From Nigeria with freebies: How elections were hijacked for affiliate traffic

Dismislab has uncovered a set of fraudulent webpages using the images of political leaders, celebrities and public institutions from at least 13 countries to direct users into promotional redirect chains that generate affiliate commissions.  

The operation frequently leverages election seasons, to entice users with “cash gifts” or “free mobile data”. While the individuals behind the network have not been independently verified, primary evidence suggests a part of the infrastructure is operated from Nigeria.

The scheme recently appeared in Bangladesh following the Bangladesh Nationalist Party’s (BNP) victory in the 13th National Parliamentary Election. On February 16, 2026, Facebook posts circulated featuring an image of Prime Minister Tarique Rahman and the claim: “Victory Celebration Gift: BDT 20,000 for everyone.”

The links attached to these posts led to webpages hosted via GitHub Pages, a legitimate static web hosting service. The pages displayed Tarique Rahman’s image alongside messages stating that 30 GB of internet data or cash rewards were being distributed to mark the election victory.

When Dismislab researchers followed the steps presented on the site, they were redirected through multiple intermediary tracking pages before landing on external platforms, including gambling websites, trading platforms and software download pages. The redirection occurred regardless of whether valid information was entered into the site’s forms.

Technical analysis shows that these webpages share common structural elements, including identical scripts and a recurring redirect URL. It routes users to different destinations depending on device type and geography.

Further investigation of the associated GitHub account reveals 42 similar HTML pages referencing political figures, public officials or institutions across at least 13 countries. The pages promote comparable offers – cash assistance, free internet data, recruitment notices, or subsidy schemes – often timed around elections or widely covered public events.

Affiliate marketing – that allows people earn a commission by promoting a product or service through a unique link and receiving a payout for every sale, click, or lead generated – itself is a legitimate commercial model. However, in these cases users are drawn into affiliate redirect chains through false offers of benefits.

The gift that never came

On the morning of February 16, Dismislab’s monitoring team detected a sponsored Facebook post circulating across several public groups. The post featured a photograph of newly elected Prime Minister Tarique Rahman and a bold headline: “Victory Celebration Gift: BDT 20,000 for everyone.” The framing suggested an official post-election announcement. Given the timing — just days after the national vote, the team decided to examine where the link led.

Clicking on the sponsored post redirected to an external webpage. The landing page displayed a large image of Rahman and a message that read: “Election victory celebration: 30 GB free internet data for all. Bangladesh Election 2026. To celebrate the victory, BNP chairman Mr Tarique Rahman is giving 30 GB free internet data to everyone! This service allows you to activate 30GB free data and receive recharge vouchers.”

The page appeared designed to simulate legitimacy. Below the message were the logos of Grameenphone, Robi, Banglalink, Teletalk and Airtel. Several comments embedded on the webpage claimed that users had already received the promised data. At the time it was monitored, the visible counter showed nearly 100,000 comments and shares, with the numbers increasing by the thousands within seconds.

To assess whether the offer had any functional basis, Dismislab researchers followed the instructions. They were asked to enter a mobile number and select a network provider. The list included Grameenphone, Robi, Banglalink, Teletalk, and Airtel. It also lists Telecel, a company that actually operates in Ghana, and has no presence in Bangladesh.

After submitting a number and selecting a network, the site displayed a message indicating that the mobile details were being verified. The team deliberately entered an incomplete phone number and selected a non-functioning network. Nevertheless, the page proceeded to the next stage without error or rejection.

The next instruction required users to share the offer. Visitors were prompted to click a share icon and send the link to six WhatsApp groups or to 15 friends. With each click, a progress bar advanced incrementally, creating the impression that the activation process was nearing completion.

After several rounds of sharing, a new message appeared: “Congratulations, your 30GB gift is ready! Final verification step: you must confirm that you are not a robot. Verification method: we may ask you to send an SMS, download something, enter a phone number, participate in a survey or complete another task to verify your phone number. Remember that this step is very important. Do not skip any step.”

Five buttons were displayed beneath the message: “Activate Now”, “Get It”, “Report Issues”, “Get Free Data” and “Continue”. The team tested each option. Every button redirected to the same destination — a webpage promoting the office software WPS Office, prominently displaying a free installation option.

