A children’s cancer charity called the Charlie Gard Foundation had a website. Now it advertises offshore casinos. The author listed on the gambling content is called Breno Costa. His profile photo is, according to Identifai, 100% AI-generated. The casinos being promoted are specifically non-Gamstop — meaning they exist to let problem gamblers bypass the self-exclusion system designed to protect them.

Another charity, Road to Peace — set up by the road safety charity Brake — now redirects to online casinos.

I’ll let that sit for a moment.

Press Gazette published an investigation last week into Clickout Media, a UK-registered company trading as Finixio, with £40m in annual turnover, a declared loss of £3m (and thus no tax paid), and an estimated portfolio of up to 300 websites. The business model is straightforward: buy a website with an established reputation, gut the editorial operation, fill it with AI-generated casino content, extract revenue until Google penalises the domain, abandon it, buy the next one. The revenue comes from gambling operators — up to 35% of the money lost by gamblers, according to Kristoffer Holten, a Danish affiliate marketer linked to the business, speaking on a podcast in 2023 (wayback machine link — live URL is now a 404). That revenue gets ploughed straight into acquiring more domains.

The sites they’ve bought and strip-mined include Esports Insider (a decade-old esports journalism outlet), VideoGamer (founded in 2004 by two university friends), The Escapist, GamesHub, Techopedia, Sportslens, She Kicks, Football Blog, Gambling Insider (reportedly purchased for at least £12m), and dozens more. The pattern is identical every time. Acquire the site. Keep some human writers on for a while to preserve the appearance of legitimacy. Gradually introduce casino content. Replace the humans with AI-generated articles written by AI-generated authors with AI-generated profile photos. Wait for the domain’s accumulated trust to do its job in Google’s rankings. Cash out. When Google eventually notices, move on.

Esports Insider was deindexed in early March 2026. Staff were immediately made redundant. VideoGamer was removed after it published an AI-generated review of Resident Evil: Requiem at embargo time — a review so obviously machine-generated that Metacritic committed to blacklisting outlets that submit AI reviews. Tom Orry, VideoGamer’s co-founder, wrote that he remembered building the site in a tiny bedroom in a university house share in Brighton. “I hope people remember it for what it meant to people and not the abomination it is today.”

The investigative journalism here belongs to Press Gazette, Aftermath, The Esports Radar, and others who’ve done the work of documenting this. I’m not going to repackage their reporting. What I want to talk about is why this works at all.

But first: can we stop calling this SEO?

The press — and, embarrassingly, parts of the search industry — have settled on the term “parasite SEO” to describe what Clickout does. This is like calling a burglary “aggressive property viewing.” SEO is the practice of making legitimate content discoverable, efficient, and relevant to the systems that serve it. What Clickout does is spam. It’s ranking manipulation through domain trust exploitation, executed at scale, with the explicit intent of deceiving both users and search engines. Attaching “SEO” to it doesn’t describe the tactic — it launders it. It implies this is a variant of a legitimate discipline, a grey area, a technique that got a bit aggressive. It isn’t. It’s fraud dressed in a domain name someone else earned.

Even Google doesn’t call it SEO. Their policy term is “site reputation abuse.” The industry term should be at least that honest. For the rest of this piece, I’ll call it what it is.

The trick that won’t die

Buying domains for their accumulated trust signals and repurposing them is not a new tactic. It’s not even a slightly new tactic. People were doing this with expired domains and pharmaceutical spam in the mid-2000s. The commodity being pushed changes — it was Viagra, then payday loans, now offshore gambling and crypto — but the underlying exploit is identical. A domain’s reputation in Google’s systems persists long after the entity that earned it ceases to exist.

The variations get more creative, but the principle never changes. I’ve seen spammers buy expired domains, pull the old content out of the Wayback Machine, republish it more or less intact to reactivate the domain’s trust profile, and then quietly inject new links into the resurrected pages. The content looks untouched. The site looks alive. Google’s systems see a domain with historical authority serving what appears to be its original content. The only thing that’s actually new is the payload buried inside it. It’s necromancy with a business model.

Twenty years. The tools have changed. The payload has changed. The exploit hasn’t.

I spent nearly six years at Google on the Search Quality team. I’m not going to pretend the people I worked with didn’t understand this problem. They understood it extremely well. The patterns were documented. The enforcement mechanisms existed. The institutional knowledge was there; built by people who cared about getting this right, who spent careers learning to recognise exactly these patterns.

Pedro Dias@pedrodias

The amount and frequency of "Head of SEO" job ads for this Finixio company on LinkedIn makes me very suspicious of them.

2:58 PM · Nov 14, 2023 · 3.58K Views

---

6 Replies · 16 Likes

And yet here we are. A company described its own parasitic strategy on a podcast in 2023 — openly, on the record, with details — operated at industrial scale across hundreds of domains, and faced consequences only after journalists did Google’s job for them in 2026. Three years. Three hundred domains. A children’s charity turned into a gambling portal. And the enforcement arrived when the newspapers arrived. Not before.

