A coordinated fraud campaign has constructed more than 15,000 fake TikTok Shop domains, complete with AI-generated influencer videos and crypto-draining malware. TikTok’s platform moderation can’t see any of it.
A 57-year-old woman in Singapore clicked on a TikTok ad in late 2025 promising easy money through an online store opportunity. Someone contacted her, explained that she would place orders with suppliers, pay upfront, and earn commissions afterward. He sent her a link to register.
The first orders were small, a few hundred dollars, and she successfully withdrew her commission twice. Encouraged, she continued as order values climbed into the tens of thousands. She kept depositing, borrowing from family, friends, banks, and loan companies to meet the escalating requirements. When she finally tried to withdraw her accumulated earnings, she was told she had missed deadlines, that her credit limit was insufficient, and that she owed penalties. She lost more than S$100,000, her life savings, without recovering a cent.
Her story follows a pattern now documented at industrial scale. In August 2025, cybersecurity firm CTM360 published findings on a campaign it called FraudOnTok: more than 15,000 lookalike domains mimicking TikTok Shop, TikTok Wholesale, and TikTok Mall, supported by over 10,000 phishing URLs and 5,000 malicious app download sites. The infrastructure exists to do what happened to that woman in Singapore, millions of times over, to anyone who believes they’re on TikTok’s platform.
The gap between platform and perimeter
TikTok has not been passive. In the first half of 2025, the company rejected more than 1.4 million seller applications, blocked 70 million products before listing, and removed roughly 700,000 sellers for policy violations. Nicolas Waldmann, who leads TikTok Shop’s global governance, has acknowledged that generative AI has become “a powerful new tool for fraudsters” and that the platform faces organized crime networks attempting to sell counterfeits at scale. By TikTok’s account, 99.5% of violative listings are caught before reaching customers.
TikTok Shop now operates in 17 countries, with U.S. sales alone reaching nearly $16 billion in just two years. That growth has made it a target.
That enforcement operates inside TikTok’s walls. The 15,000 fake domains exist on the open web, distributed through Meta ads, WhatsApp messages, and Telegram channels that TikTok has no visibility into. When the Singapore woman clicked that ad and followed the link to register her “store,” she left TikTok’s ecosystem entirely. The interface looked right. The early payouts worked. Nothing signaled she’d crossed into infrastructure designed to extract everything she had.
The FraudOnTok operation targets users in all 17 countries where TikTok Shop officially operates and many where it has not launched. It doesn’t require victims to be TikTok Shop customers. It only requires them to believe they are. Threat actors produce AI-generated influencer videos and official-looking brand ambassador clips to drive traffic, then harvest credentials or distribute malicious apps infected with SparkKitty spyware. The malware extracts cryptocurrency wallet seed phrases from device photo galleries, enabling attackers to drain funds long after the initial infection.
Where the money goes
The Singapore woman kept depositing because the early payouts worked. This is how mature fraud works: small withdrawals that prove legitimacy, followed by escalating commitments until victims have borrowed from everyone they know. Cryptocurrency makes it irreversible. Unlike credit card transactions, crypto payments offer no chargeback protection. Once funds move to an attacker-controlled wallet, they are gone.
Crypto scam losses reached an estimated $17 billion globally in 2025, with impersonation schemes growing more than 1,400% year over year. The average payment rose from $782 to $2,764, reflecting deeper extraction from each victim. AI-enabled scams proved 4.5 times more profitable than traditional approaches, and FraudOnTok shows why: fake storefronts impersonating TikTok and brands like Dyson, payment flows through USDT and ETH, and an interface convincing enough that victims believe they’re building a real business.
The domains hosting these operations use cheap top-level extensions like .top, .shop, and .icu, making them inexpensive to register and easy to cycle through as they get flagged. TikTok’s Intellectual Property Report shows 40 million products rejected for IP violations and 143 million videos removed for marketing counterfeit goods in the first half of 2025. The platform is actively fighting fraud where it can see it. The problem is that the most sophisticated operations have moved outside its field of view.
The brand problem
Somewhere, a customer service team is fielding a complaint about a Dyson vacuum that never arrived, purchased from what appeared to be a legitimate TikTok Shop storefront. The company never sold that product on TikTok. The listing was on one of the 15,000 fake domains. The customer doesn’t know that. The brand association persists.
For companies selling on TikTok Shop, the exposure extends in directions that traditional brand protection does not cover. The mechanics follow patterns familiar from other brand impersonation campaigns: attackers register lookalike domains, construct convincing storefronts using stolen product images, then drive traffic through paid advertising and social engineering.
What makes FraudOnTok distinctive is the integration of AI-generated video. Threat actors produce fake influencer promotions and official-looking brand ambassador clips that appear on both TikTok and Facebook, exploiting the same algorithmic distribution that makes legitimate social commerce effective. The videos look professional. The offers look real. The brands being impersonated have no way to know their names are being used until victims start complaining about products they never sold.
The affiliate trap
The Singapore woman was not buying a vacuum. She was recruited as what she believed was an affiliate, someone who would earn commissions facilitating transactions. This is the second attack vector: fake affiliate management platforms that mimic TikTok’s seller interface and convince creators to “top up” digital wallets in order to unlock commissions or withdrawal bonuses that never materialize.
TikTok Shop’s legitimate affiliate program has more than 100,000 creators, and engagement rates for affiliate links significantly exceed those on competing platforms. The promise of high-commission partnerships and early access to trending products provides exactly the urgency that social engineering depends on. When the system works as described and early withdrawals succeed, victims have no reason to suspect the interface exists only to extract their deposits.
Creators who have their accounts compromised may then distribute malicious links to their followers, extending the attack into legitimate audiences who trust the influencer relationship. The pattern mirrors similar exploitation of professional networks: what begins as credential harvesting becomes a distribution channel for malware, counterfeit goods, or additional scams, all conducted under the banner of a creator who appears affiliated with recognizable brands.
Outside the perimeter
TikTok can remove 700,000 sellers and block 70 million listings, but it cannot take down the 15,000 domains registered to impersonate its marketplace. That responsibility falls to registrars, hosting providers, and the brands being exploited.
For those brands, the challenge is visibility. Traditional brand protection focuses on marketplaces and search results, leaving detection gaps in channels like ads, messaging apps, and AI-generated video — exactly where social commerce fraud operates. Defensive domain registration helps. Coordination with TikTok’s Intellectual Property Protection Center helps. But the starting point is recognizing that protecting a brand on TikTok Shop means protecting it in places TikTok cannot see.
The Bottom Line
The woman in Singapore saw an ad, clicked a link, and followed a path that looked like participation in a booming global marketplace. By the time she understood what had happened, she had borrowed from everyone she knew. The platform’s moderation protects the marketplace it controls. What happens outside that perimeter requires a different kind of defense.
