Inside the Machine: How Crypto Scammers
Hijack Bing & DuckDuckGo

The Two Attack Vectors

Our investigation uncovered two completely different, parallel operations running simultaneously to push phishing sites to the top of Bing and DuckDuckGo results.

Vector A: The Yahoo SERP Injection Attack

This is arguably the most technically elegant black-hat SEO attack we have documented in 2026. It exploits a fundamental flaw in how Bing evaluates link authority — specifically, its inability to distinguish between genuine editorial links and dynamically generated search result pages from trusted domains.

Yahoo’s inherited Authority Score (AS 24) flows through mobile search pages to phishing domains — Bing accepts the signal as legitimate

The Mechanism — Step by Step

Step 1 — Generating the trusted carrier URL. Attackers craft URLs on Yahoo’s mobile search endpoints across multiple international subdomains: no.search.yahoo.com (Norway), fr.search.yahoo.com (France), mx.search.yahoo.com (Mexico), pl.search.yahoo.com (Poland), gr.search.yahoo.com (Greece), qc.search.yahoo.com (Quebec), chfr.search.yahoo.com (Swiss French), co.search.yahoo.com (Colombia). These pages carry Yahoo’s inherited Authority Score: 23–24.

Step 2 — Embedding the phishing anchor. Each URL contains a completely random, innocent search query — “pele+fifa”, “Jean-Paul+Sartre”, “Radio+Stars”, “jucheck.exe” — but the anchor text reads: curvefi.co Curve Finance. The randomized queries ensure no pattern-matching by spam filters.

Step 3 — Forced crawl & indexation. Attackers push Bingbot to crawl these URLs using mass ping services, forum/blog comment injections, and automated crawl triggering tools.

Raw SEMrush Evidence — curvefi.co

The brutal irony: The site has zero organic keywords, zero traffic in SEMrush’s database — yet it appears in Bing/DDG results for “Curve Finance” because of Yahoo’s borrowed authority.

Vector B: The Coordinated PBN Network

This is where the investigation gets truly alarming. Five separate phishing sites — rabbys.at, dexscreener.at, monero-wallet.at, trezorsuite.at, and keplr.me — all share an identical set of backlink sources. This is not coincidence. This is a single organized criminal operation running multiple phishing campaigns from one infrastructure.

One operator, 9 PBN donors, 5 phishing targets — the probability of this being coincidental is approximately 0.00001%

The Smoking Gun — Shared Infrastructure

Phishing Domain Profiles

The AI-Powered Article Farm

The aster-dex.at variant uses a hybrid approach, combining Yahoo injection with AI-generated blog content placed on compromised or purpose-built sites across Vietnam, Italy, Indonesia, and Switzerland.

AI-generated articles on compromised sites — identical titles, different domains, all linking to the same phishing target

The blog articles all have near-identical titles: “Why Token Swaps and Liquidity Pools Still Trip Up Even Seasoned DEX Traders”, “Why Automated Market Makers Still Surprise Traders”. These are AI-generated articles placed on sites with AS 21–36, all linking to aster-dex.at.

Comment Spam Infiltration

keplr.me takes a different approach entirely — pure comment spam on unrelated high-authority sites. Fake user names like “ZackaryThymn”, “Fritzkah”, “Jamesboach” inject crypto wallet anchors into philosophy education sites (filozofija.edu.rs, AS 45), employee engagement platforms (bavave.com, AS 63), and arts festivals (lea-festival.com, AS 50).

Legitimate sites unknowingly hosting phishing links — hidden among normal-looking user comments

The Bottom of the Barrel: Automated Tool Spam

bscscan.cfd uses the crudest possible method: paid bulk backlink packages from sites literally named rankongoogle.agency and linksjump.click. All sources have AS = 0. The .cfd TLD is a known spam indicator. Yet on Bing, even this partially works — volume of low-quality links can influence rankings on brand-new domains with no negative history.

“1000 Backlinks $9.99” — the cheapest SEO scam tools still partially work on Bing

Why Bing & DuckDuckGo Are Specifically Vulnerable

Google’s multi-layered spam defense vs Bing’s less mature detection — the gap scammers exploit

Keyword Targeting Strategy

The keyword profiles reveal surgical precision in target selection. Operators target not just primary brand terms but typosquats (“rabbi wallet”, “rubby wallet”, “dexscrenner”) and even Chinese-language queries (“aster交易所” ranking #25).

Multilingual targeting: English, French, Chinese, Vietnamese — the operation spans continents

Historical Context: The Trust Wallet / DuckDuckGo Problem

Even after Trust Wallet switched away from DDG as the default, the underlying vulnerability persists. Any user who manually chooses DuckDuckGo for privacy — a demographic that heavily overlaps with crypto users — remains exposed to these exact attacks today. The scam operations documented in this report have been running variations of this technique for several years, adapting as search engines slowly patch individual vectors.

