Google put out a video with instructions to help you deal with a hacked site: [web.dev...]

Note - if you can see them, Google can too and may start warning visitors in their listings, to keep people from clicking. Your situation may or may or may not be harmful to others, it is best to use the tools they offer to identify and repair a problem.

thanks for the video but no mention of any tools.
Basically just and find a pro.
Do you know of any tool to remove the 10k urls?
thanks, art

No, sorry. Google used to have a set of tools to help find and repair such problems. When I looked up my link to those tools - [support.google.com...] it is redirected to a newer page full of answers and "How-to" information.

That may or may not give you what you need, but I can't get a link to the newer content because it all has the hashtag # element that breaks links here. That old link will take you to their new page full of answers, but that's the only way to get there from here.

Something like this happened to me about 3 years back, though the site itself was not hacked---whole bunch of bogus links ...

Made sure the site was clean, then looked for, and found, regex masks to deny in .htaccess JUST TO MAKE SURE these were NOT attributed to example.com and inside of three weeks these things FINALLY disappeared.

Not sure this is the same thing... but might take a look and see what your logs say.

Tangort, can i have an example of a REGEX mask so i can check my htacces?

I would suggest that if there is no warning in Google's SERPs where your site is listed than it is more likely to be as tangor suggests. I thought that the 10K links part was a known fact. Often the appearance of unusual links in GSC are NOT on your site, but appear to be to your pages from a bogus site. Yes, those disappear in a short time and have no effect.

Something as simple as

SetEnvIfNoCase Request_URI "wp-" ban

NOTE: that is example only. I don't use word press and reject ALL things word press!

I don't use word press and reject ALL things word press!

Amen to that!

not2easy
10k links show up on a site: example.com search
They are still there. 10k japanese or chinese urls
However all of them link only to a 404 message.

Search console, pages shows them as well showing as crawled, not indexed.
Do you recommend using a bulk removal tool
One at a time manual removal takes far too much time.

The 404 will eventually make them disappear. My solution to send 403 merely makes it happen a bit faster. If the links/urls are invalid, they serve no purpose as far as the search engines are concerned and will be EVENTUALLY deprecated. Again, I suggest looking at your system logs to verify the 404 failures.

Also remember, those links you see are not the kind of things USERS are looking for in the first place! Since they are DOA (dead on arrival) they won't really hurt you, just look ugly in the logs.

@Arturo
You should play back a back up or change to some other Server as lang as you cannot rule out any involvement.

A bit of caution here ... unless you KNOW your site was hacked and you found EVIDENCE of malicious code instead of merely being TARGETED by a bunch of script kiddies banging domains with hacking ATTEMPTS, hold off on making major changes to the site.

Resolve the issue of being HACKED first. As for the other, all of us face that every few months, and the IPS never remain the same.