What Timothy Malmros Taught Me About the $10 Loop Ranking Spam in Every Market on Earth

Leave a Comment / Uncategorized / By
Table of Contents

I’ve been doing SEO for nearly two decades, and I still have conversations that genuinely shift something in how I see the search landscape. My recent episode with Timothy Malmros on the Unscripted SEO Podcast was one of them.

Timothy spent close to twenty years in gambling affiliate SEO — a vertical where the money is enormous, the competition is ruthless, and every black hat technique gets field-tested before it shows up anywhere else. He’s since retired from active affiliation and now does something unusual: he investigates how black hat methods actually work and posts his findings publicly on LinkedIn. No course to sell. No consulting angle. Just forensic curiosity and radical transparency.

What follows is the conversation in his own words, with the context I think every legitimate SEO needs to understand what’s actually happening beneath the surface of Google’s rankings right now.

How Black Hat Got Nefarious

When I asked Timothy how black hat had evolved since the early days, he didn’t mince words.

“When I started, black hat was just hacking websites and putting links — using the old site counter and injecting it into the Java code. That was really effective back then. No user could see it, but Google could, and that’s what mattered.”

He was honest about his own role in that era:

“I built a site counter with links for gambling sites. It was a short experiment — I’m not proud of it — but might as well be honest. And it worked magically, until I stopped it because it seemed just unethical. But that was black hat back then. Today is way different. Way worse.”

That phrase — way worse — is what opened the door to the main topic of our conversation.

The Canonical Trick: An Infinite $10 Loop

The technique Timothy has been tracking most closely right now is what he calls the canonical trick. It’s worth understanding in full, because it’s operating in every major market he’s checked — and it’s working.

“Okay, so what I’m digging into now is basically expired domains — drop domains, I call them. High authority, old domain, somebody didn’t renew it, then repurposed for gambling sites. Now, this shouldn’t work, right? But there’s a trick to it.”

He explained the full mechanics:

“Basically, you take any old high authority domain. I found Carolina Partners — an old mental health clinic. The domain still has the old mental health PDFs there to build trust. And what they do is take this domain, then bombard it with spam links that look like something out of 2002. Just related anchors — sweepstakes casinos, best sweepstakes casinos — all those keywords. To build, I think, topical relevance through links.”

His theory on why links remain the decisive signal:

“How many times can you write about sweepstakes? How do you know which one is the best? It’s the same content. What determines the rankings are the links.

And then the canonical redirect move that makes it all work:

“What they then do is canonical it to a fresh domain — something like top online sweeps.us.com or some subdomain. This lasts for about a week. Then the domain dies. But then you just canonical it again. And a domain name costs 10 bucks. So it’s infinite. An infinite loop. And it’s in every market I’ve seen so far.”

The geographic reach floored me:

“Sweden, Germany, the Netherlands, Italy — every market. It’s worldwide. And it’s so effective. I mean, it’s absolute spam that’s ranking. And since it’s everywhere, there’s no solution in place, I guess.”

One thing that still confuses him — and that I found genuinely fascinating from a research standpoint — is why some drop domains work and others don’t:

“Some domains work, some do not. I’ve seen a hundred examples that do not work, and then one will. For whatever reason. I’m not entirely sure why. Either it’s roulette, or there’s something I’m missing.

“I even saw Tori Spelling’s old site turned into a crypto casino portal. That doesn’t rank. And it has a monster backlink profile, if you’ve ever checked it.”

Trust Rank, Distance from Seed & the Medic Update

The drop domain mystery gave me an opening to share a theory I’d been developing with Darth Knoth on Twitter about the Medic update — specifically, what Google could have flipped overnight to completely reshuffle health and wellness rankings.

I put it to Timothy directly:

“The answer that came to both of our minds was distance from seed. No matter how good the article — I consulted with Dr. Josh Axe in 2014 and told him to hire Gannett writers and deep-link to medical journals to overcome the perception that he’s just a chiropractor. Healthline had maybe three sentences on the same topic versus 2,000 words written by a literal scholar referencing four different medical journals. Before Medic, Josh Axe was ranking — and then overnight it flipped.

Timothy’s response was sharp and immediate:

“What you’re describing is they had better links. More trustworthy links. Stronger links.”

Exactly. I expanded on the Trust Rank framing:

“You can map in a cosine relationship those sites that were truly trusted — one, two, three hops at most to secondary sites if they’re legitimate entities. It’s not just link quantity — it’s link quality, based on a specific subset of sites already determined as an authority.”

This is something I explore in more depth in my work on brand and SEO integration — the idea that proximity to authoritative, verified entities in your niche is what really determines durable trust signals.

