Inside a network of 20,000+ fake shops

More than 20,000 fraudulent online stores—many running on Sellvia WordPress templates and concentrated on 36 IP addresses—were mapped as part of an industrialized scam ecosystem that harvests payment credentials and personal data under polished storefronts and aggressive sale tactics. Researchers linked large campaigns such as FraudWear and BogusBazaar to this activity and advise using browser protection, checking domains carefully, and preferring safer payment methods to avoid falling victim.

Keypoints

  • Researchers identified a cluster of over 20,000 fake e-commerce domains that share identical storefront templates and resolve to just 36 IP addresses, demonstrating centralized infrastructure.
  • Many sites use the .shop TLD and Sellvia WordPress templates, reusing product images and two base themes with cosmetic variations to impersonate legitimate retailers.
  • Fraud networks have scaled into franchise-style operations—examples include FraudWear (30,000 stores) and BogusBazaar (75,000 domains and 1M+ orders)—with core teams managing servers and decentralized operators launching shops.
  • Fake shops harvest payment details, billing addresses, and personal information for resale or direct identity fraud, relying on ad clicks, search results, countdown timers, and deep-discount psychology to drive victims.
  • Activity concentrates in IP ranges such as 207.244.x.x and 23.105.x.x, meaning takedowns of a small number of servers can disrupt thousands of fraudulent stores.
  • Defensive guidance includes using browser protection (e.g., Malwarebytes Browser Guard), scrutinizing unfamiliar TLDs (.shop, .top, .store, .xyz), checking independent reviews, and using credit or virtual cards for safer payments.

Indicators of Compromise

  • [IP Address] infrastructure backbone – 207[.]244[.]102[.]13, 23[.]105[.]8[.]15, and 34 more items
  • [TLD / Domain pattern] domain choices used by scammers – .shop, .xyz
  • [Hosting IP ranges] concentrated provider blocks – 207[.]244[.]x[.]x, 23[.]105[.]x[.]x
  • [Page title] UI indicator used across storefronts – “Unrivaled selection only for you.”
  • [Platform / CMS] storefront technology and templates – Sellvia, WordPress
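
The indicators above combined into a triage check over proxy or DNS records, as an added example that is not part of the original article. The record format, the reading of the x.x ranges as /16 blocks, the score weights and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Indicators copied from the IoC list on this page (defanged there).
IOC_IPS = {"207[.]244[.]102[.]13", "23[.]105[.]8[.]15"}
# Assumption: the "x.x" ranges are read as /16 blocks.
IOC_NETS = [ipaddress.ip_network(n) for n in ("207.244.0.0/16", "23.105.0.0/16")]
WATCH_TLDS = {"shop", "top", "store", "xyz"}
IOC_TITLE = "unrivaled selection only for you."
# Assumed weights: a provider range or a TLD alone must not reach the threshold.
WEIGHTS = {"ioc_ip": 3, "ioc_range": 2, "ioc_title": 2, "watch_tld": 1}

def refang(value):
    return value.replace("[.]", ".")

def score(rec):
    """Score one record (dict with domain, ip, title); return (score, reasons)."""
    reasons = []
    ip = ipaddress.ip_address(rec["ip"])
    if str(ip) in {refang(i) for i in IOC_IPS}:
        reasons.append("ioc_ip")
    elif any(ip in net for net in IOC_NETS):
        reasons.append("ioc_range")
    if rec["domain"].rstrip(".").rsplit(".", 1)[-1].lower() in WATCH_TLDS:
        reasons.append("watch_tld")
    if rec.get("title", "").strip().lower() == IOC_TITLE:
        reasons.append("ioc_title")
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(records, threshold=3, min_cluster=2):
    """Return flagged (domain, score, reasons) and IPs hosting several flagged domains."""
    flagged, by_ip = [], defaultdict(set)
    for rec in records:
        total, reasons = score(rec)
        if total >= threshold:
            flagged.append((rec["domain"], total, reasons))
            by_ip[rec["ip"]].add(rec["domain"])
    clusters = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_cluster}
    return flagged, clusters

# Constructed sample records (not real observations).
SAMPLE = [
    {"domain": "outlet-a.shop", "ip": "207.244.102.13", "title": "Unrivaled selection only for you."},
    {"domain": "outlet-b.shop", "ip": "207.244.102.13", "title": "Unrivaled selection only for you."},
    {"domain": "gadgets-c.xyz", "ip": "23.105.77.4", "title": "Home"},
    {"domain": "florist.shop", "ip": "198.51.100.7", "title": "Fresh flowers"},
    {"domain": "blog.example.org", "ip": "207.244.9.9", "title": "My blog"},
]
```

With these weights, a watched TLD alone (florist.shop) or a provider range alone (blog.example.org) stays below the threshold, while the cluster output groups flagged domains that share one IP.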


Read more: https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-fake-shops