Cybercriminals are scaling fake online stores into a coordinated multinational business.

A Bitdefender Labs investigation identified more than 55 fake-shop campaigns targeting consumers across 12 European countries between March and May 2026. The campaigns mimicked some of the world’s most recognizable brands, including Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN.

Attackers used Facebook ads, WhatsApp messages, email campaigns, SMS messages, phone calls and fraudulent websites to lure victims into making payments, sharing personal information or buying fake goods.

Bitdefender researchers mapped more than 40 domains associated with these operations and observed repeat tactics that linked campaigns across multiple countries. Some operators relied on rotating domains and misleading redirects. Others built counterfeit supply chains through WhatsApp and password-protected catalogs. Several campaigns exploited anticipation surrounding the 2026 FIFA World Cup.

The findings show that fake-shop operations have evolved far beyond isolated scam websites. Many now resemble professional e-commerce businesses with advertising budgets, localization strategies and infrastructure designed to evade detection.

Key takeaways

• Researchers identified more than 55 confirmed fake-shop campaigns targeting consumers across Europe.
• Attackers impersonated Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, SHEIN and other major brands.
• Social media ads and WhatsApp emerged as the most-abused channels.
• Several campaigns exploited FIFA World Cup 2026 excitement.
• Operators reused infrastructure across countries and brands.
• Redirect chains, Unicode lookalike domains, domain rotation, and localized content helped attackers evade detection.

By the numbers

• 55+ confirmed fake-shop campaigns.
• 15+ impersonated brands.
• 12 European countries targeted.
• 40+ fake domains mapped.
• 6 attack channels observed.

The investigation tracked coordinated campaigns operating between March and May 2026 across social media platforms, WhatsApp, email, SMS, phone calls, and fraudulent e-commerce websites.

Fake-shop campaigns spread across Europe

Bitdefender security researchers have observed confirmed activity across the EU and the United Kingdom, including Germany, France, Italy, Poland, Spain, the Netherlands, Sweden, Portugal, Austria, Ireland and Romania.

The campaigns appeared on multiple channels:

• Social media advertisements
• WhatsApp messages
• Email campaigns
• SMS campaigns
• Phone calls
• Dedicated fake e-commerce websites

Rather than relying on a single fraudulent storefront, many operators rotated domains, changed brands, and adapted messaging to local audiences.

Samsung Galaxy S26 Ultra offered at 90% discounts

One campaign promoted Samsung Galaxy S26 Ultra devices for only €249 while advertising discounts of up to 90%.

The operation targeted German consumers through Facebook advertisements and used domains such as:

• shopintertec[.]com
• shop.zppzddw[.]shop
• shop.fjjfxxz[.]shop

Researchers found a mix of unrelated advertising personas promoting the same fraudulent offer. The campaign generated substantial engagement, including hundreds of thousands of ad views.

Researchers also saw a Netherlands-based variant that abused KPN branding. According to the investigation, ads promised Samsung-related offers through what appeared to be KPN-affiliated promotions, then redirected users to the fraudulent storefront crowndistrictstore[.]com.

ZARA and Nike campaigns shared the same infrastructure

Researchers also identified a Polish hub operating through notcia[.]shop that impersonated both ZARA and Nike.

The ZARA campaign advertised Italian fashion products and seasonal collections while directing shoppers to fake storefronts at the same time. The Nike campaign promoted apparel and requested detailed delivery information, including home addresses and postal codes.

Researchers also linked related domains to the operation, including:

• nebularaless[.]info
• shryxla-mynx[.]icu
• isblkx[.]shop

Both campaigns used the same domain, notcia.shop, and the same advertising identity, suggesting an operational link between the ZARA and Nike impersonation activities. The Nike campaign also requested detailed delivery information, including house numbers and postal codes.

Moreover, these campaigns seek to gather personal information from their targets. The website states the following (translated from Polish):

“Please provide your exact delivery address (including street address, house number, and postal code), otherwise we cannot guarantee product delivery! Thank you for your cooperation! Processing time: Ships within 48-72 hours of payment. Money-back guarantee.”

