A new report uncovers three global scam operations that are reshaping the cybersecurity threat landscape. The findings reveal a troubling pattern — cybercriminals are industrialising deception, blending outdated technologies, fake online stores, and cryptocurrency phishing to reach millions of users worldwide.
Compromised domains
The report, from NordVPN’s Threat Intelligence group, reveals that attackers are exploiting CVE‑2009‑2265, a 15‑year‑old flaw in the obsolete FCKeditor tool. Over 1,300 compromised domains, including corporate and research sites, have been hijacked to deliver malware and redirect traffic to phishing pages. These campaigns abuse trusted websites to bypass normal security filters, turning legitimate domains into tools for fraud.
Attackers have compromised over 1,300 high-value domains, including those of governmental, public and corporate bodies, high-value brands, and research institutions. Once compromised, these trusted sites distribute malware or redirect traffic to fake stores and phishing pages, all while bypassing traditional defences that rely on domain allow listing.
Evidence, explained within the report, shows these compromised sites serve as launchpads for secondary scams, including fake crypto wallets and counterfeit e-commerce sites. The campaign has impacted users in Europe, the U.S., and China, signalling global reach.
The compromise of these trusted domains represents a high risk to user security. By exploiting the reputation and authority of these platforms, cybercriminals manage to evade normal defense mechanisms and trick users into clicking on malicious links, downloading infected software, or entering sensitive data on decoy sites. The use of authoritative domains lends an appearance of legitimacy to the scams, making them particularly dangerous and difficult for the average user to recognize.
Cryptocurrency
There are also frauds associated with cryptocurrency. Investigators exposed a global phishing network of over 100 fake crypto domains, using mass “erroneous deposit” emails promising 15 Bitcoin windfalls. Victims are tricked into logging in to cloned platforms and later paying fake “GAS fees,” enabling both financial theft and identity compromise.
Once victims sign in, the site displays a fictitious crypto balance, prompting them to “complete verification” by entering personal data like full name, phone number, and secondary passwords. This stage harvests data for identity theft and future attacks.
The final act of the scam requests “GAS Fees” or “transfer taxes” for the user to claim funds – charges that are entirely fabricated. Victims end up losing money and compromising their financial credentials.
NordVPN’s investigation further identified over 100 active domains impersonating cryptocurrency brands (including coinpoint[.]su, coinend[.]net, and paypot[.]net) used to carry out these scams.
Fake e-commerce sites
A third area of inquiry captured in the report is a Chinese‑linked fake e‑commerce network. The team discovered an organized web of 800+ fake stores built on WordPress and WooCommerce. These sites share the same contact address, support@carpartsoffice.com, and lure buyers with huge discounts. All point to a centralized fraud operation, showcasing how automation enables single actors to run massive fake‑shop ecosystems across multiple regions.
Key websites associated with this campaign include carpartsoffice[.]com, smashgeardepot[.]com, and qualitybaglab[.]com.
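A shared contact address is the kind of indicator that lets defenders tie such storefronts together. As an added example (not code from the report or from NordVPN), this Python script groups storefronts by the contact address found on their pages and lists the stores whose mailbox sits on a different domain than the store itself; the page snippets, the `.example` shops and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: storefront domain (defanged) -> contact-page text.
# The page text is invented for this example; only the three campaign domains
# and the shared address come from the article.
PAGES = {
    "carpartsoffice[.]com": '<a href="mailto:support@carpartsoffice.com">Contact</a>',
    "smashgeardepot[.]com": "Questions? Email Support@CarPartsOffice.com",
    "qualitybaglab[.]com": "Write to support [at] carpartsoffice [dot] com",
    "shop-one.example": "Contact: hello@shop-one.example",
    "shop-two.example": "<p>sales@shop-two.example</p>",
}

AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I)    # "[at]" / "(at)"
DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I)  # "[dot]" / "(dot)"
EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def extract_emails(text):
    """Return lower-cased addresses, undoing '[at]' / '[dot]' obfuscation."""
    text = DOT.sub(".", AT.sub("@", text)).lower()
    return set(EMAIL.findall(text))


def cluster_by_contact(pages, min_size=2):
    """Group storefronts by contact address; keep addresses seen on >= min_size sites."""
    seen = defaultdict(set)
    for domain, text in pages.items():
        for email in extract_emails(text):
            seen[email].add(domain)
    return {e: sorted(d) for e, d in seen.items() if len(d) >= min_size}


def off_domain_members(email, domains):
    """Stores whose contact mailbox lives on a different domain than the store."""
    mail_domain = email.split("@", 1)[1]
    return [d for d in domains if d.replace("[.]", ".") != mail_domain]


if __name__ == "__main__":
    for email, domains in cluster_by_contact(PAGES).items():
        print(email, len(domains), "stores; off-domain:",
              off_domain_members(email, domains))
```

The same grouping works for any indicator that is reused across sites, as long as it is normalised before comparison.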
“Online scams are evolving faster than ever before,” explains Domininkas Virbickas, Product Director at NordVPN, to Digital Journal. “What once looked like crude attempts to trick a few users have become global, data‑driven operations capable of targeting millions.”
