
A rapidly expanding cyber fraud operation has come to light, weaponizing fake online stores to steal payment data from unsuspecting users. At the center of this scheme is a malicious network of 71 scam websites, many of which impersonate a well-known German discount retailer. Detected by Recorded Future’s Payment Fraud Intelligence team on May 8, 2025, this scheme demonstrates an industrial-scale abuse of e-commerce platforms designed to commit direct payment fraud.
Criminals Set Up Fake Shops That Actually Process Payments
The fraudulent network revolves around the domain lidlorg[.]com, supported by dozens of other scam sites, all of which create the illusion of legitimacy using brand impersonation, stolen logos, and fake merchant accounts. But these aren’t just ordinary phishing pages—they are capable of processing actual transactions, meaning victims willingly enter their payment details, believing they’re buying from a legitimate site.
The infrastructure is shockingly complex. The Recorded Future team found 71 scam domains, most less than three months old, using 12 different merchant accounts such as AKRU KERAMIK GMBH, MYCOZYBABIES, and YSP\QHWLKJSHOP. These accounts span various merchant codes and banks, indicating a highly organized operation. Domains were promoted through compromised advertiser accounts and dark web malvertising services, directing targeted traffic to fraudulent shops.
What makes this campaign particularly insidious is transaction laundering—merchant accounts are tied to domains unrelated to their listed business names, making it hard for banks to detect the fraud. A merchant listed as “PETHOUSEN LLC” might be operating a domain like bililability[.]com, completely unrelated to its stated purpose.
The fraud is supported by a dark web ecosystem offering services like ad boosting, traffic generation, and merchant account rentals. It’s unclear whether this infrastructure is run by a single threat actor or multiple groups sharing criminal services, but the speed at which new domains and merchant accounts are spun up suggests a flexible, professional criminal marketplace.
What Undercode Say:
This campaign highlights a dangerous evolution in payment fraud. Traditional phishing relied on tricking users into typing in card details through crude fake forms. What we’re seeing now is far more advanced: fraud-as-a-service, with real transactions, laundering, and anonymization happening in near real-time.
The use of typosquatted domains—websites with URLs that are slight misspellings of well-known brands—is an old trick, but combining them with functioning payment processing elevates the danger. Users trust a site that can accept a credit card; this trust is being exploited to devastating effect.
The choice of impersonating a popular discount retailer is no coincidence. These brands have large, price-sensitive customer bases who are constantly hunting for deals online, making them ideal targets. The criminals’ ability to scale across 12 merchant accounts with unique business names and operate across diverse product categories (from clothing to food containers) shows how well they’ve mapped the financial system’s weak points.
The use of malvertising and compromised ad networks also points to a growing overlap between traditional marketing systems and cybercrime. By hijacking ad platforms, attackers can target potential victims efficiently, bypassing the need for phishing emails or suspicious links.
Merchant acquirers are now on the front line of defense. However, they’re at significant risk—not only of facilitating fraud but of regulatory backlash. If acquiring banks are found to be processing fraudulent transactions via laundered merchant accounts, they could face fines, license reviews, or more stringent oversight.
What’s more alarming is the modular nature of this infrastructure. Domains are spun up, burned down, and replaced in quick succession. Fraudulent merchants rotate through a mix of category codes and business identities, making pattern detection harder. The criminals have built an ecosystem that’s both scalable and disposable.
Recorded Future’s advice is sound: financial institutions must increase monitoring, use domain-level merchant tracking, and elevate risk scores for accounts tied to suspect merchants. But given the agility of this fraud model, proactive disruption is essential. Waiting for a red flag to be triggered is no longer enough.
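As an added illustration (not code from Recorded Future or from this article), the following Python scores a merchant-account/domain pair on three signals described above: a brand token in a domain outside the brand's official set, a merchant name unrelated to its domain, and a domain under three months old. The watchlist, the 90-day cutoff, the 0.6 similarity threshold, the function names and the sample rows are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

YOUNG_DOMAIN_DAYS = 90   # assumption, from "most less than three months old"
LEGAL_SUFFIXES = {"llc", "gmbh", "ltd", "inc"}
# Constructed watchlist: brand token -> domains treated as official (assumption).
WATCHLIST = {"lidl": {"lidl.de"}}

def host_of(domain):
    """Normalise a possibly defanged domain such as lidlorg[.]com."""
    return domain.lower().replace("[.]", ".").strip(".")

def sld(domain):
    """Second-level label; naive split that ignores multi-part suffixes like co.uk."""
    parts = host_of(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def brand_hit(domain, watchlist):
    """Return the brand whose token appears in a domain outside its official set."""
    host, label = host_of(domain), sld(domain)
    for brand, official in watchlist.items():
        is_official = any(host == o or host.endswith("." + o) for o in official)
        if brand in label and not is_official:
            return brand
    return None

def descriptor_matches_domain(descriptor, domain, threshold=0.6):
    """True when the merchant's listed name plausibly relates to the domain."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", descriptor.lower())
              if len(t) >= 3 and t not in LEGAL_SUFFIXES]
    label = sld(domain)
    if any(t in label for t in tokens):
        return True
    return SequenceMatcher(None, "".join(tokens), label).ratio() >= threshold

def risk_score(descriptor, domain, age_days, watchlist=WATCHLIST):
    """Count the signals that fire and return (score, reasons) for analyst review."""
    reasons = []
    if brand_hit(domain, watchlist):
        reasons.append("brand_impersonation")
    if not descriptor_matches_domain(descriptor, domain):
        reasons.append("descriptor_domain_mismatch")
    if age_days < YOUNG_DOMAIN_DAYS:
        reasons.append("young_domain")
    return len(reasons), reasons

# Constructed sample rows; ages and the first and last merchant names are made up.
SAMPLES = [("EXAMPLE MERCHANT A", "lidlorg[.]com", 30),
           ("PETHOUSEN LLC", "bililability[.]com", 40),
           ("EXAMPLE GARDEN TOOLS LTD", "examplegardentools.example", 2000)]

if __name__ == "__main__":
    for row in SAMPLES:
        print(row[1], risk_score(*row))
```

The substring brand match and the name-similarity check both produce false positives on short or generic names, so the output is a triage score for review rather than a block decision.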
This operation represents the future of payment fraud: decentralized, dark web-fueled, and difficult to stop using traditional defenses. Unless banks, payment processors, and ad platforms collaborate on systemic changes, these scams will only grow more sophisticated.
Fact Checker Results:
✅ Verified source: Recorded Future
⚠️ 71 domains confirmed malicious, linked to 12 shady merchants
🔍 Fraud confirmed through live transaction processing, not phishing forms
Prediction:
As long as digital infrastructure remains cheap and fraud detection reactive, this scam model will expand. Expect a rise in AI-enhanced impersonation, more merchant account laundering, and hyper-targeted scam sites. Financial institutions will need to adopt real-time behavioral analytics and AI-driven fraud models to stay ahead. Regulatory pressure is likely to mount on payment processors to enhance merchant vetting and monitoring.
References:
Reported By: cyberpress.org




