Learning to code can be daunting and challenging. It’s easy to fall into what’s called
"tutorial hell"—an endless sequence of tutorials that often have little impact on real learning. A few years ago, one weekend, I stumbled upon a quick tutorial showing how to build and deploy a fully functional URL shortener. Although a URL shortener is a relatively basic product, it’s an excellent project for learning the fundamentals of I/O with a live database, input filtering and cleaning, and data storage.
At the time, my coding knowledge was limited to what I could do on my own machine. I wanted to learn how to deploy a Python app properly. The URL shortener seemed like a manageable short-term project to work on while building foundational skills to eventually create a fully-fledged SaaS product.
Adding a Unique Feature
I wanted to develop something slightly more advanced than a simple shortener. My tool would generate a downloadable, unique QR code for each shortened URL, allowing users to bring those links into the real world. I was intrigued by the potential use cases and curious to see how people might start spreading links. This was pre-COVID so I wasn't really envisioning any "scan the QR code for the menu" type of use case. For someone learning to program, this offered an interesting challenge, at least at a basic level.
The Role of URL Shorteners
URL shorteners have been around for a long time. Their use case is straightforward: URLs can grow excessively long and hard to decipher, especially with the development of the modern internet. A shortener increases the portability and shareability of lengthy URLs. The rise of CGI (the primary driver of URL length explosion) certainly contributed to the demand for such tools.
One interesting property of URL shorteners, however, is their ability to obscure the original referral source. This can be both annoying to webmasters and useful to malicious users. If you’ve worked in web analytics, you know how frustrating it is to see traffic from a URL shortener without being able to trace back the original source. While some services, like
Bit.ly, have built businesses around improving tracking, this obfuscation can still present challenges. In a cookie-less world, URL shorteners remain a useful tool for many applications.
Use Cases—The Good, the Bad, and the Ugly
Masking the original URL is beneficial for various users—some legitimate and others less so. I analysed the shortened URLs almost daily, and I've never run out of surprises so far... Here are a few notable examples:
Phishing Attempts
Phishing accounts for the majority of malicious uses. Typically, scammers set up a mirror website of a popular platform on free hosting services, send phishing emails with shortened links, and hope users won’t notice they’re entering credentials into a fake site. URL shorteners make the original host URL less obvious, increasing the likelihood of success. Some even pair shortened URLs with QR codes to further obscure their tracks and avoid liability. My most faithful users/scammers come from either far east or African countries and they tend to target US and EU based users. Sometimes we play a cat and mouse game in which they post the link, I remove it and they post it again not once but 5 times, just to be sure.
Stolen Goods/Weapons Black Market
Surprisingly, a noticeable percentage of links created with the service (around 20%) appear to lead to pages advertising stolen goods or black-market weapons. While I’m unsure how much of this traffic relies on QR codes versus direct links, it’s an unsettling trend.
Kind of weird to think I've played some part in someone purchasing a M4 at some point.
Ukraine Fundraisers
There have also been sketchy attempts to raise funds for Ukrainian troops, complete with functional checkout pages where users can donate significant amounts of money. The legitimacy of these fundraisers is dubious at best.
Onion Links
While I’ve never delved into the specifics of dark web links, some users clearly take advantage of URL shorteners to obscure onion links. I assume there are already shorteners tailored for the dark web, but it seems this practice has spilled over into regular shorteners as well. I have never really checked out the destination links in the end, for some reason I have a feeling this is not legal content and neither I want to check if I'm really wrong at this point.
Conspiracy Theory Content
This is the funniest stuff by far. There’s a persistent flow of conspiracy theory content. I actively police and remove these links, often recognizing users through a combination of the links themselves and their country of origin. Interestingly, even after I remove these links, some users continue distributing the now-dead links, causing spikes in 505 errors from recipients trying to access non-redirecting URLs.
Reflecting on the Experience
In the end, it wasn't that much of technical challenge but I've learned a few things for sure. To some extent, the internet is still that wild and unpredictable environment that it was back in my early days, which is both reassuring and scary at the same time. From conspiracy theories to phishing attempts and guns black market, there's still plenty happening at the edge of the internet.