bitdefender.com
Alina BÎZGĂ
February 17, 2026
Bitdefender Labs is tracking an ongoing scam campaign on Meta platforms targeting people in the EU and the US, using fraudulent “Olympics Shop” advertisements that offer discounts of up to 80% on Milano Cortina 2026 merchandise.
Users who click on these ads and interact with the fraudulent websites expose themselves to several risks. Many similar scam operations are designed to steal payment card information at checkout, harvest personal details such as names, addresses, phone numbers, and email accounts, and in some cases collect login credentials.
Victims may also receive counterfeit merchandise — or nothing at all — after completing a purchase. In many instances, the sites disappear shortly after processing payments, leaving buyers with no way to recover their money.
At a glance, the ads look legitimate.
They feature official Olympic imagery, professional product photos, and convincing promotional messages such as:
“Olympics Exclusive! Up to 80% OFF.
30 Days No Excuse Free Return.
🛒Get Yours Before Out of Stock!”
“Olympics Esclusivo! Sconti fino all'80%.”
“Reso gratuito entro 30 giorni, senza domande.”
“Acquistalo prima che finisca!”
But the danger begins after the click.
Near-Perfect Clones of the Official Olympics Shop
The fraudulent websites are not crude copies – they are near-perfect replicas of the official Olympics merchandise store.
Bitdefender Labs observed that the scam sites use:
The same product photos
Identical color schemes
The same merchandise collections
Official branding elements
Similar layout structure
At a glance, most users would struggle to tell the difference.
The deception lies in the small details.
For example:
The legitimate store promotes “Sign up & Save 15%.”
The scam websites advertise “Sign & Save 80%.”
[Screenshots: Official Olympics Shop and Fake Olympics Shop]
That small wording change reflects the core tactic: inflate discounts to trigger a sense of urgency and bypass skepticism.
Font rendering may be slightly different. Minor layout inconsistencies appear in certain sections. Domain names look similar but are newly registered and unrelated to the official organization.
These subtle discrepancies are easy to miss when a user is focused on a limited-time deal.
Coordinated Scam Infrastructure
This campaign shows clear signs of coordination, and as Labs researcher Andreea Olariu points out, most of the fraudulent domains were registered within days of each other:
www.olympics2026[.]store – created Feb 3
Olympicseu[.]shop – created Feb 9
olympics-sale[.]top – created Feb 9
olympics-hot[.]top – created Feb 9
www.olympics-top[.]shop – created Feb 10
Olympicssportswear[.]shop – created Feb 10
Olympexapparel[.]shop – created Feb 10
Lifestylecollection[.]shop – created Feb 10
www.2026olympics[.]store – created Feb 11
Following the initial detection of the scam advertisements, Olariu observed ongoing domain registrations consistent with the same impersonation strategy. The daily appearance of new lookalike domains indicates an adaptive infrastructure designed to evade detection and extend the campaign’s lifespan.
Most recent domains include:
Olymponline[.]top – created Feb 11
Postolympicsale[.]com – created Feb 11
sale-olympics[.]top – created Feb 11
olympics-save[.]top – created Feb 11
olympicssportswears[.]shop – created Feb 11
olympicsfashionhub[.]shop – created Feb 12
All these domains are flagged as fraudulent by Bitdefender security systems.
In some instances, ads appear to display the official shop preview but silently redirect users elsewhere, for example to www.olympics2026[.]store.
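The registration dates are what tie these sites together, and that link can be checked mechanically. The following is an added example, not Bitdefender's tooling or code from the original article: it parses a subset of the entries listed above and flags each domain by brand token, registration age, and membership in the densest three-day registration window. The year 2026, the 30-day age threshold, the three-day window and all function names are assumptions.

```python
import re
from datetime import date, datetime

# Subset of the entries listed above, kept defanged; separators left uneven on purpose.
LISTED = """\
www.olympics2026[.]store – created Feb 3
Olympicseu[.]shop – created Feb 9
www.olympics-top[.]shop –created Feb 10
Lifestylecollection[.]shop – created Feb 10
Postolympicsale[.]com created Feb 11
sale-olympics[.]top - created Feb 11
"""
LINE = re.compile(r"^(?:www\.)?([a-z0-9-]+)\[\.\]([a-z]+)\W*created\s+([a-z]{3})\s+(\d{1,2})$", re.I)

def parse(text, year):
    """Turn 'name[.]tld – created Mon D' lines into (label, tld, date) tuples."""
    out = []
    for line in text.splitlines():
        if m := LINE.match(line.strip()):
            label, tld, mon, day = m.groups()
            created = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
            out.append((label.lower(), tld.lower(), created))
    return out

def densest_window(entries, days=3):
    """Return (start, members) for the busiest `days`-day registration window."""
    best = (None, [])
    for start in sorted({e[2] for e in entries}):
        members = [e for e in entries if 0 <= (e[2] - start).days < days]
        if len(members) > len(best[1]):
            best = (start, members)
    return best

def triage(entries, observed, brand="olympic", max_age=30):
    """Map each defanged domain to the reasons it deserves a closer look."""
    _, cluster = densest_window(entries)
    report = {}
    for label, tld, created in entries:
        reasons = set()
        if brand in label:
            reasons.add("brand-token")
        if 0 <= (observed - created).days <= max_age:
            reasons.add("newly-registered")
        if (label, tld, created) in cluster:
            reasons.add("registration-burst")
        report[f"{label}[.]{tld}"] = reasons
    return report

if __name__ == "__main__":  # assumed year 2026; observed on the article date
    print(triage(parse(LISTED, 2026), date(2026, 2, 17)))
```

Lifestylecollection[.]shop carries no brand token, so keyword matching alone would miss it; its place in the registration burst is what links it to the rest of the set.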
Newly Created Facebook Pages Running the Ads
Another strong indicator of fraud: the Facebook pages promoting these ads are newly created.
Bitdefender Labs observed that several of these pages were set up on the same day the scam domains were registered. This suggests a rapid deployment model:
Register domain
Clone official website
Create Facebook page
Launch ad campaign
Begin collecting payments
All within a short time window.
Legitimate global brands rarely create brand-new pages and immediately launch aggressive 80% discount campaigns tied to major international events.
The sophistication of the cloning significantly increases the risk. When scam sites mirror official branding almost perfectly, users default to visual familiarity instead of domain verification.
That’s exactly what attackers are counting on.
NewsGuard's Reality Check
newsguardrealitycheck.com
Nov 17, 2025
What happened: In an effort to discredit the Ukrainian Armed Forces and undermine their morale at a critical juncture of the Russia-Ukraine war, Kremlin propagandists are weaponizing OpenAI’s new Sora 2 text-to-video tool to create fake, viral videos showing Ukrainian soldiers surrendering in tears.
Context: In a recent report, NewsGuard found that OpenAI’s new video generator tool Sora 2, which creates 10-second videos based on the user’s written prompt, advanced provably false claims on topics in the news 80 percent of the time when prompted to do so, demonstrating how the new and powerful technology could be easily weaponized by foreign malign actors.
A closer look: Indeed, so far in November 2025, NewsGuard has identified seven AI-generated videos presented as footage from the front lines in Pokrovsk, a key eastern Ukrainian city that experts expect to soon fall to Russia.
The videos, which received millions of views on X, TikTok, Facebook, and Telegram, showed scenes of Ukrainian soldiers surrendering en masse and begging Russia for forgiveness.
Here’s one video supposedly showing Ukrainian soldiers surrendering:
And a video purporting to show Ukrainian soldiers begging for forgiveness:
Actually: There is no evidence of mass Ukrainian surrenders in or around Pokrovsk.
The videos contain multiple inconsistencies, including gear and uniforms that do not match those used by the Ukrainian Armed Forces, unnatural faces, and mispronunciations of the names of Ukrainian cities. NewsGuard tested the videos with AI detector Hive, which found with 100 percent certainty that all seven were created with Sora 2. The videos either had the small Sora watermark or a blurry patch in the location where the watermark had been removed. Users shared both types as if they were authentic.
The AI-generated videos were shared by anonymous accounts that NewsGuard has found to regularly spread pro-Kremlin propaganda.
Ukraine’s Center for Countering Disinformation said in a Telegram post that the accounts “show signs of a coordinated network specifically created to promote Kremlin narratives among foreign audiences.”
In response to NewsGuard’s Nov. 12, 2025, emailed request for comment on the videos, OpenAI spokesperson Oscar Haines said “we’ll investigate” and asked for an extension to Nov. 13, 2025, to provide comment, which NewsGuard provided. However, Haines did not respond to follow-up inquiries.
This is not the first time Kremlin propagandists have weaponized OpenAI’s tools for propaganda. In April 2025, NewsGuard found that pro-Kremlin sources used OpenAI’s image generator to create images of action figure dolls depicting Ukrainian President Volodymyr Zelensky as a drug addict and corrupt warmonger.
Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".
The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.
This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.
To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat."
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.
Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.
This campaign used the URL https[:]//deepseek-platform[.]com.
The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".
A LinkedIn message drew a former waitress in Minnesota into a type of intricate scam involving illegal paychecks and stolen data
Christina Chapman looked the part of an everyday American trying to make a name for herself in hustle culture.
In prolific posts on her TikTok account, which grew to more than 100,000 followers, she talked about her busy life working from home with clients in the computer business and the fantasy book she had started writing. She posted about liberal political causes, her meals and her travels to see her favorite Japanese pop band.
Yet in reality the 50-year-old was the operator of a “laptop farm,” filling her home with computers that allowed North Koreans to take jobs as U.S. tech workers and illegally collect $17.1 million in paychecks from more than 300 American companies, according to federal prosecutors.
In a June 2023 video, she said she didn’t have time to make her own breakfast that morning—“my clients are going crazy,” she said. Then she describes the açaí bowl and piña colada smoothie she bought. As she talks, at least 10 open laptops are visible on the racks behind her, their fans audibly whirring, with more off to the side.
In 2023, Christina Chapman posted a TikTok that had racks of laptops visible in the background. The Wall Street Journal highlighted the laptops in this clip of the video.
Chapman was one of an estimated several dozen “laptop farmers” that have popped up across the U.S. as part of a scam to infiltrate American companies and earn money for cash-strapped North Korea. People like Chapman typically operate dozens of laptops meant to be used by legitimate remote workers living in the U.S.
What the employers—and often the farmers themselves—don’t realize is that the workers are North Koreans living abroad but using stolen U.S. identities. Once they get a job, they coordinate with someone like Chapman who can provide some American cover—accepting deliveries of the computer, setting up the online connections and helping facilitate paychecks. Meanwhile the North Koreans log into the laptops from overseas every day through remote-access software.
Chapman fell into her role after she got a request on LinkedIn to “be the U.S. face” for a company that got jobs for overseas IT workers, according to court documents. There’s no indication that she knew she was working with North Koreans.
A detailed analysis of a multi-stage card skimming attack exploiting outdated Magento software and fake image files.
In today’s post we’re going to review a sophisticated, multi-stage carding attack on a Magento eCommerce website. This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website.
The client was experiencing some strange behaviour on their checkout page, including clients unable to input their card details normally, and orders not going through. They contacted us for assistance. We expected a straightforward case of credit card theft; instead, what we found was a fascinating and rather advanced piece of malware, which we will explore in detail in this post.
Are you willing to hack and take control of Chinese websites for a random person for up to $100,000 a month?
Someone is making precisely that tantalizing, bizarre, and clearly sketchy job offer. The person is using what looks like a series of fake accounts with avatars displaying photos of attractive women and sliding into the direct messages of several cybersecurity professionals and researchers on X in the last couple of weeks.
Key findings
Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. Proofpoint identified a new
In December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft’s monthly Patch Tuesday release. Both vulnerabilities were deemed highly significant due to the widespread use of LDAP in Windows environments:
CVE-2024-49112: A remote code execution (RCE) bug that attackers can exploit by sending specially crafted LDAP requests, allowing them to execute arbitrary code on the target system.
CVE-2024-49113: A denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions.
In this blog entry, we discuss a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (aka LDAPNightmare) designed to lure security researchers into downloading and executing information-stealing malware.
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from…