CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

HaxorSEO Marketplace Facilitates SEO Poisoning Campaigns

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Security researchers have uncovered an expansive backlink marketplace called HaxorSEO (HxSEO) on Telegram and WhatsApp. This marketplace offers over 1000 backlinks to pre-compromised but legitimate domains, enabling threat actors to boost the search rankings of malicious web pages. The service uses compromised websites with webshells to inject malicious backlinks, often targeting vulnerable php components and WordPress plugins. The low cost and high effectiveness of these backlinks make it an attractive option for threat actors, leading to large-scale attacks. The compromised websites are typically 15-20 years old and are marketed with 'trust' scores to indicate their effectiveness. The operation has been successful in ranking fraudulent banking login pages higher than legitimate ones, posing a significant risk to unsuspecting users.

Timeline

  1. 26.01.2026 17:00 1 articles · 23h ago

    HaxorSEO Marketplace Discovered Facilitating SEO Poisoning Campaigns

    Security researchers have uncovered an expansive backlink marketplace called HaxorSEO (HxSEO) on Telegram and WhatsApp. This marketplace offers over 1000 backlinks to pre-compromised but legitimate domains, enabling threat actors to boost the search rankings of malicious web pages. The service uses compromised websites with webshells to inject malicious backlinks, often targeting vulnerable php components and WordPress plugins. The low cost and high effectiveness of these backlinks make it an attractive option for threat actors, leading to large-scale attacks.

    Show sources
    Open in new tab

Information Snippets

  • HaxorSEO operates on Telegram and WhatsApp, offering a Google Sheet of over 1000 backlinks to pre-compromised domains.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • The compromised domains are typically 15-20 years old and are marketed with 'trust' scores.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • Threat actors use webshells to inject malicious backlinks into legitimate websites, boosting the search rankings of phishing pages.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • The service targets vulnerable php components and WordPress plugins, using file upload and remote code execution exploits.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • Backlinks are sold for $6 per listing, making the service highly attractive to threat actors.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • The marketplace lists backlinks alongside common SEO metrics such as Page Authority (PA), Domain Authority (DA), and Domain Rating (DR).

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • The operation has successfully ranked fraudulent banking login pages higher than legitimate ones.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources

  • Users are advised to bookmark sensitive login pages and verify the legitimacy of URLs to avoid falling victim to phishing schemes.

    First reported: 26.01.2026 17:00
    1 source, 1 article
    Show sources