Ddos 
Cyber threat analysts at Silent Push have uncovered a sprawling digital fraud operation dubbed “GhostVendors”, a fake online marketplace campaign leveraging thousands of fraudulent domains and exploiting Facebook’s advertising infrastructure to deceive consumers and impersonate dozens of well-known brands.
In their May 2025 report, the Silent Push team revealed the scale and sophistication of this cyber scam, identifying over 4,000 domains involved in impersonating retailers, selling counterfeit or nonexistent products, and disappearing without a trace after their fraudulent ad campaigns run their course.
The operation abuses Meta’s ad infrastructure—specifically Facebook Marketplace ads—to promote scam offers such as heavily discounted toolboxes or footwear. The ads run temporarily, then are rapidly taken down, leveraging a loophole in Meta’s Ad Library policy which only retains data for active ad campaigns.
“We determined that the threat actors are exploiting an existing Meta policy… and then completely remove previously posted ads,” the report explains. “As soon as a campaign ends, the ads are removed from the Ad Library… making it much more difficult to track threats.”
This policy creates a significant challenge for defenders, as evidence of the scam disappears from public view almost immediately after the ads are paused or terminated.
The scam’s digital infrastructure is both vast and evasive. Silent Push analysts documented:
- Use of Domain Generation Algorithms (DGAs) to quickly create and abandon malicious sites.
- Brand impersonation on a massive scale, targeting major names like Amazon, Costco, L.L. Bean, Rolex, Wayfair, and GE Appliances.
- Deployment of multiple fake identities such as “Millaeke”, “Rabx-B”, and “Tools Clearance” on Facebook Marketplace to circulate misleading product listings.
One example detailed in the report was an ad selling a “Milwaukee 56 Premium 18-Drawer Tool Box” through the domain wuurkf[.]com. The product name remained consistent across multiple domains like toolzde[.]com, gardonset[.]com, and yvnbpm[.]com, which often mimicked legitimate marketplaces.
“This campaign appears to focus on impersonating brands that buy large amounts of online ads—many… are huge and well-known,” the report states.
The GhostVendors operation is not just a widespread financial fraud threat—it undermines trust in legitimate e-commerce, advertising platforms, and consumer protections. Many of the spoofed websites feature ultra-low prices designed to bait clicks, but ultimately deliver no products or harvest credit card details for later abuse.
“We believe it’s likely that many of these don’t deliver the promised products and may instead engage in financial fraud by abusing credit cards,” the report warns.
Donate