Ok, I don't think I'm exactly newbie on IM, but for the last two months I'm facing an issue with one hacker/spammer which I can't understand, and the curiosity is killing me. Two months ago, one post of my 1 year old blog almost accidentally ranked for a spammy term. Let's say "cheap tiffany". I didn't rank through linkbuilding, I guess people liked the article because it was a different content than the usual pages that try to rank for that keyword. The point is that one day I found that my post had disappeared from SERPs. I took a look at the first page, where I used to be, and I saw a hacked website with my title and my metadescription on it. It was the website of a local institution with a very nice PR. The hacker made the usual cloaking: when Googlebot entered the site, he saw my website (I mean the entire HTML page, not only the text), but if the useragent wasn't Googlebot there was a redirection to a spammy store. I just thought that Google was stupid enough to attribute the authorship of the original content to the website with bigger PR (the hacked website) and expeled mine from SERPs thinking that I was the duplicated content. I warned the hacked webmaster, he fixed the website and I got my rankings back. Few weeks later, the hacker made it again: he hacked another high-PR website and cloned my website on it, with the usual cloaking. This time, though, the hacked domain kept his title. But now comes what is driving me mad: 1) I checked my website on WMT, and there were tons of new backlinks coming "Via This Intermediate Link" + the hacked domain. In case you don't know, "Via This Intermediate Link" appears on WMT when there are links pointing to a domain that redirects to your domain. And that's what I don't understand at all: is the hacker pasting my HTML code on the hacked domain or is he redirecting it to mine with some kind of masking? I say masking because if I change the useragent to Googlebot with a Chrome extension and enter the hacked site through Google, I see my website (cloned exactly), but the URL in the browser doesn't change, is still the hacked one. 2) If I search the URL of my original post with the site: or allinurl: command I see my website with the title of the hacked domain on it!! I kept Googlebot useragent and checked the cache of my website, and this title is not showing anywhere, so I'm pretty sure that my website isn't hacked. I'm not very desperate, since the monetization of my web doesn't rely on that keyword, but, Jesus, I'm fuc***g curious on how is he doing it! Cheers!