Note: Apparent Maxpay Clients

Using referral data and other indicators to create a list of online merchants who apparently use Maxpay to process credit card charges.

Published Oct 5, 2022

The Dataset

Snopes was able to identify apparent clients of Maxpay using a combination of tools.

Our primary dataset originated from analysis performed by the business intelligence and website analytics company SimilarWeb, which provided Snopes with a list of referral data to the website for the period of time spanning December 2020 to November 2021. The SimilarWeb data reveal 408,573 referrals from 144 domains. The majority of referral traffic comes from URLs whose websites do not ever mention or publicly link to Maxpay.

[Raw Data from Similar Web]

These data refer to times in which a user arrives at or connects to from an external website. A common way to think of a referral is a user who has clicked on a link on one website to arrive at another, but such data could also reveal times in which components of one website connect to to perform some function, service, or monitoring.  

Verifying a Connection to Maxpay

To test the hypothesis that this subset of referral traffic could come from processing payment information on external websites, Snopes analyzed each of these domains — either from their live versions or, in cases in which the websites had been removed, from archived data captured by either's Wayback Machine or The latter is a website that logs, categorizes, and archives myriad aspects of a URL, its function, and its communication with other websites at a given point in time.

As an example, is the second most significant source of referral traffic to An attempt to load this website, at the time of this reporting, displays only a blank screen with the text "ok." This is, at least in part, because content only appears at this web address if its url contains a specific page and contains tracking tags. These tags (the text that appears after a question mark in a URL) serve a few purposes. They tie the visit to a specific affiliate marketer for the purpose of compensation, and they also dictate what content appears on the page itself.

Finding archived copies of the full URLs is the best way to view the versions of the site that their potential customers would see. One place to hunt for these snapshots is's Wayback Machine. Entering the web address* (with a * appended to the end) creates search for all archives of that website that begin with that URL. In the case of and many others, such a search reveals functional URLs:

Text, Page, File

Another method uses the tool Similar to, this site also archives information from past versions of websites, but it does so with a focus on logging a website's behavior and identifiers helpful in linking related enterprises. At this website, a search for reveals several full Book Lounge URLs as well:

That website,, which is discussed in detail in part two of this series, purports to be an ebook subscription service. It is, however, a front for predatory sweepstakes contests purporting to enter registrants into a chance to win a variety of prizes after they provide a credit card number. These full addresses reveal landing pages where visitors enter such raffles without realizing they are also signing up for an expensive recurring monthly charge:

Person, Human, Mobile Phone as it appears to most visitors.

These .js files can be viewed in source form on a regular web browser. This code, Snopes found, is what betrays's connection to and provides what we interpret to be the cause of the referral to logged in the SimilarWeb data:

Text, Word, Letter

Booklounge URLs also record evidence of this same link to Maxpay when analyzed by

Text, Document, Page

Both of these landing pages were archived within the window of time covered by the SimilarWeb referral data. These combinations of factors — referral data from SimilarWeb and source code information independently collected by Snopes — led us to conclude that many of the URLs in our dataset are or were from websites apparently utilizing a Maxpay service in some way. The complete table with these added data can be found here:

[Maxpay Apparent Client Spreadsheets]

Snopes discovered 14 broad classifications of apparent clients. A brief discussion of each client type, as well as the verification process we used in each case, is described below. Here is their distribution:

Classification Referrals Percent
Dating* 97846 23.9%
E-books* 55491 13.6%
Regular Builder Portal* 73345 18.0%
Merchant Service 61812 15.1%
Account Trading 55853 13.7%
Fitness* 22008 5.4%
Unknown 15059 3.7%
Software/Service 13238 3.2%
Budgeting* 6555 1.6%
Referral/Media Link 2521 0.6%
Casino 2267 0.6%
Banking Institution 1476 0.4%
Games 896 0.2%
Internal Link 206 0.1%
*Items marked with an asterisk are subscription-trap scams.

Subscription trap scams are found in several of these categories and, as a unit, account for 61.6% of referral traffic to

Together Networks/Other Dating Websites (24%):

Nearly 24% of Maxpay's traffic comes from online dating websites associated with these URLs:

URL Referrals Percent 220 0.1% 620 0.2% 879 0.2% 1,104 0.3% 3,656 0.9% 26,681 6.5% 64,686 15.8%
SimilarWeb data

One Night Friend, Flirt, Uniform Dating, Tender Meets and BeNaughty are all associated with Max Polyakov or Together Networks. The most prevalent dating site was the flagship Be Naughty. Within the period of time covered by our SimilarWeb data, BeNaughty and other related websites ran identical .js files including the phrase that made reference to both Maxpay and Genome, a company connected to Maxpay, in a section of code related to payments:

Text, Label, Newspaper

The CEO of Maxpay founded Genome, according to his Linkedin profile:

Flyer, Advertisement, Paper

Fake Merchants Used For Sweepstakes (21%)

Over 84,000 referrals to come from online merchants that operate in a manner  similar to Piggy Budget and Book Lounge, which were described in detail in part two of this series. These subscription-based products, which fall into the categories of e-book libraries, budgeting services, and fitness programs, are in actuality used as companies that "sponsor" sweepstake giveaways requiring a credit card to sign up for that serve to sign individuals up for monthly recurring charges:

URL Referrals Percent Category 137 0.0% Budgeting 601 0.1% Budgeting 1,785 0.4% Budgeting 1,792 0.4% Budgeting 2,240 0.5% Budgeting 119 0.0% EBooks 171 0.0% Ebooks 336 0.1% Ebooks 535 0.1% Ebooks 591 0.1% Ebooks 1,238 0.3% Ebooks 3,769 0.9% Ebooks 48,733 11.9% Ebooks 136 0.0% Fitness 139 0.0% Fitness 140 0.0% Fitness 207 0.1% Fitness 517 0.1% Fitness 1,377 0.3% Fitness 1,573 0.4% Fitness 1,594 0.4% Fitness 1,633 0.4% Fitness 1,755 0.4% Fitness 2,118 0.5% Fitness 2,177 0.5% Fitness 3,212 0.8% Fitness 5,431 1.3% Fitness
SimilarWeb data

The list below provides evidence of the above URLs being in sweepstakes and other subscription trap schemes within the window of time covered by the Similar Web dataset. Evidence used by Snopes includes scans from, archived pages identified in's Wayback Machine, or publicly reported complaints asserting bait-and-switch charges associated with the urls:

Regular Builders, Monitor Builders, and Drive Builders (18%)

An additional 18% of referral traffic to comes from what Snopes classifies as "regular builders" or "drive builders." Similar to the sweep and stream merchants, the urls are associated with payment portals that engage in two forms of subscription trap scams.

Companies and/or products bearing the name Regular Builder, Monitor Builder, or Drive Builder — which claim to provide the software for individuals to monetize their own files or streaming content — are common to each of these payment portals.

These portals are associated with a file-sharing or streaming scheme in which access to a PDF document, e-book, or other file for download is alleged via a trial to file sharing service. In the case of the latter, the portals appear to be associated with offers to stream live sporting events.

A credit card is required for the download or stream to start. After providing this number, a user has signed up for a recurring charge —  purported to a file sharing platform or streaming platform. In at least some cases, the credit card entry is predicated on the notion that it is needed to confirm geographic location, and will not actually be charged.  

Myriad short-lived URLs have been used for the above purposes but they broadly share several characteristics including use of the ".xyz" top-level domain, the use of a series of letters and dashes that involve portions of the word monitor, regular, drive, and/or builder, and the use of servers housed in Russia.

These varied urls are spread out over only four Russia-based IP addresses, and (in addition to being a source of referral traffic to Maxpay) are connected to Maxpay via their use of Covery. Those domains and their evidence of their use in these scams is detailed below:

Domain % # IP Reference 0.0% 151 Unknown Unknown 0.0% 155 0.1% 210 0.1% 214 0.1% 218 0.1% 223 0.1% 246 0.1% 250 Unknown 0.1% 288 Unknown 0.1% 356 Unknown 0.1% 356 Unknown 0.1% 360 0.1% 397 Unknown 0.1% 427 Unknown 0.1% 448 Unknown 0.1% 471 0.1% 540 0.1% 609 0.2% 666 0.2% 759 0.2% 795 0.2% 801 0.2% 908 0.2% 921 Unknown 0.2% 967 0.2% 990 0.2% 1018 Unknown 0.3% 1053 0.3% 1112 Unknown 0.3% 1199 Unknown 0.4% 1680 0.4% 1726 0.4% 1771 0.5% 1884 0.7% 2831 0.7% 2878 0.7% 3017 0.8% 3365 1.0% 4251 2.4% 9794 5.3% 21831
SimilarWeb and data

Additional Sources of Referral Traffic (38%)

The following classifications of referral sources do not fit into the category of obvious subscription traps: Merchant Services, Account Trading, Software or Services, Casinos, Banking Institutions, Media Coverage, Games, and Internal Links. Snopes was unable to classify URLs linked to just over 3% of Maxpay's traffic.

Merchant services refer to a variety of URLs that appear to be associated with external financial services. Snopes classifies 15% of Maxpay referral traffic in this category. The most prominent example is, which is a "payment authentication network."  Another example is, which is "a digital wallet that makes managing your money quick, easy and secure."

Account trading refers to websites that sell "premium access" to a variety of domain names associated with file sharing. 14% of traffic to Maxpay falls into this category. Premium access offers faster upload and download speeds on file sharing sites. Two companies appear in the referral data — and

In the case of these two companies — which offer premium access to the same collection of domains — successful transactions require the seller to have a pre-existing relationship with the buyer via a third party website:

Software or services (3.2%) include what appear to be actual products. The most prominent example is an iPhone surveillance service named mSpy (1.1% of referral traffic). The company markets itself as a way to monitor children's safety. ClickDealer advertises the project as a way to spy on unfaithful romantic partners.

Communication between and online gambling operations account for another 0.6% of referral traffic. Two casino brands appear in the referral traffic: 22bet and Games (0.2%), a separate category, involves what are potentially functional non-gambling games that require payment to play.

Referrals that stem from actual links contained in media reports (0.6%) fall into the category of media coverage. Internal links refer to communication between Maxpay and internal or customer service communication products like zendesk.

Finally, 0.4% of referral traffic stems from an actual bank based in Latvia. We classify this as a "banking institution." That bank is Latpastabanka AS, also known as LPB Bank.

Alex Kasprak is an investigative journalist and science writer reporting on scientific misinformation, online fraud, and financial crime.