Inside a Network of 20,000+ Fake Shops: How Scammers Built an E-Commerce Empire to Steal Your Data

They look real. They have product listings, brand logos, customer reviews, shopping carts, and checkout pages that work exactly like you’d expect. The only thing they don’t do is deliver what you ordered. Welcome to the world of fake shops — and according to new research from Malwarebytes published on March 18, 2026, the problem is far bigger than anyone realized.

Malwarebytes has mapped a single coordinated operation running over 20,000 fake e-commerce domains, all served from just 36 IP addresses, all using identical storefront templates with different brand names pasted on top. The thread tying them all together? A browser tab title most people would never think twice about: “Unrivaled selection only for you.”

These sites exist for one purpose: to steal your payment details and personal data.

The Scale of the Fake Shop Epidemic

Fake e-commerce scams have exploded. According to threat intelligence from Avast, fake e-shop scams rose 790% in Q1 2025 compared to the same period the year before. The drivers are painfully predictable: economic anxiety around trade tariffs is pushing consumers toward bargain alternatives online, and scammers are ready to catch them.

The numbers keep getting worse:

  • During the 2024 holiday season alone, researchers identified over 80,000 fake stores, many of which disappeared or rebranded within days
  • Industry telemetry from late 2025 found that fake shops accounted for 65% of all threats blocked on social media, with Facebook and YouTube as the primary launchpads
  • The FraudWear campaign involved over 30,000 fraudulent stores impersonating more than 350 fashion brands worldwide
  • The BogusBazaar network processed over a million orders across 75,000 domains since 2021

These operations are industrial. They run on franchise models where a core team maintains servers, payment processing, and template infrastructure while decentralized operators spin up individual storefronts on top. When one site gets flagged or taken down, another takes its place within hours.

How Malwarebytes Mapped the Network

While investigating suspicious e-commerce domains, Malwarebytes identified a cluster of more than 20,000 sites sharing common infrastructure patterns.

The Domain Strategy

Most of the fake shops use the .shop top-level domain (TLD), which has become a scammer favorite thanks to cheap registration fees and a plausible-looking extension. The .shop TLD now ranks among the top domains associated with spam and malicious activity, according to Cloudflare’s email security data.

Other common TLDs in the network include .xyz, .store, and .top — all cheap to register, all increasingly associated with fraudulent activity.

The Infrastructure

Behind the visual similarities, these fake shops share a common backbone:

  • 20,000+ domains all resolve to just 36 IP addresses
  • Most hosting clusters around the 207.244.x.x and 23.105.x.x IP ranges
  • All sites run on WordPress powered by Sellvia, a legitimate U.S.-based e-commerce platform
  • Only six visual templates are used across the entire network — really just two base themes with cosmetic variations
  • Product images are pulled directly from Sellvia’s content delivery network

That level of IP concentration isn’t typical for legitimate online retailers. It’s the hallmark of a bulk fraud operation where one group manages the servers and templates while individual operators spin up domains on top.

The Template Giveaway

Every single one of these 20,000+ sites shares a telltale sign in their HTML source: the page title “Unrivaled selection only for you.” It’s the default title from the shared template that operators never bother to customize. Different brand name on the homepage, same fingerprint under the hood.

Malwarebytes identified six “different” storefronts that turn out to be the same two base templates with cosmetic variations — different logos, different color schemes, but identical underlying code, identical product catalogs, and identical checkout flows.

How the Scam Works

The lifecycle of a fake shop scam follows a predictable pattern:

  1. Bait: Victims find the site through social media ads (especially Facebook and YouTube), search engine results, or links in spam messages. The sites often advertise impossibly low prices on popular products.

  2. Hook: The storefront looks professional. It has product photos, descriptions, reviews, and a working shopping cart. Countdown timers and “limited stock” warnings create urgency.

  3. Harvest: When you enter your payment details at checkout, the scammers capture your credit card number, billing address, name, email, and phone number.

  4. Aftermath: You either receive nothing, or you get a cheap knockoff worth a fraction of the advertised price. Meanwhile, your payment credentials are resold on criminal marketplaces or used directly for identity fraud and unauthorized charges.

How to Spot a Fake Shop

The good news: fake shops leave plenty of red flags if you know what to look for.

