Scammers are increasingly taking advantage of consumer trust in well-established household and financial brands by crafting highly polished and misleading Google Play Store pages, along with social media advertisements that promote unverified Progressive Web Apps (PWAs) leading directly to online casinos.
The fraudulent scheme kicks off on popular social media platforms, including Facebook, Instagram, Threads, and TikTok. Scammers utilize paid advertisements that either feature straightforward labels like “Brand Slots” or more sophisticated imitations that closely mimic authentic brand logos, product interfaces, and even AI-generated videos showcasing supposed staff members or fictional branded locations. The goal is simple: to lure unsuspecting consumers into believing they have discovered an “official” launch of slot or casino applications.
These ads often come supplemented with fabricated testimonials, along with fake app-store metadata designed to boost their credibility. When users click on these enticing advertisements, they are redirected to a landing page that is designed to resemble a Google Play or App Store listing, or a branded promotional page. However, the “Install” button does not lead to a legitimate app download from an official source; instead, it triggers a browser prompt that allows the user to add a PWA to their device’s home screen.
Once the PWA is installed, it appears to function like a native app, complete with a branded title and icon. Yet, in reality, it is a facade that simply serves as a gateway to a third-party casino URL. According to investigations conducted by Netcraft, this coordinated scheme is largely driven by affiliate marketing, where scammers impersonate reputable names such as Tesco, Amazon, Monzo, and Revolut. This routing from paid social ads to counterfeit app listings ultimately results in the installation of PWAs that lead to unrelated gambling websites.
The criminals behind this operation are employing affiliate tracking parameters embedded within the PWAs and their launch URLs. This method enables them to track downstream activities, such as registrations and deposits, attributing them back to the specific advertising campaigns.
Netcraft’s analysis suggests that the economic incentive for the scammers is substantial. Information available on affiliate platforms indicates that cost-per-acquisition payouts for new depositing players typically range from $50 to $350. This financial motive explains why these attackers are willing to invest in convincing advertising creative and extensive ad distribution efforts. For example, one specific series targeting Monzo customers displayed what appeared to be screenshots of the actual Monzo app, featuring a fabricated account balance, all the while proclaiming that “MONZO OFFICIALLY LAUNCHES ONLINE SLOTS.”
Common traits can be recognized across these deceptive campaigns. The ads range from rudimentary text-based offerings that insert any brand’s name, to convincing “official announcements” that employ brand color schemes and fabricated UI screenshots. Some even feature sophisticated AI-generated promotional videos that place imagined brand employees and fictitious locations at the forefront of the advertisement.
The landing pages these ads lead to can be alarmingly realistic; they often contain fake app listings adorned with spurious developer names, download counts, and even counterfeit user reviews. Additionally, some pages include interactive elements like simulated winning opportunities on a branded spin wheel, prompting users to “claim” a prize in exchange for installing the PWA.
In terms of domain choices, scammers tend to favor generic or innocuous-looking hostnames, such as seekerlucid.shop or optimisphantasm.shop, making them less likely to be flagged by automated filtering systems. In other scenarios, attackers utilize branded domains or URLs that closely resemble real web addresses, thereby further decreasing suspicion among potential victims.
Further examination by Netcraft reveals a high level of operational consistency among these scam campaigns. Individual advertisers often run numerous ad variants across different markets and languages. In some cases, identical infrastructure facilitates the impersonation of various brands, indicating a shared threat actor or a network of affiliates working in unison.
In response to this growing threat, platforms and advertisers are urged to enhance their creative verification processes, monitor for instances of brand impersonation, and disrupt the affiliate flows that direct users toward gambling endpoints. Consumers face a dual risk: potential financial losses through unauthorized gambling activities and a deteriorating trust in genuine brand communications. PWAs installed through these deceptive means can obscure their true objectives, featuring branded title bars while minimizing browser elements, thereby making it easy for users to confuse a casino site with an official app from a trusted brand.
To mitigate these threats, a combination of user vigilance and proactive platform action is essential. Consumers are advised to approach unsolicited “official launch” ads with skepticism and verify the authenticity of app sources through official vendor pages. Moreover, they should avoid downloading PWAs from unknown landing pages to protect themselves from falling victim to these sophisticated scams.

