former White House lawyer and author of The Payoff: Why Wall Street Always Wins, a memoir about working as an adviser to former US senator and vice president Joe Biden. Before long, the site was riddled with malicious links to sites promoting Spanish fitness classes, a New Jersey Little League academy, a DIY chlamydia test, and Yousef Al Otaiba, the United Arab Emirates ambassador to Washington. (Otaiba, whose name also popped up on the Winfield site, did not return a request for comment.) Connaughton told BuzzFeed News his site “was a sitting duck because I’ve never done the [software] updates.” He eventually took the site offline. BuzzFeed News uncovered at least 12 references to “sape” and “sape.ru” embedded within the site, including images and GIFs. A search for the site in Sape’s database confirmed that an unknown black hat marketer had been offering to sell backlinks on the site.

Sape / Via sape.ru The listing for Jeff Connaughton's site on Sape.ru.

Julian Young, director of WordPress support and maintenance company Jellyhound, said sites with outdated WordPress installations, like Connaughton’s, are especially vulnerable to hackers.

“It's very easy to check what version of Wordpress a site is using as well as detect a particular outdated plugin,” Young told BuzzFeed News in an email. “[There] are scripts hackers can run that simply trawl the internet looking for particular vulnerabilities in every Wordpress website they can find. [Some are] so advanced now that they have user interfaces and full automation, you can just set them off and even automate the hacking process itself." People looking to purchase backlinks on Sape are able to select sites according to criteria such as topic, country, language, and domain rank. Clients pay for the service on a weekly or monthly basis, with prices ranging from less than 1 cent to approximately $17.70, depending on the search ranking of the site. Elsewhere, on freelancer sites like SEOClerks, third-party services charge as much as $329 to navigate the Sape network for anyone who wants to avoid getting directly involved. This is similar to what Zyabkin of SERPninja said he does for clients. Ads for these services boast “crazy metrics we can source for you from the SAPE network" and dubiously claim that Sape links are “totally safe from Google penalties.” Sape link marketers unethically manipulate Google's search rankings, according to Charles Leveillee, a digital marketing consultant at SEO company NewApps Agency, based in Colorado.

“We don't hack websites or have employees do it — we're an SEO company that sells SEO.”

"[Sape] links are almost always placed on the homepage (header, footer or sidebar), where the placement value is the most effective in the ranking," Leveillee told BuzzFeed News. "Because of these link placements, it allows users to achieve rankings very quickly, more quickly than white hat SEO where it happens organically, with time." The unobtrusive placement of the links within a website’s header code or images also helps ensure site owners remain unaware that their site has been hacked, allowing the hacker to quietly leech the site over the course of several years. Notable sites found on the Sape network include AlysonStoner.com — the since-deleted blog of the actor, singer, dancer, and viral sensation of the same name — and Eric-Weinstein.net, the personal site of the managing director of Thiel Capital, a major venture capital firm founded by Peter Thiel. Weinstein is a leading member of the intellectual dark web, a term he coined on Joe Rogan’s podcast to describe a loosely connected group of public figures who reject identity politics and political correctness. A review of Stoner’s site found at least 19 links to sites including a Vietnamese diploma mill, a Swiss plastic surgery clinic, and a Forbes article about a newly marketed drug for female sexual dysfunction. Stoner did not return requests for comment.

BuzzFeed News / Via eric-weinstein.net Injected links on Eric-Weinstein.net.

Weinstein's site was also badly hit, with at least 15 links to sites advertising shapewear garments, vaping paraphernalia, and "free massage porn," among others. Domain records indicate that Weinstein's site was acquired by a Russian online marketer in 2015 after the domain was dropped. It’s unclear who owns it today, though the site looks exactly the same as it did when Weinstein was listed in ownership records. Weinstein declined to answer questions about the site. One egregious aspect of the Sape network is the rife exploitation of websites belonging to nonprofit organizations and historically marginalized groups. BuzzFeed News identified Sape link offerings for the websites of churches, charities, veterans organizations, Native American tribes, as well as a rape crisis center, a hospice, and Outrage.org.uk, the website for what was once one of Britain’s most prominent LGBTQ rights organizations. Around 2014, Outrage.org.uk was hacked and quietly injected with links to sites for Norwegian credit cards and online product reviews. The hack went unnoticed until last month, when BuzzFeed News contacted the organization. “[The] OutRage! Website has been a constant target for attacks, moreso in previous years when we were more active,” said Brett Houston-Lock, an LGBTQ rights campaigner who currently maintains the site. “In those days the cyberattacks were politically motivated, but these days the enemy is spammers and scammers.” Pankov, the Sape CEO, emphasized that his company offers an online marketplace and that it's primarily focused on the Russian market.

"A majority of our users are bona fide owners of the sites and domains utilizing our services. We do everything within our power to block accounts of any confirmed hackers or any sites and domains, whose ownership cannot be verified," he said.



In fall 2017, an SEO consultant in the Philippines with the username OnniChan decided to call out injected link sellers on BlackHatWorld. They said they had made a deal with someone who they later discovered was selling hacked links that originated with Vadim Kevin Zyabkin. OnniChan provided screenshots of Skype chats with Zyabkin in which he talked about compromising sites to inject links. In one exchange, Zyabkin shared a link to a 2012 news report about WordPress sites being hacked and said, “this is the kind of stuff I’m good at. SEO is not my forte.” When asked if he was the one who hacked those sites in 2012, he replied with a blushing emoji and said, “its how all this started.” Zyabkin said he claimed to hack into sites because he was “trying to impress” OnniChan and get them to be a reseller of his links service.

“Exclusivity such as ‘hacked’ links was an easy way to get people to resell since they thought they had a unique angle in the marketplaces on the forums,” he said. “I guess it was silly to try to relate to them in that sense, but that was ages ago and as I've said, we were convincing people to resell the product where we could back then.” He said the Skype chat released by OnniChan “looks bad out of context.” “I can't really help how people take things though — the context is what it is, and the vendor [OnniChan] was plenty happy to sell the links after we convinced her — until she felt wronged and posted selectively edited Skype logs,” he said. The Dropbox folder OnniChan shared contained screenshots of emails that show the links she allegedly bought via Zyabkin’s network of niche edits sites were added without knowledge of the site owners. This aligns with BuzzFeed News’ recent finding that SERPninja, Zyabkin’s company, is benefitting from injected links on sites, including the blog of bestselling author Chris Brogan, real estate blog GreekEstate, and travel blog Dangerous Business. The hacked post on Brogan’s blog was even changed to make it seem as though he had a personal connection to SERPninja. “Oh, do you need to worry about your search engine optimization? I’m not especially versed in that, so I just use the Scribe SEO plugin (affiliate link) recommended to me by my friends at Serpninja.io,” reads the recent version of a post he first published in 2010. An archived version of that same post from August 2017 shows the shoutout to SERPninja wasn’t in the original. Similarly, at some point since fall 2018, someone hacked into the personal website of journalism professor and author Dan Kennedy and inserted a reference and link to DFY Links, Floate’s company. Kennedy’s original post, a book review, included the sentence “Everything looks the same in your news feed.” But when BuzzFeed News recently accessed the page, the text was changed to “As my friend from DFY Links says, everything looks the same in your news feed.”



BuzzFeed News / Via chrisbrogan.com The injected link and text of Chris Brogan's website.