Try explaining that to a client with a straight face. Try telling a business that spent years building its domain’s reputation through legitimate work that the system rewards patience and quality — while someone else bought a dead domain last month, stapled its old content back on from the Wayback Machine, and is already outranking them with casino links. I’ve been in search for twenty years. I might as well wear a clown nose to those meetings.

So either there’s a good reason this hasn’t been fixed, or there isn’t. Both possibilities are worth examining, and there’s a third that’s worse than either.

Explanation one: it’s an architectural trade-off

This is the charitable reading…

Domain trust signals need to be stable. That’s not a design flaw — it’s a design requirement. If Google made authority scores volatile, reacting rapidly to ownership changes or editorial pivots, you’d destabilise legitimate businesses constantly. Companies get acquired. Editorial directions shift. Redesigns happen. CMS migrations happen. None of these mean a site has become untrustworthy, and a system that treated every significant change as a trust event would generate an unacceptable false positive rate.

The stability that lets a legitimate acquisition inherit a domain’s ranking history is the same stability that lets Clickout inherit it. The system can’t easily distinguish between “new owners who will maintain quality” and “new owners who will gut the operation and fill it with gambling content” — at least not at the point of acquisition. By the time the content profile has shifted enough to trigger algorithmic detection, the damage is done and the revenue has been extracted.

I buy this as an explanation for a delay. I don’t buy it as an explanation for a twenty-year-old exploit that still operates at industrial scale with the subtlety of a car alarm. Architectural constraints explain why the response isn’t instant. They don’t explain why the response takes months or years, arrives only after press coverage, and fails to prevent the same actors from simply doing it again with the next domain in their portfolio.

If your security system explains why it takes ten minutes to respond to a break-in, fine. That’s architecture. If it explains why the same burglar has been robbing houses on your street for two decades, with the same crowbar, on the same night of the week, that’s not a trade-off. That’s a system that doesn’t work.

Explanation two: institutional knowledge has been lost

Here’s where it gets uncomfortable. Or rather, here’s where it should get uncomfortable — if anyone at Google is still paying attention.

Google’s Search Quality and webspam teams built institutional knowledge about these patterns over years. People understood the tactics, the economics, the actors, and the countermeasures. That knowledge lived in people, not just in algorithms. People I know. People who would be appalled to see a children’s charity website selling offshore gambling to problem gamblers while Google’s systems nod along approvingly.

Teams get reorganised. People leave. Priorities shift; specifically toward AI products that generate press releases and stock price movement, rather than the unglamorous grind of fighting web spam that generates neither. I don’t know that the webspam teams have been hollowed out. I left years ago. I've now been gone longer than I was ever there. But the observable behaviour is consistent with a system running on institutional memory that nobody’s bothered to refresh.

Look at the enforcement pattern. Esports Insider was hit with what appear to be at least two manual penalties at the subfolder level before the domain-level action in March 2026. Each time, the operators tweaked the URL structure, renamed subfolders, and bounced back. As one analyst documented, the same content at the same URLs simply reappeared after each penalty. This is not sophisticated evasion. This is spray-painting the getaway car and leaving the number plates on. And it worked. Repeatedly.

If this had been inspected by a human with any familiarity with the tactic, it would have been caught the first time — and the next three domains in the portfolio would have been flagged before they got started. The fact that it wasn't suggests that either the people doing the inspecting lack the historical context to recognise what they're looking at, there aren't enough of them to look in the first place, or they've been told to look somewhere else.

Google’s spokesperson told Press Gazette:

“Our policies prohibit publishing content at scale for the primary purpose of manipulating search rankings.”

Wonderful. Print it on a plaque. Hang it in the lobby. It’s a policy statement, not an enforcement capability, and the gap between the two is wide enough to drive 300 spam domains through.

Policies are easy. Catching a company that operates through anonymous buyers, shell corporate structures, hundreds of domain names, and constant subfolder rotations requires sustained, resourced, institutional effort. The kind of effort that gets quietly deprioritised when the company’s strategic attention — and engineering talent, and budget — is chasing the next AI product launch.

Explanation three: there’s no commercial urgency

This is the one nobody at Google wants to hear. Which is precisely why it needs saying.

While Clickout’s casino content is ranking, it’s generating impressions. Those impressions serve Google’s ad ecosystem just fine. The content is answering queries — badly, deceptively, funnelling problem gamblers toward unregulated offshore casinos — but it’s generating pageviews, and pageviews generate ad revenue. Google doesn’t lose money when a spam site ranks. Google loses money when a spam site gets caught ranking and that becomes a story about search quality. The financial incentive to remove this content rapidly doesn’t exist until it becomes a reputational problem. Which is to say: until journalists write about it.

