Online shopping scams in Europe have grown from one-off fake websites into a coordinated, multinational business, according to a new investigation from Bitdefender Labs. Researchers Alecsandru Catalin Daj and Silviu Stahie tracked more than 55 fake-shop campaigns hitting consumers across 12 European countries between March and May 2026, all impersonating household-name brands to take shoppers' money and personal data.
What the researchers found
The campaigns mimicked Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN, among others, and reached victims through Facebook ads, WhatsApp messages, email, SMS, phone calls, and dedicated fake storefronts. Bitdefender mapped more than 40 domains and found operators reusing the same infrastructure across multiple countries and brands. Confirmed activity spanned Germany, France, Italy, Poland, Spain, the Netherlands, Sweden, Portugal, Austria, Ireland, and Romania. Rather than running a single fraudulent shop, the operators rotated domains, swapped brands, and localized their messaging for each audience.
How the scams work
One Facebook campaign advertised the Samsung Galaxy S26 Ultra for just 249 euros, claiming discounts of up to 90 percent, and racked up hundreds of thousands of ad views before funneling German shoppers to fraudulent stores. A Polish operation ran ZARA and Nike knock-off shops from the same hub, harvesting home addresses and postal codes under the guise of arranging delivery. On WhatsApp, a China-based seller calling himself "Carl" pitched "1:1 quality" counterfeits through password-protected Yupoo catalogs. Several campaigns leaned on excitement around the 2026 FIFA World Cup, promising free Adidas fan kits or selling counterfeit jerseys, a lure that has also powered fake World Cup streaming scams.
Attackers also registered Unicode lookalike domains, web addresses that swap in near-identical foreign characters so a fake site reads as adidas or nike to the human eye while being technically different. Other tactics included redirect chains, rapid domain rotation to outlast takedowns, and storefronts that advertise card and PayPal payment but ultimately accept only bank transfers, which are far harder for victims to claw back. Boosting fake reputation with phony engagement is a recurring theme in these operations, as seen with fake stars and reviews pushing malware.
What you should do
Treat steep discounts on in-demand products as a warning sign, and reach stores by typing the official address yourself rather than clicking an ad or message. Check the domain carefully for odd characters, and be wary of any shop that pushes you toward a bank transfer or an off-platform chat to complete a purchase. With World Cup scams already spreading, Bitdefender expects fake-shop activity to keep growing through 2026.
Indicators of compromise
Selected fraudulent domains (defanged): shopintertec[.]com, crowndistrictstore[.]com, notcia[.]shop, cyberloria[.]cfd, sheinnotice[.]com, feasino[.]shop, footballiscrazy[.]com. World Cup fan-kit redirects: linkrdr[.]cc, dealgo[.]cc, rewardpillar[.]cc. The full indicator set is in the original Bitdefender Labs report.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.