MALWAREBYTES maps a sprawling fake shop operation comprising over 20,000 domains that share infrastructure and use identical storefronts with different names. The network runs on WordPress and is powered by Sellvia, a US-based e-commerce platform, with six observed templates, effectively two base themes dressed differently.
In total, more than 20,000 domains resolve to just 36 IP addresses, clustered around specific ranges such as 207.244.x.x and 23.x.x.x, a pattern that indicates bulk fraud operations rather than legitimate retail. The same thread is visible across 20,000+ domains and demonstrates a franchise-style model where a core group manages servers, templates and payment setup while operators spin up domains on top, enabling rapid replacement when sites are taken down.
According to Cloudflare, the .shop top-level domain is popular with scammers, helping these sites appear legitimate while they harvest payment details and personal data. The article notes that campaigns such as FraudWear and BogusBazaar show how such networks operate at scale, driving both altered brand appearances and mass disappearance of sites. 18 March 2026.