No confirmation SMS was received. No data package was activated. Despite completing the steps and sharing the link with 15 WhatsApp contacts, the promised 30 gigabytes of internet data did not arrive.  

The operational infrastructure

To understand what was happening, the team opened the browser’s developer tools and inspected the page source. Embedded in the JavaScript was a redirect instruction pointing to the same intermediary address every time: https://obqj2.com/4/9437824.

Each time a button was clicked, the browser was routed through that link before landing elsewhere. In one instance, it ended at the official Opera browser download page, complete with the familiar “Download Opera” interface. In another test, the redirect led to a WPS Office installation page indistinguishable from the software’s legitimate distribution portal.

A search of the intermediary domain (obqj2.com) revealed that it had been flagged by cybersecurity firms. Malwarebytes classifies domains of this type as potentially associated with riskware, warning that they may route users to unwanted programs or adware-driven traffic systems. GridinSoft describes similar redirect infrastructure as implementing browser-hijacker-style distribution mechanisms designed to monetize user traffic.

When the team examined the full URL of the GitHub-hosted page, they noticed a username embedded in the address. A search for that username led to a public GitHub account created on January 23, 2026. Inside were three repositories titled “Mblow” and “mblowadsme.” By the time this story was being written, the user opened another repository, titled “tareq”.

The first two repositories contained 42 HTML files. Dismislab tested every url and found that the layout of the Bangladesh page was replicated almost exactly in other files. The same button structure. The same JavaScript. The same redirect call to obqj2.com/4/9437824. Only the names, images, currencies, and occasion-specific text had been modified.

These pages collect basic data, such as location, device type, and browsing environment, before sending users to the final site. This pattern appears consistently across various campaigns, including promotions for WPS affiliate marketing, Alibaba’s AI agent “Axio”, Opera browser downloads, Yahoo.com, and the gambling platform Stake.  

These pages include browser-history manipulation. The script registers a hash-change event, meaning that when a user attempts to press the back button, the page can trigger another redirect. In practice, this makes exiting the page more difficult and can push the user into additional routing.

The embedded share message includes prewritten text for WhatsApp forwarding and links to another external domain hosting a similarly branded page. Together, these elements show a system built to maximise clicks, shares and tracked traffic.

Politicians and election-linked targeting across countries

The 42 webpages identified in the GitHub repositories did not focus on Bangladesh alone. They referenced political figures, parties and public institutions across at least 13 countries. Across all identified pages, about 93 percent used the name or image of political figures or parties. Sitting presidents accounted for 12 cases, prime ministers for 11, while opposition leaders, provincial chief ministers and vice presidents made up most of the remainder.

Pakistan appeared most frequently, with 10 pages built around figures such as Maryam Nawaz Sharif, Chief Minister of Punjab, and Prime Minister Shehbaz Sharif. Bangladesh and Thailand each had six pages. In Thailand, pages featured both Prime Minister Anutin Charnvirakul and opposition leader Natthaphong Ruengpanyawut. In Bangladesh, pages used the images of Prime Minister Tarique Rahman and opposition leader and Jamaat-e-Islami Ameer Dr. Shafiqur Rahman.

Other pages referenced sitting presidents across Africa, including William Ruto of Kenya, Samia Suluhu Hassan of Tanzania, Emmerson Mnangagwa of Zimbabwe, Mamady Doumbouya of Guinea, Denis Sassou Nguesso of the Republic of Congo, and João Lourenço of Angola. In South Africa, pages referenced both the African National Congress and the singer Tyla Seethal. A separate page referenced the American Association for Justice in the United States.

Sixteen of the 42 pages were directly tied to election events, including campaign periods, party primaries or victory announcements. In Bangladesh and Thailand, multiple pages appeared around recent general elections. 

In Thailand’s general election on February 8, Prime MinisterAnutin Charnvirakul secured victory despite pre‑election polls favoring the progressive People’s Party and its leader Natthaphong Ruengpanyawut. Two fraudulent webpages used Natthaphong’s image, claiming to offer 50 GB of free data. Twice as many fake-offer webpages were created in the name of Prime Minister Anutin, supposedly celebrating his victory by offering cash or free internet packages.

In Ghana, for instance, after former Vice PresidentMahamudu Bawumia won the New Patriotic Party (NPP) presidential primary on January 31 ahead of the 2028 general election, a webpage appeared using his image to promote fake internet offers.