Look at the timeline. Clickout has been operating this playbook for years. The Chiang Mai SEO Conference talk where Holten described the strategy openly was in November 2023. The first significant enforcement actions against Clickout domains didn’t arrive until early 2026 — and they coincided with press coverage from Aftermath, Kotaku, The Esports Radar, and Press Gazette.

This may be coincidental. And I may be the Queen of Denmark. Google may have been building a case quietly. But from outside the building, the pattern looks exactly like what it looks like: enforcement that’s reactive to publicity rather than proactive against harm. The spam runs until the story breaks. Then Google acts. Then the spokesperson issues a statement about policies that already existed and manifestly weren’t being enforced.

The charitable version is that Google’s spam team operates on its own timeline and press coverage occasionally coincides. The less charitable version is that a children’s cancer charity website can advertise offshore gambling to problem gamblers for months, and the system designed to prevent this doesn’t have a strong enough reason to act until a journalist asks Google for a comment.

The real problem isn’t Clickout

Clickout is a symptom. A brazen, industrially-scaled, morally bankrupt symptom that turns children’s charities into gambling portals and fires journalists to replace them with software that can’t write a coherent game review — but a symptom. The disease is that Google’s trust model treats domain reputation as a transferable asset that outlasts the thing that earned it.

Every domain Clickout buys comes with years of accumulated trust signals: links from other reputable sites, citation patterns, topical associations, user engagement history. Those signals were earned by the journalists, editors, and writers who built those publications. The signals remain after those people are fired and replaced with AI-generated content from AI-generated authors. The lag between the real reputation dying and Google’s systems catching up is the entire business model.

And the lag isn’t getting shorter. The Esports Radar documented that Esports Insider’s traffic showed the classic pattern: fall, recover, fall, recover. Subfolder penalties that the operators simply routed around. Google played whack-a-mole with a company that had already bought the next mole hole.

Holten said it himself:

“We buy new sites. That’s really lucrative for us... transforming those into casino sites and crypto sites. We’re really successful at that.”

He also said the quiet part:

“Every single gambling firm out there does this, but we’re just quicker at doing the transaction.”

And, to his credit, he didn’t pretend it was anything other than what it is:

“Obviously there is a parasite part of it. We have the money to invest in parasites.”

This isn’t a rogue operator. This is an industry. And the enabling condition is that domain trust, in Google’s systems, is functionally a bearer instrument. Whoever holds the domain holds the trust, regardless of whether they’ve done anything to deserve it.

What this means for everyone else

If you’re a site owner who’s ever been approached by an anonymous buyer with “little digital footprint” offering a frictionless deal paid in full — now you know. That’s not someone who wants to run your publication. That’s someone who wants to wear it as a skin until it falls apart, then toss what’s left in a skip and buy the next one.

Here's what the pitch actually sounds like: After I posted about the Press Gazette investigation on LinkedIn, one site owner in the games and tech space shared their experience. Clickout recently approached them about a legacy site still pulling 150K monthly sessions. The offer was around $65K — based solely on display revenue, deliberately ignoring every other revenue stream to suppress the valuation. The plan? “You will have to do 3 casino posts, and after 45 days, if they rank for keywords, we will do the bid.” A safe experiment, they called it. The site owner said no. Most people who get that email don’t know what they’re looking at. Now you do.

If you’re an SEO practitioner, here’s a fun exercise in futility. Explain to your client that they need to invest in quality content, earn authoritative links, build topical relevance, demonstrate E-E-A-T — all the things Google says matter — while a company with a £40m turnover is buying dead domains, stuffing them with AI-generated casino content from AI-generated journalists, and outranking your client until a newspaper notices. Every link your client earns, every topical signal you build, every engagement metric you nurture — it’s all transferable to whoever buys the domain next. You’re building equity for the next parasite. Google’s enforcement framework does nothing to prevent it.

If you’re at Google, the architectural trade-off argument buys you understanding, not absolution. The question isn’t whether domain trust needs to be stable. It’s whether you’ve built any mechanism — any mechanism at all — that can distinguish between a legitimate acquisition and a strip-mining operation before the damage is done. Ownership change data exists. WHOIS records exist. Content velocity signals exist. Editorial team turnover is observable. A domain that published esports journalism for a decade and suddenly starts publishing offshore casino reviews isn’t a subtle signal. It’s a fire alarm. The signals are there. Either nobody’s looking, or nobody’s been told to care.

Twenty years I’ve been in this industry. Six of those inside Google, working on the very team that was supposed to stop this. And the best I can offer my clients in 2026 is: “Yes, this is spam. No, it shouldn’t work. Yes, it still does. No, I can’t tell you when Google will fix it, because they’ve had two decades and haven’t yet.”

If anyone needs me, I’ll be the one in the clown nose explaining to a boardroom why their ten-year content investment just got outranked by a dead website with a gambling addiction.