So there's a nice debate going on https://www.blackhatworld.com/seo/the-pussification-of-bhw.902114/ about BHW not being blackhat anymore. I've seen a theme not only in that thread, but throughout many threads on people being confused with criminal blackhat versus civil blackhat and the consequences/risks of each. In this thread I hope to give people an inside perspective on what I've encountered over the years and perhaps they can make a more informed decision. I'm not a lawyer so just gonna talk about a few of my experiences rather than the law itself.
Alright so first we need to form some basic assumptions to get our baseline:
Standard Blackhat Criminal Activity: Carding, hacking, theft of property, theft of info, etc. This kind of discussion isn't tolerated here and rightfully so. I don't involve myself with it or with people doing it.
Standard Blackhat Civil Activity: Anything that violates a website's ToS (100s of examples could be named so I'll skip doing that). This is what I focus on.
Moral Compass: What you're morally willing to do without taking any legal consequences into consideration.
Risk Tolerance: Taking into consideration and accepting the consequences of your actions if caught (civil or otherwise).
End Game/Exit Strategy: What your final objective is.
I know the above sounds all serious but it's something that every marketer should face/consider before doing ANY kind of marketing tactic that violates a rule/policy. It's something that I've considered time and time again since I needed to evaluate if something was worth pursuing. Since I don't partake in criminal activity we're just gonna throw that option out and focus on the civil liability aspects of doing blackhat methods since 99% of the blackhat discussions here are civil based.
I'll provide a few examples of situations I've been in and how I avoided any consequences (since that should supersede any monetary gain).
Situation 1:
Back in 2003 I learned about a hustle that lawyers used in order to extract settlements out of companies that violated debt collection laws. Fast forward to 2005ish and I find out several prosecutors from various states were investigating me for doing the same practice. I knew the law was on my side and just cause I didn't have a degree on my wall but knowing my rights didn't mean I was no longer entitled to them. I stood my ground and continued on, knowing that I had case law/precedent on my side. Not once were any charges brought cause they had no case to make. I was simply playing the system just like every lawyer was doing.
Lesson:
You need to think practically about a situation before getting involved in it. Ask yourself about morality, your risk tolerance, potential of crossing over into criminal territory and finally your end game. For instance, there's a difference between buying coupons to get 400k in free facebook/bing/google advertising and what Mr. Grunin did (albeit his case was still civil). I'm not sure if he had an end game as he could have gotten out clean with FB once they told him to stop, but he kept at it. Once a company finds you and puts you on official notice to stop, you stop! If it gets to the courts and they tell you to stop and you don't, you're in contempt and go to jail.
In my situation if I sent random lawsuits with fake claims to businesses demanding money to make the case go away, well, I would have served time. But since I knew the game these lawyers were playing against debt collectors I followed their script and turned what I did away from a criminal action on its face into a sustainable biz model backed up by law.
Situation 2:
In '07 I found an opportunity to spam Adwords with ringtones listing. This continued for 6 months or so and I noticed Shoemoney wrote a couple blog posts about it. That had me a little concerned cause whenever a large company gets publicly exposed for weaknesses they tend to hit back hard at the people doing it. After having an anonymous conversation with him I learned the FBI got involved since some people were copying the method but using stolen credit cards instead. I figured it was the right time to exit the method as things were getting too hot.
Lesson:
If you're abusing a platform it's always a good practice to try and get an insider perspective on what they're thinking or planning on doing in reaction to your actions. Look at the company's blog posts, call them, check their Twitter account or check for any communications they've sent to you. In one instance a company knew I was using throwaway email accounts so they would communicate by changing my campaign names and leaving me messages such as, "we're onto you" or "we're gonna find out who you are" etc. In Google's case they contacted my affiliate network but thankfully they had my back:
To follow that up you should always check with the affiliate network to make sure they're cool with what you're doing. Be transparent but don't tell them everything. If the exploited company can't find you then they'll check your aff links to see what network and advertiser is working with you. Google had leverage against Azoogle in which the network forced me to change my method up some but I was able to continue on till the FBI talk came about.
Situation 3:
A couple years ago I got into exploiting online casinos. I'm not smart enough to know how to hack into a server (nor would I) so needed to find out a different approach. I quickly realized that a lot of casinos coded the games themselves and failed to secure the structures of the game client-side, allowing me to break them with simple free software and manipulate certain aspects of the game. The casinos were running illegally in the US anyway, so I knew they didn't have many options for recourse. Problem was one in particular had another option:
Lesson:
Be careful using blackhat methods against smaller companies cause they're more likely to respond on a personal level. Annoying executives or security teams at Fortune 50 companies is one thing but when you're affecting a small business, things can go sideways pretty quick. Luckily for me I was offering consulting at the time and they took me up on the offer rather than, who knows.
Closing
There are many degrees/interpretations of what blackhat methods are. Sure, going strictly by the book you're "breaking the law" if you have a fake FB or IG account or whatever, just like you're breaking the law if jaywalking. Before you dive into violating a company's ToS you need to first understand what you're trying to extract out of the company, when to exit, what your risk tolerance is and the possible consequences of pulling it all off. Don't let me or anyone here impose upon you how far you should take it, only you can answer that.
Thanks for your time reading this.