As the global holiday shopping season reaches its peak, cybersecurity researchers have uncovered a massive, industrialized operation designed to defraud consumers through a sophisticated network of counterfeit e-commerce sites.
In a report released in November 2025, PreCrime Labs, the research division of BforeAI, identified a coordinated campaign involving the mass registration of fake online shop domains.
These sites are designed to impersonate legitimate retailers, steal financial data, and distribute malware through counterfeit checkout systems.
The investigation analyzed 244 domains registered since the start of the year, revealing a clear strategy to target major retail events such as Black Friday and Singles’ Day.
The telemetry indicates a well-structured operation that traces primarily back to Chinese infrastructure. Of the identified domains, 79 were registered in China, with West263 International Limited (46 domains) and Dynadot (41 domains) serving as the top registrars.
Industrialized Infrastructure and TTPs
The campaign is not a collection of isolated incidents but a “highly organized infrastructure-as-a-service model.” The peak registration activity occurred in October, with 78 new domains appearing just in time to capture early holiday traffic.
Researchers noted that over 50% of these WHOIS entries utilize privacy protection to obscure attribution, though backend ASN metadata consistently points to Chinese or Hong Kong hosting providers.
Threat actors are utilizing automated site-generation tools to mass-produce these storefronts.
Cross-referencing through OSINT exposed shared JavaScript libraries, identical checkout templates (often mimicking Shopify structures), and reused tracking pixels across multiple domains.
Pivoting via DNSlytics revealed that while some domains use Cloudflare to hide their origin, the hosting blocks are frequently recycled for new clusters every few weeks.
The report highlights several distinct strategies used to deceive victims:
- Agenda-Oriented Campaigns: Some domains, such as “peaceforsecurity[.]com,” masqueraded as high-end fashion stores selling “Women Dresses 2025.” This tactic likely attempts to exploit charitable sentiments or align with legitimate humanitarian campaigns from major brands to evade detection.
- Ambiguous Cross-Branding: Attackers are mixing brands to confuse consumers. For instance, “lululemonsalehub[.]com” was found promoting hair products unrelated to the athletic brand while page titles referenced “Shein,” creating a chaotic multi-brand impersonation.
- Seasonal Urgency: To drive immediate clicks, actors registered domains like “mango-flashsale[.]com” and generic sites like “gymclothes980[.]store.” These sites utilize crude templates and “free shipping” offers to harvest Personally Identifiable Information (PII) and credit card details.
Mitigation and Outlook
This campaign highlights the critical need for continuous monitoring of domain registration trends, particularly registrations timed to major retail periods, when operators promote the sites on social platforms like TikTok and Facebook to maximize visibility.

In response to these findings, BforeAI escalated confirmed domains to registrars like GMO and Dynadot for immediate suspension.
While server takedowns have rendered several clusters non-resolving, the resilience of these operators suggests they will likely pivot to new TLDs such as .top, .shop, and .vip.
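As an added example (not code from the report or from BforeAI), the following Python script triages a constructed feed of new registrations against the indicators the report describes: brand names in the label, seasonal bait words, risky TLDs, throwaway numeric suffixes, cross-branded page titles, and registration timing. The brand and keyword lists, score weights, the October to December window and the sample feed with its page titles are all assumptions for the demo.

```python
import re
from datetime import date

# Vocabulary drawn from the campaign the report describes; tuples keep reasons ordered.
BRANDS = ("lululemon", "mango", "shein")
SEASONAL = ("sale", "deal", "hub", "clothes", "dress", "blackfriday", "singles")
RISKY_TLDS = {"top": 2, "shop": 2, "vip": 2, "store": 1}
# Assumed retail run-up window (month, day) covering Singles' Day and Black Friday.
RETAIL_WINDOW = ((10, 1), (12, 31))

def score_domain(domain: str, registered: str, title: str = "") -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one registration; higher means look first."""
    label, tld = domain.lower().strip(".").rsplit(".", 1)
    flat = re.sub(r"[^a-z]", "", label)                  # "mango-flashsale" -> "mangoflashsale"
    haystack = flat + "|" + re.sub(r"[^a-z]", "", title.lower())  # "|" blocks cross matches
    score, reasons = 0, []
    brands = [b for b in BRANDS if b in haystack]
    score += 3 * len(brands)
    reasons += [f"brand:{b}" for b in brands]
    if len(brands) > 1:                                   # ambiguous cross-branding
        score, reasons = score + 2, reasons + ["cross-brand"]
    for term in SEASONAL:
        if term in haystack:
            score, reasons = score + 1, reasons + [f"season:{term}"]
    if tld in RISKY_TLDS:
        score, reasons = score + RISKY_TLDS[tld], reasons + [f"tld:.{tld}"]
    if re.search(r"\d{2,}", label):                      # throwaway numeric suffixes
        score, reasons = score + 1, reasons + ["numeric-suffix"]
    d = date.fromisoformat(registered)
    if RETAIL_WINDOW[0] <= (d.month, d.day) <= RETAIL_WINDOW[1]:
        score, reasons = score + 2, reasons + ["retail-window"]
    return score, reasons

# Constructed sample feed: (domain, registration date, observed page title).
FEED = [
    ("lululemonsalehub.com", "2025-10-12", "Shein hair care sale"),
    ("mango-flashsale.com", "2025-10-20", "Mango Flash Sale Free Shipping"),
    ("gymclothes980.store", "2025-11-02", "Gym Clothes Free Shipping"),
    ("peaceforsecurity.com", "2025-09-15", "Women Dresses 2025"),
    ("example-bakery.net", "2025-03-04", "Example Bakery"),
]

def triage(feed, threshold: int = 4) -> list[tuple[str, int]]:
    """Rank the feed by score and keep entries at or above the threshold."""
    scored = [(score_domain(d, r, t)[0], d) for d, r, t in feed]
    return [(d, s) for s, d in sorted(scored, reverse=True) if s >= threshold]

if __name__ == "__main__":
    for domain, registered, title in FEED:
        score, reasons = score_domain(domain, registered, title)
        print(f"{score:>3}  {domain:<24} {' '.join(reasons)}")
```

Note that the agenda-oriented lure scores low because its domain name carries no brand or bait word; name-based heuristics need page-content and infrastructure pivots (shared templates, recycled hosting blocks) to catch that class.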
