Researchers at NordVPN and TechRadar say they have traced three large online fraud operations that rely on a familiar mix of technical weakness and human persuasion: outdated web software, counterfeit cryptocurrency windfalls, and hundreds of sham retail sites. Together, the campaigns show how criminal groups can turn neglected internet infrastructure and fast-moving online trends into engines for malware, phishing, and payment fraud.
The findings span more than 1,300 compromised domains tied to the abuse of FCKeditor, over 100 active domains linked to a crypto-payment scam, and more than 800 fraudulent e-commerce sites. The scale matters because these are not isolated traps in obscure corners of the web; they are campaigns built to borrow the credibility of trusted institutions, mimic legitimate services, and move victims toward a payment before suspicion catches up.
Old software remains a modern attack surface
One strand of the report centers on FCKeditor, a browser-based text editor that was once common in content management systems, forums, and administrative portals. Software like this often lingers long after its active life ends, especially on large institutional websites where legacy components can remain buried inside older pages or forgotten back-end tools.
That creates an opening. According to the report, attackers have recently exploited the long-known vulnerability CVE-2009-2265 to compromise high-value domains including government, corporate, public-sector, and research websites. Once inside, they can turn a reputable site into a staging ground for malware delivery, phishing pages, or redirects to fraudulent storefronts. The effect is powerful because users are more likely to trust a familiar domain than a newly registered one with no public reputation.
This is one of the enduring problems in cybersecurity: the internet does not retire old software on its own. Institutions often focus on visible redesigns and front-end improvements, while neglected plug-ins, editors, and file-management tools remain exposed behind the scenes. A flaw disclosed years ago can still be useful to criminals if patching, replacement, or full decommissioning never happened.
Crypto fraud thrives on confusion as much as greed
The second campaign described by the researchers is less technical and more psychological. Victims receive an email claiming that a large bitcoin deposit has been made to a new wallet on an exchange, along with a link and login credentials. What follows is a classic confidence trick updated for the crypto era: the account appears funded, but the target is told that fees or taxes must be paid before any withdrawal can happen.
The tactic works because cryptocurrency still combines aspiration, novelty, and opacity. Many people know enough to believe digital assets can produce sudden wealth, but not enough to recognize how easily the language of wallets, gas fees, and exchange accounts can be staged. Fraudsters do not need victims to understand the system in depth; they need them to fear missing a windfall and to accept one urgent payment as the price of access.
That pattern reflects a broader shift in online crime. Rather than stealing money only by breaking into bank accounts, criminals increasingly build convincing narratives that persuade people to authorize the payment themselves. For victims, recovery is often difficult, particularly when funds are routed quickly across borders or through payment channels designed to be hard to reverse.
Fake stores are becoming mass-produced fraud tools
The third operation pushes the same principle into online retail. NordVPN says it identified more than 800 fake shopping domains spanning product categories from fashion to health goods and automotive items. Built with common web tools including WordPress, WooCommerce, and Elementor, the sites appear professional enough to pass a quick inspection while relying on steep discounts and short-lived offers to rush buyers into a purchase.
That matters because online fraud no longer requires unusual technical skill or bespoke design. Off-the-shelf website builders, templates, cheap hosting, and reusable payment flows make it easier to assemble entire networks of deceptive stores. The report’s description of consistent digital fingerprints and shared infrastructure suggests a production model: repeatable, scalable, and cheap to relaunch when one domain is taken down.
For consumers, the warning signs are familiar but easy to overlook under pressure: prices that are implausibly low, sparse company information, poor or copied product text, limited contact options, and payment demands that offer little buyer protection. For institutions, the report is a reminder that cybercrime is not only about code execution or malware samples. It is also about trust. A neglected editor, a convincing login page, or a polished storefront can all become vehicles for the same outcome: getting a person to click, install, or pay.
What the findings suggest about the wider internet
Taken together, the three campaigns point to an online environment where technical debt, platform familiarity, and economic anxiety can be fused into highly effective fraud. Attackers are not choosing between software exploits and social engineering; they are combining both, moving from compromised trusted sites to fake services and then to direct payment requests.
The response has to be equally broad. Organizations need to inventory and remove unsupported software, not merely patch what is easy to see. Digital platforms and registrars face renewed pressure to identify repeat fraud patterns faster. And users need to treat unsolicited crypto claims, urgent payment requests, and spectacular online bargains with equal suspicion. The oldest lesson in internet security still applies: if a digital offer depends on haste, secrecy, or upfront payment, the offer is usually the trap.