If you manage affiliate programs for well-known brand names, you’ll eventually run into unauthorized PPC bidding, or ad-hijacking.
You probably already know, but just in case, ad hijacking refers to a practice where affiliate publishers bid on your brand name or branded keywords without permission, or in breach of your affiliate programme rules. It is usually just a slightly more alarming term for “unauthorised PPC”.
This issue isn’t new. Those of us who’ve worked in affiliate marketing for years have seen it play out repeatedly. What’s frustrating is how many brand bidders still get away with it, thanks to increasingly sophisticated redirect and masking techniques.
And one of the most common domain names we see associated with this behavior is go2cloud.org
What Is go2cloud.org?
go2cloud.org is a redirect domain used by Tune (formerly HasOffers) to handle tracking. It is part of a subdomain, so you might see something like digikwik.go2cloud.org in your reports.
Tune is a legitimate affiliate and ad server, but in most cases, there is no legitimate reason for a go2cloud.org redirect to appear in an affiliate referral path unless some sort of paid media was involved.
Technically, the redirect is just a neutral tool, but in practice it’s a red flag. If your affiliate program doesn’t allow PPC it is not unreasonable to suspect ad hijacking when this domain shows up.
Why Detection Tools Struggle
Tools like AdPolice and BrandVerity are commonly used to monitor for brand bidding and unauthorized PPC activity. They crawl search results globally to find ads that might violate program rules, but they are easily outmanoeuvred.
What we often see, buried in a maze of HTTP headers and redirect URLs, is one or more passes through the go2cloud.org domain.
Fraudsters know exactly how detection works. The go2cloud redirect is usually just one part of a broader system that:
- Strips out HTTP headers
- Cloaks referrers
- Masks the true origin
By the time the click lands on the merchant’s site, all identifying signs that it originated from unauthorized PPC are gone. The affiliate cookie looks clean, the traffic appears legitimate, and analytics show nothing suspicious.
Common tactics include:
- VPN detection
- Chains of redirects that remove referrer info
- Session Jumping
- JavaScript cloaking
- Header stripping
- Geo-based cloaking
- Asynchronous JavaScript
- Time-based window switching
If you want to get technical, the main method seems to be on firing things begins the ‘scenes’, in hidden tabs or using deferred / asynchronous JavaScript.
They also have advanced logic that won’t drop an affiliate cookie if they suspect the visitor isn’t a normal user. So even if you find a suspicious ad and click it, you won’t be able to see which affiliate placed the ad. Or they might direct you to an alternate page that looks perfectly fine.
Even the companies behind the detection tools admit they can’t always keep up with all the redirects, dynamic paths, scripts, and obfuscation. It is very much a game of cat and mouse.
Enter the Blind Subnetworks
So, where does this traffic usually come from? One word: subnetworks. In particular, Blind subnetworks
Subnetworks allow dozens or even hundreds of publishers to run campaigns under a single affiliate ID. They are great for publishers who can’t manage thousands of individual affiliate relationships and need an efficient way to monetise their content, but they can also be mis-used by publishers who would never be allowed to join your programme if they applied directly.
Blind subnetworks:
- Don’t disclose who their publishers are
- Offer little to no transparency
- Frequently turn a blind eye to policy violations
When approached, they often respond with something like, “That publisher has been removed.” But there is no guarantee that is true.
They are also interchangeable – ad hijackers often switch between subnetworks once they are caught. While many offenders originate from regions like India, China, or Russia, I have encountered unscrupulous blind networks and brand-bidders registered in California and Germany as well.
Can We Track It Back?
The suspicious go2cloud.org link you may see in your reports is usually a subdomain like: digiklik.go2cloud.org.
The subdomain identifies a specific Tune client. But most affiliate managers will tell you: if they reached out to Tune for more details, they would not expect a reply.
That said, I have spoken to Tune and they mentioned they do cooperate with at least one brand protection vendor. I’ll have a think about whether to name them – I haven’t personally used their service so I can’t recommend it yet.
To be fair to Tune, they provide ad management infrastructure – they are not the affiliate police. It’s not their job to enforce your affiliate rules. Just because go2cloud.org is useful to fraudsters doesn’t necessarily make Tune complicit.
Also, if Tune is used as part of a sophisticated chain of redirects, then it isn’t a given that they will have much to contribute.
Not All Ad Hijacking Is Equal
Unauthorized PPC bidding is one thing, but the same cloaking and redirection techniques are often used to conceal far riskier activity.
When the source of affiliate traffic isn’t transparent and you rely too heavily on last-click attribution In these cases, affiliates aren’t just bending the rules – they are actively routing toxic, illegal, or non-human traffic through redirect chains to make it look legitimate.
These are some of the real sources being cloaked:
- Malware-infected devices
- Hacked websites (CMS injections, .htaccess redirects)
- DNS hijacks
- Botnets, proxy farms, and private blog networks
By the time it reaches your site, it appears to be organic, direct, or clean paid media. But in reality, it could pose legal, reputational, or security risks to you and your customers.
Why would publishers risk this? Well, sometimes these sources pass as legitimate and fly under the radar, but the main reason is that they are very cheap. We’re talking millions of impressions for just a few pounds of dollars. With very little to lose if they get caught, a lot of publishers get tempted. It also attracts the attention of Hot Houses, who openly embrace things which may be criminal.
One of the reasons the industry doesn’t talk about it more is because a lot of the discussion and awareness is driven by the vendors, and they don’t really have a solution to tackle this particular side of the coin.
Unauthorized PPC is one thing. Using malware or hijacked traffic in affiliate marketing is another thing entirely, and we need to treat it that way.
Complicated, But Manageable
That just about sums it up. The technical challenges are significant, policing is inconsistent and the blame is sometimes misplaced, but the presence of go2cloud.org links is a common denominator that we need to be aware of.
Ad hijacking is a multi-layered problem. It is fuelled by:
- Weak enforcement by affiliate networks
- Lack of transparency in blind subnetworks
- Open encouragement by some blind subnetworks
- Inadequate fraud detection
- And yes, opaque redirect chains
Pointing fingers at infrastructure providers like Tune only goes so far. What we need instead is:
- Better transparency
- Stricter partner policies
- Modernized attribution standards
- And a willingness to walk away from bad actors
I would also add: these publishers are paid by the mainstream affiliate networks. Affiliate networks around the world are still rewarding this behaviour and doing far too little to stop it.
And while I personally avoid blind subnetworks wherever I can, some of the clients I represent don’t want to remove publishers who hit their short-term performance targets. That’s part of the problem too.