🔴 Red Flag #1: The Domain

Be immediately suspicious of unfamiliar domains ending in .shop, .top, .store, or .xyz — especially when paired with generic, brand-sounding names. Legitimate retailers typically operate on .com domains with established brand recognition.

Check the domain age. Most fake shops are registered days or weeks before they start advertising. You can check domain registration dates at who.is or ICANN Lookup. A domain registered last week selling luxury goods at 80% off is almost certainly a scam.

🔴 Red Flag #2: Too-Good-To-Be-True Pricing

If an item is sold out everywhere else but heavily discounted on one unknown site, it’s bait. Scammers know exactly which products are trending and price them just low enough to trigger impulse buying.

🔴 Red Flag #3: Identical Layouts Across “Different” Stores

If you notice that multiple sites have identical layouts, product images, and banner designs under different brand names, they’re using the same template. Legitimate stores don’t operate like that.

🔴 Red Flag #4: No Independent Reviews

Search the store name with terms like “review” or “scam.” If the only search results are the site itself (and maybe a few other fake sites in the same network), that tells you everything.

🔴 Red Flag #5: Pressure Tactics

Countdown timers. “Only 3 left!” warnings. “Sale ends in 2 hours!” banners. Legitimate retailers use these too, but fake shops use them aggressively because they need you to buy before you think.

🔴 Red Flag #6: Missing Contact Information

Look for a physical address, phone number, and customer service email. Fake shops typically have a “Contact Us” form that goes nowhere, or provide a generic email address. Legitimate retailers have verifiable contact information.

How to Protect Yourself

Before You Buy

  • Use browser protection. Tools like Malwarebytes Browser Guard, uBlock Origin, and similar extensions can block known scam domains before you reach checkout.
  • Search before you shop. A quick search for “[store name] scam” or “[store name] reviews” takes 30 seconds and can save you hundreds of dollars.
  • Verify the URL. Type the retailer’s address directly into your browser rather than clicking links from ads or social media.

During Checkout

  • Use a credit card, not a debit card. Credit cards offer better fraud protection and easier chargebacks. If your debit card is compromised, the money comes directly from your bank account.
  • Consider virtual cards. Services like Privacy.com generate temporary card numbers that can be limited to a single transaction or merchant.
  • Never pay by wire transfer, cryptocurrency, or gift cards. These payment methods are irreversible — which is exactly why scammers prefer them.

After a Scam

If you’ve already entered payment information on a suspected fake shop:

  1. Contact your bank or credit card company immediately to report the fraud and request a new card number
  2. Monitor your accounts for unauthorized charges
  3. Change passwords if you created an account on the fake site (especially if you reuse that password elsewhere)
  4. Report the site to the FTC at ReportFraud.ftc.gov and to your browser’s safe browsing program

The Infrastructure Weakness

There’s a silver lining in Malwarebytes’ findings: the same IP concentration that makes these operations efficient also makes them vulnerable. Disrupting just 36 servers could take 20,000+ fake shops offline simultaneously.

This is where ISPs, hosting providers, and law enforcement coordination becomes critical. The hosting providers serving these IP blocks — particularly in the 207.244.x.x and 23.105.x.x ranges — have the ability to shut down thousands of fraudulent storefronts with a single action.

Until that happens, the responsibility falls on consumers to stay vigilant. Fake shops succeed because they exploit familiar shopping behavior: clicking ads, following search results, and landing on polished-looking sites. They layer psychological pressure on top — limited-time offers, countdown timers, disappearing stock warnings.

A few extra seconds of checking can save you from handing over your money and your data to cybercriminals. If a deal seems too good to be true, it is.

Sources

  • Malwarebytes, “Inside a network of 20,000+ fake shops,” March 18, 2026
  • Avast Threat Intelligence, “Fake e-shop scam data,” 2025
  • CTM360 Research, “FraudWear: 30,000 fraudulent stores impersonating 350+ brands,” February 2026
  • SRLabs, “BogusBazaar investigation,” 2024
  • Cloudflare, “Top-level domains and email phishing threats,” 2025
  • Gen Digital Q4 2025 Threat Report, “Over 80,000 fake stores identified during holiday season”