
First harassed by a deepfake then by porn links dominating search results
Imagine someone Googled your name and the first results they found were offering your “18+” videos. How shocking would that be? That’s what happened to a woman from Assam, India. Already a survivor of a deepfake attack, she is being re-victimized by tech-giant Google’s search engine algorithm that determines what you see when you search on a topic.
A simple search for her name consistently returned “18+/XXX” clickbait links at the top of the results, many of them hosted on the websites of major universities, a US state government and private corporations. When clicked, these links direct to unrelated pornographic or gambling sites.
Dismislab searched Google for “Archita Phukan” and found that, in a single search, 54% of the results were pornographic clickbaits. These links in the search results were hosted on various trusted domains, including cornell.edu, ny.gov and dell.com. Dismislab also found other instances where name-specific searches for survivors of online harassment return derogatory content hosted on similarly trusted domains.
Experts say this is an example of SEO manipulation where Google’s most trusted domains are shown first, and it also exposes vulnerabilities in the web-security infrastructure of the universities, governments, big companies, and search platforms we are supposed to trust.
The re-victimization of online harassment survivors through search engine algorithm manipulation has been a major issue that rights activists have been fighting. In past cases, activists have also urged platforms to remove non-consensual explicit content from search results.
Inside the search results
Archita Phukan, widely known online as “Babydoll Archie”, had gained more than a million followers on Instagram through an account that investigators now say used AI-generated images to impersonate her. Police in Assam arrested her former partner in mid-July, alleging he had earned roughly 10 lakh rupees, or $12,000, from fabricated explicit content. Within a week, her case became material for spam campaigns designed to monetize traffic.
On July 21, researchers from Dismislab searched Google for “Archita Phukan” and found that more than half of the results, 59 of 109, were spam pages designed to drive traffic to pornographic and gambling websites.

Many of the pornographic clickbait links with Phukan’s name ranked at the top of the results. On July 21, five results on the first page of a search for Phukan’s name associated her with pornographic material, including the top two, which promised “viral MMS and XXX videos.” Only in the third position did a credible news article from the prominent outlet India Today appear. It was a video explainer titled “How Archita Phukan Was Framed by Her Ex,” which explained the whole story of how she was abused.

In just that one search result, spam links hidden within the Cornell University domain appeared 21 times for Phukan’s name, while the official domain of New York State, ny.gov, appeared 20 times. All featured pornographic clickbait and thumbnails.
Most of the Cornell links were on weill.cornell.edu, a subdomain of cornell.edu and the medical school’s site. For New York State, most appeared on an unav-check.ny.gov subdomain, which was not publicly valid when checked.
Over the next four weeks, Dismislab repeated the search using three separate Google accounts with cleared histories and virtual private networks routed through Singapore, Tokyo and Amsterdam. The results were consistent across locations and devices: spam pages appeared on search results for her name, often outranking verified reporting.
At least 29 domains hosted links targeting Phukan with pornographic clickbait during the observation period. They included universities such as Cornell, Columbia, MIT, UC Berkeley, and the University of Barcelona; state portals including NY.gov, Idaho’s Department of Commerce and Maharashtra.gov.in; and high-profile organizations such as Dell.com, Microsoft.com, Chess.com, and the Coalition of Black Trade Unionists. There were also attempts to seed similar material on IMDb, Reddit, SoundCloud, and LinkedIn through fabricated posts and uploads. These links replicated those placed on the injected web pages.

How the Spam Works
Most of the “18+/XXX” links do not host content themselves; instead, they redirect users to external pornographic or betting sites. For example, clicking a page under the mit.edu domain that claimed to feature “Archita Phukan’s viral Telegram sex footage” led through multiple redirects and ultimately landed on 1xBet, a betting site. Among the links documented, Dismislab traced similar redirect chains showing how the abuse monetizes traffic.
Most “18+/XXX” links don’t host content; they funnel users through redirect chains to porn or betting sites. Example: a “mit.edu” page ended at 1xBet (left), and an amazonaws.com PDF routed via leakvideos.online to another page (right), showing how traffic is monetized.
Spammers also uploaded malicious PDFs to high-authority sites by exploiting public upload tools or outdated server paths. In one case, a file linked from amazonaws.com (note: amazonaws.com ≠ amazon.com) first directed users to a pornographic signup page (leakvideos.online) and then to the registration page of another site.
“These are doorway pages,” said Ashraful Haque, a cybersecurity expert who reviewed the links. “Attackers insert spam pages on reputable sites by abusing weak upload portals, misconfigured content management systems (like WordPress, Drupal, Joomla, or custom portals often have outdated plugins or weak admin protections), open directories, or misconfigured cloud storage buckets.”
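A defender-side check for the doorway pages described above, as an added example that is not part of the original article: it scans a site's own HTML files for pages whose title or path carries bait terms and that automatically redirect to another host. The bait term list, the `example.edu` host and all sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed bait terms, taken from the link titles quoted in the article.
BAIT = re.compile(r"\b(?:18\+|xxx|viral mms|leaked)", re.I)
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*[\"']([^\"']+)[\"']")
META_URL = re.compile(r"url\s*=\s*[\"']?([^\"';\s]+)", re.I)

class PageScan(HTMLParser):  # collects <title> text and automatic redirect targets
    def __init__(self):
        super().__init__()
        self.title, self.targets, self._tag = "", [], None

    def handle_starttag(self, tag, attrs):
        a, self._tag = dict(attrs), tag
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.targets += META_URL.findall(a.get("content") or "")

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        if self._tag == "title":
            self.title += data
        elif self._tag == "script":
            self.targets += JS_REDIRECT.findall(data)

def is_offsite(url, site):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site and not host.endswith("." + site)

def find_doorway_pages(pages, site):
    """Return (path, off-site target) for bait-named pages that auto-redirect."""
    findings = []
    for path, html in sorted(pages.items()):
        scan = PageScan()
        scan.feed(html)
        offsite = [t for t in scan.targets if is_offsite(t, site)]
        if offsite and BAIT.search(scan.title + " " + path):
            findings.append((path, offsite[0]))
    return findings

SAMPLE_PAGES = {  # constructed pages; hosts and names are placeholders
    "/uploads/jane-doe-xxx.html": '<title>Jane Doe viral MMS 18+</title>'
        '<meta http-equiv="refresh" content="0; url=https://bet.example/signup">',
    "/files/leaked.html": '<script>location.replace("https://redir.example/go")</script>',
    "/about/index.html": '<meta http-equiv="refresh" content="0; url=/about/new/">',
}
```

Running `find_doorway_pages(SAMPLE_PAGES, "example.edu")` flags the two injected pages and skips the on-site redirect under `/about/`.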

A Pattern
Phukan’s case is not isolated. In July, two coaching-class teachers in Dhaka went viral after obscene behavior during a YouTube Live class. The clip spread quickly. A Google search for the female teacher’s name surfaced a keyword-stuffed “XXX” result hosted on the University of Maryland’s School of Public Policy domain (umd.edu) on the first page of results.
Dismislab replicated this pattern with her name, using structured queries such as “Name” site:.edu OR site:.gov, and found similar abuse across multiple high-authority sites. The links found in results were clickbait and disinformation about supposed “leaked” content.

Google indexes public web pages and ranks results using signals such as relevance, quality, usability, context, and links. Attackers exploit vulnerabilities in websites’ upload tools and file directories, and leverage a long-standing perception that links from .edu and .gov domains carry additional weight in Google’s ranking system.
Attackers exploit legitimate domains by injecting hidden or spam-filled URLs into site structures. For example, numerous WordPress sites have been compromised via “spam link injection”, where hackers create hidden directories and pages that funnel users to explicit or phishing content, often going unnoticed by administrators. And a recent study tracking nearly 700,000 fake e‑commerce scam sites found organized groups using black-hat SEO and redirector networks to maintain visibility in search engine results, even over years.
Google’s Policies and Lingering Harm
During the month of observation, researchers repeatedly revisited the documented links. By the end of the month, many of these links no longer led to active content. However, their headlines continued to appear prominently in search results. It remains unclear whether the spam pages were removed or altered by site administrators or the attackers. Meanwhile, new trusted domains with spam pages continued appearing in the results.
Four universities, one company and a US state government agency named in the investigation did not respond to Dismislab’s request for comments.
“In most cases the site owners or maintainers are unaware of these spam contents,” said Haque. “Remediation often involves tightening web infrastructure, auditing directory permissions, and blocking automated bots that create pages in bulk.”
Google formally introduced its Site Reputation Abuse policy in March 2024 and said enforcement would begin in May. The policy defines abuse as publishing third-party content mainly to exploit a host site’s ranking signals.
A further clarification in November 2024 said site-reputation abuse is a violation “regardless of whether there is first-party involvement or oversight.” It says Google would act against “sections of a site if they are starkly different from the main content” and use automated systems to demote or remove such pages.
However, Google’s crawl and cache update cycles can be slow, sometimes taking several days to a few weeks for a removed or altered page to disappear from search listings – even after the live content is no longer accessible.
Survivors of non-consensual explicit content, such as in the GirlsDoPorn scandal, continue to fight to remove the material from search results long after it appears. Despite discussions with Google, permanent solutions have not yet been implemented.
Phukan’s alleged culprit was arrested and the account is now gone, but explicit headlines tying her name to pornography still appear in search results, showing how abuse persists despite account removals and legal action.
Manisha Biswas, Senior Research Officer at the Bangladesh Legal Aid and Services Trust (BLAST), noted that it shows how biased and insensitive technology can be in revictimizing women survivors. It also encourages cybercrimes such as doxxing, sextortion, and the publication of non-consensual intimate images. Such concerns make women even more helpless and stigmatized when seeking justice against TFGBV.
Methodology
Dismislab conducted this month-long investigation, repeatedly searching for “Archita Phukan” on Google using three accounts with cleared histories, incognito sessions and VPNs routed through Singapore, Tokyo and Amsterdam to minimize personalization and verify consistency. Each search was documented with full-page screenshots, URL logs, redirect indexing, and a record of spam-hosting domains, repeated over four weeks to track changes in visibility and persistence of harmful links.