Key Takeaways
- A single fake-shop network operates over 20,000 domains from just 36 shared IP addresses, using identical templates with different brand names pasted on top.
- Fake e-shop scams surged 790% in Q1 2025 compared to the prior year, with over 80,000 fake stores identified during the 2024 holiday season alone.
- Every fake shop in the network shares the same browser tab title, 'Unrivaled selection only for you', a detail most shoppers never notice but that ties the entire operation together.
Security researchers at Malwarebytes published findings in March 2026 that should make every online shopper pause before hitting 'buy now.' They mapped a sprawling fraud operation running over 20,000 fake storefronts, all controlled by a single coordinated network and hosted on just 36 IP addresses.
The scale is staggering. But what makes this story more unsettling is how invisible the operation is to most shoppers.
The telltale detail hiding in plain sight
Every one of these fake shops shares a browser tab title most people never look at: 'Unrivaled selection only for you.'
That single phrase ties together thousands of sites with completely different brand names, product catalogs, and checkout pages. It's the thread Malwarebytes researchers followed to unravel the entire network.
The storefronts look legitimate. They have product listings, brand logos, customer reviews, shopping carts, and functional-looking checkout flows. Some mimic well-known retailers. Others pose as independent boutiques. All run on WordPress and use templates from Sellvia, a legitimate U.S.-based e-commerce platform designed for dropshipping businesses.
According to the Malwarebytes report, the six different storefront designs observed are really just two base themes with cosmetic variations. The fraud operators reuse Sellvia's themes and pull product images from its network, then paste different business names on top.
The real product being sold isn't what's in the photos. It's your payment credentials, billing address, and personal details.
A 790 percent surge in fake e-shop scams
Malwarebytes didn't uncover this network in a vacuum. Fake e-shop scams rose 790 percent in the first quarter of 2025 compared to the same period the year before, according to recent threat intelligence data cited in the report.
During the 2024 holiday season alone, researchers identified over 80,000 fake stores. Many disappeared or rebranded within days. Industry telemetry from late 2025 found that fake shops accounted for 65 percent of all threats blocked on social media, with Facebook and YouTube serving as the primary launchpads.
These aren't isolated scams. They're industrialized operations.
In February 2026, cybersecurity firm CTM360 documented a separate but related campaign called FraudWear, involving more than 30,000 fraudulent stores impersonating over 350 fashion brands worldwide. That operation used ad-driven traffic acquisition, fake social media profiles, and aggressive discount messaging to trigger impulse buying.
The pattern is repeatable, scalable, and designed to evade enforcement.
How the franchise model works
The 20,000-domain network operates like a franchise. A core team manages the servers, templates, and payment processing infrastructure. Individual operators register domains and launch storefronts on top of that shared backbone.
When one site gets flagged or taken down, another replaces it. The infrastructure stays intact.
All 20,000+ domains resolve to a set of just 36 IP addresses, according to Malwarebytes. That level of concentration isn't typical for legitimate online retailers. It's a hallmark of bulk fraud operations where one group controls the servers and templates while individual fraudsters spin up domains at speed.
Much of the activity clusters around IP ranges in the 207.244.x.x and 23.105.x.x space, pointing to a preference for specific hosting providers and a setup designed for rapid deployment.
Malwarebytes researchers noted that this clustering is both a strength and a weakness. Disrupt a small number of servers, and you can take thousands of sites offline. But as long as the core infrastructure persists, new domains keep appearing.
What you actually receive after you pay
In some cases, victims receive nothing at all. The payment goes through, the site confirms the order, and then silence.
In other cases, a package does arrive weeks later. Inside: a cheap knockoff worth a fraction of the advertised price. The item bears no resemblance to the product photos on the site.
Either way, your data has been harvested. Payment credentials, billing addresses, email addresses, and phone numbers are resold on criminal marketplaces or used directly for account takeover attempts, identity fraud, and additional scams down the line.
The Merchant Risk Council's 2026 Global eCommerce Payments and Fraud Report, which surveyed over 1,100 merchants across 35+ countries, found that refund and policy abuse is now the number-one ranked fraud threat across e-commerce for the first time. Almost two-thirds of merchants report rising first-party misuse, with more than one in four seeing it grow by 25 percent or more.
But payment fraud remains a massive problem. The report found that merchants lose an average of 3 percent of total e-commerce revenue to fraud, and U.S. merchants lose $4.61 for every dollar of fraud when factoring in chargebacks, fees, operational costs, and lost merchandise.
Red flags that work in 2026
Scammers have gotten better at visual polish. Grammar is cleaner. Layouts look professional. Contact pages exist. But certain patterns still give them away.
Check the domain extension. Most of the 20,000 sites in the Malwarebytes network use .shop, which has become a favorite among fraudsters due to cheap registration fees. Cloudflare's email security data now ranks .shop among the top domains associated with spam and malicious activity.
Look at the browser tab title. If it says 'Unrivaled selection only for you,' close the tab immediately. That phrase is the signature of this specific network.
Search for the business name plus the word 'scam' or 'complaint.' If the site is new or part of a known fraud operation, you'll often find warnings from other shoppers or security researchers.
Check for real contact information. Fake shops often list a phone number that doesn't work or a physical address that's either nonexistent or tied to a random location with no connection to the supposed business. Call the number. See if anyone answers. Google the address and check if it's a real storefront or a residential mailbox service.
Look for HTTPS and verify the exact domain spelling. Scammers buy up every variation of a popular retailer's domain that someone might mistype. One letter off can land you on a clone site.
Avoid sites that offer only one payment option, especially if that option is a wire transfer, cryptocurrency, or a payment app set to 'friends and family' mode. Legitimate retailers offer multiple payment methods, and they never ask for irreversible payments upfront.
If you already paid
Contact your credit card issuer or bank immediately and dispute the charge. Explain that the site was fraudulent. Most credit card companies offer strong fraud protection and will reverse the charge if you report it quickly.
If you paid via debit card, Zelle, Venmo, or another peer-to-peer app, recovering your money is harder. But you should still report the fraud to your bank and request a chargeback or reversal. Under increasing pressure from the FTC, some banks are processing Zelle fraud reversals in cases involving scam merchants.
If you paid through PayPal Goods and Services, file a dispute through PayPal's Resolution Center within 180 days of the transaction. PayPal offers buyer protection for eligible purchases.
Report the scam to the FTC and the FBI's Internet Crime Complaint Center. Your report feeds into databases that law enforcement agencies use to track scam patterns and build investigations. While individual recovery is rare, your report helps protect other potential victims and supports ongoing enforcement actions.
Change your passwords immediately if you created an account on the fake site or reused a password. Assume that any credentials you entered on the fraudulent site are now compromised.
Monitor your credit card statements and bank accounts closely for unauthorized transactions. Consider placing a fraud alert on your credit reports through IdentityTheft.gov if you shared personal information beyond payment details.
Why this matters beyond one network
The 20,000-site operation Malwarebytes documented isn't an outlier. It's a snapshot of how e-commerce fraud has industrialized.
Low infrastructure costs, disposable domains, and ad-based distribution allow fraud operations to scale faster than enforcement can respond. Each storefront functions as a replaceable component rather than a standalone operation, enabling continuous regeneration.
From a consumer perspective, the core challenge is recognizing that professional-looking websites no longer guarantee legitimacy. The old red flags (bad grammar, broken layouts, missing contact info) are less reliable now that scammers use the same templates and tools as legitimate businesses.
The new red flags are structural. Shared IP addresses. Identical tab titles. Newly registered domains. Payment flows that route through disposable intermediaries. These patterns require a different kind of vigilance.
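For defenders triaging reported storefronts, the structural signals above can be checked mechanically. The following is an added example, not code from Malwarebytes or from this article: it groups crawled pages by resolved IP and normalized tab title and reports groups that look like one template under many names. The record layout `(domain, ip, html)`, the `min_domains` threshold, and all sample domains and IPs are assumptions constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser

# Tab title the article reports for this network, lower-cased for comparison.
SIGNATURE_TITLE = "unrivaled selection only for you"

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element in a page."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.parts = False, False, []
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)

def page_title(html):
    """Return the title with whitespace collapsed and case folded."""
    parser = TitleParser()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split()).casefold()

def find_clusters(records, min_domains=3):
    """Group (domain, ip, html) records by (ip, title); keep groups that look templated."""
    groups = defaultdict(set)
    for domain, ip, html in records:
        groups[(ip, page_title(html))].add(domain.lower())
    clusters = [
        {"ip": ip, "title": title, "domains": sorted(domains),
         "signature": title == SIGNATURE_TITLE,
         "shop_tld": sum(d.endswith(".shop") for d in domains)}
        for (ip, title), domains in groups.items()
        if title and len(domains) >= min_domains
    ]
    return sorted(clusters, key=lambda c: len(c["domains"]), reverse=True)

# Constructed sample: documentation-range IPs and made-up domain names.
T = "<title>Unrivaled selection only for you</title>"
SAMPLE = [
    ("constructed-sample-a.shop", "192.0.2.10", "<html><head>" + T + "</head></html>"),
    ("constructed-sample-b.shop", "192.0.2.10", "<title>Unrivaled  selection only for you </title>"),
    ("constructed-sample-c.shop", "192.0.2.10", "<TITLE>unrivaled selection\nonly for you</TITLE>"),
    ("constructed-sample-d.example", "192.0.2.10", T),
    ("bookstore.example", "198.51.100.7", "<title>Bookstore - Home</title>"),
    ("bakery.example", "198.51.100.7", "<title>Fresh bread daily</title>"),
]
```

The two unrelated sites on 198.51.100.7 are not reported: a shared IP alone is normal on shared hosting, and it is the combination with an identical title across several domains that marks a templated cluster.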
Slow down before you click 'buy now.' Verify the site through independent sources. Use credit cards instead of debit whenever possible. Keep all shopping and package tracking inside official apps or verified websites, not links sent via text or email.
The fraud ecosystem is organized, well-funded, and designed to move faster than you can check. But checking still works.
Sources
Verified against Malwarebytes threat intelligence research published March 18, 2026, CTM360 FraudWear campaign analysis from February 2, 2026, and the Merchant Risk Council 2026 Global eCommerce Payments and Fraud Report. Last updated: June 11, 2026. Reviewed and published by the RecentScam Editorial Team on 2026-06-11.
Written By
Our editorial team aggregates and verifies scam reports from threat-intelligence feeds (URLhaus, OpenPhish, PhishTank) and U.S. government complaint data (FTC, FCC), plus community submissions. See our methodology for how every record and article is sourced and reviewed.