DEV Community

Claudio González

Someone Paid around $2K to Destroy Our SEO. So We Built This.

January 2026. I'm checking Google Search Console over a morning coffee at the university office when I notice something strange. Our backlink count is... Exploding? This past week we had around 400/500 backlinks.

At first I think "cool, maybe we went viral somewhere." Then I actually look at the links.

http://51.20.3.75/some-spam-page
http://aphidiusenhamperruffed.com/junk
http://seo-anomaly-beijing.online/attack

Oh. Oh no.

Someone's trying to destroy our SEO. And they brought friends.

The WTF Moment

We run HomeDock OS; think of it as a self-hosted cloud platform, competing with stuff like Umbrel and CasaOS, but multiplatform and with a window manager. It looks good, it works good too tho. We'd been quietly growing, ranking well for competitive keywords, surpassing 1M monthly impressions. We did a great job in SEO terms: Astro, silo blog, breadcrumbs, schema everywhere, natural links from universities & press, and so on.

Apparently someone noticed somewhere.

When I finished the analysis, here's what we found:

  • 1,956 malicious backlinks pointing at us
  • 1,372 from raw IP addresses (mostly AWS servers)
  • 584 from sketchy domains with names like "bagwiggambadepostlimini.com"
  • Zero legitimate links in the bunch

...and still counting, since it's been a while since then. I don't want to look over the numbers now, almost a month later, but it's a 70KB disavow file madness. This wasn't some bot scraper accidentally picking us up. This was coordinated. This was expensive. We're pretty sure that someone paid good money for this.

Down the Rabbit Hole

We started digging. And holy shit, the patterns.

They Literally Used AWS to Attack Us

70% of the attack came from Amazon EC2 instances. They spun up servers across 15+ AWS regions:

  • Tokyo (ap-northeast-1)
  • Singapore (ap-southeast-1)
  • London (eu-west-2)
  • Mumbai (ap-south-1)
  • São Paulo (sa-east-1)

Just... Temporary cloud servers generating garbage links, then disappearing. It's like using AWS as a distributed spam cannon.

The kicker? We also use AWS for some stuff. They're using the same infrastructure we rely on to attack us. That's some poetic irony right there.

The Domain Names Were... Creative?

Whoever built this attack has a domain generator with a weird sense of humor:

aphidiusenhamperruffed.com
bagwiggambadepostlimini.com  
barcarolleyoginsreaphook.com

These are actual domains they registered. Just random dictionary words mashed together. Thousands of them. I mean... Why not use Python to create better names on auto mode?

Then there's the Blogspot spam network:

aaabrainhohm.blogspot.com
aabrainbttp.blogspot.com

Google's own blogging platform, weaponized against Google's search algorithm, lmao. Beautiful in its audacity, horrible in execution.

The Smoking Gun: "seo-anomaly"

But the best part? They left their calling card. 99 domains, all following the same pattern:

seo-anomaly-beijing.online
seo-anomaly-tokyo.site
seo-anomaly-moscow.space
seo-anomaly-mumbai.website

Every major city, multiple TLDs (.online, .site, .space, .website)... This is a business. Someone's running a "Negative SEO as a Service" operation, and they're not even hiding it. The domain names advertise regular SEO packages but I'm sure they have plenty of them. If you want to check them out you better browse carefully, at least isolate the browser.

The Cheap TLD Goldmine

Check out what they registered:

TLD Count
.forum 89
.live 47
.wtf 23
.garden 12
.tattoo 11

.tattoo domains. They registered 11 .tattoo domains to spam us. I can't even be mad, that's commitment.

OK But What Do You Actually Do?

Google's disavow tool exists for this exact scenario. You upload a file saying "hey Google, ignore these links, they're spam." Easy peasy, lemon squeezy. But the problem is that you have to manually build that file. And when you have 2,000 malicious links, that's... Not fun.

And a week later hundreds of new IPs, links and spammy domains appear again, because these kinds of attacks last for weeks or even months.

So we did what any dev would do: automate the whole thing.

Built a quick CLI Python script to:

  • Parse backlink exports from Ahrefs/SEMrush/Google
  • Categorize IPs vs domains vs URLs
  • Generate the disavow file
  • Track history so I don't re-review the same crap
  • And the most important thing, THE WHITELIST

Worked great. Uploaded to Google. Crisis averted.

Then I Had a Thought

What if this happens to someone else? What if it's happening right now to some solo dev who doesn't know what negative SEO even is? Been there, done... Nothing.

So we took the weekend and built a proper UI around it, containerized it with Docker, slapped an AGPLv3 license on it just in case and threw it on GitHub.

Introducing: Disavow Generator

Here's the repo if you want to just grab it and go. The name is quite original, yes.

What it does:

  • Upload your backlink export (Excel/CSV from Ahrefs, SEMrush, Majestic, whatever, it eats glob glob)
  • Automatically categorize everything (IPs and domains)
  • Whitelist your legit domain backlinks so they never get flagged
  • Track history across multiple uploads
  • Highlight NEW threats when attacks continue (they usually do)
  • Download a Google-ready disavow.txt file
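The categorize / whitelist / history / disavow.txt steps listed above (and in the earlier description of the CLI script), as an added example that is not the Disavow Generator's own code. It assumes the export has already been reduced to a list of referring URLs; the function names, the `example.edu` whitelist entry and the choice to list raw-IP sources as full URLs are assumptions of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_backlink(raw):
    """Return (kind, host, url) where kind is 'ip' or 'domain'."""
    url = raw.strip()
    if "://" not in url:          # exports often drop the scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {raw!r}")
    try:
        ipaddress.ip_address(host)
        return "ip", host, url
    except ValueError:
        return "domain", host, url

def is_whitelisted(host, whitelist):
    # The whitelisted domain itself or any of its subdomains.
    return any(host == w or host.endswith("." + w) for w in whitelist)

def build_disavow(backlinks, whitelist=(), history=()):
    """Return (file_text, new_entries); new_entries are absent from history."""
    entries = set()
    for raw in backlinks:
        kind, host, url = parse_backlink(raw)
        if kind == "domain" and is_whitelisted(host, whitelist):
            continue
        # Assumption of this example: raw-IP sources are listed as full URLs,
        # named hosts as "domain:" lines covering every page on that host.
        entries.add(url if kind == "ip" else f"domain:{host}")
    ordered = sorted(entries)
    seen = set(history)
    new_entries = [e for e in ordered if e not in seen]
    header = f"# {len(ordered)} entries, {len(new_entries)} new since last upload"
    return "\n".join([header, *ordered]) + "\n", new_entries

# Constructed sample: spam links quoted in the post (one without a scheme)
# plus a made-up legitimate link on example.edu.
SAMPLE = [
    "http://51.20.3.75/some-spam-page",
    "http://aphidiusenhamperruffed.com/junk",
    "http://seo-anomaly-beijing.online/attack",
    "aaabrainhohm.blogspot.com/post",
    "https://news.example.edu/article",
]

if __name__ == "__main__":
    text, new = build_disavow(SAMPLE, ["example.edu"], ["domain:aphidiusenhamperruffed.com"])
    print(text, "NEW:", new)
```

Matching the whitelist on the full host keeps a shared platform such as blogspot.com from being disavowed wholesale: only the offending subdomain is written out.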

How to run it:

Easiest way is through our (cough) app store (yeah, we have an app store, it's a whole thing). But I'm sure most of you just want to Docker it:

git clone https://github.com/BansheeTech/Disavow-Generator
cd Disavow-Generator
docker-compose up -d

Default login is user / passwd. You better change it or I will personally come to your house and judge you. I'm a Level 99 Paladin on Diablo II, so you better keep that in mind if changing default credentials is not your thing.

The OG tool

What We Learned

1. Cloud Platforms Are Double-Edged Swords

AWS/GCP/Azure are amazing for building things quickly. They're also amazing for breaking things quickly. Spin up 100 servers, generate spam, ping the thing out of it, destroy them. No trace.

Makes you think about infrastructure in a different way.

2. SEO Has a Seriously Dark Side

I knew black-hat SEO existed. I mean, I've been a BHW member for over a decade, but I didn't realize there are commercial services selling attacks that people ACTUALLY PURCHASE. Like, actual people paying actual businesses for that. With domain names that advertise what they do. Mindblown.

3. Your Competitors Might Be Desperate

We're just a small self-funded startup from Spain, not exactly a threat to any billion-dollar empire, yet someone still paid what we think around $2K to try to tank our SEO... Are you ok, Annie? Either we're more of a threat than we thought, or someone's really, really desperate.

4. Documentation Saves Lives

When this hit, I had months of previous Search Console exports, backlink reports, ranking data. That history was crucial for:

  • Identifying when the attack started
  • Proving it was malicious
  • Building the disavow file correctly
  • Having evidence if we needed to file a reconsideration request (and that's important, because sometimes Google thinks you're dumb enough to purchase spammy links).

Export your data. Archive it. Future you will thank present you, period.

The Irony

The attacker wanted to destroy our search rankings. Instead we built an open-source tool that helps other victims, we got content for our blog (and this post, heh), we have another use case for our platform, we learned a ton about how these attacks work... And we're probably more visible now than before. Thanks for the free marketing, Annie. It worked especially well on LinkedIn.

Should You Worry About This?

Probably not, unless:

  • You're ranking well for competitive keywords and your domain is your enough
  • You have actual competitors who see you as a threat (heh)
  • You operate in industries with... Let's say "aggressive" SEO practices

But if you do get hit, just breathe. First, don't panic: export all your spamlinks, whitelist your legit ones, run them through something like this tool (or this tool), upload the disavow file to Google and... You better keep monitoring on a weekly basis.

Negative SEO is annoying but it's survivable. Google's algorithm is (cough, usually) smart enough to ignore obvious spam. The disavow file is just... Insurance to name it somehow.

... The trenches:

Annie is not ok today

Open Source FTW

The tool's on GitHub under AGPLv3. That means:

  • Use it for free, forever
  • Fork it and modify it
  • Contribute improvements back (YES)
  • Build it into your own tools

We can't stop negative SEO attacks from happening. But we can make it easier to defend against them. If this helps even one person avoid the headache we went through, it's worth it.

... The result (:

Annie is mad now


Drop a ⭐ on the repo if this helped you!


Have you dealt with negative SEO before? Drop a comment, I'd love to hear other war stories from the trenches.
