Snopes was able to identify apparent clients of Maxpay using a combination of tools.
Our primary dataset originated from analysis performed by the business intelligence and website analytics company SimilarWeb, which provided Snopes with a list of referral data to the website maxpay.com for the period of time spanning December 2020 to November 2021. The SimilarWeb data reveal 408,573 referrals from 144 domains. The majority of referral traffic comes from URLs whose websites do not ever mention or publicly link to Maxpay.
These data refer to times in which a user arrives at or connects to maxpay.com from an external website. A common way to think of a referral is a user who has clicked on a link on one website to arrive at another, but such data could also reveal times in which components of one website connect to maxpay.com to perform some function, service, or monitoring.
Verifying a Connection to Maxpay
To test the hypothesis that this subset of referral traffic could come from processing payment information on external websites, Snopes analyzed each of these domains — either from their live versions or, in cases in which the websites had been removed, from archived data captured by either Archive.org's Wayback Machine or urlscan.io. The latter is a website that logs, categorizes, and archives myriad aspects of a URL, its function, and its communication with other websites at a given point in time.
As an example, get.booklounge.net is the second most significant source of referral traffic to maxpay.com. An attempt to load this website, at the time of this reporting, displays only a blank screen with the text "ok." This is, at least in part, because content only appears at this web address if its URL contains a specific page and contains tracking tags. These tags (the text that appears after a question mark in a URL) serve a few purposes. They tie the visit to a specific affiliate marketer for the purpose of compensation, and they also dictate what content appears on the page itself.
Finding archived copies of the full URLs is the best way to view the versions of the site that their potential customers would see. One place to hunt for these snapshots is Archive.org's Wayback Machine. Entering the web address get.booklounge.net* (with a * appended to the end) creates a search for all archives of that website that begin with that URL. In the case of booklounge.net and many others, such a search reveals functional URLs:
Another method uses the tool urlscan.io. Similar to Archive.org, this site also archives information from past versions of websites, but it does so with a focus on logging a website's behavior and identifiers helpful in linking related enterprises. At this website, a search for get.booklounge.net reveals several full Book Lounge URLs as well:
That website, booklounge.net, which is discussed in detail in part two of this series, purports to be an ebook subscription service. It is, however, a front for predatory sweepstakes contests purporting to enter registrants into a chance to win a variety of prizes after they provide a credit card number. These full addresses reveal landing pages where visitors enter such raffles without realizing they are also signing up for an expensive recurring monthly charge:
These .js files can be viewed in source form on a regular web browser. This code, Snopes found, is what betrays booklounge.net's connection to maxpay.com and provides what we interpret to be the cause of the referral to maxpay.com logged in the SimilarWeb data:
Booklounge URLs also record evidence of this same link to Maxpay when analyzed by urlscan.io:
Both of these landing pages were archived within the window of time covered by the SimilarWeb referral data. These combinations of factors — referral data from SimilarWeb and source code information independently collected by Snopes — led us to conclude that many of the URLs in our dataset are or were from websites apparently utilizing a Maxpay service in some way. The complete table with these added data can be found here:
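The two-part check described in this section (does archived page source name maxpay.com, and was the capture taken inside the SimilarWeb window), as an added example that is not Snopes' own tooling. The `.example` hostnames and source snippets are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Period covered by the SimilarWeb referral data (December 2020 to November 2021).
WINDOW = (datetime(2020, 12, 1), datetime(2021, 11, 30, 23, 59, 59))

# Wayback Machine snapshot URLs embed a 14-digit timestamp (YYYYMMDDhhmmss),
# optionally followed by a modifier such as "js_" or "id_".
SNAPSHOT_RE = re.compile(r"/web/(\d{14})[a-z_]*/(\S+)")

# maxpay.com or a subdomain of it as a whole hostname; rejects look-alikes
# such as "notmaxpay.com" and "maxpay.com.example".
MAXPAY_RE = re.compile(r"(?<![\w.-])((?:[\w-]+\.)*maxpay\.com)(?!\.?[\w-])", re.I)

# Constructed samples (snapshot URL, archived source); not real archive data.
CAPTURES = [
    ("https://web.archive.org/web/20210614101500js_/https://shop-a.example/js/pay.js",
     'var gateway = "https://maxpay.com/";'),
    ("https://web.archive.org/web/20220105090000/https://shop-b.example/landing?aff=1",
     '<script src="https://MAXPAY.com/placeholder.js"></script>'),
    ("https://web.archive.org/web/20210301000000/https://shop-c.example/",
     'fetch("https://notmaxpay.com.example/track")'),
]


def check_capture(snapshot_url, source):
    """Return (site_host, captured_at, in_window, maxpay_hosts) for one capture."""
    m = SNAPSHOT_RE.search(snapshot_url)
    if not m:
        raise ValueError(f"not a Wayback snapshot URL: {snapshot_url}")
    captured_at = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    target = m.group(2) if "://" in m.group(2) else "//" + m.group(2)
    site_host = urlsplit(target).hostname
    in_window = WINDOW[0] <= captured_at <= WINDOW[1]
    hosts = sorted({h.lower() for h in MAXPAY_RE.findall(source)})
    return site_host, captured_at, in_window, hosts


def corroborated_sites(captures):
    """Sites with at least one in-window capture whose source names maxpay.com."""
    results = (check_capture(url, src) for url, src in captures)
    return sorted({host for host, _, ok, hosts in results if ok and hosts})


if __name__ == "__main__":
    print(corroborated_sites(CAPTURES))
```

A capture outside the window or one that only names a look-alike host does not count as corroboration on its own.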
Snopes discovered 14 broad classifications of apparent clients. A brief discussion of each client type, as well as the verification process we used in each case, is described below. Here is their distribution:
|Regular Builder Portal*||73345||18.0%|
Subscription trap scams are found in several of these categories and, as a unit, account for 61.6% of referral traffic to Maxpay.com.
Together Networks/Other Dating Websites (24%):
Nearly 24% of Maxpay's traffic comes from online dating websites associated with these URLs:
One Night Friend, Flirt, Uniform Dating, Tender Meets and BeNaughty are all associated with Max Polyakov or Together Networks. The most prevalent dating site was the flagship BeNaughty. Within the period of time covered by our SimilarWeb data, BeNaughty and other related websites ran identical .js files including the phrase chunk.dating that made reference to both Maxpay and Genome, a company connected to Maxpay, in a section of code related to payments:
The CEO of Maxpay founded Genome, according to his LinkedIn profile:
Fake Merchants Used For Sweepstakes (21%)
Over 84,000 referrals to maxpay.com come from online merchants that operate in a manner similar to Piggy Budget and Book Lounge, which were described in detail in part two of this series. These subscription-based products, which fall into the categories of e-book libraries, budgeting services, and fitness programs, are in actuality used as companies that "sponsor" sweepstakes giveaways. The giveaways require a credit card to enter and serve to sign individuals up for monthly recurring charges:
The list below provides evidence of the above URLs being in sweepstakes and other subscription trap schemes within the window of time covered by the SimilarWeb dataset. Evidence used by Snopes includes scans from urlscan.io, archived pages identified in Archive.org's Wayback Machine, or publicly reported complaints asserting bait-and-switch charges associated with the URLs:
- workout-master.com (no record)
- healthy-avenue.com (no record)
Regular Builders, Monitor Builders, and Drive Builders (18%)
An additional 18% of referral traffic to maxpay.com comes from what Snopes classifies as "regular builders" or "drive builders." Similar to the sweep and stream merchants, the URLs are associated with payment portals that engage in two forms of subscription trap scams.
Companies and/or products bearing the name Regular Builder, Monitor Builder, or Drive Builder — which claim to provide the software for individuals to monetize their own files or streaming content — are common to each of these payment portals.
These portals are associated with either a file-sharing or a streaming scheme. In the former, access to a PDF document, e-book, or other file for download is purportedly offered via a trial of a file-sharing service. In the latter, the portals appear to be associated with offers to stream live sporting events.
A credit card is required for the download or stream to start. After providing this number, a user has signed up for a recurring charge — purportedly to a file-sharing or streaming platform. In at least some cases, the credit card entry is predicated on the notion that it is needed to confirm geographic location, and will not actually be charged.
Myriad short-lived URLs have been used for the above purposes, but they broadly share several characteristics, including use of the ".xyz" top-level domain, the use of a series of letters and dashes that involve portions of the words monitor, regular, drive, and/or builder, and the use of servers housed in Russia.
These varied URLs are spread out over only four Russia-based IP addresses, and (in addition to being a source of referral traffic to Maxpay) are connected to Maxpay via their use of Covery. Those domains and the evidence of their use in these scams are detailed below:
Additional Sources of Referral Traffic (38%)
The following classifications of referral sources do not fit into the category of obvious subscription traps: Merchant Services, Account Trading, Software or Services, Casinos, Banking Institutions, Media Coverage, Games, and Internal Links. Snopes was unable to classify URLs linked to just over 3% of Maxpay's traffic.
Merchant services refer to a variety of URLs that appear to be associated with external financial services. Snopes classifies 15% of Maxpay referral traffic in this category. The most prominent example is arcot.com, which is a "payment authentication network." Another example is netteller.com, which is "a digital wallet that makes managing your money quick, easy and secure."
Account trading refers to websites that sell "premium access" to a variety of domain names associated with file sharing. 14% of traffic to Maxpay falls into this category. Premium access offers faster upload and download speeds on file sharing sites. Two companies appear in the referral data — hkaccounttrading.com and centercoast.net.
In the case of these two companies — which offer premium access to the same collection of domains — successful transactions require the seller to have a pre-existing relationship with the buyer via a third party website:
Software or services (3.2%) include what appear to be actual products. The most prominent example is an iPhone surveillance service named mSpy (1.1% of referral traffic). The company markets itself as a way to monitor children's safety. ClickDealer advertises the project as a way to spy on unfaithful romantic partners.
Communication between maxpay.com and online gambling operations accounts for another 0.6% of referral traffic. Two casino brands appear in the referral traffic: 22bet and mr.bet. Games (0.2%), a separate category, involves what are potentially functional non-gambling games that require payment to play.
Referrals that stem from actual links contained in media reports (0.6%) fall into the category of media coverage. Internal links refer to communication between Maxpay and internal or customer service communication products like Zendesk.
Finally, 0.4% of referral traffic stems from an actual bank based in Latvia. We classify this as a "banking institution." That bank is Latpastabanka AS, also known as LPB Bank.