Scammers are hijacking trusted brand names to push people toward online casinos unrelated to those companies. Instead of building fake bank sites or phishing emails, they exploit the trust people place in familiar logos.
The scam starts simply. A consumer scrolling Facebook, Instagram, TikTok, or Threads sees an ad claiming a familiar brand, such as a bank, retailer, or streaming service, has launched its own slots or casino game.
Some ads even show a testimonial from someone who supposedly won big playing “Brand Slots”. Researchers at Netcraft identified these scam advertising campaigns and found them far more organized than typical clickbait.
Netcraft said in a report shared with Cyber Security News (CSN) that the operation spans dozens of impersonated brands across several countries, pointing to a coordinated effort.
Clicking the ad takes the victim to a landing page dressed up to look like an official app store listing, complete with the brand’s logo and a fabricated developer name.
From there, users are guided to install what looks like an app but is actually a Progressive Web App, a browser shortcut disguised as a native application.
Once opened, that shortcut quietly loads an unrelated gambling site through affiliate tracking links, generating a payout for whoever ran the ad. Affiliate platforms reportedly pay between $50 and $350 for every player who signs up and deposits money.
Scammers Impersonate Trusted Brands
Netcraft found three approaches used across these campaigns, each showing an escalating level of effort. The simplest version slaps a brand name onto a generic slots ad, relying on ordinary people in everyday scenes to sell the idea.
A more elaborate version lifts a brand’s actual logo, color scheme, and forged screenshots of its app. One example targeting Monzo showed a fabricated account balance next to text declaring the bank had “officially launched online slots,” complete with a real Monzo sort code for legitimacy.
The most convincing tactic uses AI generated promotional videos filmed to look like they were shot outside real brand locations, featuring fake employees and authentic branding.
.webp)
For viewers who recognize the company, these clips are hardest to dismiss as fake. Fake app store listings follow the same playbook, using stolen logos, invented developer names such as “Tesco Entertainment UK Limited,” and fabricated star ratings and reviews.
.webp)
A smaller number of campaigns instead show a spin wheel game that always wins, pushing users to “claim” their prize by installing the disguised app.
Some ads display one URL, such as a Google Play address, while actually leading elsewhere.
Netcraft even found cases where a domain built to impersonate one brand was later used to run ads for a completely different brand, hinting operators recycle infrastructure across campaigns.
Brands Being Impersonated and Who Is at Risk
The brands caught up in this scheme span several industries. UK banks like Monzo, Revolut, and Barclays have been impersonated, alongside household names such as Tesco and the Irish National Lottery, plus global names including Amazon, Netflix, and Facebook.
While most identified ads target UK consumers, Netcraft also spotted variants in German and Spanish, along with one offering a bonus in Canadian dollars, pointing to international reach.
Once installed, the fake app keeps showing the impersonated brand’s name in the browser title bar even as it loads an unrelated casino site underneath. Push notifications are also sent to nudge users into finishing registration, keeping the illusion alive after install.
Because the casino sites function as real, working gambling platforms with genuine games and bonuses, they do not directly impersonate any brand, making them harder to take down than the ads and landing pages.
Netcraft noted it could not confirm whether these linked casinos hold proper licensing for their target markets.
Anyone encountering an ad claiming a bank or retailer suddenly launched a gambling product should treat it with suspicion, verify claims through the brand’s official app or website, and avoid installing anything prompted through a social media ad.
Checking whether an “install” button leads to a genuine app store, rather than a browser shortcut, is a simple way to catch this scam early.
Netcraft has published indicators of compromise tied to this campaign in a public GitHub repository, giving researchers and platforms a way to track and block the infrastructure behind it.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | 345rodeoslot[.]com | Gambling site loaded inside a PWA disguised as “Amazon Slots” |
| Domain | revvo-online[.]website | Casino endpoint linked to the fake app campaign |
| Domain | tescogames[.]com | Casino/landing domain used in Tesco-branded scam ads |
| Domain | monzoslots[.]life | Landing page impersonating Monzo for a fake slots product |
| Domain | rewardsmonzo[.]website | Domain used in Monzo-branded scam campaign |
| Domain | topstatus[.]site | Generic non-branded landing domain used for the scam |
| Domain | optimismphantasm[.]shop | Generic non-branded landing domain used for the scam |
| Domain | prideeuphoric[.]shop | Generic non-branded landing domain used for the scam |
| Domain | seekerlucis[.]shop | Generic non-branded landing domain used for the scam |
| Domain | blinkd[.]com | Casino endpoint identified in the campaign |
| Domain | spinlynx36[.]com | Casino endpoint identified in the campaign |
| Domain | roulettino12[.]com | Casino endpoint loaded via a fake app titled “Amazon Slots” |
| URL | play[.]monzo[.]com (spoofed display URL) | Fake display URL impersonating Monzo’s real domain in ad metadata |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