Fake H&M sales targeted Italian shoppers

Another campaign promoted heavily discounted clothing through cyberloria[.]cfd.

This operation primarily targeted consumers in Italy and used Facebook advertisements that imitated legitimate H&M promotions. Attackers exploited brand recognition and discount claims to drive traffic toward a suspicious domain unrelated to the actual retailer.

WhatsApp becomes a counterfeit marketplace

The “Supplier Carl” counterfeit network

Bitdefender researchers also uncovered a China-based operator calling himself “Carl” who contacted European users through WhatsApp. The messages promoted “1:1 quality” counterfeit products, including Nike, Adidas, Jordan, Golden Goose, various watches, luxury accessories and much more.

Victims were directed toward password-protected Yupoo catalogs, including:

• carl-album.x.yupoo[.]com
• adidas555.x.yupoo[.]com
• golden-goose.x.yupoo[.]com
• xy666999.x.yupoo[.]com

The messages indicated that the operator offers DHL shipping to Europe and researchers observed the same infrastructure being promoted to users in Germany, France, and Italy.

Here is an example of such a message (original text):

“Nice to meet you, my name is Carl, I am a supplier from China. I specialize in 1:1 quality, I have shoes, clothes, bags, belts, watches, sunglasses and other products. About shipping. The express delivery for European countries is DHL, the shipping time is about 7-12 days. The express delivery for other countries is FedEx and the shipping time is 7 days. Here are some of my yupoo products. Please click to view. If you like the item, please send me a picture and I will tell you the price.”

Adidas World Cup Fan-Kit scams

Another campaign targeted German users with messages promising free Adidas Deutschland 2026 Fan Kits.

The operation distributed thousands of WhatsApp messages and relied on redirect infrastructure such as:

• linkrdr[.]cc
• rewardpillar[.]cc
• dealgo[.]cc
• offerpilot[.]cc
• msgdeal[.]cc

The campaign exploited enthusiasm for the FIFA World Cup to convince recipients that they had won exclusive promotional merchandise.

Unicode lookalike domains bypass traditional checks

Researchers also identified campaigns that abused visually deceptive domains—a surprisingly common tactic. Not everyone checks the actual URLs of the websites they open, and attackers know this all too well.

Examples included:

• adidas[.]com
• adidas[.]com
• adidȧs[.]com
• ṇike[.]com
• niḳe[.]com
• rołex[.]com

These domains appeared legitimate to human users while remaining technically different from authentic brand domains. The campaigns typically promised free shoes, watches, coupons, or anniversary gifts.

Email, SMS, and phone scams expand the ecosystem

SHEIN-themed email campaigns

Security researchers also identified a large-scale email operation impersonating SHEIN order-confirmation messages.

The campaign relied on domains including:

• sheinnotice[.]com
• sheinemail[.]com

The attackers tried to make the messages look authentic through localized European content and retailer-themed branding. One unusual indicator involved legal documentation hosted on Google Drive rather than official websites.

Counterfeit World Cup merchandise stores

Researchers also observed counterfeit merchandise campaigns exploiting FIFA World Cup 2026 interest.

Associated domains included:

• footballiscrazy[.]com
• unitedfutballjersey[.]com
• kicksfireshoes.com[.]co

The operators promoted jerseys and football merchandise through email and SMS campaigns targeting European fans.

Amazon clone sites and subscription traps

Amazon branding emerged as one of the most frequently observed in terms of impersonation attempts during the investigation.

Researchers identified:

• feasino[.]shop
• amazon-clone-*.vercel[.]app

These operations seemed to be designed to exploit consumer trust in the Amazon brand to collect payment information and potentially enroll users in unwanted subscription schemes.

Established fake-shop networks continue operating

Homborg Online Handel runs a rotating network of German fake shops

One of the most mature operations identified during the investigation was a network operating under variations of the name “Homborg Online Handel.”

