Hi,
One of my tracking sites seems to have been hacked? When Distill checks the link or i click it, I get a malware looking page:
// Unsecured Target: Access Log
pcp@BlackWitch~/$
We pay our affiliates
When i manually copy/paste the link it does open the page as expected.
Any ideas what’s going on?
Hi @dave2626
Thank you for reaching out. I want to assure you that Distill itself is completely safe, and there is no issue with our tool. The unexpected behavior you’re seeing is coming from the website you were monitoring, which appears to be compromised or serving malicious/unauthorized content.
In cases like this, we strongly recommend:
Stopping any monitoring of the affected URL for now.
Avoiding interaction with the compromised site to prevent any security risks.
Informing the website’s administrator or support team so they can investigate and resolve the issue as soon as possible.
Hi @srijith , thanks for the quick reply.
When I copy/paste the link from Distill into the browser it works as expected. The website I’m monitoring is Athlon.com, a large multinational. I highly doubt their website has been hacked; from what I can tell this has been happening for days or longer.
Any other suggestions?
Wait what the hell, the page it sends me to is blackwitch.x.com (redacted link). Looking for ‘Black witch / PCP hack’ brings me to news articles about hospitals etc. being hacked in the Netherlands two days ago.
This would suggest either Distill or Athlon (supposedly the latter) has been hacked by this group as well?
@dave2626
Thank you for sharing these details — I can imagine how alarming that must look. Let me reassure you: Distill has not been hacked, and everything on our end is operating normally and securely.
What you’re seeing is almost certainly the result of Athlon’s server (or their CDN/security provider) returning redirects or alternate responses specifically for automated requests like Distill’s. This can happen when:
The site uses aggressive bot-protection,
The server misidentifies automated traffic,
Or a security layer is incorrectly routing non-browser visitors.
These systems sometimes redirect automated traffic to unrelated domains — including “decoy” or “sinkhole” pages that look alarming but are not actual hacks of the requesting tool.
Since your browser loads Athlon.com correctly, and only automated requests get redirected, this strongly points to a server-side filtering or misconfiguration, not a compromise of Distill.
The “BlackWitch” content you’re seeing is not coming from Distill. It is served directly by the destination site (or an upstream layer such as their CDN, proxy, or WAF). Distill simply displays whatever the server returns.
When a website or CDN blocks automated traffic, it may:
Return unrelated content,
Redirect to external domains,
Serve placeholder or “trap” pages for bots.
This matches the behavior you’re seeing.
Distill is secure and not affected.
The issue is isolated to how Athlon’s server responds to automated requests.
I recommend contacting Athlon’s technical team or webmaster and letting them know that automated requests are being redirected to suspicious external content. They will be able to confirm and correct the behavior on their end.
In the meantime, you may want to pause monitoring that URL until they resolve it.
