Affiliate Fraud at Scale: AI, Black Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs

Affiliate marketing drives traffic and conversions in competitive industries like iGaming, but unethical techniques are on the rise. QuoIntelligence's investigation uncovered a large-scale campaign using AI-generated content, automation, fake social media accounts, and Black Hat SEO to manipulate rankings and deceive users.

Affiliate marketing is a powerful driver of traffic and conversions, particularly in highly competitive industries like iGaming, where affiliates play a crucial role in attracting users through content marketing, SEO, and strategic promotions. However, the profitability of this model has also led to aggressive and unethical tactics, with some actors manipulating rankings and visibility through Black Hat SEO techniques.

Our investigation uncovered a large-scale affiliate campaign using AI-generated content, automation, fake social media accounts, and Black Hat SEO to manipulate search rankings and drive traffic to iGaming and VPN promotions while avoiding detection. Motivated by financial gains, fraudsters abused trusted platforms and impersonated legitimate brands to deceive users.

Key Findings:

  • Large-Scale Subdomain Generation and Redirection Chains: The campaign systematically generates thousands of subdomains, each containing redirection chains that make detection and takedown efforts more challenging. At the time of writing, we identified seven primary domains and over 1,000 subdomains directing users to affiliate offers.
  • SEO Manipulation and Fake Social Media Accounts: To further enhance visibility, fraudsters employ different Black Hat SEO techniques and create hundreds of fake social media accounts.
  • Cross-Promotion for Maximum Reach: By simultaneously promoting VPN services and iGaming offers, the operators extend their reach across different industries to maximize profits.
  • Event-Driven Strategy: The campaign aligns its activities with high-traffic events, such as major sporting events and affiliate competitions like 7StarPartners’ Affiliate Races. Additionally, it shifts focus based on seasonal promotions, moving from iGaming promotions to NordVPN marketing campaigns to optimize earnings.
  • Undermining Market Integrity and Consumer Trust: Fraudsters manipulate search rankings, impersonate legitimate brands, and distort traffic metrics, misleading users and diminishing trust in reputable operators. These tactics not only push legitimate businesses out of visibility but also compromise the reliability of affiliate programs, ultimately damaging brand credibility and the broader industry’s integrity.

Campaign Timeline and Execution

Pre-Launch Activities

Before the campaign’s official launch, the operators registered multiple domains and generated numerous subdomains. These subdomains function as redirection points, embedding affiliate tracking numbers to guide users toward various websites. Our investigation reveals that many of these links ultimately direct users to Casinia, an online casino operating under the 7StarPartners Affiliate Program, which rewards affiliates based on conversions. Further analysis indicates that additional redirections lead to NordVPN, a widely recognized virtual private network (VPN) service, which also runs an affiliate program that compensates partners for attracting new subscribers.

Figure 1: Campaign Timeline. Source: QuoIntelligence

Early Implementation: From February To April 2024

The campaign initially focused on iGaming promotions via LinkedIn, targeting gambling activities such as casino games, sports betting, and lotteries. To assess its full scope, we searched for iGaming-related keywords in multiple languages. This approach revealed numerous fraudulent accounts following the same operational patterns.

As we delved deeper into the investigation, we discovered that the campaign actively published content in multiple languages, including English, Spanish, Italian, Greek, German, Portuguese, Polish, and Lithuanian. This widespread linguistic presence indicated a deliberate strategy to target an international audience, maximizing engagement across different regions.

On LinkedIn, we discovered multiple affiliate company pages, which are specific LinkedIn pages linked to a parent company profile. Businesses often create these pages to focus on specific industries, regions, or product lines, enabling them to customize content and engagement for distinct audiences while remaining linked to the main corporate brand. Some of the affiliate company accounts we identified were impersonating well-known iGaming brands, while others strategically incorporated industry-specific keywords to enhance their visibility.

Early in the campaign, the operators created different parent company profiles on LinkedIn with names consisting of random alphanumeric sequences followed by the string “company” (e.g., yz4p0u1company) and categorized them under “internet news”. Initial activities likely involved testing keyword strategies and optimizing redirection chains to enhance effectiveness. Over time, the operators refined their approach, shifting from posting directly on parent company pages to creating separate affiliate pages to distribute content. This shift indicates a deliberate effort to keep primary accounts from being flagged and/or removed while diversifying promotional efforts.

Figure 2: Various affiliate pages on LinkedIn all under the parent company “x3e7aomzpkcompany”. Source: QuoIntelligence

By March and April 2024, the campaign significantly expanded. The operators deployed hundreds of fake LinkedIn accounts to distribute content, leading to the creation of over 400 subdomains. Additionally, we have observed an extended presence beyond LinkedIn, with fraudulent activity spreading to Medium, Tumblr, and WordPress, further broadening their reach.

Figure 3: One Tumblr account consistently published posts in the same style, targeting user searches and embedding subdomains that redirected to Casinia. Source: QuoIntelligence

Expansion and Diversification: From April To September 2024

In April and May 2024, the operators expanded their campaign by introducing NordVPN promotions alongside iGaming content. They repurposed existing LinkedIn accounts to promote VPN services while also creating new accounts dedicated solely to VPN-related content. This shift allowed them to reach a broader audience across multiple sectors.

Figure 4: LinkedIn account that shifted from iGaming to VPN promotions, also changing its post language from Portuguese to Arabic. Source: QuoIntelligence

Figure 5: Niche transition from iGaming to VPN on Medium. Source: QuoIntelligence

Between July and September, activity slowed, with most content posted on Medium. However, in October, the campaign expanded to Facebook, launching new accounts designed to attract engagement by leveraging common user search queries.

Figure 6: A Facebook account created for promotions, using user search queries like “Where can I find the lottery results?” in Spanish. Source: QuoIntelligence

Return to LinkedIn: Renewed VPN Promotions and a New Naming Pattern

From October to December 2024, the operators intensified LinkedIn account creation, signaling a renewed push for VPN promotions. This expansion introduced a new naming pattern, where accounts followed a structured format consisting of two capitalized words followed by a three-digit number. These names referenced technology-related terms, such as NextGenix832, BrightForge637, TurboSphere637, and FusionCore658.

Figure 7: Accounts on LinkedIn with new naming pattern. Source: QuoIntelligence
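
As an added example (not part of QuoIntelligence's tooling), the two LinkedIn naming patterns described in this report can be expressed as triage heuristics for a list of page or account names. The digit and minimum-length requirements on the first pattern are assumptions added here to reduce matches on ordinary names, and a match is a lead for review, not a verdict.

```python
import re
from collections import defaultdict

# Early parent pages: random lowercase alphanumerics + "company" (e.g. yz4p0u1company).
# Requiring a digit and 6+ leading characters is an added assumption to spare
# ordinary names such as "acmecompany".
RANDOM_PARENT = re.compile(r"^(?=[a-z]*\d)[a-z0-9]{6,}company$")
# Later accounts: two capitalized words + three digits (e.g. NextGenix832).
TECH_PAIR = re.compile(r"^(?:[A-Z][a-z]+){2}(\d{3})$")

def classify(name):
    """Return the naming pattern a page/account name fits, or None."""
    if RANDOM_PARENT.match(name):
        return "random-parent"
    if TECH_PAIR.match(name):
        return "tech-pair"
    return None

def shared_suffixes(names):
    """Group tech-pair names by numeric suffix; keep suffixes seen more than once."""
    groups = defaultdict(list)
    for name in names:
        m = TECH_PAIR.match(name)
        if m:
            groups[m.group(1)].append(name)
    return {s: sorted(v) for s, v in groups.items() if len(v) > 1}

# Names quoted in the article, plus two constructed benign-looking names.
SAMPLE = ["yz4p0u1company", "x3e7aomzpkcompany", "NextGenix832", "BrightForge637",
          "TurboSphere637", "FusionCore658", "acmecompany", "Northwind Traders"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n:20} {classify(n)}")
    print(shared_suffixes(SAMPLE))
```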

Seasonal Trends and Major Events Fueling Affiliate Marketing Fraud

Affiliate marketing campaigns often align their activities with high-traffic periods to maximize conversions, and this campaign was no exception. Its timeline reveals a clear correlation between its peak activity and major events in the iGaming and VPN sectors, demonstrating a strategic approach to exploiting seasonal promotions and industry-specific opportunities.

The 7StarPartners’ Affiliate Races 2024 (15 February – 15 May) coincided with a surge in fraudulent activity, during which the operators mass-generated subdomains to redirect traffic toward affiliate offers, expanded their social media presence, and intensified promotional efforts to exploit the competitive nature of the event.

Following this, the campaign shifted to NordVPN promotions, aligning with NordVPN’s seasonal marketing calendar to sustain engagement and revenue. The operators strategically timed their activity around major promotions, such as Easter sales, Black Friday and Cyber Monday deals, and Christmas discounts, ensuring maximum exposure. They also leveraged localized offers like regional holiday discounts and year-round promotions for students, non-profits, and activists. This approach kept their affiliate links relevant and appealing to users actively searching for discounts and deals. 

Figure 8: NordVPN seasonal promotions and discounts. Source: NordVPN

Campaign Infrastructure

To sustain its scale, resilience, and evasiveness, the campaign operates a multi-layered infrastructure that integrates domains, subdomains, social media manipulation, and AI-generated content. The following sections break down the key components that enable the campaign’s sustained activity and expansion.

Domain and Subdomain

The campaign utilizes over 1,000 subdomains across at least seven primary domains, ensuring uninterrupted operations despite takedown attempts. If a subdomain is flagged or blocked, traffic is seamlessly redirected through alternate subdomains, making the system cost-effective and difficult to disrupt.

Domain                        Subdomain
argentimmediat.com            clo6.argentimmediat.com
bestvpnprice.com              deoods.bestvpnprice.com
conseguirdineroahora.com      jaf1r.conseguirdineroahora.com
deinecasinobonus.de           9e76.deinecasinobonus.de
gagnedelargentmaintenant.fr   irkad.gagnedelargentmaintenant.fr
getbonus25.com                plhja.getbonus25.com
grandmother27.pl              frii7q.grandmother27.pl

Social Media Exploitation

The campaign relies on an extensive network of over 500 fake social media accounts, actively posting across LinkedIn, Medium, Tumblr, WordPress, and Facebook. A key aspect involves impersonation, particularly on LinkedIn, where the operators create fake company pages mimicking legitimate gambling brands. This deceptive approach could potentially increase engagement, as users may perceive the content as originating from a reputable source.

AI-Generated Content and SEO Manipulation

The campaign heavily relies on AI-generated content to manipulate search rankings and drive traffic, prioritizing quantity over relevance with repetitive, low-quality posts and clickbait titles targeting gambling, sports, VPNs, and unrelated topics. Furthermore, the high volume of multilingual content highlights the campaign’s heavy reliance on automation to scale its operations.

To maximize visibility, the operators employ different Black Hat SEO techniques, including keyword stuffing, parasite hosting, and link manipulation, exploiting search algorithms and high-authority platforms to push their content to the top. These techniques highlight the evolving sophistication of affiliate marketing fraud, making it increasingly challenging for search engines and social media platforms to detect and mitigate deceptive schemes.

Figure 9: Tumblr search results for “UEFA European Championship 2024 results” show the campaign’s posts ranking among the top and in the “popular” section, highlighting the effectiveness of its SEO techniques in boosting visibility. Source: QuoIntelligence

During our investigation, we identified several Medium pages featuring posts that appeared to be AI-generated responses to prompts about SEO strategies for the gambling industry. Further analysis revealed posts responding to a prompt that requested the integration of adult content with SEO-optimized material for gambling promotions. This reflects an attempt to manipulate search engine rankings by leveraging adult-themed queries to increase visibility and attract traffic. Notably, these posts contained links to the same subdomains.


Figure 10: Medium posts responding to a prompt integrating adult content with SEO-optimized gambling material. Source: QuoIntelligence

Figure 11: Medium posts responding to a prompt integrating adult content with SEO-optimized gambling material and in Polish. Source: QuoIntelligence

Attribution

Attribution remains inconclusive due to the scale, automation, and shared infrastructure involved. While common technical patterns, affiliate IDs, and redirection mechanisms indicate a coordinated effort from a single entity, multiple actors could be leveraging the same infrastructure. The activity appears financially motivated, driven solely by affiliate marketing commissions.

However, key indicators provide insight into potential actors:

  • All Casinia redirection links embed affiliate ID 82813, while NordVPN promotions consistently use affiliate ID 103411 in redirection links and final URLs, indicating a structured tracking system.

Figure 12: Visual example of how the redirection chain works from one of the subdomains. Source: QuoIntelligence

  • Technical Consistency: Subdomains follow a structured alphanumeric pattern, and hosting provider similarities indicate centralized infrastructure control.
  • Possible Link to a Polish SEO Specialist: We have identified a Facebook page managed by an allegedly Polish SEO specialist, linked to fake profiles promoting VPN and casino content using the same subdomains. While he appears involved, the campaign likely includes other collaborators or automated systems.
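
The infrastructure and affiliate-ID indicators above can be combined into a triage check over redirect chains taken from proxy or crawler logs. This is an added example, not QuoIntelligence's code: the domains and affiliate IDs are those listed in this report, while the sample chains, the `.example` hosts, the `aff` parameter name and the assumption that an ID appears as a whole path segment or query value are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Primary domains and affiliate IDs exactly as listed in the article.
PRIMARY_DOMAINS = (
    "argentimmediat.com", "bestvpnprice.com", "conseguirdineroahora.com",
    "deinecasinobonus.de", "gagnedelargentmaintenant.fr", "getbonus25.com",
    "grandmother27.pl",
)
AFFILIATE_IDS = {"82813": "Casinia", "103411": "NordVPN"}

def _split(url):
    # Log sources often drop the scheme; urlsplit needs one to find the host.
    return urlsplit(url if "://" in url else "http://" + url)

def campaign_domain(url):
    """Primary domain if the URL's host is that domain or one of its subdomains."""
    host = (_split(url).hostname or "").rstrip(".")
    for domain in PRIMARY_DOMAINS:
        # Match on a label boundary so look-alike hosts are not caught.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def affiliate_programs(url):
    """Programs whose ID appears as a whole path segment or query value (assumed placement)."""
    parts = _split(url)
    tokens = [s for s in parts.path.split("/") if s]
    tokens += [v for _, v in parse_qsl(parts.query)]
    return {AFFILIATE_IDS[t] for t in tokens if t in AFFILIATE_IDS}

def triage_chain(chain):
    """Grade a redirect chain; one signal alone may be coincidence, so 'high' needs both."""
    domains = {d for d in map(campaign_domain, chain) if d}
    programs = set().union(*(affiliate_programs(u) for u in chain))
    level = "high" if domains and programs else "review" if domains or programs else "none"
    return {"level": level, "domains": sorted(domains), "programs": sorted(programs)}

# Constructed sample chains; hosts ending in .example and the "aff" parameter are hypothetical.
SAMPLE_CHAINS = [
    ["https://clo6.argentimmediat.com/go", "https://track.example/c?aff=82813", "https://casino.example/"],
    ["deoods.bestvpnprice.com/deal", "https://vpn.example/offer/103411"],
    ["https://notargentimmediat.com/", "https://shop.example/item/82813"],
    ["https://news.example/story?id=7"],
]

if __name__ == "__main__":
    for chain in SAMPLE_CHAINS:
        print(triage_chain(chain)["level"], chain[0])
```

Matching on the primary domain rather than on individual subdomains keeps the check effective when the operators rotate subdomains.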

Figure 13: Facebook group page called “Best VPN Promotions” created to promote posts with subdomains belonging to the same operators behind the campaign. Source: QuoIntelligence

Figure 14: Fraudulent Facebook pages spreading promotional content in the “Best VPN Promotions” group to boost visibility and engagement. Source: QuoIntelligence

Conclusions

By impersonating legitimate brands on platforms like LinkedIn, fraudsters mislead users and falsely associate reputable operators with unlicensed or deceptive offers, ultimately eroding trust. Meanwhile, Black Hat SEO techniques artificially boost fraudulent content in search results, reducing legitimate operators’ visibility and creating confusion among potential customers. These techniques also generate distorted traffic metrics, making it difficult to distinguish trustworthy affiliates from malicious actors and undermining the credibility of affiliate programs over the long term. 

Beyond iGaming, this campaign demonstrates the broader risks of large-scale affiliate fraud, where AI, automation, and Black Hat SEO techniques are strategically used to exploit trusted platforms, search engines, and affiliate programs at scale. Flooding high-authority sites with spam posts degrades content quality and user trust in search results, while subdomains and redirection chains make detection and takedown efforts more challenging, as blacklisting or removing a single link rarely disrupts the broader scheme. By aligning these illicit activities with major industry events and promotional cycles, the fraudsters capitalize on increased user interest and heightened traffic to maximize both reach and revenue.
