NordVPN’s Threat Intelligence research unit – in collaboration with TechRadar – has revealed three major, interconnected global cybercrime operations exploiting user trust in digital platforms, outdated technology, and cryptocurrency markets.

“Online scams are evolving faster than ever before,” says Domininkas Virbickas, product director at NordVPN. “What once looked like crude attempts to trick a few users have become global, data-driven operations capable of targeting millions. Our research shows that cybercriminals are industrialising deception – blending psychology, automation, and emerging technologies.”

NordVPN’s latest investigation revealed an alarming resurgence of legacy software exploitation. A large-scale campaign exploits CVE-2009-2265, a critical vulnerability in the FCKeditor Web tool decommissioned over 15 years ago.

Attackers have compromised over 1 300 high-value domains, including those of governmental, public, and corporate bodies, high-value brands, and research institutions. Once compromised, these trusted sites distribute malware or redirect traffic to fake stores and phishing pages – all while bypassing traditional defences due to domain allowlisting.

Evidence shows these compromised sites serve as launchpads for secondary scams, including fake crypto wallets and counterfeit e-commerce sites. The campaign has impacted users in Europe, the US and China, signalling a truly global reach.

The compromise of these trusted domains represents a high risk to user security.

By exploiting the reputation and authority of these platforms, cybercriminals manage to evade normal defence mechanisms and trick users into clicking on malicious links, downloading infected software, or entering sensitive data on decoy sites. The use of authoritative domains lends an appearance of legitimacy to the scams, making them particularly dangerous and difficult for the average user to recognise.

“This campaign reminds us that neglecting old technology can create new frontlines in cybersecurity,” says Virbickas. “Even obsolete plugins, left untouched, can serve as digital open doors for modern attackers.”

NordVPN analysts uncovered a highly organised phishing and fraud campaign that merges the classic advance fee scam with modern cryptocurrency phishing. The scheme begins with deceptive “erroneous deposit” emails, falsely notifying victims of a substantial transfer – typically 15 Bitcoin – and providing credentials to a fake exchange or wallet site.

Once victims sign in, the site displays a fictitious crypto balance, prompting them to “complete verification” by entering personal data like full name, phone number, and secondary passwords. This stage harvests data for identity theft and future attacks.

The final act of the scam requests “GAS Fees” or “transfer taxes” for the user to claim funds – charges that are entirely fabricated. Victims end up losing money and compromising their financial credentials.

NordVPN’s investigation identified over 100 active domains impersonating cryptocurrency brands (including coinpoint[.]su, coinend[.]net, and paypot[.]net) used to carry out these scams.

“This is social engineering on an elite scale,” says Virbickas. “Criminals are leveraging the allure – and confusion – of cryptocurrency to reinvent old scams in new digital forms.”

A separate operation, traced primarily to a Chinese-speaking threat actor, involves a network of over 800 fraudulent e-commerce domains spanning categories from fashion to automotive and health products. Built using WordPress, WooCommerce, and Elementor, all sites share a single support contact – support@carpartsoffice.com – suggesting centralised management rather than a distributed crime-as-a-service model.

“These ‘shops’ lure victims with unrealistic offers, creating urgency and bypassing consumer skepticism,” explains Virbickas. “Indicators of Chinese origin include untranslated Chinese characters and localised file artifacts across the network. NordVPN linked the sites through shared digital fingerprints and discovered consistent hosting under the registrar Spaceship, Inc.”

Key websites associated with this campaign include carpartsoffice[.]com, smashgeardepot[.]com, and qualitybaglab[.]com.

“This network demonstrates the industrialisation of online fraud,” adds Virbickas. “Automation and template-based site creation now allow single actors to manage entire fraudulent ecosystems that mimic legitimate online retail.”
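The linking step described above, where many storefronts expose one support contact, can be sketched as follows. This is an added example, not NordVPN's tooling; the page snippets, the `.example` domains, and the function names are constructed for illustration.

```python
import html
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
# Retina image names such as logo@2x.png look like addresses to the regex.
ASSET_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")

# Constructed sample: fetched page text keyed by storefront domain.
PAGES = {
    "shop-a.example": '<a href="mailto:Support@Seller-Hub.example">Contact</a>',
    "shop-b.example": "<p>Questions? support&#64;seller-hub.example</p>",
    "shop-c.example": "<footer>Email: support@seller-hub.example.</footer>",
    "indie.example": '<img src="logo@2x.png"><p>hello@indie.example</p>',
}


def contact_emails(page_html):
    """Return the normalised e-mail addresses found in one page."""
    text = html.unescape(page_html)  # decode entity-obfuscated '@' (&#64;)
    found = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    return {e for e in found if not e.endswith(ASSET_SUFFIXES)}


def shared_contact_clusters(pages, min_domains=3):
    """Map each contact address to the domains that display it.

    Only addresses seen on at least min_domains distinct domains are kept,
    since one address reused across unrelated-looking shops suggests a
    single operator behind them.
    """
    by_email = defaultdict(set)
    for domain, page_html in pages.items():
        for email in contact_emails(page_html):
            by_email[email].add(domain)
    return {
        email: sorted(domains)
        for email, domains in by_email.items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    for email, domains in shared_contact_clusters(PAGES).items():
        print(f"{email}: {len(domains)} domains -> {', '.join(domains)}")
```

A shared address is a lead rather than proof: legitimate multi-brand retailers and hosted storefront platforms also reuse support contacts, so clusters should be corroborated with other signals such as registrar and site templates.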

All three investigations share a concerning pattern, says Virbickas – the weaponisation of legitimacy. Whether through cloned crypto exchanges, realistic shopping portals, or malicious government domains, cybercriminals are refining scams that blend technological sophistication with emotional manipulation.