The German consumer protection association Verbraucherschutz Deutschland online e.V. has published warnings about the operation, which reportedly runs multiple professional-looking online stores that target shoppers with attractive pricing and what look like legitimate checkout experiences.

According to the investigation, the storefronts advertise multiple payment options, including card payments and PayPal, but ultimately accept only SEPA advance bank transfers during checkout. Because bank transfers offer limited recourse once funds are sent, victims face serious challenges recovering their money.

Researchers observed a pattern of rapid domain rotation. When one domain is removed or blocked, another appears shortly afterward. As of May 2026, the network included domains such as:

• alpinvolt[.]de
• kaimoro[.]de
• havro[.]de
• kavri[.]de
• heyomi[.]de
• norya[.]de

This extensive operation shows how fake-shop networks increasingly resemble legitimate e-commerce businesses, complete with professional storefronts, customer-service workflows, and infrastructure designed to survive enforcement efforts.

Romanian fake-order calls

Another operation relied on telephone calls. Victims received calls claiming they had already placed an online order. Attackers pressured recipients to confirm purchases, provide personal information, or complete payments for products they never requested.

The products varied widely, from fashion items to health supplements and household goods.

Lidl-themed fake shops

Researchers also found Lidl impersonation campaigns delivered through sponsored search advertisements. The fake storefronts visually mimicked Lidl branding and appeared directly within search results, making it more likely that consumers would mistake them for legitimate retailer listings.

Fake shops are becoming professionalized

The investigation shows how fake-shop operators increasingly combine paid advertising, messaging platforms, counterfeit supply chains, and localized social engineering into coordinated campaigns spanning multiple countries.

Rather than relying on a single fraudulent website, operators rotate domains, impersonate multiple brands simultaneously and adapt the messages to local audiences. Some campaigns focus on harvesting payments while others prioritize collecting personal information, delivery addresses or credentials. Many do both.

With FIFA World Cup 2026-related scams already emerging and several campaigns showing signs of expanding elsewhere in Europe, consumers should expect fake-shop activity to continue growing throughout 2026.

The evolution from isolated scam websites to coordinated fake-commerce ecosystems suggests that fake shops will remain one of the most persistent consumer cyberthreats in Europe.

Indicators of compromise (IOCs)

• shopintertec[.]com
• shop.zppzddw[.]shop
• shop.fjjfxxz[.]shop
• shop.pjjpjjq[.]shop
• shop.oqqovvy[.]shop
• shop.jrsjrsx[.]shop
• crowndistrictstore[.]com

ZARA and Nike infrastructure

• notcia[.]shop
• nebularaless[.]info
• shryxla-mynx[.]icu
• isblkx[.]shop

H&M infrastructure

• cyberloria[.]cfd

SHEIN infrastructure

• sheinnotice[.]com
• sheinemail[.]com

Amazon impersonation infrastructure

• feasino[.]shop
• amazon-clone-*.vercel[.]app

World Cup merchandise infrastructure

• footballiscrazy[.]com
• unitedfutballjersey[.]com
• kicksfireshoes.com[.]co

Unicode lookalike domains

• adidas[.]com
• adidaš[.]com
• adidȧs[.]com
• adidạs[.]com
• ṇike[.]com
• niḳe[.]com
• rołex[.]com
• rolẹx[.]com

Counterfeit supplier infrastructure

• carl-album.x.yupoo[.]com
• adidas555.x.yupoo[.]com
• golden-goose.x.yupoo[.]com
• xy666999.x.yupoo[.]com
• qiqiyg[.]com
• bags.qiqiyg[.]com

Homborg network

• alpinvolt[.]de
• kaimoro[.]de
• havro[.]de
• kavri[.]de
• heyomi[.]de
• norya[.]de

Additional fake-shop infrastructure

• zarino-originals[.]com
• newsparkings[.]com
• love-outdoor[.]com
• dropshipexpress.net
• markandrebels[.]com
• zenouv[.]com

Redirect infrastructure

linkrdr[.]cc
dealgo[.]cc
rewardpillar[.]cc
offerpilot[.]cc
msgdeal[.]cc

This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.