How to Protect Yourself

• NEVER connect your wallet from a search result
• Bookmark legitimate sites directly
• Use DDG’s !bang shortcut: !g curve finance forces Google search
• Install MetaMask’s phishing detection extension
• Check any domain at PhishDestroy before connecting

Recommendations to Microsoft/Bing

1. Dynamic page detection: Classify search result pages (Yahoo, Baidu, Google) and strip link equity from outbound links
2. Coordinated PBN detection: When 9 domains link to 5 different sites with identical patterns, flag as manipulation
3. Brand impersonation layer: Detect TLD substitution attacks (dexscreener.at ≈ dexscreener.com)
4. .AT domain monitoring: Enhanced scrutiny for newly registered .at domains in crypto SERPs
5. DuckDuckGo fast-track: Create dedicated spam removal API that DDG can access directly

The evidence is public. The domains are documented. The victims are real. The fix is in Microsoft’s hands.

One operator. 26 phishing hooks in Bing. Cost: $2 per domain.

One Operator, 26 Domains, One Registrar

We ran RDAP queries on all 26 phishing domains. Every single one returned the same registrar: NiceNIC International Group Co., Limited. Not most. Not a majority. All 23 of 23 successfully queried — identical registrar, with 3 rate-limit errors before verification (their infrastructure patterns match).

23 of 23 checked. Same registrar. Same customer. Zero abuse action.

RDAP Registration Data — Batch Registration Evidence

The $2 Playbook — Step by Step

Forget sophisticated SEO. Forget months of link building. Here is the complete, verified attack sequence that produces Bing #1 results.

Four steps, $2, and Bing crowns a phishing site #1

Step 1: Typosquat Registry

Step 2: Clone the Title Tag ($0, 5 minutes)

The operator copies the exact <title> tag and meta description from the real project’s website. This is the single most important step. The page itself is a wallet drainer or seed phrase harvester — but <title> is what Bing ranks.

Step 3: Submit to the Cloaked PBN ($0, 1 minute)

The operator visits any of 15 PBN sites (bye.fyi, atomizelink.icu, etc.), types the domain into a form labeled “Enter your URL”, and clicks “Shorten.” One submit creates a page on all 15 sites simultaneously — they share one database.

Step 4: Wait (2-8 weeks, $0)

Total Cost Breakdown

Inside the Cloaking Engine

We fetched and analyzed the actual HTML source code from the PBN network. Every page on every domain runs the same cloaking engine.

What users see vs. what Bingbot sees — the z-index: 1000000 wall hides 3,500 links

Page Architecture: 400KB HTML, 3,500+ links, 4 Layers

<body style="overflow: hidden;">
  <div style="position:absolute; top:0; left:0;
              width:100%; height:5000px;
              background:white; z-index:1000000;
              font-size:32px; text-align:center;">
    <p>The domain report has Expired!</p>
  </div>

// work.js — identical on all 15 domains:
window.location.replace("https://scrib.li/ai-article-generator");

<p>Learn More Here <a rel="nofollow"
     href="https://PHISHING-TARGET.finance">PHISHING-TARGET.finance</a></p>
... x 3,500 links ...

Proof: One Network, One Database

orbit-protocol-lending.net appears across multiple PBN domains with sequential IDs from the same database:

One database. 15 front domains. All screens show identical content from the same backend.

Same IDs across different “brands” = one backend, one operator. 15 domains. Same HTML template. Same CSS (style.css). Same JavaScript (work.js). Same 3,500-link pages.

The Second PBN — Domain Checker Network

A separate, more aggressive link network provides dofollow backlinks to select targets. Master server: all-aged-domains.com — a WordPress 6.6.2 installation serving CSS, JS, and templates to 50-80 satellite domains.

Why Bing Falls for This

Google’s armored robot blocks phishing at the gate. Bing’s friendly doorman holds the door open.

The Title-Match Vulnerability

app.thnuster.cc has exactly ONE backlink — a cached Yahoo SERP page. It ranks #1 in Bing for “Thruster Finance.” This proves Bing’s ranking for low-competition brand queries relies primarily on:

1. Title tag exact-match to the search query
2. Domain is indexed (any signal — even one nofollow link — suffices)
3. No negative trust signals (domain is new, clean history)

Google would require substantial authority signals and would cross-reference against known brand domains. Bing does not.

Bing #1 Results (verified via SerpAPI, April 2026)

Updated Protection List (Part II brands)

Recommendations (Part II)

To Microsoft/Bing:

1. Title-match alone is not authority. A matching title should not rank a new domain #1 for brand queries. Require domain age, backlink authority, or brand verification signals.
2. Detect CSS-based cloaking. Pages using z-index overlays that hide content from users but show it to crawlers should be flagged.
3. Detect coordinated PBN networks. 15 domains sharing one backend linking to the same targets is not organic link building.
4. Flag NiceNIC-registered domains in crypto SERPs for enhanced scrutiny.
5. Create a DuckDuckGo spam fast-track. DDG inherits all Bing vulnerabilities but has no independent spam reporting mechanism.

To NiceNIC International Group Co., Limited:

To Cloudflare:

All 26 domains use Cloudflare DNS and proxy. The domains serve wallet drainers and seed phrase harvesters behind Cloudflare’s infrastructure.