A sophisticated network of 71 fraudulent websites impersonating a major German discount
retailer has been uncovered, revealing an elaborate scheme designed to steal payment information and personal data from unsuspecting consumers.
These sites use typosquatting techniques by registering domain names that closely resemble legitimate retailer addresses. They also run deceptive online advertising campaigns to lure victims.
The operation has been active since at least February 2025 and primarily targets European consumers with fake discount offers on electronics and household goods.
Unlike typical phishing scams, this fraud does not just collect data. The fake websites actively process payments using compromised merchant accounts.
Victims who believe they are purchasing heavily discounted electric scooters and other products from a trusted retailer end up sending their payment details directly to the fraudsters. These criminals capture the financial information and never deliver any merchandise. This scam reflects a growing trend in e-commerce fraud that combines brand impersonation with functional payment processing capabilities.
Researchers from Recorded Future Payment Fraud Intelligence identified the network after discovering lidlorg[.]com on April 19, 2025. This site was designed to impersonate Lidl, the German international discount retailer.
Further investigation connected this initial site to a larger network of 71 domains using similar tactics and shared merchant infrastructure.
“This campaign shows a concerning evolution in purchase scams,” the Recorded Future team said in their analysis.
“The operators have built an entire ecosystem of fake storefronts, advertisement networks, and payment processing channels to maximize their ability to defraud consumers and harvest financial data for further fraud.”
At the center of this operation is a sophisticated infrastructure linking seemingly unrelated websites through twelve shared merchant accounts.
These accounts, with names like AKRU KERAMIK GMBH, MYCOZYBABIES, and YSPCLOTHINGGSHOP, handle victim payments while enabling the theft of personal and financial information.
The domains themselves share common traits. They have been active for about 65 days on average and score an alarming 88 out of 100 on DomainTools risk assessment metrics.
Anatomy of the Scam Network
The technical setup behind this fraud reveals careful planning and coordination. The attackers use Facebook ad accounts with names such as “EU STORE” and “L Clearance” to distribute ads featuring the impersonated retailer’s logo alongside offers that seem too good to be true.
These ads direct victims to the fake domains, which appear legitimate but hide their malicious purpose.
What makes this scam network particularly notable is its ability to process payments. Unlike traditional phishing sites that only collect information, these domains complete the fraud cycle by processing real transactions through compromised merchant accounts.
The merchant accounts linked to these domains show signs of transaction laundering. This practice disguises high-risk or fraudulent transactions as legitimate business.
For example, PETHOUSEN LLC officially lists its URL as pethousen[.]com. However, Recorded Future researchers found it processing payments for scam domains such as biliability[.]com, dknyonlineuk[.]com, and outletmalleu[.]shop.
The investigation has not yet determined whether this network is controlled by a single sophisticated threat actor or if it represents a collaborative effort among multiple criminal groups sharing resources.
The merchant infrastructure could be part of a “cash-out” service rented on dark web markets, or the entire operation could be managed by one group rotating domain and merchant combinations to avoid detection.
Financial institutions are advised to block transactions involving the identified merchant accounts. They should also monitor any customer cards that have previously been used with these accounts for additional signs of fraud. Merchant acquirers should analyze similar merchant registrations in their portfolios to find other potentially compromised accounts.
As the operation continues to launch new domains and advertising campaigns to replace those taken down, vigilance is essential for both consumers and financial institutions in detecting and avoiding these increasingly sophisticated purchase scams.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
