
Inside a network of hundreds of fake online stores run by a single threat actor

NordVPN’s Threat Intelligence research unit has traced a newly uncovered network of previously unknown and interconnected fraudulent e-commerce websites, all operating under a single, centralized structure. What appears to be hundreds of independent online stores is, in reality, a coordinated system designed to collect payment details and personal data at scale. Let me show you what powers an operation like this.

Apr 14, 2026


Fake online store network run by a single threat actor

What looks like independent online stores is one coordinated operation

NordVPN’s Threat Intelligence team documented over 800 fraudulent e-commerce websites operating across multiple product verticals, including fashion, electronics, home goods, and automotive parts. To the untrained eye, each appears to be a standalone operation — complete with its own branding, product catalog, and customer-facing infrastructure.

But the facade crumbles once we move past the customer-facing layer and into the operational layer. There, we see a single contact email (support@carpartsoffice.com) hardcoded across the entire network, serving not as a support channel but as a centralized operational control point.

The technical stack reinforces the picture of centralized control and confirms systematic orchestration. These sites operate on uniform WordPress and WooCommerce platforms, follow template-based deployment, and share architectural similarities that point to deliberate replication rather than organic development.

So when we look at this in context and start connecting the dots, what we’re essentially looking at is a coordinated network of fake shops designed to run in parallel.

How the operation is built to scale

What makes an operation like this possible is standardization. The threat actor reuses the same infrastructure over hundreds of different domains, which allows them to deploy new storefronts with very little variation or effort.

Looking at how these sites are put together, the build pattern is consistent enough to be unmistakable. All 800 run on WordPress with WooCommerce, giving the operator a stable e-commerce framework that can be copied, modified, and relaunched under a new domain.

This reuse of the same framework also explains why these sites can pass the eye test. The threat actor simply uses ready-made templates to define layout and structure, swaps product catalogs in bulk, and adjusts branding just enough to suggest a legitimate, independent business. To an everyday online shopper, it’s just a normal site. But the fact is, it is not.

Scale here is not incidental to the operation but central to how it was built. The same system that creates one storefront can produce hundreds more with minimal changes, which is how a single threat actor is able to run a network of this size.

Why these fake stores work on people

Building the network at scale is one problem. Getting real shoppers to hand over their payment details is another — and in this specific fraud operation, the solution the threat actor settled on is as old as fraud itself: the appearance of a deal too good to pass up. Across this network of sites, products are listed at discounts ranging from 50% to 80% below typical market prices — a pricing strategy that is anything but accidental.

Discounts at this level are calibrated to create urgency. The implied message is that the window is closing, the stock is limited, and hesitating means missing out. For a shopper who stumbles across one of these sites through a search result or a social media ad, that type of framing is designed to compress the time between landing on the page and entering payment details. It helps the entity behind the operation bypass the kind of due diligence most people would otherwise apply.

The product range is deliberately broad. The network spans fashion and luxury goods, electronics, automotive parts, health products, toys, pet supplies, gardening equipment, and more. Such breadth is not a sign of operational complexity but of automation. The same templated infrastructure that runs a fake car parts store can be applied to a fake cosmetics store with minimal reconfiguration. The variety exists to maximize the surface area for potential victims, not because there is a specialized operation behind each vertical.

What makes these sites particularly effective is how convincingly they mimic legitimate retail. The layouts follow standard e-commerce conventions, the product photography is professionally sourced, and the checkout flows are designed to feel like any other online purchase. Nothing about the front-end experience is intended to raise flags — which is precisely the point.

What the operation is actually collecting

The storefronts of these sites are just that — a front-end layer. But what the operation is actually built to harvest is payment credentials and personal data.

When a user proceeds to checkout on one of these sites, they are submitting card details, billing addresses, full names, phone numbers, and email addresses to infrastructure controlled entirely by the threat actor. There is no order being processed on the other end. The transaction completes — or appears to — and the data is retained.

This kind of data has compounding value because payment credentials can be used directly for fraudulent transactions or sold in bulk. Personally identifiable information (PII) feeds into secondary fraud operations, phishing campaigns, and identity theft schemes. A single victim interaction produces multiple exploitable data points, which is part of what makes a network of this scale worthwhile to operate and maintain.

Tracing the operation back to a Chinese-speaking threat actor

Most fraud operators work hard to obscure their origins, but this one left enough forensic traces to make attribution possible with confidence.

The most telling evidence is linguistic. Across multiple sites in the network, our team found Chinese-language artifacts embedded in the content, including untranslated characters, Chinese-language file names, and Chinese watermarks on stock imagery. These are not the kind of traces left by someone using an automated translation tool or building from a generic template. They indicate that content creation and site management were carried out natively, or near-natively, in Chinese.

Beyond the language artifacts, the infrastructure is just as revealing. Every site in the network is registered through a single registrar — Spaceship, Inc. — and all share the same support contact: support@carpartsoffice.com. Our team also identified a consistent cryptographic hash across the network, a shared digital fingerprint that links the sites at a technical level regardless of how different their storefronts appear to the naked eye. Combined, these indicators point to a single threat actor (or a tightly coordinated group) operating from a centralized management structure rather than a distributed or franchised model.

This is not crime-as-a-service, where infrastructure is rented out to multiple operators. The uniformity of the email address, the registrar, and the technical fingerprints rules that out. This is one actor running the entire ecosystem.
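The pivoting logic described above, as an added example that is not NordVPN's own tooling: storefront records are linked into one cluster only through strong indicators (a shared support address, a shared technical fingerprint), while a shared registrar is reported as supporting evidence rather than used as a link on its own, since plenty of legitimate sites use the same registrar. The domain names and fingerprint values are constructed placeholders; only the support address and the registrar name come from the article.

```python
"""Cluster storefront domains by shared operational indicators (union-find)."""
from collections import defaultdict

# Constructed sample records. Domains under .example and the fingerprint
# values are placeholders; the support address and registrar are from the article.
SITES = [
    {"domain": "shop-a.example", "registrar": "Spaceship, Inc.",
     "support_email": "support@carpartsoffice.com", "fingerprint": "HASH_PLACEHOLDER_1"},
    {"domain": "shop-b.example", "registrar": "Spaceship, Inc.",
     "support_email": "support@carpartsoffice.com", "fingerprint": "HASH_PLACEHOLDER_1"},
    {"domain": "shop-c.example", "registrar": "Spaceship, Inc.",
     "support_email": "support@carpartsoffice.com", "fingerprint": "HASH_PLACEHOLDER_1"},
    {"domain": "legit-store.example", "registrar": "OtherRegistrar",
     "support_email": "help@legit-store.example", "fingerprint": "HASH_PLACEHOLDER_2"},
    # Same registrar as the cluster but nothing else in common: must stay separate.
    {"domain": "other-shop.example", "registrar": "Spaceship, Inc.",
     "support_email": "sales@other-shop.example", "fingerprint": "HASH_PLACEHOLDER_3"},
]


def cluster_by_shared_indicators(sites, link_on=("support_email", "fingerprint")):
    """Return clusters (lists of domains), largest first. Two sites join one
    cluster when they share the same value of any indicator in link_on."""
    parent = {s["domain"]: s["domain"] for s in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for key in link_on:
        first_seen = {}
        for s in sites:
            if s[key] in first_seen:
                parent[find(s["domain"])] = find(first_seen[s[key]])
            else:
                first_seen[s[key]] = s["domain"]

    groups = defaultdict(list)
    for s in sites:
        groups[find(s["domain"])].append(s["domain"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def describe_cluster(sites, members):
    """Summarise supporting indicators for one cluster: registrar and support
    address uniformity, plus sites whose support address is not on their own
    domain (the 'non-branded' contact the article flags)."""
    rows = [s for s in sites if s["domain"] in members]
    non_branded = [s["domain"] for s in rows
                   if s["support_email"].split("@", 1)[1] != s["domain"]]
    return {"size": len(rows),
            "single_registrar": len({s["registrar"] for s in rows}) == 1,
            "single_support_email": len({s["support_email"] for s in rows}) == 1,
            "non_branded_contacts": sorted(non_branded)}
```

Run against real records, the same two functions make the article's argument checkable: one large cluster with a single registrar and a single support address across every member is consistent with one operator, while a registrar shared by otherwise unrelated sites is not enough to link them.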

How this investigation was conducted

This investigation was carried out using open-source intelligence methodology (OSINT) in close collaboration with the TechRadar security team. The process combined advanced search techniques, including targeted search strings applied across both general and specialized search engines, with domain and infrastructure analysis tools such as Fofa.io and Shodan.io.

The goal was not simply to identify theoretically vulnerable or suspicious domains, but to verify which sites were actively compromised or operationally fraudulent — and to map the perimeter of the network with as much precision as the available data would allow. Every conclusion drawn here is grounded in corroborated, cross-referenced findings.

How to protect yourself

A network of over 800 stores built on identical infrastructure, selling implausible discounts across dozens of product categories, is not something most shoppers are trained to recognize as fraud. But there are reliable ways to spot the warning signs and avoid falling for the scam.

The single most consistent red flag across this entire network is pricing. Discounts of 50–80% on products that don’t go on sale at that level anywhere else are not deals. They are bait. If the price looks implausible, treat the site as suspect before you treat it as an opportunity.

Before purchasing from an unfamiliar store, take a few minutes to verify it independently. Search the domain name alongside terms like “scam” or “reviews.” Check whether the site has a traceable business history, real customer feedback on third-party platforms, and transparent contact information beyond a generic support email. If the only contact point is a non-branded address, that alone is worth pausing for.

Beyond manual verification, NordVPN’s Threat Protection Pro™ adds an active layer of defense by blocking access to known malicious domains before a connection is established. That means even if you encounter one of these sites through a search result or a redirected link, it can intervene before you reach the checkout page.

The fake shop ecosystem documented here is not a fringe phenomenon but an industrialized operation running at scale. Awareness of how it works is the first line of defense. The second is having tools in place that can identify and block malicious domains at the network level, before a connection is ever established.


Mattia Vicenzi

Mattia is an open-source and cyber threat intelligence analyst specializing in monitoring and analyzing online scams. In his free time, he volunteers with various organizations to help search for missing persons.