At a glance
- Actor: Suspected cybercriminal networks (e.g., “Supplier Carl” and “Homborg Online Handel”)
- Activity Type: Fake e-commerce websites, WhatsApp sales, and phishing
- Targets: Consumers across 12 European countries
- Scale: Over 55 campaigns and 40 mapped domains
- Jurisdiction: Active operations; no official arrests announced
- Source: Bitdefender Labs
TL;DR
Attackers launched over 55 fake shop campaigns across Europe between March and May 2026. These suspected cybercriminal networks impersonate major brands to sell counterfeit goods. Shoppers must verify websites carefully to avoid severe financial losses.
What happened
Over 55 fake shop campaigns recently emerged across 12 European countries. Attackers impersonate famous brands like Samsung, Nike, Adidas, and ZARA. They use Facebook ads, WhatsApp messages, and email to lure victims. Often, they promise huge discounts on popular items. For example, one campaign offered a Samsung Galaxy S26 Ultra for just €249. Another scam promoted free Adidas kits for the 2026 FIFA World Cup. These operations trick users into paying for non-existent or counterfeit goods.
Furthermore, attackers steal sensitive delivery addresses and payment details. The counterfeit merchandise network reaches deep into local markets. For instance, scammers sent localized emails mimicking SHEIN. These messages used correct European languages to look authentic. Attackers even hosted fake legal documents on Google Drive. According to a recent Bitdefender Labs investigation, fake stores are evolving rapidly. The report states, “Many now resemble professional e-commerce businesses with advertising budgets.” They use localization strategies to evade detection.
Who is behind it
Security experts suspect several distinct cybercriminal networks run these operations. Researchers identified a China-based operator who calls himself Carl. He sells counterfeit goods directly through WhatsApp messages. Another network operates in Germany under the name Homborg Online Handel. They run a rotating set of German fake stores. The attackers use Unicode lookalike domains to bypass traditional security checks. Authorities have not yet charged anyone.
Impact or scale
The scale of these fake shop campaigns is massive. Researchers mapped more than 40 domains linked to these operations. The scams target shoppers in countries like Germany, France, Italy, and Poland. Some campaigns focus entirely on harvesting payments. Others prioritize collecting personal information or credentials. Shoppers also face threats from fake Amazon clone sites. These clones try to enroll victims in unwanted subscription schemes.
The products sold vary widely across these campaigns. Victims buy fake fashion items, health supplements, and household goods. Attackers often change their website domains quickly: when one fake store closes, another opens immediately. This domain rotation helps them survive law enforcement efforts. Bank transfers offer limited recourse once funds are sent, so many victims lose money via irreversible SEPA bank transfers and face serious challenges in recovering it.
What comes next and protection
Cybercriminals will likely launch more fake shop campaigns. Experts expect World Cup scams to grow throughout 2026. Therefore, consumers must remain extremely cautious. Shoppers should verify domain names before making any purchases and avoid clicking suspicious promotional links in WhatsApp or SMS messages. Victims often receive phone calls confirming fake orders, and scammers pressure them into paying for unrequested products. Finally, buyers should use credit cards instead of direct bank transfers to ensure fraud protection.
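A defender-side check for the Unicode lookalike domains mentioned above, and one way to automate the advice to verify domain names. This is an added example, not code from the Bitdefender Labs report: the function names are hypothetical, the lookalike table is a small hand-picked subset, and the sample hostnames are constructed.

```python
import re
import unicodedata

# Brands named in the article; extend with the names you protect.
BRANDS = {"samsung", "nike", "adidas", "zara", "shein", "amazon"}

# Hand-picked subset of lookalike characters (assumption: a production check
# would load the full Unicode confusables data instead of this short table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",  # Cyrillic es, ha, dze, i
    "\u0458": "j", "\u0501": "d", "\u03bf": "o", "\u0131": "i",  # je, komi de, omicron, dotless i
}

def decode_label(label):
    """Return the Unicode form of one DNS label (decodes xn-- punycode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: keep the raw label
            return label
    return label

def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label):
    """Fold known lookalikes to ASCII and strip combining accents."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in label.lower())
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check_domain(host):
    """Return findings for a hostname; an empty list means nothing flagged."""
    findings = []
    for raw in host.rstrip(".").split("."):
        label = decode_label(raw)
        if label.isascii():
            continue  # this check only covers Unicode lookalikes
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label {raw!r}")
        for brand in sorted(BRANDS & set(re.split(r"[^a-z0-9]+", skeleton(label)))):
            findings.append(f"non-ASCII label {raw!r} reads as brand '{brand}'")
    return findings

if __name__ == "__main__":
    # Constructed sample hostnames, not indicators from the report.
    for host in ["adidas-outlet.example", "\u0430didas-outlet.example", "m\u00fcnchen-shop.example"]:
        print(ascii(host), check_domain(host))
```

ASCII-only typosquats and brand names embedded in otherwise legitimate-looking ASCII domains are outside the scope of this check and need a separate comparison against the brand's real domains.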