
Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims

Medium
Published: Tue May 20 2025 (05/20/2025, 21:16:25 UTC)
Source: AlienVault OTX General

Description

A network of 71 purchase scam websites has been identified, linked to 12 shared merchant accounts used for fraudulent transactions. The scams employ brand impersonation, online ads, and malicious merchants to target victims. The network, operational since February 2025, uses typosquatting and brand logo abuse to impersonate legitimate retailers. Transactions with the identified merchant accounts are likely fraudulent and facilitate card compromise. The network's attribution remains unclear, possibly controlled by a single actor or multiple actors collaborating through dark web services. Mitigation strategies for card issuers and merchant acquirers are provided to reduce financial fraud and compliance risks associated with these scams.

AI-Powered Analysis

Last updated: 06/19/2025, 22:02:29 UTC

Technical Analysis

This threat involves a coordinated network of 71 fraudulent purchase scam websites that have been active since February 2025. These sites leverage brand impersonation techniques, including typosquatting—registering domain names similar to legitimate retailers—and misuse of brand logos to deceive victims into believing they are interacting with trusted merchants. The scam network is supported by 12 shared merchant accounts that process transactions, which are likely fraudulent and facilitate card compromise and transaction laundering. Victims are targeted through online advertisements that direct them to these malicious sites, where they may unknowingly submit payment information. The network’s operational structure is unclear; it may be controlled by a single threat actor or multiple actors collaborating via dark web services. The campaign employs various tactics and techniques aligned with MITRE ATT&CK identifiers such as T1587.001 (Develop Capabilities), T1586.001 (Compromise Accounts), T1598.003 (Phishing for Information), and others related to command and control, execution, and credential access. Although no direct exploits or malware are involved, the threat exploits social engineering and fraudulent transaction mechanisms to achieve financial fraud. The compromised merchant accounts facilitate laundering of illicit transactions, increasing the risk for card issuers and merchant acquirers. This scam network poses a significant risk to consumers and financial institutions by enabling unauthorized card use and financial loss. Mitigation strategies focus on enhanced transaction monitoring, merchant account vetting, and consumer awareness to reduce fraud and compliance risks.

Potential Impact

For European organizations, particularly financial institutions, payment processors, and e-commerce platforms, this scam network presents a multifaceted risk. Financial losses may arise from fraudulent transactions processed through compromised merchant accounts, leading to chargebacks and reputational damage. Card issuers face increased risk of card compromise and fraud-related losses, while merchant acquirers may encounter compliance violations and penalties if fraudulent merchants are not promptly identified and removed. Consumers in Europe may suffer direct financial harm and erosion of trust in online retail channels. The use of typosquatting and brand impersonation can also damage the reputation of legitimate European retailers, potentially leading to customer churn and brand dilution. Additionally, increased fraud activity can strain fraud detection systems and increase operational costs. The campaign’s reliance on online ads and social engineering means that even well-protected organizations may see indirect impacts through customer-targeted scams. Overall, the threat undermines the integrity of the European digital commerce ecosystem and financial services sector.

Mitigation Recommendations

1. Implement advanced transaction monitoring systems that use machine learning to detect anomalous patterns indicative of fraudulent merchant accounts or transactions.
2. Enforce strict merchant onboarding and continuous vetting processes, including verification of business legitimacy and monitoring for suspicious merchant account activity.
3. Collaborate with payment networks and card issuers to share intelligence on identified fraudulent merchant accounts and block transactions associated with them.
4. Deploy domain monitoring tools to detect typosquatting and brand impersonation domains targeting European retailers, enabling rapid takedown requests.
5. Enhance consumer awareness campaigns focusing on recognizing legitimate online retailers, risks of typosquatting, and safe online shopping practices.
6. Work with advertising platforms to identify and remove malicious ads promoting fraudulent sites, including leveraging ad verification and fraud detection services.
7. Strengthen authentication and fraud detection mechanisms at the point of sale, such as multi-factor authentication for high-risk transactions and real-time risk scoring.
8. Establish incident response protocols specifically for transaction laundering and purchase scams to quickly isolate and remediate affected merchant accounts.
9. Engage with law enforcement and industry groups to share threat intelligence and coordinate takedown efforts of scam networks.

These targeted measures go beyond generic advice by focusing on the specific tactics used in this campaign and the financial ecosystem’s vulnerabilities.
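A minimal domain-monitoring triage for recommendation 4, added here as an illustrative example (it is not from the report or from any vendor tooling): it flags newly observed domains that embed a protected brand name next to lure words such as "sale" or "outlet", or whose registrable label sits within a small edit distance of the brand. The brand names, legitimate domains, and candidate domains are constructed placeholders.

```python
"""Brand-impersonation domain triage (illustrative example, constructed data)."""
from typing import Dict, Iterable, Optional

# Constructed protected brands: brand token -> legitimate registrable domains.
PROTECTED_BRANDS: Dict[str, set] = {
    "acmeretail": {"acmeretail.com", "acmeretail.de"},
    "zenithgear": {"zenithgear.com"},
}
# Lure tokens typical of purchase-scam storefronts (discount/outlet framing).
LURE_WORDS = ("sale", "outlet", "store", "deals", "discount", "clearance", "vip")
MAX_EDIT_DISTANCE = 2  # keep small; short brand names would otherwise false-match


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'eu.brand-sale.shop' -> 'brand-sale'.
    Naive split; a production check should use a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Optional[str]:
    """Return a finding tag, or None when the domain is legitimate/unrelated."""
    domain = domain.lower()
    for legit in (d for ds in PROTECTED_BRANDS.values() for d in ds):
        if domain == legit or domain.endswith("." + legit):
            return None  # the brand's own domain or one of its subdomains
    compact = registrable_label(domain).replace("-", "")
    for brand in PROTECTED_BRANDS:
        if brand in compact:  # brand logo/name abuse, e.g. brand-outlet.shop
            lure = any(w in compact for w in LURE_WORDS)
            return f"brand-abuse:{brand}" + (":lure" if lure else "")
        if levenshtein(compact, brand) <= MAX_EDIT_DISTANCE:
            return f"typosquat:{brand}"  # near-miss spelling of the brand
    return None


def triage(domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious domain to its finding; clean domains are dropped."""
    return {d: v for d in domains if (v := classify(d)) is not None}
```

Findings feed a takedown queue; the lure-word flag helps prioritise domains that mimic the discount storefront pattern described above.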


Technical Details

Author: AlienVault
TLP: white
References: https://www.recordedfuture.com/blog/purchase-scam-networks-prey-on-victims
Adversary: (not specified)
Pulse Id: 682cf1294f2f6dea7a0ae4ae

Indicators of Compromise

Domain


Threat ID: 682cf5ae4d7c5ea9f4b3a74b

Added to database: 5/20/2025, 9:35:42 PM

Last enriched: 6/19/2025, 10:02:29 PM

Last updated: 8/17/2025, 7:15:33 PM