Similarly, in Congo, after the ruling Congolese Labour Party once again endorsed PresidentDenis Sassou Nguesso, paving the way for the 82‑year‑old leader to extend his decades-long rule in the 2026 election, another webpage was launched using his photograph to advertise fraudulent internet deals.

At least 13 public occasions in 13 countries were used to frame fake giveaways. Ramadan, Independence Day, New Year and politicians’ birthdays were repurposed as hooks. In Ghana, one page mimicked a justice campaign for a teenage footballer, while in South Africa two pages used images of singer Tyla Seethal’s Grammy win to promise free data. The template shifted with the headlines.

How the scheme generates revenue

The pages do not request money from users. Instead, their structure points to traffic monetisation.

Affiliate marketing is a performance-based system in which companies compensate third-party publishers when referred users complete specific actions – such as installing software, creating accounts or making initial deposits. It is a legitimate and widely used model designed to expand customer reach through trackable referrals.

In testing, a Bangladesh-themed page ultimately redirected to the official Opera browser download page. In other cases, users were routed to trading and betting platforms that commonly operate cost-per-install (CPI) or cost-per-acquisition (CPA) systems. Under such arrangements, even a small percentage of completed downloads or registrations can generate commission for the referring party.

Affiliate systems, however, depend on oversight. Guidance by the partnership-management platform Impact.com states that preventing fraud requires rigorous vetting of affiliates, scrutiny of traffic sources and real-time monitoring of abnormal click or conversion patterns. Sudden spikes in traffic without corresponding organic engagement are typically treated as warning signs.

It also notes that deceptive redirects, misuse of brand identities and artificial inflation of clicks, including through bots or spam distribution, are recognised abuse patterns within affiliate ecosystems. Effective prevention depends on clear contractual prohibitions, enforceable penalties and regular auditing of traffic behaviour.

On hosting platforms. GitHub’s Acceptable Use Policies explicitly warn against turning the platform into a “spam haven” and set restrictions on abusive promotional uses. GitHub also provides a formal abuse reporting channel for violations of Terms of Service or Community Guidelines. 

Meanwhile, third-party threat research has documented years of “living off the land” abuse where phishers host malicious kits on GitHub precisely because the domain is trusted and often whitelisted. 

In this case, the pages are not malwares but coercive, deceptive landing pages that route to a brokered redirect ecosystem. That is exactly the sort of gray-zone abuse that scales when enforcement is slow or under-resourced: each page can look like “just HTML,” while the harm occurs downstream.

The Nigeria link

The sponsored Facebook post featuring Tarique Rahman, seen on 16 February, was published by a page called “New Opportunities For You.” (now deleted). The same page also ran another advertisement showing Tarique Rahman alongside Dr Muhammad Yunus, the former chief adviser of the interim government. Meta classified it as a political advertisement, and it remains visible in Meta’s Ad Library archive. In that listing, the promotion appears as a “birthday celebration gift” offering a cash grant of 200,000 taka.

Meta’s Ad Library records show that the advertisement was paid for in Nigerian currency. The Page Transparency section of “New Opportunities For You” states that the page is managed from Nigeria.

Other details point in a similar direction. The Bangladesh-themed webpage includes a “REPORT ISSUES” button linking to www.kongashare.net,  a domain name that incorporates “konga,” a brand name widely associated with Nigeria’s e-commerce sector. There is no evidence of any connection to a legitimate company, but the naming pattern is notable.

The fake comment section on the page includes names such as “Chuks,” “Yahaya” and “Ochieng,” which are more commonly associated with West and East Africa than South Asia. While this does not prove origin, it suggests that the template may have been adapted from an Africa-focused version rather than created specifically for Bangladesh.

One of the “activate now” links also redirects to africa-day-mtn-celebration.blogspot.com, further indicating that an Africa-themed campaign format may have been reused and localised for the Bangladesh election.

Methodology

On February 16, 2026, Dismislab came across a Facebook post, accompanied by an image of Bangladesh Prime Minister Tarique Rahman. The post offered BDT 20,000 for every citizen to mark his party’s victory in the February 12 national election. Once clicked, the provided link led researchers to a webpage whose URL contains a GitHub account username. Simple search using this GitHub username returned results showing the scripts for the webpages created by this user and thereby uncovering the scam.