A sprawling network of 71 fake websites has been discovered impersonating a major German discount retailer, in a sophisticated payment fraud scheme targeting European consumers.
Uncovered by Recorded Future’s Payment Fraud Intelligence team, the operation uses typosquatting domain names, fraudulent ad campaigns, and even real payment processing to steal personal and financial information from unsuspecting shoppers.
Not Just Phishing — Real Payment Fraud
This scam goes beyond typical phishing. Instead of just collecting user information, these fake sites process real payments through compromised merchant accounts. Victims believe they are buying discounted products like electric scooters, but never receive anything in return.
The operation has been running since at least February 2025, primarily targeting consumers in Germany and neighboring countries with offers that appear to be from well-known retailers such as Lidl.
How the Scam Works
The scam begins with Facebook ads run through accounts with names like “EU STORE” and “L Clearance”. These ads use real logos and branding from the impersonated retailer to lure users in with seemingly legitimate deals.
Clicking on the ad redirects victims to a cloned website that mirrors the look and feel of the real retailer’s online store. However, the checkout process routes payment data through fraudulent merchant accounts.
Fraud Ecosystem: Fake Sites, Real Transactions
Researchers traced the scam to a network of twelve merchant accounts tied to fake storefronts with names like:
- AKRU KERAMIK GMBH
- MYCOZYBABIES
- YSPCLOTHINGGSHOP
These merchants process victim transactions while also harvesting sensitive details like names, addresses, and credit card numbers.
One account, PETHOUSEN LLC, officially operates as pethousen[.]com but was found processing payments for scam sites such as:
- biliability[.]com
- dknyonlineuk[.]com
- outletmalleu[.]shop
Who’s Behind It?
It’s unclear whether the scam is run by a single group or multiple actors collaborating. Experts believe it may involve a “cash-out” service advertised on dark web forums, or a coordinated criminal operation rotating domains and merchant credentials to avoid detection.
The identified domains had been live for an average of 65 days and scored a high risk rating of 88/100 on DomainTools.
What Financial Institutions Should Do
Security analysts recommend that banks and payment processors:
- Block known fraudulent merchant accounts
- Flag and monitor customer transactions with these entities
- Investigate other merchants with similar patterns or naming conventions
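
One way a payment processor could apply these recommendations, shown as an added example that is not from the Recorded Future report. The merchant names and domains are the ones listed above; the transaction records, the `checkout_domain` field, the registered-domain table and EXAMPLE BOOKS LTD are constructed assumptions.

```python
from collections import defaultdict

# Merchant names the article lists as tied to the scam network.
BLOCKED_MERCHANTS = {"AKRU KERAMIK GMBH", "MYCOZYBABIES", "YSPCLOTHINGGSHOP"}

# Assumption: the storefront domain each merchant declared at onboarding.
REGISTERED_DOMAIN = {
    "PETHOUSEN LLC": "pethousen.com",
    "EXAMPLE BOOKS LTD": "examplebooks.example",  # constructed benign merchant
}

# Constructed transactions; domains are kept defanged as in the article.
SAMPLE_TXNS = [
    {"merchant": "PETHOUSEN LLC", "checkout_domain": "pethousen[.]com"},
    {"merchant": "PETHOUSEN LLC", "checkout_domain": "biliability[.]com"},
    {"merchant": "pethousen  llc", "checkout_domain": "www.dknyonlineuk[.]com"},
    {"merchant": "PETHOUSEN LLC", "checkout_domain": "outletmalleu[.]shop"},
    {"merchant": "MYCOZYBABIES", "checkout_domain": "shop.example"},
    {"merchant": "EXAMPLE BOOKS LTD", "checkout_domain": "shop.examplebooks.example"},
]

def normalize_domain(domain):
    """Refang, lowercase and drop a leading 'www.' so domains compare equal."""
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    return d[4:] if d.startswith("www.") else d

def normalize_name(name):
    """Uppercase and collapse whitespace in a merchant descriptor."""
    return " ".join(name.upper().split())

def review_transactions(txns, blocked=BLOCKED_MERCHANTS, registered=REGISTERED_DOMAIN):
    """Map each suspicious merchant to an action and its unexpected domains."""
    findings, unexpected = {}, defaultdict(set)
    for txn in txns:
        merchant = normalize_name(txn["merchant"])
        if merchant in blocked:  # known fraudulent merchant account
            findings[merchant] = {"action": "block", "domains": []}
            continue
        home = registered.get(merchant)
        site = normalize_domain(txn["checkout_domain"])
        # Payments taken on a site other than the declared storefront
        # (or a subdomain of it) match the PETHOUSEN LLC pattern.
        if home is None or (site != home and not site.endswith("." + home)):
            unexpected[merchant].add(site)
    for merchant, sites in unexpected.items():
        findings[merchant] = {"action": "investigate", "domains": sorted(sites)}
    return findings

if __name__ == "__main__":
    for merchant, finding in review_transactions(SAMPLE_TXNS).items():
        print(merchant, finding)
```
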
Consumers are urged to remain cautious of heavily discounted online offers, verify domain spellings, and avoid unfamiliar online stores promoted through ads.