A few months ago, someone decided to point thousands of spam backlinks at our website.
Not just a few toxic backlinks, but a coordinated flood of them – from the kind of junk domains Google warns you about: scraped directories, link farms, and throwaway sites stuffed with keyword-rich anchors. This is called a negative SEO attack, and it’s still very much a thing in 2026.
Needless to say, when you work in marketing and your goal is to grow a brand, reading CSV files with hundreds or thousands of domains is not what you want to be investing your time in.
At Zynap, we automate the security work that teams are still doing by hand. Our cybersecurity automation platform takes security teams from reactive to preemptive, orchestrating the stack they already run into one coordinated layer that turns intelligence into action before a threat lands.
So when an attack landed on our own doorstep, we didn’t treat it solely as just another marketing mess to clean up by hand. We looped in Zynia Labs, our in-house threat intelligence and malware analysis team, and also treated it as a security incident: detect, investigate, contextualize, and automate the defense. This is that story, and the playbook you can copy.
But let’s start with the basics:
What Is a Negative SEO Attack?
Negative SEO is the practice of trying to harm another site’s search rankings through tactics the target never asked for. Instead of improving your own site, the attacker tries to drag a competitor down.
The one used against us was malicious link building, the most common form: pointing a large volume of spammy, low-quality backlinks at your domain in the hope of triggering a search-engine penalty or eroding trust in your link profile, by trying to fool the search engine’s algorithm into believing that you are trying to manipulate it.
This is a common attack because backlinks are still a very important part of how search engines discover new content and a trust signal that both traditional search engines and Generative AI engines take into consideration. By linking to other sites, webmasters are endorsing them, thus making the link target receive trust and / or authority signals for the search algorithms.
Does this type of attack still work? Google said it ignores obvious spam links automatically multiple times, just to share some examples here’s a John Mueller quote, Google Search Advocate at Google Switzeland, and this stance goes back as far as 2016 with the Penguin 4.0 algorithm update.
But “mostly” is not “always,” and a high-volume, targeted campaign is the kind of situation where you do not want to simply trust that the algorithm will sort it out. Anyone who has watched the panicked threads in the Google Search Console help forums or Reddit knows the uncertainty is real. Plus, Google isn’t the only search engine out there, even if it has a 90% market share as of May 2026 and it’s still unclear what the impact would be in emerging search behaviors such as Generative AI Search which represented between 1% and 1.6% of searches for different regions in Q1 2026, according to Datos State of Search Q1 2026 (gated report).
Common Negative SEO Attack Types
Negative SEO comes in several flavors. It helps to know the landscape, because the defense is different for each one:
- Malicious link building: Flooding your site with toxic backlinks. The most common.
- Content scraping: Copying your content and republishing it to dilute or outrank the original, in the AI era it also includes AI content spinners that automatically scrape rephrase and republish.
- Hacking and malware injection: Compromising the site directly.
- Fake link-removal requests: Impersonating you to strip out your legitimate backlinks.
- Smear and review-bombing campaigns: Attacking reputation rather than rankings.
Our incident was a textbook malicious link-building campaign: a steady stream of spam backlinks from domains we’d never seen, with anchor text engineered to look manipulative to a search engine, a very high volume and persistent overtime.
What the Attack Looked Like on Our Site
I first caught it in a routine Ahrefs check. Mid-February our referring domains count spiked and started to show sizeable daily growth.

A wave of new referring domains had appeared, none of them from sources we’d ever want a link from. The toxic-score signals were unmistakable: PBN (Private Blog Network) patterns, spun content, irrelevant niches, and anchor text that no legitimate site would use to link to us. Here’s an example of what you could see:

The first wave, in Mid-February, was 723 spam backlinks, every one of them from cheap throwaway TLDs .asia, .xyz, and .info domains, every single one carrying the same damning anchor text:
↑↑↑Black Hat SEO backlinks, focusing on Black Hat SEO, Google SEO fast ranking ↑↑↑ Telegram: @seo7878
There was nothing subtle about it. The attacker was not even trying to disguise the links as legitimate, they were openly advertising a black-hat SEO service, Telegram handle and all. And it kept coming: tens of new spam domains were still surfacing daily weeks after we first noticed, which told us this was an active, ongoing campaign rather than a one-off dump
How Did We Defend Against It:
Triage: Classifying the Backlink Profile
The first job in any incident is figuring out what actually matters. The same is true here. Not every odd-looking backlink is part of an attack, and over-reacting by disavowing legitimate links by mistake can do its own damage.
So, I scored and clustered the suspicious domains: grouping by toxicity signals, TLDs, registration patterns, anchor texts and the referring domains. Here’s some examples:
- TLDs: .asia .xyz and .info were very common in the spam campaign. .shop domains were also common but a WHOIS lookup revealed they came from a different and smaller operator.
- Gibberish domain names: 1dnd5j.asia 3bozrj.asia or cbm3dm.asia are some examples.
- Common spam domain names: Usually include SEO, backlink / link, XXX, mimicking search engine manipulation or porn.
Doing this by hand is hugely time-consuming, and it was clear this was an ongoing attack we’d need to monitor over time. So I created a custom spam-check.py command to recognize these patterns and ran it with Claude Code, though any other LLM would work just as well.
With an Ahrefs (or other SEO tool) CSV export or MCP connection, the command looked for these patterns and ranked them with varying degrees of confidence. This is an example of the reports that it produced during its early days:

You can see it separated the genuine domains and backlinks from the spam, while also surfacing suspicious domains that were sometimes false positives. It gave us a clean, defensible list to act on.
It also became clear very quickly that the LLM would run out of context, so I created a whitelist file and referenced it in the command. This file listed all legit backlinks and saved me the hassle of rechecking them every time the LLM forgot about them.
I checked the suspicious domains that might be legit, because I didn’t want to throw away good backlinks that were actually helping the site. For this step I’d recommend using a Sandbox or a virtual machine, to avoid exposing your own machine to potential malware or malicious scripts. One example of a false positive was this repository of threat-intelligence blogs, which Ahrefs had flagged as spam:

A couple of considerations if you plan to create a similar command:
- This proccess is tool agnostic, both for SEO tools and LLMs. Though I started with Ahrefs I later incorporated more data sources like SEMrush, Google Search Console and Bing Webmaster Tools. You could use Claude or any other LLM.
- I did find that CSV exports were more accurate than lookups via MCP, since some of the tools did rate limit Claude’s requests, as a bonus, it’s also more token efficient and doesn’t consume MCP credits. Ideally you can automate these exports with a workflow tool or a LLM routine.
- If you have Google Search Console API connected to BigQuery, running SQL against it is better than exporting CSV files.
Disavowing At Scale
For the domains we were confident about, the tool is Google’s Disavow Links tool in Google Search Console. A disavow file is simply a list of domains or URLs that you tell Google to ignore when it assesses your backlink profile. As per Google’s disavow documentation, only use this tool if you’re confident you know what you’re doing.
We submitted our first disavow file in Mid-February, covering that opening wave of 723 spam backlinks. By the end of the month the list had grown to 1,037 domains, and it’s now sitting at just below 2,400.
That handled what had already hit us. But cleaning up after the damge is done is reactive, and handling each new wave of spam by hand is exactly the losing game we tell our customers to get out of. If the attacker had real infrastructure behind this, we wanted to get ahead of it.
This is when Zynia Labs entered the loop and started their investigation, which you can read in Anatomy of an Industrial-Scale Black Hat SEO Operation.
How Our Labs Team Uncovered the Attacker: “Superman SEO”
This is where the story stops being a marketing clean-up and becomes an eight-week security investigation. Instead of just clearing links, our Labs team pulled on the thread.
What we found wasn’t a lone troll. It was a commercial Black Hat SEO operation, branded “Superman SEO” (超人seo), sold openly on Telegram under the handle @seo7878, the very handle signing every spam link pointed at us, run through a storefront at to66.link and paid in cryptocurrency. It has infrastructure that has been running since 2018, a footprint traceable back to 2015, a published price list, 1,126 hosting slots, and 2,252 attributable domains.
One detail stood out. Whoever commissioned the campaign against us appears to have paid around $5,000 a month to point an industrial spam machine at a single domain.
The breakthrough was a single shared fingerprint. Every spam domain aimed at us used the same Cloudflare nameserver pair. Cloudflare assigns a unique pair per account, so cross-referencing it against public TLD zone files exposed the operator’s wider network, 2,252 domains, far more than the subset that had been aimed at us. Once you can see the machinery, you’re no longer guessing domain by domain, and you can see the parts of the network that haven’t been pointed at you yet.
Labs even followed the money on-chain, documenting roughly $1.2M in cryptocurrency flowing through the operation’s wallets. That’s the total observed moving through the system, not the operator’s profit.
The operation is assessed with high confidence to be based in Guangdong, China. Following intelligence-assessment convention, the report stops at infrastructure and operational profile: it does not name a person, and natural-person attribution would require legal process.
We published the full technical investigation as a separate Zynia Labs report, covering the actor profile, the seven-signal attribution method, and a public set of indicators of compromise (IOCs). You can read the full Zynia Labs investigation for the complete breakdown.
Going One Step Ahead: A Preemptive Defense
Disavow treats the symptom. It tells Google to ignore the domains and URLs you flag as spam in your disavow file, but does nothing about the actor, their infrastructure, or the next campaign.
And this is where we get our leverage. Because this operator runs the same infrastructure for every client, that infrastructure leaves a consistent, detectable fingerprint, one we can identify before a single spam link reaches your domain. So as soon as we could see part of the attacker’s infrastructure, we could add those domains to our disavow file. When we checked them against the domains we’d already disavowed, 59% were on the list.

