A skimming operation tracked as GorgonAgora is running over 4,800 fake storefronts that impersonate real brands and steal payment data from anyone who checks out. An independent researcher has been mapping the infrastructure since August 2025, and shared the dataset with Sansec.
The storefronts copy product catalogs scraped from real Shopify stores belonging to hundreds of brands, including household names like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, Toyota, Nike, DJI, Pokemon, Fender, Steve Madden, Acer, Yamaha Motor and AMC Theatres. Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova.
The campaign has been active since August 2025 and is still expanding as of today. urlscan.io currently returns 6,000+ scans matching the network's CSS fingerprint, so the 4,880 storefronts confirmed in the dataset shared with Sansec are a floor, not a ceiling.
Update June 3, 2026: The confirmed count has risen to 5,714 storefronts, growing at roughly 70 new domain registrations per day before the operator stalled deployment. A second skimmer server turned up at 80.96.109.154 (AlexHost, Romania, same ASN), with card-form files carrying an identical ETag deployed in the same 4-second window as the first. Domain registrant fingerprints tie the same operator to parallel WordPress/WooCommerce fake-store campaigns on servers in Turkey and Georgia, with the earliest known domain dating to July 2023.
| Property | Value |
|---|---|
| Confirmed storefronts | 4,880+ (.shop TLD) |
| Impersonated brands | hundreds, scraped from real stores |
| Backend | Medusa.js (commerce framework) |
| Skimmer SDK | payment-vanilla.iife.js |
| Skimmer C2 | 80.97.160.51 (AlexHost, Moldova, AS48753) |
| Exfiltration | AES-256-GCM over WebSocket, real-time 3DS relay |
| Active since | August 2025 |
The operator shipped two distinct backends:
Both generations share the same CSS webpack chunk (d482fd41f7f1f379.css) and the same payment-vanilla.iife.js skimmer SDK, which makes the network trivially fingerprintable in spite of the backend re-architecture.
Every storefront loads a custom checkout SDK that registers a Medusa payment provider named pp_payment-iframe_payment-iframe. The SDK exposes two global objects on window:
window.PaymentVanilla
window.UserInputMonitor
When a shopper reaches checkout, PaymentVanilla injects a pixel-perfect fake Stripe iframe sourced from the skimmer server at 80.97.160.51. The iframe collects card number, expiry, CVV and billing details. UserInputMonitor watches keystrokes inside the iframe and streams them in real time.
Exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay: when the victim bank returns a 3DS challenge, the operator proxies it back to the shopper through the fake iframe so the transaction completes and the theft stays invisible.
The SDK contains Chinese-language error strings, and the C2 server fingerprints as a BaoTa / aaPanel installation, a Chinese-language hosting control panel popular with operators in that region.
The skimmer C2 at 80.97.160.51 is multi-purpose. Its TLS certificate covers 23 domains. The .shop domains on the cert serve the GorgonAgora skimmer infrastructure. The .top domains (batppp*.top, onepay*.top, newpay*.top) host a parallel lottery scam operation that harvests SSNs and bank account credentials from US victims.
The single server runs the entire payment fraud stack: card skimming for GorgonAgora plus SSN and ACH theft for the lottery scams.
80.97.160.51 Primary C2 (AlexHost Moldova, AS48753)
80.96.109.154 Second skimmer server (AlexHost Romania, same ASN)
207.246.96.240 Historical C2 (Vultr Los Angeles, decommissioned)
SHA256 (file): e6c60ca4f996b209bbaf7429182d7ed76acf761bb9c1de63486fcb76635fa58c
SHA256 (body): 05f74c23ac2b6b750c3f5ed33c23ef79a086651965695d43d0e0510c32db6efa
Filename: payment-vanilla.iife.js
JS globals: window.PaymentVanilla, window.UserInputMonitor
Provider ID: pp_payment-iframe_payment-iframe
CSS bundle: d482fd41f7f1f379.css
JS chunk: e74951a75cd93e7f.js
Favicon (murmur3 hash): -440889551
Cloudflare SNI: b8ed836d.sni.cloudflaressl.com
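As an added example (not Sansec's or the researcher's tooling), a Python triage function that checks a fetched storefront page, and optionally its script bodies, against the fingerprints described above: the SDK filename, provider ID and window globals, the shared CSS/JS chunk names, and the SHA256 of the SDK. The sample markup and asset paths are constructed.

```python
import hashlib

# Indicators from the GorgonAgora write-up. Strong ones identify the skimmer
# SDK itself; weak ones are the shared webpack chunks, which on their own
# could collide with an unrelated Medusa.js deployment.
STRONG_INDICATORS = (
    "payment-vanilla.iife.js",
    "pp_payment-iframe_payment-iframe",
    "window.PaymentVanilla",
    "window.UserInputMonitor",
)
WEAK_INDICATORS = ("d482fd41f7f1f379.css", "e74951a75cd93e7f.js")
KNOWN_SDK_SHA256 = {
    "e6c60ca4f996b209bbaf7429182d7ed76acf761bb9c1de63486fcb76635fa58c",
    "05f74c23ac2b6b750c3f5ed33c23ef79a086651965695d43d0e0510c32db6efa",
}

# Constructed sample page (paths invented) mimicking the asset pattern.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="/static/css/d482fd41f7f1f379.css">'
    '<script src="/static/chunks/e74951a75cd93e7f.js"></script>'
    '<script src="/sdk/payment-vanilla.iife.js"></script>'
)


def assess(html, script_bodies=None):
    """Return (verdict, hits) for one storefront page.

    html: page markup as text; script_bodies: optional {src: bytes} of
    fetched scripts so their SHA256 and globals are checked as well.
    """
    hits = []
    bodies = dict(script_bodies or {})
    for blob in [html.encode()] + list(bodies.values()):
        for ind in STRONG_INDICATORS + WEAK_INDICATORS:
            if ind.encode() in blob and ind not in hits:
                hits.append(ind)
    for src, blob in bodies.items():
        if hashlib.sha256(blob).hexdigest() in KNOWN_SDK_SHA256:
            hits.append("sha256:" + src)
    if any(h in STRONG_INDICATORS or h.startswith("sha256:") for h in hits):
        return "gorgonagora", hits
    if sum(h in WEAK_INDICATORS for h in hits) >= 2:
        # Shared chunks only: fetch the checkout SDK before acting on this.
        return "suspicious", hits
    return "clean", hits
```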
A handful of the 4,880 confirmed storefronts, picked to show the brand impersonation pattern:
Shoppers. If you bought from any domain in the IOC list above, or from a storefront that does not match a brand's real website, treat the card as compromised and request a replacement. Watch for unfamiliar domains in checkout receipts, payment confirmations and bank statements.
Brand owners. Search urlscan.io for storefronts cloning your catalog. The operator scrapes product data and imagery directly from real Shopify stores, so trademark and DMCA takedowns are usually straightforward once a clone is identified.