Methodology & Confidence
This report follows intelligence-assessment conventions: findings are stated as confidence levels, not certainties. Attribution here identifies an operation, a brand and its infrastructure; the natural-person identity behind it is not established and would require legal process. “Suspected laundering indicators” refers to on-chain patterns and is not a legal finding of money laundering. The work is published in good faith for defensive, security-research purposes.
From 723 spam backlinks to $1.2 million in on-chain throughput mapped. Modern defense begins before impact.
(This figure represents documented USDT throughput through the master wallet — funds observed moving in and out — not confirmed operator revenue or profit.)
What we found was a commercially operated Black Hat SEO service – operational infrastructure since 2018, commercial storefront documented since 2020, and a registered domain footprint reaching back to 2015. The operation runs a published price list, 1,126 hosting slots, 2,252 attributable domains, and $1,237,584 in documented cryptocurrency throughput. It is assessed with high confidence as the work of a single operator (or a tightly-knit group) traced to Guangdong province, China.
The immediate technical response (a disavow list of 1,037 domains) handled the symptom for the affected target. But disavow only removes bad links from Google’s index. It does nothing about the actor, their infrastructure, their presumed clients, or the fact that they can generate 723 new domains in 22 days and do it again next week. So, we kept going: we mapped the operator’s full infrastructure, traced the money on-chain, and outlined the evidentiary routes that could support real-world identity attribution through appropriate legal process.
This post is a walkthrough. The numbers, the methodology, the actor profile, the IOCs – all published so the next target on this operator’s list has the intelligence before the first spam domain hits their report. Intel is only valuable if someone can act on it. We publish the actor profile and IOCs so the next target can act (disavow, abuse report, registrar complaint, or law-enforcement referral). How you frame this (as a marketing problem or as a threat intelligence case) is less a technical question than an organizational one.
Why this is a Security problem, not an SEO problem
The standard response to a negative SEO campaign goes like this: detect the bad links, submit a disavow file to Google Search Console, and monitor to see if rankings recover. It is a reasonable response to a marketing problem.
The premise is wrong.
Negative SEO campaigns are not rogue marketing tactics. They are a commercially offered service with a published price list, a client onboarding process, recurring revenue, and infrastructure that has been running continuously for years. The actor running the campaign against your domain is the same actor running campaigns against other brands this week; and will be running campaigns against new ones next month.
In many cases, these operators are not limited to reputation attacks. The same infrastructure and tactics frequently overlap with broader influence and disinformation ecosystems. Black-hat SEO techniques such as link scheming, blog pinging, and forum spam are routinely used to manipulate search visibility, whether the goal is to damage a target’s reputation or amplify misleading content. As a result, identifying these suspicious linking patterns is often the first step in uncovering emerging disinformation networks.
Disavow treats the symptom. It removes bad links from Google’s index. It does nothing about the actor, their infrastructure, their presumed other clients, or the fact that they can generate hundreds of domains in a short time span and do it again as soon as the disavow clears.
Attribution treats the cause. It maps who the actor is, how their infrastructure works, who their buyers are, and what the path to a real-world consequence looks like (whether that is a Cloudflare abuse report, a law enforcement referral, or publishing the IOCs so that every other organization on that actor’s target list knows what to look for before their campaign starts).
This is what preemptive cybersecurity looks like: identifying signals of attacker intent and disrupting the attack before it is executed.
Part I: The Business of Black Hat SEO
A Published Price List and a Telegram Channel
The commercial front for this operation is straightforward. The operator (operating under the account @seo7878 and the channel @seo8989 on Telegram) runs what amounts to a managed link-building service for the black-hat market. The storefront is to66.link. The sales channel is Telegram. Payment is USDT TRC20 only.
The catalog, captured firsthand:
| Service | Tier | Monthly Price |
|---|---|---|
| Reputation / SEO | Low heat (no gambling, adult, or illicit keywords) | $1,000 |
| Reputation / SEO | High heat (gambling, adult keywords included) | $3,000 |
| Black SEO / negative SEO | Targeting a competitor’s domain | $5,000 |
The published prices are negotiating anchors, not floors. As part of intelligence-gathering (to learn the operator’s real pricing and whether they entertained offers), our analysts engaged the seller and pushed hard on price; no service was commissioned and no payment was made. Under pressure, the operator was willing to drop the negative SEO service to roughly $600 (a fraction of the listed $5,000), indicating the real margin is significantly wider than the catalog suggests.
The content of the negative SEO campaign observed used low heat anchor text exclusively: “Black Hat SEO… Google SEO fast ranking… Telegram: @seo7878”, with no gambling or adult keywords. That pattern is consistent with the $1,000/month package, meaning whoever commissioned this campaign paid roughly the cost of a mid-tier SaaS subscription to target an enterprise domain.
1,126 Slots and a Panel from 2018
The infrastructure behind the service is not improvised. Five servers at a US-based hosting provider (AS33387, IP range 63.141.242.34 to .38) run a BT Panel installation that has been operational since 2018. This is confirmed by the ETag timestamp on the static HTML served from suspended hosting slots.
The architecture is layered:
- Ports 80 and 443: nginx serving the commercial storefront (to66.link) proxied through Cloudflare.
- Port 789: Pure-FTPd – the client upload endpoint. After payment, clients receive FTP credentials and upload their backlink payload as a plain TXT file.
- Port 8888: BT Panel admin interface, access controlled.
- Ports 10000-11125: 1,126 individual hosting slots, one per client. Each is a separate nginx server block. Active slots serve WordPress content; suspended slots return a static HTML placeholder of exactly 3,460 bytes.
BT Panel (in Chinese: 宝塔面板) is the dominant Chinese hosting management panel, and its port-per-site architecture is what makes the slot pool immediately identifiable. When a client pays and uploads their content, a new server block is created and assigned a port in the 10,000+ range. Content is then propagated to Google’s crawlers via a redirect chain running through compromised third-party sites.
The crawler chain works as follows: a compromised site contains a JavaScript redirect to google-N.black-hat-seo.site. Cloudflare proxies that request to the origin server with the correct Host header, which serves the client’s link payload. Google crawls the chain, indexes the content, and the backlinks register in the target’s backlink profile.
Cloudflare is not being used here for performance. It is being used as a content delivery shield (the real server IPs are hidden behind it, and the hosting pool ports are not accessible without the correct Host header).
Following the Money
The entry point into the financial investigation was the payment wallet made available by the operator. That wallet address (TUnoTeYXRKyjHBmg9GE1DLGWP92beAPPUX) is the secondary, client-facing collection address. Looking it up on the TRON blockchain reveals its transaction history: 12,049 USDT received across 8 transactions over 15 days in March 2026, with a consistent rhythm of approximately $800/day. At that pace, this wallet alone was processing around $24,000/month.
But the secondary wallet is not where the money lives; it is a collection point. Shortly after receiving funds, they are forwarded to a different address: the master wallet (TX7mxv8RzCUb1dvJ9uxHD9LrWkzUDeQP9J).
The master wallet was not shared by the operator. It was discovered by identifying a repeat client: one address had sent two separate payments to the secondary wallet, and that same address had also sent funds directly to the master wallet (a trail only visible because the blockchain records everything). Following that connection led to the full picture: $1,237,584 in total documented throughput through the master wallet alone.
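The repeat-client pivot described above, as an added example (not the report’s own tooling or data): given a list of TRC20 transfers, it finds addresses that paid the collection wallet more than once, keeps only their other payees that the collection wallet itself forwards to, and then totals throughput and exit routes for the wallet it finds. The transfers and the client, exchange, intermediate and OTC addresses are constructed; only the three operator wallet addresses come from the report.

```python
"""Repeat-client pivot from a collection wallet to an undisclosed master wallet.

Constructed example: the transfer list below is made up for illustration and is
not on-chain data; only the three operator wallet addresses come from the report.
Real input would be TRC20 transfer records exported from a TRON explorer.
"""
from collections import Counter, defaultdict
from datetime import date

COLLECTION = "TUnoTeYXRKyjHBmg9GE1DLGWP92beAPPUX"   # client-facing wallet (report)
MASTER = "TX7mxv8RzCUb1dvJ9uxHD9LrWkzUDeQP9J"       # master wallet (report)
COLD = "TJm576kRs2QBs4WeXbMmPMGbFo7Xm7QDj1"         # cold storage (report)

# Constructed transfers: (sender, receiver, USDT amount, date).
TRANSFERS = [
    ("T_client_A_constructed", COLLECTION, 1500, date(2026, 3, 2)),
    (COLLECTION, MASTER, 1500, date(2026, 3, 2)),          # forwarded same day
    ("T_client_B_constructed", COLLECTION, 1450, date(2026, 3, 3)),
    (COLLECTION, MASTER, 1450, date(2026, 3, 3)),
    ("T_client_A_constructed", COLLECTION, 1600, date(2026, 3, 5)),
    (COLLECTION, MASTER, 1600, date(2026, 3, 5)),
    # The repeat client also paid the master wallet directly, earlier.
    ("T_client_A_constructed", MASTER, 2000, date(2026, 2, 20)),
    ("T_exchange_hot_wallet_constructed", MASTER, 5000, date(2026, 2, 25)),
    # Outflows from the master wallet.
    (MASTER, "T_intermediate_1_constructed", 3000, date(2026, 3, 6)),
    (MASTER, COLD, 2000, date(2026, 3, 6)),
    (MASTER, "T_otc_broker_constructed", 1000, date(2026, 3, 7)),
]

# Analyst labels for known exit addresses (constructed, except COLD).
EXIT_LABELS = {
    "T_intermediate_1_constructed": "gambling-intermediate",
    COLD: "cold-storage",
    "T_otc_broker_constructed": "otc-broker",
}


def repeat_senders(transfers, wallet, min_payments=2):
    """Addresses that paid `wallet` at least `min_payments` times."""
    counts = Counter(src for src, dst, _, _ in transfers if dst == wallet)
    return {addr for addr, n in counts.items() if n >= min_payments}


def forwarding_targets(transfers, wallet):
    """Addresses that `wallet` itself sends funds to."""
    return {dst for src, dst, _, _ in transfers if src == wallet}


def find_master_wallet(transfers, collection):
    """Pivot: a repeat client's other payees that the collection wallet also
    forwards to. Requiring both conditions keeps a client's unrelated payments
    from being mislabelled as operator wallets."""
    other_payees = set()
    for client in repeat_senders(transfers, collection):
        other_payees |= {dst for src, dst, _, _ in transfers
                         if src == client and dst != collection}
    return other_payees & forwarding_targets(transfers, collection)


def throughput(transfers, wallet):
    """Documented throughput = everything in plus everything out (not profit)."""
    inbound = sum(amt for src, dst, amt, _ in transfers if dst == wallet)
    outbound = sum(amt for src, dst, amt, _ in transfers if src == wallet)
    return inbound, outbound, inbound + outbound


def exit_breakdown(transfers, wallet, labels):
    """Sum of outflows per labelled exit route; unlabelled payees stay visible."""
    totals = defaultdict(int)
    for src, dst, amt, _ in transfers:
        if src == wallet:
            totals[labels.get(dst, "unlabelled:" + dst)] += amt
    return dict(totals)


if __name__ == "__main__":
    for wallet in find_master_wallet(TRANSFERS, COLLECTION):
        print("master wallet candidate:", wallet)
        print("throughput in/out/total:", throughput(TRANSFERS, wallet))
        print("exit routes:", exit_breakdown(TRANSFERS, wallet, EXIT_LABELS))
```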
Where the Money Comes From
When you look at who sent money to the master wallet, the sources are revealing: the payments arrive from hot wallets (exchanges’ own outgoing addresses) of major KYC-regulated exchanges. The blockchain shows the funds moving from these exchanges to the operator; a legal request would reveal who sent them.
How the Money Gets Out: Three-Layer Cash-Out Chain
Getting cryptocurrency funds into usable cash without leaving a clear trail to the operator’s identity requires moving the money through multiple layers.
This operation uses three exit routes simultaneously:
Layer 1: Intermediate wallets to Chinese gambling platforms. The largest share of outgoing funds flows through intermediate addresses into wallets tied to several Chinese online gambling platforms. Gambling platforms are a commonly cited cash-out / funds-obfuscation vehicle.
Layer 2: Cold storage. A portion of funds is parked in an offline wallet (TJm576kRs2QBs4WeXbMmPMGbFo7Xm7QDj1). This is not laundering itself; it is simply funds parked where law enforcement cannot easily seize or freeze them remotely.
Layer 3: OTC conversion to cash (the critical layer). 51,464 USDT was sent directly to a wallet tied to @kaitangshou1, an OTC (Over-the-Counter) broker. OTC brokers operate outside regulated exchanges: they find a buyer for the USDT and pay the operator in CNY via Alipay, WeChat Pay, or bank transfer. No exchange is formally involved.
OTC brokers operating in this manner (converting USDT to CNY) are typically required to maintain payment records in order to complete the transaction. The wallet address associated with this broker shows 32,131 incoming transactions, consistent with an active service handling many clients. Because the cash payment must be sent to the operator’s account, the records held by whoever operated this wallet likely include payment identifiers (bank account or Alipay) tied to the operator’s financial identity. A law enforcement request directed at the broker behind this wallet could materially assist attribution.
The operator may not be beyond identification: a defined legal process (crossing from the blockchain into Chinese financial infrastructure) could plausibly lead to attribution.
The full cash-out chain in plain terms:
Clients pay in USDT from regulated exchanges (where their identity is on file) → money lands in the operator’s collection wallet → forwarded to master wallet → split three ways: into gambling platforms (a documented cash-out / funds-obfuscation channel), into cold storage (long-term savings), and to an OTC broker (to convert to cash). Each hop adds a layer of complexity, but every hop is permanently recorded on the public blockchain.
The following figure shows the cash-out / funds-obfuscation flow diagram. Three-column layout showing inbound payments from KYC-regulated exchanges, movement through the secondary and master wallets, and three exit routes: OTC broker route with potential identity-linked payment records, intermediate wallets to gambling platforms, and cold storage. Every step is recorded on the public TRON blockchain; natural-person attribution would require legal process.
Part II: The Attribution Methodology
Seven Signals. One Attribution.
The attribution did not come from a single breakthrough. It came from stitching together seven signals drawn from separate sources, each adding a discriminator that narrowed the universe of actors until a single operational profile remained.
This is how preemptive attribution works in practice: not a single clever insight, but systematic signal chaining across infrastructure, behavioral, and financial layers.
Signal 1: Anchor Text Signature
The anchor text on spam domains was not random. It followed a consistent template: “Black Hat SEO… Google SEO fast ranking… Telegram: @seo7878” followed by random tokens such as ZYHIn, Rdmc0, or H2JpP. Those tokens confirmed automated generation – a script appending random strings to avoid exact-match detection. More importantly, the @seo7878 handle embedded in the spam content is the actor signing their own work. It is simultaneously an attack on one domain and an advertisement to potential new clients: spam is the marketing channel.
Signal 2: Cloudflare NS Pair as Structural Discriminator
Every domain in the disavow list shared the same Cloudflare nameserver pair: ridge.ns.cloudflare.com and monroe.ns.cloudflare.com. Cloudflare assigns a unique NS pair to each customer account – all domains using that pair belong to the same account. Cross-referencing against daily zone files for .info, .asia, and .xyz TLDs revealed 2,252 domains sharing the same NS pair. The disavow had captured only the subset that had been used against a single target; the full infrastructure was nearly 2.2 times larger.
Signal 3: SSL Certificate and Install Defaults
The FTP server on port 789 uses a self-signed certificate issued by BT Panel with organizational details that were never changed from installation defaults: O=BT-PANEL, L=Dongguan, ST=Guangdong, [email protected]. This was not an intentional disclosure, and it is not a geolocation either: those fields (including L=Dongguan) are stock BT Panel install defaults (we confirmed the same locality on unrelated BT Panel hosts via Censys), so the certificate identifies the software, not the operator’s location. We do not attribute a city; the only province-level signal comes independently from the 2015 WHOIS (below).
Signal 4: JS Redirect and Cross-Validation
All domains in the identified universe redirect via JavaScript to google-XX.black-hat-seo.site. Sampling against the NS pair discriminator showed over 99% consistency, making the redirect behavior a reliable second discriminator for cross-validation. The pivot also revealed a contingency: black-hat-seo.store had been registered as a backup domain in case the .site domain faced a takedown. The actor had planned for detection.
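An added example (not the report’s own tooling) that applies Signals 1, 2 and 4 to a backlink export: anchor-text template match, Cloudflare NS pair membership and JS redirect target, scored per source domain, with attributed domains written out in Google’s disavow format. The backlink records are constructed; the annabel/carter and edward/fay pairs are assumed to be `*.ns.cloudflare.com` hostnames of the NS names given in Part III, and the two-of-three threshold is this example’s choice, not the report’s.

```python
"""Backlink triage with the report's three infrastructure discriminators:
anchor-text template (Signal 1), Cloudflare NS pair (Signal 2) and JS redirect
target (Signal 4).

Added example. The backlink records below are constructed (source domains,
anchor strings and HTML are made up); the anchor template, NS pairs and
redirect hostname pattern are the indicators documented in the report.
"""
import re
from dataclasses import dataclass, field

# Indicators from the report.
ANCHOR_TEMPLATE = re.compile(
    r"Black Hat SEO.*Google SEO fast ranking.*Telegram:\s*@seo7878", re.I | re.S)
RANDOM_TOKEN = re.compile(r"@seo7878\W*([A-Za-z0-9]{5})\b")
# annabel/carter and edward/fay are assumed to be Cloudflare NS hostnames of
# the same *.ns.cloudflare.com form as ridge/monroe.
KNOWN_NS_PAIRS = {
    frozenset({"ridge.ns.cloudflare.com", "monroe.ns.cloudflare.com"}),
    frozenset({"annabel.ns.cloudflare.com", "carter.ns.cloudflare.com"}),
    frozenset({"edward.ns.cloudflare.com", "fay.ns.cloudflare.com"}),
}
REDIRECT_TARGET = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.replace\()\s*[\"']https?://"
    r"google-\d+\.black-hat-seo\.(?:site|store)\b", re.I)


@dataclass
class Backlink:
    source_domain: str
    anchor_text: str
    nameservers: frozenset          # authoritative NS set for source_domain
    landing_html: str = ""          # fetched landing page, if any
    signals: list = field(default_factory=list)


def anchor_token(text):
    """Random suffix appended to the template (e.g. ZYHIn), or None."""
    m = RANDOM_TOKEN.search(text)
    return m.group(1) if m else None


def check(link):
    """Populate link.signals with every discriminator that fires."""
    link.signals = []
    if ANCHOR_TEMPLATE.search(link.anchor_text):
        link.signals.append("anchor-template")
    if frozenset(link.nameservers) in KNOWN_NS_PAIRS:
        link.signals.append("cloudflare-ns-pair")
    if REDIRECT_TARGET.search(link.landing_html):
        link.signals.append("js-redirect")
    return link


def verdict(link):
    """Two independent discriminators attribute; one alone is queued for review."""
    n = len(link.signals)
    return "attributed" if n >= 2 else "review" if n == 1 else "clean"


def triage(links):
    return {lk.source_domain: verdict(check(lk)) for lk in links}


def disavow_file(links):
    """Google Search Console disavow format: one 'domain:' line per domain."""
    doms = sorted({lk.source_domain.lower() for lk in links
                   if verdict(check(lk)) == "attributed"})
    lines = ["# domains attributed to the @seo7878 link-spam infrastructure"]
    return "\n".join(lines + [f"domain:{d}" for d in doms]) + "\n"


# Constructed backlink export (domains, anchors and HTML are made up).
SAMPLE_LINKS = [
    Backlink("spam-one.info",
             "Black Hat SEO... Google SEO fast ranking... Telegram: @seo7878 ZYHIn",
             frozenset({"ridge.ns.cloudflare.com", "monroe.ns.cloudflare.com"}),
             '<script>window.location.href="https://google-12.black-hat-seo.site/";</script>'),
    Backlink("spam-two.xyz",
             "Black Hat SEO Google SEO fast ranking Telegram: @seo7878 Rdmc0",
             frozenset({"annabel.ns.cloudflare.com", "carter.ns.cloudflare.com"})),
    Backlink("legit-blog.example", "a thorough write-up",
             frozenset({"ns1.example.net", "ns2.example.net"}),
             "<html><body>Normal page</body></html>"),
    Backlink("odd.asia", "cheap hosting",
             frozenset({"ridge.ns.cloudflare.com", "monroe.ns.cloudflare.com"})),
    Backlink("mirror.info", "",
             frozenset({"dns1.other.example", "dns2.other.example"}),
             '<script>location.replace("https://google-3.black-hat-seo.store/x");</script>'),
]

if __name__ == "__main__":
    for lk in SAMPLE_LINKS:
        check(lk)
        print(f"{lk.source_domain:20} {verdict(lk):10} {lk.signals}")
    print(disavow_file(SAMPLE_LINKS))
```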
Signal 5: RDAP Date Clustering and Client Separation
Registration dates from RDAP records allowed reconstruction of the actor’s operational cadence. Domains are registered in daily batches – one batch per client order. Days where all registered domains appeared in the investigation’s disavow were flagged as same-client batches. Days with zero overlap were attributed to other clients. Mixed days indicated parallel processing of multiple orders. From this analysis, a minimum of two additional client batches were identified, indicating at least two other organizations were being targeted in parallel during the investigation window.
This yields a minimum estimate of concurrent client activity; days with partial domain overlap could alternatively reflect a single client running parallel campaigns rather than independent orders.
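The day-batch classification of Signal 5, as an added example with constructed RDAP objects (not the report’s own data or tooling): each registration day in the NS-pair universe is compared against the disavow list and classified as same-client, other-client or mixed, and the lower bound on other-client batches is counted the conservative way the caveat above describes, with mixed days excluded.

```python
"""RDAP registration-date clustering (Signal 5): separating one client's
domain batches from parallel orders.

Added example, not the report's data or tooling. The RDAP objects are
constructed (domain names and dates are made up) but keep the real RDAP
shape: a domain object with an 'events' list carrying a 'registration'
event. DISAVOWED stands in for the investigation's disavow list.
"""
from collections import defaultdict
from datetime import datetime


def rdap_domain(name, registered_at):
    """Build a minimal RDAP domain object (constructed test data)."""
    return {"ldhName": name,
            "events": [{"eventAction": "registration",
                        "eventDate": registered_at}]}


RDAP_RECORDS = [
    rdap_domain("batch-a1.info", "2026-03-01T09:12:00Z"),
    rdap_domain("batch-a2.info", "2026-03-01T09:13:00Z"),
    rdap_domain("batch-a3.xyz", "2026-03-01T09:15:00Z"),
    rdap_domain("batch-b1.asia", "2026-03-02T11:40:00Z"),
    rdap_domain("batch-b2.asia", "2026-03-02T11:41:00Z"),
    rdap_domain("batch-c1.info", "2026-03-03T08:02:00Z"),
    rdap_domain("batch-c2.info", "2026-03-03T08:03:00Z"),
    rdap_domain("batch-c3.xyz", "2026-03-03T08:05:00Z"),
    rdap_domain("batch-c4.xyz", "2026-03-03T08:06:00Z"),
    rdap_domain("batch-d1.xyz", "2026-03-05T15:30:00Z"),
    rdap_domain("batch-e1.info", "2026-03-06T10:00:00Z"),
    rdap_domain("batch-e2.info", "2026-03-06T10:01:00Z"),
]
# Domains that showed up against the investigated target (constructed).
DISAVOWED = {"batch-a1.info", "batch-a2.info", "batch-a3.xyz",
             "batch-c1.info", "batch-c2.info",
             "batch-e1.info", "batch-e2.info"}


def registration_day(rdap_obj):
    """ISO date (YYYY-MM-DD) of the RDAP 'registration' event, or None."""
    for ev in rdap_obj.get("events", []):
        if ev.get("eventAction") == "registration":
            stamp = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).date().isoformat()
    return None


def batches_by_day(records):
    """Group the NS-pair universe into daily registration batches."""
    days = defaultdict(list)
    for obj in records:
        day = registration_day(obj)
        if day is not None:
            days[day].append(obj["ldhName"].lower())
    return days


def classify_day(domains, disavowed):
    overlap = sum(1 for d in domains if d in disavowed)
    if overlap == len(domains):
        return "same-client"       # whole batch hit the investigated target
    if overlap == 0:
        return "other-client"      # batch never touched the target
    return "mixed"                 # parallel processing of several orders


def cluster(records, disavowed):
    out = {}
    for day, doms in sorted(batches_by_day(records).items()):
        out[day] = {"total": len(doms),
                    "overlap": sum(1 for d in doms if d in disavowed),
                    "class": classify_day(doms, disavowed)}
    return out


def minimum_other_client_batches(clusters):
    """Lower bound: only zero-overlap days count. Mixed days are excluded
    because they could be one client running parallel campaigns."""
    return sum(1 for c in clusters.values() if c["class"] == "other-client")


def campaign_window(clusters, cls="same-client"):
    """First and last registration day of the given batch class."""
    days = [d for d, c in clusters.items() if c["class"] == cls]
    return (min(days), max(days)) if days else None


if __name__ == "__main__":
    result = cluster(RDAP_RECORDS, DISAVOWED)
    for day, info in result.items():
        print(day, info)
    print("minimum other-client batches:", minimum_other_client_batches(result))
    print("same-client window:", campaign_window(result))
```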
Signal 6: Behavioral Fingerprinting
In direct engagement, a canary link was included in the conversation as part of passive signal collection. The actor accessed it. The resulting trace: IP 154.53.75.142, spoofed Safari/iPhone user agent, locale zh-CN, timezone Asia/Shanghai, no referrer header, minor parameter rotation between requests. The traffic pattern – headless or automated Chromium running over a VPN – is consistent with an operator using Xray-core on a self-hosted VPS (around $20–50/year), a setup well-documented in Chinese technical communities for circumventing local network restrictions. The VPN IP is not the operator’s real IP, but the locale, timezone, and behavioral fingerprint are consistent with every other signal in the attribution chain.
During the same conversation, the operator stated they were based in the Philippines. That claim is inconsistent with the behavioral trace (zh-CN locale, Asia/Shanghai timezone), the CNY-denominated cash-out infrastructure, the OTC broker operating in Chinese financial rails, and the 2015 WHOIS registrant address in Zhuhai, Guangdong. It is assessed as a deliberate misdirection attempt rather than an accurate self-disclosure.
Signal 7: Blockchain Intelligence
The operator’s USDT payment wallet was the entry point into their full financial network. Tracing funds inward identified payments from hot wallets on several major KYC-regulated exchanges (regulated exchanges with verified identity records), and outward to a master wallet linked to gambling platforms, cold storage, and an OTC broker. A repeat client address exposed the master wallet the operator had never disclosed, revealing $1,237,584 in total throughput. The result is documented financial throughput, indicators of funds-obfuscation activity, and a cash-out chain with identity-linkable endpoints at both ends.
The path to real-world identity attribution runs through two independent evidentiary routes. Either route, if pursued through appropriate legal process, could materially contribute to identifying the operator behind the infrastructure. Neither route alone establishes natural-person identity, but together they increase attribution confidence.
The following figure presents a seven-signal attribution assessment. Horizontal flow diagram with seven nodes: anchor text, NS pair, SSL certificate, JS redirect, RDAP clustering, behavioral fingerprinting and blockchain intelligence. Each node shows the discriminator it contributes and whether it supports infrastructure, behavioral or financial attribution. The final state is an operational profile assessment, not natural-person identification.
The two-channel Telegram structure and outsourced redirect chain are consistent with a small team; the evidence for a single principal rests on the single administrative backbone (one QQ email and one recurring phone number connecting all five registrant identities across three provinces) and the 2015 cross-TLD same-day registration of an identical brand under three separate accounts, a coordination pattern most simply explained by one person constructing the appearance of multiple actors rather than multiple actors independently converging.
Part III: The Actor
Superman SEO: A Decade-Long Operation
The commercial identity behind this operation is 超人seo (“Superman SEO” in Chinese).
The operation has a layered timeline; the front history traces its evolution:
seoNNN.com series (2015–2016) → 199cr.com (2020) → ggseo7.com (2022) → to66.link (2025)
Each domain represents the same operation, rebranded to a new surface as the previous one accumulated reputational exposure or technical risk. The current storefront, to66.link, was registered in May 2025 and is the active commercial face of the operation.
The operation is Chinese-language first: the interface defaults to Chinese locale and the payment and cash-out infrastructure is built around Chinese financial services. Assessed region: Guangdong province (from 2015 WHOIS registrant data). We do not attribute a specific city: the origin server’s BT Panel certificate is a stock-default install and is not used for geolocation.
Telegram presence is split deliberately: @seo7878 handles inbound sales inquiries, while @seo8989 (279 subscribers as of May 2026, active since May 2025) is the client feedback and support channel. This two-channel structure separates the public acquisition surface from the operational layer, a common pattern in commercial underground services.
The operation runs at least three Cloudflare accounts (ridge+monroe, annabel+carter, edward+fay), 2,252 attributable domains across multiple TLDs, and a hosting pool that has been continuously operational since 2018.
An Older Footprint: Historical WHOIS Pivoting Pushes the Timeline to 2015
The commercial front history establishes 2020 as the earliest documented date for this operation. Historical WHOIS pivoting on the actor’s current handles extends that timeline by five years.
The pivot begins with the handle itself. The Telegram account @seo7878 is not arbitrary branding: it shares its name with a domain. seo7878.com was registered on 14 December 2015 through GuangDong NaiSiNiKe Information Technology Co Ltd, under the registrant email 9536****@qq.com, with the registrant address listed as Zhuhai, Guangdong, China. That is the same province where the operator’s origin server resides today, identified independently from the BT Panel SSL certificate in the attribution chain. Two unrelated evidence layers – a self-signed certificate from 2025 and a WHOIS record from 2015 – point to the same provincial geography.
seo7878.com does not sit alone. Pivoting on the registrant email surfaces a coherent cluster of 62 domains registered between 20 November 2015 and 5 April 2016, all sharing the same email and the same operational pattern of batch registration. Eight of those domains form a sequential series:
| Domain | Registered |
|---|---|
| seo304.com | 2015-12-04 |
| seo348.com | 2015-12-04 |
| seo475.com | 2015-12-04 |
| seo767.com | 2015-12-04 |
| seo775.com | 2015-12-04 |
| seo780.com | 2015-12-14 |
| seo883.com | 2015-12-14 |
| seo7878.com | 2015-12-14 |
The seoNNN naming pattern is the early-form template of the same brand the actor has been refining ever since: from a series of throwaway SEO-numbered .com domains in 2015, to ggseo7.com in 2022, to the @seo7878 handle that signs every spam payload in 2026. The brand has been continuous for a decade.
Five Identities, One Operator
The 62-domain cluster is registered under five different registrant identities across three Chinese provinces: two distinct names tied to Zhuhai (Guangdong), two tied to Jinjiang (Fujian), one tied to Hefei (Anhui), and one tied to Chang Ning. The names rotate. The province changes. The registrar shifts between BIZCN, GuangDong NaiSiNiKe, MAFF Inc., BEIJING INNOVATIVE LINKAGE (DNS.COM.CN), and Shanghai Meicheng. What does not change is the administrative email (a single qq.com address, masked here as 9536****@qq.com) and a recurring Chinese mobile number (86 400 999 ****) that connects four of the five identities. The intent was clearly compartmentalization. The execution leaked the connection on two independent fields.
The same operational pattern that defines the 2025–2026 infrastructure – synthetic separation across surfaces, one shared backbone – was already in place ten years ago, in a much rougher form. The actor’s OPSEC has matured, but the underlying habit has not.
The decisive evidence: on 5 December 2015, three domains under the prefix zhuqiubifen (“soccer score” – betting terminology) were registered on the same day across three different TLDs (.com, .net, .wang), three different registrar accounts, and three different registrant names. Independent buyers do not coordinate cross-TLD acquisitions of an identical brand on the same day. This is one operator deliberately splitting a single product across synthetic identities. It is the same playbook as the three Cloudflare accounts (ridge+monroe, annabel+carter, edward+fay) documented in Part II – a decade earlier and on a different surface.
A Shared DNS Backbone
The 2015 cluster used juming.dnsdun.com and juming.dnsdun.net as nameservers for four of the five identities. juming.dnsdun is a low-cost Chinese DNS reseller of the type favored by gray-market operators. Tracing its passive DNS history forward reveals a continuous use pattern: 186 additional .cc domains appearing under those nameservers between 2019 and 2023, with naming conventions characteristic of Chinese gambling brands (xpj212.cc, ag1001.cc, the yibo00/11/22/33/44.cc series), lottery operations (ssctzld972.cc – SSC referring to shíshícǎi, a Chinese state lottery format), and health verticals (zhongyi120.cc). The hosting concentration is equally consistent: 79 percent of the resolutions during that window terminate at two US-based hosting providers (AS46844 and AS53667).
None of the 2015 cluster domains appear in the 2019–2023 passive DNS window. They had already expired before the indexer began capturing the nameserver. What the continuity proves is not that this is the same operator across the entire decade – juming.dnsdun is a shared service – but that the operator has consistently chosen the same ecosystem at every stage: same DNS reseller class, same hosting class, same TLD evolution (.com → .cc), same vertical mix (gambling, lottery, SEO).
Thematic Continuity: Then and Now
The 2015–2016 cluster is also where the gambling thread that surfaces in the financial investigation finds its earliest expression. Several of the 62 domains follow numeric naming patterns (5656NNN, 1919NNN, 7676NNN, h88NNN) consistent with Chinese online casino branding. One (zgzucai.com) refers explicitly to a state lottery product (zúcǎi, the China Sports Lottery). One (1396cp.us) embeds the term cǎipiào (“lottery ticket”) in the domain string. The actor’s 2025–2026 cash-out chain runs funds through gambling platforms for suspected cash-out or funds-obfuscation purposes. The 2015 footprint suggests gambling was not merely a cash-out channel, but an original vertical.
What This Adds to Attribution
The historical pivot strengthens three existing signals: geographic anchoring (2025 SSL and 2015 WHOIS independently point to Guangdong), operational signature (the same compartmentalization-via-multiple-accounts pattern present in today’s Cloudflare setup was already in place in the 2015 registrar setup), and timeline (the earliest provable surface is November 2015, not 2020 – a documented brand evolution from seoNNN .com domains in 2015 to the @seo7878 handle in 2026).
For an organization receiving spam from this operator, the operational implication is straightforward. This is not an actor that will exhaust themselves and disappear if ignored. They have already survived ten years, three commercial fronts, the migration of an entire TLD ecosystem, and at least one full identity rotation. The infrastructure adapts and the actor persists.
Disavow treats the symptom. Attribution treats the cause
The industry’s default response to negative SEO is a Google Search Console procedure designed to mitigate link toxicity signals. It is, by design, reactive: the links must exist, be indexed, and be detected before any action is possible. That is a reasonable constraint when negative SEO is understood as an SEO problem.
The evidence here suggests a different categorization.
An operation running eight years of continuous infrastructure, 1,126 active hosting slots, three Cloudflare accounts, and $1.2M in documented throughput (with a funds-obfuscation chain reaching an OTC cash-out layer) is not an SEO problem. It is a financially motivated, commercially structured enterprise with persistent infrastructure, recurring clients, and evasion mechanisms designed to outlast standard detection and mitigation cycles.
Engaging at the disavow layer while this infrastructure continues to operate at full capacity is the equivalent of treating a fever with cold compresses while declining to diagnose the underlying infection.
For organizations potentially targeted by this operator, the answer is already available. The NS pairs are documented. The hosting IPs are known. The wallet addresses are on chain. The commercial front history is traced back five years. The path to identity attribution is identified.
For those organizations, the infrastructure documented here is already attributable. The only question is whether their security posture is configured to act on that intelligence before the first spam domain appears in their backlink report.
Modern defense begins before impact. That is preemptive cybersecurity.
Attribution Scope and Limitations
This investigation is based exclusively on observable technical, behavioral and financial indicators available through open-source intelligence (OSINT), passive infrastructure analysis, blockchain analytics and direct interaction with the service operator.
The investigation did not include access to Cloudflare customer records, hosting-provider subscriber records, cryptocurrency exchange KYC information, OTC broker customer records, banking / Alipay / WeChat payment records, or law-enforcement and judicial data.
As a result, attribution within this report is limited to operational infrastructure, commercial branding, behavioral patterns and associated financial activity. Natural-person attribution remains outside the scope of this research and would require appropriate legal process.
All findings should therefore be interpreted as intelligence assessments with associated confidence levels rather than definitive legal conclusions.
Confidence Assessment Matrix
| Assessment | Confidence |
|---|---|
| Same infrastructure across attributed domains | High |
| Same operator behind the observed infrastructure | High |
| Attribution to the Superman SEO brand | High |
| Geographic association with Guangdong province | Moderate-High |
| Direct linkage between operator and OTC broker | Moderate |
| Gambling platforms used within cash-out chain | Moderate |
| Financial throughput exceeding $1.2M USDT | High |
| Operator’s self-reported Philippine origin | Inconsistent with technical, behavioral, and financial indicators. Assessed as likely misdirection. |
| Natural-person identity | Not established |
| Criminal liability | Not assessed |
| Money laundering as a legal determination | Not assessed |
From Research to Operationalization
The investigation described throughout this report was performed as a research exercise by Zynap Labs. However, the value of intelligence is not limited to producing reports.
Every attribution step documented here can be transformed into repeatable workflows capable of continuously monitoring infrastructure, identifying operator fingerprints, correlating indicators and generating actionable outputs at scale.
What required weeks of manual investigation during the initial research phase can subsequently become a continuously executed detection and attribution process.
This transition from research to operational execution is where intelligence becomes operationalized.
How Zynap helps: Preemptive Defense against Negative SEO
Most organizations discover they are being targeted by a negative SEO campaign after Google has already indexed hundreds of spam links. By then, the damage (even if temporary) has already occurred. The response is disavow, monitor, repeat.
This approach has a structural problem: it engages with the output of the campaign, not with the infrastructure behind it. An operator running 1,126 hosting slots does not rebuild that infrastructure for each new client. They reuse it. That reuse creates a consistent, detectable fingerprint: one that can be identified before a campaign ever reaches your domain.
Zynap’s preemptive approach to negative SEO operates in five stages:
- Continuous surface monitoring. Your backlink profile is tracked continuously against known indicators of hostile link-building activity: anchor text pattern libraries, Cloudflare NS pair signatures, registrar clustering, and redirect chain fingerprints associated with documented operators. Anomalies are flagged before volume builds.
- Infrastructure attribution. When anomalous backlink activity is detected, the platform pivots from disavow candidates to the actor’s broader infrastructure: identifying which other domains are attributed to the same Cloudflare account, which other organizations are being targeted in parallel, and what the operational and financial profile of the actor looks like.
- Preemptive IOC matching. Your domain is continuously checked against an updated database of infrastructure indicators from known negative SEO operators. If your domain appears in a registration batch alongside other targets (even before any spam link is indexed by Google) you are alerted.
- Preemptive Black Hat SEO domain monitoring. Knowing how the threat actor operates allows us to detect domains registered for this purpose before they are ever used to link to your organization, so they can be disavowed before they are deployed against a target.
- Actionable intelligence output. The output is not just a disavow list. It is a threat actor profile: infrastructure map, financial footprint where documented, attribution confidence level, and a recommended escalation path: Cloudflare abuse report, registrar report, or law enforcement referral where the evidence supports it.
The figure below illustrates a Zynap workflow designed to identify seo7878/algx3 domains that may be targeting your organization for Negative SEO attacks, as well as domains previously used in such campaigns. The workflow produces an executive summary (deliverable via email, Slack, Jira, or any integration your team requires), alongside a disavow.txt file ready for submission to Google Search Console.

Example of a generated executive report from the previous workflow:

The practical difference: instead of responding to 1,037 domains after they have been indexed, your team is alerted when the first batch of 126 domains is registered (potentially before Google has crawled any of them).
Published IOCs
The following indicators of compromise are released publicly. If any appear in your environment (backlink profile, DNS records, or network traffic) attribution to this operator is assessed with high confidence.
| Indicator | Value |
|---|---|
| Actor identity | 超人seo (@seo7878 / @seo8989) and @algx3 |
| Front history | seoNNN.com series (2015–2016) → 199cr.com (2020) → ggseo7.com (2022) → to66.link (2025) |
| Storefront | to66.link, black-hat-seo.site, black-hat-seo.store |
| Subdomains | google-N.black-hat-seo.site and .store (N = 1–100+) |
| Origin IPs | 63.141.242.34 / .35 / .36 / .37 / .38 (US-based host, AS33387) |
| FTP endpoint | 63.141.242.34:789 (Pure-FTPd, TLS, BT Panel) |
| NS pair – sources | ridge.ns.cloudflare.com + monroe.ns.cloudflare.com |
| NS pair – front | annabel.ns.cloudflare.com + carter.ns.cloudflare.com |
| Registrar | Chengdu West Dimension (89% of source domains) |
| Wallet – secondary | TUnoTeYXRKyjHBmg9GE1DLGWP92beAPPUX |
| Wallet – master | TX7mxv8RzCUb1dvJ9uxHD9LrWkzUDeQP9J |
| Anchor signature | “Black Hat SEO… Google SEO fast ranking… Telegram: @seo7878/@algx3” |
| Historical registrant email (2015–2016) | 9536****@qq.com |
| Historical recurring phone | 86 400 999 **** |
| Historical DNS backbone | juming.dnsdun.com / juming.dnsdun.net |
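As an added example (not code from this report or from Zynap's platform), the script below shows how the continuous-monitoring, IOC-matching and disavow-output stages described above can be applied to a backlink export using the published indicators from the table. The indicator values are taken from the table; the backlink records, the scoring weights, and the `Backlink`, `attribute` and `build_disavow` names are constructed for illustration. Strong indicators (the Cloudflare NS pairs, the origin IPs, the storefront domains, and the Telegram handles in anchor text) are weighted higher than the registrar alone, because a registrar is shared with many legitimate customers and should put a domain into review rather than straight into the disavow file.

```python
"""Attribute backlink domains to the seo7878/algx3 operator using the
published IOCs and emit a disavow.txt in Google Search Console format.

Added example: the IOC values come from the report's table; everything
else (records, weights, function names) is constructed for illustration.
"""
from dataclasses import dataclass
import re

# --- IOCs from the published table (the parts that appear in a backlink profile) ---
OPERATOR_NS_PAIRS = {
    frozenset({"ridge.ns.cloudflare.com", "monroe.ns.cloudflare.com"}),    # source domains
    frozenset({"annabel.ns.cloudflare.com", "carter.ns.cloudflare.com"}),  # storefront
}
OPERATOR_ORIGIN_IPS = {"63.141.242.%d" % n for n in range(34, 39)}  # .34 through .38
OPERATOR_REGISTRARS = {"chengdu west dimension"}
OPERATOR_HANDLES = re.compile(r"@(seo7878|seo8989|algx3)\b", re.IGNORECASE)
STOREFRONT_RE = re.compile(r"(^|\.)(to66\.link|black-hat-seo\.(site|store))$")

# Constructed weights: strong infrastructure/brand indicators score 2,
# the shared registrar only 1. Threshold 2 means "at least one strong hit".
WEIGHTS = {
    "cloudflare_ns_pair": 2,
    "origin_ip": 2,
    "storefront": 2,
    "anchor_handle": 2,
    "registrar": 1,
}
DISAVOW_THRESHOLD = 2


@dataclass
class Backlink:
    """One row of a backlink export, enriched with DNS/WHOIS data (constructed)."""
    domain: str
    nameservers: tuple
    registrar: str = ""
    origin_ip: str = ""
    anchor_text: str = ""


@dataclass
class Verdict:
    domain: str
    score: int
    reasons: list


def attribute(link: Backlink) -> Verdict:
    """Score one backlink domain against the operator's fingerprint."""
    reasons = []
    ns_set = frozenset(ns.strip().lower() for ns in link.nameservers)
    if ns_set in OPERATOR_NS_PAIRS:              # Cloudflare assigns exactly two NS per account
        reasons.append("cloudflare_ns_pair")
    if link.origin_ip in OPERATOR_ORIGIN_IPS:
        reasons.append("origin_ip")
    if STOREFRONT_RE.search(link.domain.lower()):
        reasons.append("storefront")
    if OPERATOR_HANDLES.search(link.anchor_text):
        reasons.append("anchor_handle")
    if link.registrar.strip().lower() in OPERATOR_REGISTRARS:
        reasons.append("registrar")
    return Verdict(link.domain, sum(WEIGHTS[r] for r in reasons), reasons)


def build_disavow(links, threshold=DISAVOW_THRESHOLD):
    """Return (disavow.txt text, verdicts). Domains at or above the threshold
    are disavowed; a registrar-only hit is left for analyst review."""
    verdicts = [attribute(l) for l in links]
    flagged = sorted(v.domain for v in verdicts if v.score >= threshold)
    lines = ["# Domains attributed to seo7878/algx3 infrastructure (generated)"]
    lines += ["domain:%s" % d for d in flagged]   # GSC format: one 'domain:' line each
    return "\n".join(lines) + "\n", verdicts


# Constructed sample backlink export (not real observations).
SAMPLE_BACKLINKS = [
    Backlink("google-17.black-hat-seo.site",
             ("annabel.ns.cloudflare.com", "carter.ns.cloudflare.com"),
             origin_ip="63.141.242.35",
             anchor_text="Black Hat SEO Google SEO fast ranking Telegram: @seo7878/@algx3"),
    Backlink("example-spam-001.com",
             ("ridge.ns.cloudflare.com", "monroe.ns.cloudflare.com"),
             registrar="Chengdu West Dimension"),            # source domain, no anchor data
    Backlink("legit-partner.example",
             ("ns1.legit-dns.example", "ns2.legit-dns.example"),
             registrar="Some Registrar"),                     # clean
    Backlink("unrelated-cn-site.example",
             ("dns1.otherprovider.example", "dns2.otherprovider.example"),
             registrar="Chengdu West Dimension"),            # registrar only: review
]

if __name__ == "__main__":
    text, verdicts = build_disavow(SAMPLE_BACKLINKS)
    for v in verdicts:
        status = "DISAVOW" if v.score >= DISAVOW_THRESHOLD else ("REVIEW" if v.score else "clean")
        print("%-32s %-8s score=%d %s" % (v.domain, status, v.score, ",".join(v.reasons)))
    print(text)
```

The FTP endpoint, wallets, and historical registrant data in the table are deliberately not matched here: they never show up in a backlink profile and belong to the infrastructure-attribution and on-chain pivots, not to the first-line monitoring check. Running the script writes a disavow list containing only the two domains with a strong indicator, while the registrar-only domain is reported for review.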
Why This Matters Beyond SEO
While this investigation focused on a commercial negative SEO operation, the broader lesson is not about search-engine manipulation.
The methodology demonstrated here applies to a wide range of threat categories: phishing infrastructure, malware-delivery networks, fake mobile applications, brand impersonation campaigns, credential-harvesting operations, scam and fraud ecosystems, and underground service providers.
In each case, the objective is the same: identify reusable adversary infrastructure early enough to reduce exposure before impact occurs.
The infrastructure may change, domains may rotate, wallets may be replaced and services may rebrand, but operational patterns tend to persist. Detecting those patterns before they affect the next victim is the foundation of preemptive cybersecurity.
The real lesson of this investigation is therefore not about SEO. It is the value of turning isolated signals into actionable intelligence before damage occurs.
The Time Compression Problem
The most important observation from this investigation is not the existence of the operator itself. It is the asymmetry between attacker execution speed and defender response time.
The operator documented in this report can register hundreds of domains within days, deploy infrastructure almost instantly and launch campaigns at industrial scale. Meanwhile, most organizations only begin their investigation after the effects become visible.
This creates a growing gap between attacker execution and defender response.
Reducing that gap is increasingly becoming the central challenge of modern cybersecurity.
The objective is no longer simply detecting activity after it occurs. The objective is reducing exploitable exposure faster than adversaries can operationalize their infrastructure.
That challenge is ultimately a problem of time.
Measuring What Matters: MTRER
Detection is not the goal; reducing exploitable risk is. The eight-week investigation above was one-time research that produced a reusable signature for this operator. For the next target, the question is different: once that signature exists, how quickly can the exploitable risk posed by a campaign be reduced?
We track this as MTRER (Mean Time to Reduce Exploitable Risk): the elapsed time from first hostile signal to risk neutralization (anomaly detected → infrastructure attributed → IOCs generated → domains disavowed or blocked before indexing). For a known operator, MTRER collapses from weeks of manual research to the runtime of an automated workflow. Traditional CTEM (Continuous Threat Exposure Management) identifies exposure; preemptive operations reduce the exploitable risk created by that exposure. The real measure of value in this case is the time delta between those two states.
About Zynap
Negative SEO operations are not isolated incidents. They are industrialized services with client lists, pricing tiers, and recurring revenue. If your organization manages digital presence or brand reputation, the probability that your domain has appeared in a targeting list is not zero.
At Zynap, we apply preemptive intelligence to reduce the window of exposure before impact – not after. If you want to know whether this operator, or others like them, already have your domain in their sights, contact us.
More Reading
There’s lots more from Zynap Labs.
- Unmasking the Real Identity Behind neo_net’s Smishing-as-a-Service Operation – One slip in the OSINT trail, and we had the person behind the operation.
- – A residential router, an exposed email, reused handles. The breadcrumbs from a dark web AI tool to its creator.
- Infrastructure of a Heist: How Credential Theft Operates at Scale – Credential theft, priced out. What it costs to launch and run one.