It was clear that the other 41% would hit us eventually, I incorporated a reference to this premptive domain list into the spam-check.py command so it flags them separately, so we could easily verify the effectiveness, and these are the results:



That’s what turned a one-off cleanup into a defense we can repeat. Labs built a signature for this operator from its anchor-text patterns, its Cloudflare NS-pair, its registrar clustering and its redirect-chain fingerprint, and that signature can be matched continuously. So the moment the operation registers a new domain, we can catch it and disavow it before Google ever crawls it. The difference is simple. Instead of reacting to around 1,000 domains after they’re indexed, you’re alerted as the first batch is registered.
This is how it looks, once fully automated inside a workflow in Zynap’s platform:

That’s also why we widened our own disavow file well beyond the links that had already hit us, and why monitoring now runs continuously rather than in occasional manual bursts. We call this preemptive, getting ahead of the infrastructure.
Why This Matters Now: The Time-Compression Problem
It would be easy to file this under “SEO housekeeping.” We see it as the same shift reshaping all of security on a smaller scale, the widening gap between how fast an attacker can act and how fast a defender can respond.
This operator can register hundreds of domains in a matter of days and launch a campaign at industrial scale almost instantly. Most organizations only start looking once the effects are visible. And when the offense moves at machine speed, a defense that waits for the next manual audit is structurally behind.
Information used to be the scarcest asset. Now it’s time, and our new metric MTRER (Mean Time to Reduce Exploitable Risk) puts a number on it. It tracks how quickly we reduce the risk an attacker’s infrastructure poses, from the moment we spot it. For a known operator, that collapses from weeks of manual research to the runtime of an automated workflow.
The Playbook, If It Happens to You
- Monitor your backlink profile on a schedule, you cannot defend what you are not watching.
- Triage before you act, score and cluster suspicious domains so you disavow the campaign, not your legitimate links.
- Disavow what has already hit you using Google’s Disavow Links tool in Search Console.
- Investigate the infrastructure, understanding the attacker’s network lets you get ahead of it instead of chasing each wave.
- Disavow preemptively and automate the loop, catch the next wave before it lands, on a schedule.
The Takeaway
A negative SEO attack is still an attack on your brand, just a less glamorous one than most. The response that worked for us is the same one we believe in for security in general. Don’t fight every wave by hand. Investigate the source, get ahead of the infrastructure, and let automation hold the line so your team can focus on the threats that really need a human.
Negative SEO operations aren’t always isolated incidents. As the Zynia Labs investigation shows, they can be industrialized services with client lists, pricing tiers, and recurring revenue.
If your organization manages a brand or a digital presence, the odds that your domain is already on an operator’s targeting list aren’t zero. That’s the work we do at Zynap. We apply preemptive intelligence to shrink the window of exposure before impact, not after.
A big thank you to my colleagues at Zynia Labs who were involved in this investigation.