But Timothy pushed back thoughtfully, and his counterexample is worth sitting with:

“I don’t assume to know Google’s algorithm in detail. But it would seem like an AIDS site with links from everywhere, that was a legitimate AIDS site, would shoot straight to the top — but it doesn’t. Just the other day I found in Sweden an old UV armband detector store that absolutely dominated Sweden with the new gambling canonical. But the links weren’t that impressive. So I don’t understand what I’m missing. Because links should be it, right? The trustworthy links. But then I see so many examples where the exact same method — spam it up, canonical — just doesn’t work. I’m getting so many mixed signals.

The honest answer is that we don’t fully know. Anyone claiming otherwise probably has something to sell.

Two Thousand Domains & the Referee That Disappeared

When I mentioned that I’ve seen legitimate SEOs acquire expired domains and turn them into genuine topical hubs — real content, real vertical relevance, sustainable internal linking — Timothy nodded but put it in historical context immediately:

“That’s very old school SEO. I used to do that too — snapped everything, restored the sites, just building, right? I must have snapped 2,000 domains, easy. But then it stopped working, because there was a referee. And this is the big problem here. There’s no referee now.”

“Google used to have a huge anti-spam team, so they would stop this very quickly. Now it takes years and years — they’re trying to automate it, I think.”

His theory on why the referee vanished is one of the most provocative things he said in the whole conversation:

“I think actually ChatGPT is who ruined it for everyone with this black hat stuff. Because as soon as ChatGPT launched, Google had a massive competitor taking market share. They flipped out about it and had to really get their AI going. This is when everything collapsed, in my opinion. This is when parasite SEO starts, because now they’re automating it. The entire anti-spam team is just gone — relocated, all resources going to AI stuff.”

Think about what that means structurally: the external competitive pressure to win an AI race caused Google to gut the internal team whose entire job was keeping search results clean. And we’re all living in the aftermath.

Google Created the Monster, Killed It — and Is Doing It Again

One of the themes I keep returning to in my work as an SEO consultant is the way Google creates incentive structures, extracts value from them, and then removes the incentives. The HCU conversation with Timothy is the clearest example I’ve had on record.

I put it plainly:

“Google created the market by only ranking those recipe articles that added their life story. I had a friend in 2010 with a recipe site — she said, ‘I can’t just put up a good recipe anymore.’ She had to do all these extra steps. And then with HCU, Google is flipping it around and punishing those creators who were basically incentivised by Google itself. Google created the monster and then killed it.

Timothy’s take on HCU was measured — he wasn’t personally hit by it, given the nature of gambling content — but his broader read matched mine:

“I think it’s algorithmic now. They’re trying, at least. But failing miserably, in my opinion, when it comes to combating spam.”

Then we got into where this pattern is headed with AI overviews — and that’s where the conversation got genuinely dark. I framed the stakes:

“The positive upside culture of ‘I can be a creative person, write about this stuff, travel the world and visit all these locations — and if I write about it thoroughly, I’ll be rewarded with traffic, which funds that lifestyle’ — do you think that cycle is dying?”

His answer was blunt:

“If you have no incentive, you’re not going to do it, right? If the AI just steals your content and regurgitates a copy — originality will die, too. There’s no incentive to write. Why would you produce good content if you can’t even rank, because then an AI steals it and gives the user the answer and you don’t get any credit? It’s like they’re killing the internet without realising it, isn’t it?

I don’t think he’s wrong. And I don’t have a clean answer. I explored similar territory in my piece on what a decade-long SEO freelancer taught me about AI search and sustainable positioning — the conclusion is roughly the same: build audience ownership you control, because the Google channel alone is no longer a reliable foundation.

The AI Content Collapse Is Already Happening

When I mentioned that Indeed had transitioned away from human writers — foreign markets first, then American — and that I’d watched programmatic-SEO-heavy sites start crashing, Timothy asked the right question:

“Were those algorithmic hits or manual?”

I told him they appear to be algorithmic, though Google’s FUD game makes it hard to be certain:

“Google’s really good at FUD — stomping around and making a big noise about something they don’t like to scare the more reasonable citizens out of particular behaviours.”

Timothy agreed, but with historical grounding:

“They said that about parasites back in 2020 and drop domains, and we still see it. I’m actually seeing now that parasites are slowly dying — they’re not getting the strength they used to, so maybe something happened there.”

His analogy for the scale of the enforcement problem is the clearest framing I’ve heard:

“Assume you’re in a prison and you have to supervise the entire web and manage it. What a monumental task. So either you automate it successfully, or you hire 10,000 people to manually check it. Which is maybe why it took six years to finally crack down on Parasite SEO.”

And his prediction for the canonical trick’s lifespan:

“This canonical trick — I’m fully expecting it to disappear in five to six years. Probably. Hopefully sooner. I mean, it is just bad.”

Bot Farms, Click Metrics & Faking Brand at Scale

One of the more alarming corners of our conversation was click metric manipulation — confirmed by the Google leak, and now apparently available for rent.

