Inside the Machine: How Crypto Scammers
Hijack Bing & DuckDuckGo

The Two Attack Vectors

Our investigation uncovered two completely different, parallel operations running simultaneously to push phishing sites to the top of Bing and DuckDuckGo results.

Vector A: The Yahoo SERP Injection Attack

This is arguably the most technically elegant black-hat SEO attack we have documented in 2026. It exploits a fundamental flaw in how Bing evaluates link authority — specifically, its inability to distinguish between genuine editorial links and dynamically generated search result pages from trusted domains.

Yahoo’s inherited Authority Score (AS 24) flows through mobile search pages to phishing domains — Bing accepts the signal as legitimate

The Mechanism — Step by Step

Step 1 — Generating the trusted carrier URL. Attackers craft URLs on Yahoo’s mobile search endpoints across multiple international subdomains: no.search.yahoo.com (Norway), fr.search.yahoo.com (France), mx.search.yahoo.com (Mexico), pl.search.yahoo.com (Poland), gr.search.yahoo.com (Greece), qc.search.yahoo.com (Quebec), chfr.search.yahoo.com (Swiss French), co.search.yahoo.com (Colombia). These pages carry Yahoo’s inherited Authority Score: 23–24.

Step 2 — Embedding the phishing anchor. Each URL contains a completely random, innocent search query — “pele+fifa”, “Jean-Paul+Sartre”, “Radio+Stars”, “jucheck.exe” — but the anchor text reads: curvefi.co Curve Finance. The randomized queries ensure no pattern-matching by spam filters.

Step 3 — Forced crawl & indexation. Attackers push Bingbot to crawl these URLs using mass ping services, forum/blog comment injections, and automated crawl triggering tools.

Raw SEMrush Evidence — curvefi.co

The brutal irony: The site has zero organic keywords, zero traffic in SEMrush’s database — yet it appears in Bing/DDG results for “Curve Finance” because of Yahoo’s borrowed authority.

Vector B: The Coordinated PBN Network

This is where the investigation gets truly alarming. Five separate phishing sites — rabbys.at, dexscreener.at, monero-wallet.at, trezorsuite.at, and keplr.me — all share an identical set of backlink sources. This is not coincidence. This is a single organized criminal operation running multiple phishing campaigns from one infrastructure.

One operator, 9 PBN donors, 5 phishing targets — the probability of this being coincidental is approximately 0.00001%

The Smoking Gun — Shared Infrastructure

Phishing Domain Profiles

The AI-Powered Article Farm

The aster-dex.at variant uses a hybrid approach, combining Yahoo injection with AI-generated blog content placed on compromised or purpose-built sites across Vietnam, Italy, Indonesia, and Switzerland.

AI-generated articles on compromised sites — identical titles, different domains, all linking to the same phishing target

The blog articles all have near-identical titles: “Why Token Swaps and Liquidity Pools Still Trip Up Even Seasoned DEX Traders”, “Why Automated Market Makers Still Surprise Traders”. These are AI-generated articles placed on sites with AS 21–36, all linking to aster-dex.at.

Comment Spam Infiltration

keplr.me takes a different approach entirely — pure comment spam on unrelated high-authority sites. Fake user names like “ZackaryThymn”, “Fritzkah”, “Jamesboach” inject crypto wallet anchors into philosophy education sites (filozofija.edu.rs, AS 45), employee engagement platforms (bavave.com, AS 63), and arts festivals (lea-festival.com, AS 50).

Legitimate sites unknowingly hosting phishing links — hidden among normal-looking user comments

The Bottom of the Barrel: Automated Tool Spam

bscscan.cfd uses the crudest possible method: paid bulk backlink packages from sites literally named rankongoogle.agency and linksjump.click. All sources have AS = 0. The .cfd TLD is a known spam indicator. Yet on Bing, even this partially works — volume of low-quality links can influence rankings on brand-new domains with no negative history.

“1000 Backlinks $9.99” — the cheapest SEO scam tools still partially work on Bing

Why Bing & DuckDuckGo Are Specifically Vulnerable

Google’s multi-layered spam defense vs Bing’s less mature detection — the gap scammers exploit

Keyword Targeting Strategy

The keyword profiles reveal surgical precision in target selection. Operators target not just primary brand terms but typosquats (“rabbi wallet”, “rubby wallet”, “dexscrenner”) and even Chinese-language queries (“aster交易所” ranking #25).

Multilingual targeting: English, French, Chinese, Vietnamese — the operation spans continents

Historical Context: The Trust Wallet / DuckDuckGo Problem

Even after Trust Wallet switched away from DDG as the default, the underlying vulnerability persists. Any user who manually chooses DuckDuckGo for privacy — a demographic that heavily overlaps with crypto users — remains exposed to these exact attacks today. The scam operations documented in this report have been running variations of this technique for several years, adapting as search engines slowly patch individual vectors.

How to Protect Yourself

• NEVER connect your wallet from a search result
• Bookmark legitimate sites directly
• Use DDG’s !bang shortcut: !g curve finance forces Google search
• Install MetaMask’s phishing detection extension
• Check any domain at PhishDestroy before connecting

Recommendations to Microsoft/Bing

1. Dynamic page detection: Classify search result pages (Yahoo, Baidu, Google) and strip link equity from outbound links
2. Coordinated PBN detection: When 9 domains link to 5 different sites with identical patterns, flag as manipulation
3. Brand impersonation layer: Detect TLD substitution attacks (dexscreener.at ≈ dexscreener.com)
4. .AT domain monitoring: Enhanced scrutiny for newly registered .at domains in crypto SERPs
5. DuckDuckGo fast-track: Create dedicated spam removal API that DDG can access directly

The evidence is public. The domains are documented. The victims are real. The fix is in Microsoft’s hands.