A single criminal operation built an infrastructure-as-a-service model for fake e-commerce. The architecture explains why takedowns alone cannot stop it.
In March 2026, Malwarebytes documented a network of more than 20,000 fake online stores sharing just 36 IP addresses. Detection data from late 2025 found that fake shops accounted for 65% of all threats blocked on social media, with Facebook and YouTube as the primary traffic sources. A separate investigation earlier in the year uncovered more than 30,000 fraudulent stores impersonating 350 fashion brands across 80 countries. The operations are industrial in scale and show no sign of slowing.
The best look inside how these operations actually work comes from SRLabs’ investigation into BogusBazaar, a criminal network that has operated more than 75,000 fraudulent store domains since 2021, affecting over 850,000 victims across the United States and Western Europe. The architecture SRLabs documented is the blueprint the current generation of fake store networks is built on.
How BogusBazaar builds and scales fake stores
BogusBazaar does not operate like a single criminal enterprise running 75,000 stores. It operates like a franchise. A small core team handles infrastructure: developing software, deploying backends, customizing WordPress plugins, and maintaining the servers and payment processing systems that the entire network depends on. That core team runs only a handful of stores itself, likely for testing purposes.
The stores themselves are managed by a decentralized network of franchisees who use the tools and infrastructure the core team provides. Each franchisee operates a portfolio of fake shops on the shared platform, handling day-to-day operations while the core team maintains the foundation underneath. SRLabs described the arrangement as an “infrastructure-as-a-service” model, and the comparison is precise: the core team is the platform provider, the franchisees are the tenants.
A typical server in the network runs about 200 stores, with some hosting more than 500. Each server is associated with more than a hundred IP addresses and exposed to the public internet through Cloudflare. Most servers are hosted in the United States. The stores themselves are built on WooCommerce, the WordPress e-commerce plugin, and are deployed semi-automatically with customized names, logos, and product catalogs.
Two architectural decisions make the operation especially resilient. The first is the separation between storefronts and payment infrastructure. Payment pages can be rotated without changing the storefronts. When a payment page is flagged for fraud and blocked by a processor, the operator swaps in a new one while the store itself remains unchanged. The second is the domain strategy. BogusBazaar acquires previously expired domains that retain the domain reputation and search engine authority they built during their legitimate lifetime. A fraudulent store on a five-year-old domain outranks one on a domain registered last week, regardless of what is on the page. Allure Security’s detection data shows the same pattern across the broader financial sector: more than 40% of domains used in brand impersonation attacks are over five years old, and less than 10% are registered within 30 days. BogusBazaar operationalized this at industrial scale.
Why fake store takedowns fail at scale
When a brand protection vendor identifies a fraudulent store and initiates a takedown, the process targets a single storefront on a single domain. The hosting provider or registrar reviews the abuse report, validates the claim, and removes the site. The process works, and for isolated impersonation campaigns it works well.
Against a franchise operation, the math changes. Removing one store from a network of 22,500 active domains eliminates 0.004% of the operation. The core infrastructure, including the servers, the payment processing, the deployment tools, and the franchise relationships, remains intact. The operator can spin up a replacement on a different aged domain within hours, using the same templates, the same payment infrastructure, and the same Cloudflare configuration.
SRLabs noted that BogusBazaar’s “extensive orchestration capabilities enable [it] to quickly deploy new webshops or rotate payment pages and domains in response to take-downs.” The operation was designed from the beginning to absorb takedown pressure without meaningful disruption. The individual storefront is expendable. The franchise is not.
This is the structural challenge that the counterfeit-versus-security distinction identifies at the category level: the enforcement model built around removing individual listings is mismatched against operations that treat each storefront as a disposable node in a resilient network. BogusBazaar is the most documented example of what that mismatch looks like at scale.
How to detect franchise-scale fake store networks
The BogusBazaar architecture points toward a different approach to disruption. The storefronts are disposable, but the infrastructure they run on is not. The 36 IP addresses serving 20,000 stores, the Cloudflare configurations, the payment page rotation patterns, the WooCommerce plugin customizations, and the aged domain acquisition pipeline are all structural signatures that persist across individual store lifecycles.
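The pivot from one confirmed fake store to the rest of its network can be sketched as a graph clustering over shared infrastructure indicators. This is an added example, not code from SRLabs or the original article: the domains, addresses, payment hosts and plugin hashes are constructed sample data, and the field names are assumptions. It assumes each indicator is operator-specific, so values shared with unrelated sites, such as a CDN edge IP or an unmodified stock plugin, are excluded before clustering.

```python
from collections import defaultdict

# Constructed sample observations (not real indicators). Field names are
# assumptions: observed IP, payment-page host, and a hash of the customised
# WooCommerce plugin bundle served by the storefront.
OBSERVATIONS = [
    ("brand-outlet.example",   "198.51.100.10", "pay-one.example", "plug-7f3a"),
    ("brand-sale.example",     "198.51.100.10", "pay-one.example", "plug-7f3a"),
    ("aged-blog.example",      "198.51.100.22", "pay-one.example", "plug-7f3a"),   # moved server
    ("shoe-clearance.example", "198.51.100.22", "pay-two.example", "plug-7f3a"),   # rotated payment page
    ("bags-discount.example",  "198.51.100.37", "pay-two.example", "plug-91bc"),   # new plugin build
    ("corner-bakery.example",  "203.0.113.80",  "pay-psp.example", "plug-stock"),  # unrelated shop
]

def infrastructure_clusters(observations):
    """Union-find over domains and the infrastructure indicators they share."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for domain, ip, pay_host, plugin_hash in observations:
        for kind, value in (("ip", ip), ("pay", pay_host), ("plugin", plugin_hash)):
            # Link the domain to each indicator it was seen with.
            parent[find(("domain", domain))] = find((kind, value))

    clusters = defaultdict(set)
    for kind, value in list(parent):
        if kind == "domain":
            clusters[find((kind, value))].add(value)
    return list(clusters.values())

def related_stores(known_bad, observations):
    """Domains linked to one confirmed fake store through shared infrastructure."""
    for cluster in infrastructure_clusters(observations):
        if known_bad in cluster:
            return sorted(cluster - {known_bad})
    return []

if __name__ == "__main__":
    print(related_stores("brand-outlet.example", OBSERVATIONS))
```

Because the links are transitive, a store that has both moved servers and rotated its payment page is still tied to the cluster through whichever indicator it has not yet changed.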
Detection that examines what is on the page, including visual similarity to impersonated brands, credential harvesting forms, and payment page behavior, can identify franchise-operated stores regardless of which domain they appear on or how recently the domain was acquired. Blocking members and customers from reaching those pages within the first hours of operation prevents the damage that takedowns, however efficient, arrive too late to stop.
The franchise model will not disappear. The economics are too favorable and the barrier to entry too low. What can change is whether the brands being impersonated detect and block the stores fast enough that the franchise’s per-store return diminishes to the point where the operation becomes less profitable. That is a detection problem, not a takedown problem.
The Bottom Line
BogusBazaar built a criminal franchise that has operated 75,000 fake stores across three years, survived multiple rounds of takedowns, and processed over a million orders. The operation’s resilience is not accidental. It is architectural: decoupled storefronts and payment systems, aged domains that bypass reputation filters, semi-automated deployment, and a franchise model that distributes risk across a decentralized network. The brands being impersonated cannot dismantle the franchise one store at a time. They can make each store less profitable by detecting and blocking it before customers arrive.
Key Takeaways
BogusBazaar is a criminal e-commerce network documented by SRLabs that has operated more than 75,000 fraudulent online stores since 2021. The network uses an infrastructure-as-a-service model where a core team maintains the platform and decentralized franchisees run individual stores, processing over one million orders and affecting more than 850,000 victims.
A core team develops software, deploys servers, and maintains payment processing infrastructure. Franchisees use these shared tools to operate portfolios of fake stores. A typical server hosts about 200 stores. Payment pages are decoupled from storefronts and can be rotated independently when flagged for fraud.
Expired domains retain the search engine reputation they built during their legitimate lifetime, including backlink profiles and age-based authority. BogusBazaar acquires expired domains at scale to give its fraudulent stores the search visibility and credibility signals that newly registered domains cannot achieve.
Removing one store from a network of 22,500 active domains eliminates 0.004% of the operation. The core infrastructure remains intact, and replacement stores can be deployed within hours using the same templates and payment systems. The operation was designed to absorb takedown pressure without meaningful disruption.
Detection that examines page content, including visual brand similarity, credential harvesting forms, and payment page behavior, can identify franchise-operated stores regardless of domain. Blocking customers from reaching fraudulent pages within hours of deployment prevents the damage that takedowns arrive too late to stop.