Timothy laid it out plainly:

“Through the Google leak, it became clear they use click metrics. I think that plays a huge part in why canonicals work. So — using spam bots with VPNs. I actually researched this a bit. You can rent a box of Android phones, just a motherboard, each connected to a VPN, managed from home. You can send bots to go through the search results, click on your site, and increase bounce rate. And it’s not that expensive.

The Ninja Casino story is the best illustration of what faking brand signals actually looks like in practice:

“I remember there was a casino site that was on every TV channel in Sweden — massive brand, called Ninja Casino. Their backlink profile was terrible, but because of all the branding they did, they got so many brand visits that it pushed them to position one or two for ‘Casino.’ Then they ran into legal trouble when Sweden regulated, and they dropped off a cliff. Completely gone.

“So I think this bot traffic — this is what it’s simulating. Real use, until you get caught.”

This connects directly to something I think about constantly when advising clients on sustainable SEO ROI: the signals Google ultimately trusts are the ones that reflect real-world brand behavior. Shortcuts that simulate those signals are on borrowed time. The Ninja Casino arc is a perfect case study — and a cautionary tale for anyone tempted to juice their click signals artificially.

IPOs, Private Equity & the Tools That Didn’t Survive Their Own Success

We ended up in a conversation about SEMrush’s valuation and the broader pattern of what happens to SEO tools when they go public or get swallowed by private equity. I’ve watched this up close — I worked at Raven Tools, which helped spin off Authority Labs — and Timothy’s question cut to the core of it:

“I haven’t really followed SEMrush, to be honest. It’s not going well, is it?”

My read:

“It’s come down a lot. I expected that. Anytime you go public, the expectations of shareholders are equally or more brutal than private equity. Moz got bought out by private equity mid-2018s and they drove it into the ground. They murdered one of the more successful SEO SaaS companies with a brilliant reputation. Rand had done so much hard work to build it up, and the equity partners just kept demanding more and more profitability — and that came at the cost of their entire business model.”

This is something I address directly when small businesses ask me about SEO tool investments — the tools that have stayed genuinely useful longest tend to be the ones that didn’t go public. I’ve spoken with Tim Soulo from Ahrefs at conferences and I believe he’s seen these lessons clearly.

Timothy’s summary of the Google arc was the most quotable moment of the whole conversation:

“Don’t be evil, right? Remember when they said just write great content? Wasn’t that fun?”

Then he answered his own joke:

“Just write great content so that we can steal it. There’s no other way to train an AI, is there? You go to the source of all human knowledge — the internet.”

Where AI Actually Helps — And the Right Way to Use It

I don’t want to leave the impression that Timothy is purely anti-AI, because he isn’t — and neither am I. His framing is exactly right:

“I don’t think AI is bad. I use it a lot for menial tasks. Summarise a huge document for me because I don’t want to spend four years reading a thousand pages.”

“When I used to order drop domains, you’d get a huge list of coming domains — ‘sort them by this, this, and that’ — that’s super helpful. For writing, I’ll have it grammar-check things, or ask it to check for inconsistencies in a post and show me where it corrected them — and then I usually just rewrite them anyway.”

I added my own caveat from hard experience:

“Using it as a strict editor is usually the best bet. And tell it what you’re going to change before you change it. I do a lot of cleanups of transcripts and if I’m not careful with how I prompt it, it invents things. I did one recap and it made up a whole section of stuff we never actually said. You have to be very mindful.”

The distinction between AI as tool versus AI as replacement is the one that will define which publishers survive the next five years. I’ve written about this in my work on authentic content that actually converts — the voice and judgment you bring to a conversation like this one is exactly what you cannot outsource.

The Line That Defines the Whole Conversation

Timothy’s closing thought is the one I keep coming back to:

“I could talk about black hat for years. Whatever works, you see it in gambling first, because that’s where the money is. Usually I’ll see the latest black hat pop up there first. The more lucrative it is, the shadier it gets.

And my response, which I meant:

“That’s the unfortunate side of humanity, right? Where the money is, the scoundrels go.”

Timothy’s final word:

“Yeah. I was part of that industry for many, many years. But I did more grey hat SEO.”

The honesty is what makes his research credible. He’s not reporting on a world he’s never touched — he’s reporting on one he came from. And that perspective is increasingly rare in an SEO discourse dominated by either cheerleaders or academics.

Listen to the Full Episode

🎙️ Unscripted SEO Podcast — Full episode at unscriptedseo.com

👤 Follow Timothy’s ongoing black hat research: linkedin.com/in/timothy-m-59a216b/

From SEO Arcade:

From jeremyriveraseo.com:

Jeremy Rivera is a 19-year SEO veteran, founder of SEO Arcade, and host of the Unscripted SEO Podcast. He offers freelance SEO consulting and keyword research services for businesses of all sizes.

Leave a Comment

Your email address will not be published. Required fields are marked *