GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands
by Sansec Forensics Team
Published in Threat Research − June 02, 2026
Independent researcher Hunter Heaivilin shared with Sansec a Medusa.js-based skimming network of over 4,800 fake .shop storefronts impersonating brands like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, Toyota and many more. All checkouts funnel card data to a single skimmer server in Moldova.

A skimming operation tracked as GorgonAgora is running over 4,800 fake storefronts that impersonate real brands and steal payment data from anyone who checks out. Independent researcher Hunter Heaivilin has been mapping the infrastructure since August 2025, and shared the dataset with Sansec.
The storefronts copy product catalogs scraped from real Shopify stores belonging to hundreds of brands, including household names like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, Toyota, Nike, DJI, Pokemon, Fender, Steve Madden, Acer, Yamaha Motor and AMC Theatres. Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova.
The campaign has been active since August 2025 and is still expanding as of today. urlscan.io currently returns 6,000+ scans matching the network's CSS fingerprint, so the 4,880 storefronts confirmed in the dataset shared with Sansec are a floor, not a ceiling.
Network at a glance
| Property | Value |
|---|---|
| Confirmed storefronts | 4,880+ (.shop TLD) |
| Impersonated brands | hundreds, scraped from real stores |
| Backend | Medusa.js (commerce framework) |
| Skimmer SDK | payment-vanilla.iife.js |
| Skimmer C2 | 80.97.160.51 (AlexHost, Moldova, AS48753) |
| Exfiltration | AES-256-GCM over WebSocket, real-time 3DS relay |
| Active since | August 2025 |
Two backend generations
The operator shipped two distinct backends:
- Generation 1 (~339 stores, January to March 2026) runs every storefront against a single shared Medusa.js database with one publishable API key. That single key fronts 544 scraped brand catalogs across 5 regions. Anyone with the key can enumerate the entire victim catalog from a single endpoint.
- Generation 2 (~4,500+ stores, March 30th onwards) deploys an individual Medusa instance per storefront, each with its own publishable key. The shared-key enumeration vulnerability is gone, but the frontend code, CSS bundle and skimmer infrastructure are unchanged between generations.
Both generations share the same CSS webpack chunk (d482fd41f7f1f379.css) and the same payment-vanilla.iife.js skimmer SDK, which makes the network trivially fingerprintable in spite of the backend re-architecture.
The PaymentVanilla skimmer SDK
Every storefront loads a custom checkout SDK that registers a Medusa payment provider named pp_payment-iframe_payment-iframe. The SDK exposes two global objects on window:
window.PaymentVanilla
window.UserInputMonitor
When a shopper reaches checkout, PaymentVanilla injects a pixel-perfect fake Stripe iframe sourced from the skimmer server at 80.97.160.51. The iframe collects card number, expiry, CVV and billing details. UserInputMonitor watches keystrokes inside the iframe and streams them in real time.
Exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay: when the victim bank returns a 3DS challenge, the operator proxies it back to the shopper through the fake iframe so the transaction completes and the theft stays invisible.
The SDK contains Chinese-language error strings, and the C2 server fingerprints as a BaoTa / aaPanel installation, a Chinese-language hosting control panel popular with operators in that region.
One server, many crimes
The skimmer C2 at 80.97.160.51 is multi-purpose. Its TLS certificate covers 23 domains. The .shop domains on the cert serve the GorgonAgora skimmer infrastructure. The .top domains (batppp*.top, onepay*.top, newpay*.top) host a parallel lottery scam operation that harvests SSNs and bank account credentials from US victims.
The single server runs the entire payment fraud stack: card skimming for GorgonAgora plus SSN and ACH theft for the lottery scams.
Indicators of Compromise
Skimmer infrastructure
80.97.160.51 Primary C2 (AlexHost Moldova, AS48753)
207.246.96.240 Historical C2 (Vultr Los Angeles, decommissioned)
Skimmer SDK
SHA256 (file): e6c60ca4f996b209bbaf7429182d7ed76acf761bb9c1de63486fcb76635fa58c
SHA256 (body): 05f74c23ac2b6b750c3f5ed33c23ef79a086651965695d43d0e0510c32db6efa
Filename: payment-vanilla.iife.js
JS globals: window.PaymentVanilla, window.UserInputMonitor
Provider ID: pp_payment-iframe_payment-iframe
Fingerprints shared across all storefronts
CSS bundle: d482fd41f7f1f379.css
JS chunk: e74951a75cd93e7f.js
Favicon (murmur3 hash): -440889551
Cloudflare SNI: b8ed836d.sni.cloudflaressl.com
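The cross-generation fingerprints above (CSS chunk, JS chunk, skimmer SDK filename) and the SDK's globals and provider ID are easy to turn into a triage check. The following is an added example, not Sansec's or the researcher's tooling: it scans a storefront's HTML for the published indicators, classifies the page, and verifies a fetched SDK body against the published SHA256 values. The sample HTML is constructed for the demo and is not real storefront markup.

```python
import hashlib
import re

# Indicators copied from the IoC section of this article.
IOCS = {
    "css_bundle": ["d482fd41f7f1f379.css"],
    "js_chunk": ["e74951a75cd93e7f.js"],
    "skimmer_sdk": ["payment-vanilla.iife.js"],
    "skimmer_c2": ["80.97.160.51", "207.246.96.240"],
    "provider_id": ["pp_payment-iframe_payment-iframe"],
    "js_globals": ["window.PaymentVanilla", "window.UserInputMonitor"],
}
SKIMMER_SHA256 = {
    "e6c60ca4f996b209bbaf7429182d7ed76acf761bb9c1de63486fcb76635fa58c",
    "05f74c23ac2b6b750c3f5ed33c23ef79a086651965695d43d0e0510c32db6efa",
}
ASSET_RE = re.compile(r'(?:src|href)=["\']([^"\']+)["\']', re.I)

def fingerprint_html(html: str) -> dict:
    """Map each IoC category to the indicator strings found in the HTML."""
    hits = {}
    for category, needles in IOCS.items():
        found = [n for n in needles if n in html]
        if found:
            hits[category] = found
    return hits

def referenced_assets(html: str) -> list:
    """Return src/href URLs so an analyst can see where a hit came from."""
    return ASSET_RE.findall(html)

def classify(html: str) -> str:
    """Either fingerprint shared by both backend generations is a strong match."""
    hits = fingerprint_html(html)
    if "css_bundle" in hits or "skimmer_sdk" in hits:
        return "gorgonagora"
    return "suspicious" if hits else "clean"

def script_is_known_skimmer(script_body: bytes) -> bool:
    """True when a fetched SDK body hashes to one of the published SHA256 values."""
    return hashlib.sha256(script_body).hexdigest() in SKIMMER_SHA256

# Constructed sample for the demo; not real storefront markup.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="/static/css/d482fd41f7f1f379.css">'
    '<script src="/static/chunks/e74951a75cd93e7f.js"></script>'
    '<script src="/static/payment-vanilla.iife.js"></script>'
)

if __name__ == "__main__":
    print(classify(SAMPLE_HTML), fingerprint_html(SAMPLE_HTML))
```

Feed it the HTML of a urlscan.io result or a fetched page; a C2 or provider-ID hit without the CSS chunk is worth a manual look rather than an automatic verdict.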
Live skimmer domains on the C2 TLS certificate
Sample fake storefronts
A handful of the 4,880 confirmed storefronts, picked to show the brand impersonation pattern:
Recommendations
Shoppers. If you bought from any domain in the IOC list above, or from a storefront that does not match a brand's real website, treat the card as compromised and request a replacement. Watch for unfamiliar domains in checkout receipts, payment confirmations and bank statements.
Brand owners. Search urlscan.io for storefronts cloning your catalog. The operator scrapes product data and imagery directly from real Shopify stores, so trademark and DMCA takedowns are usually straightforward once a clone is identified.
Credit
This research was carried out by independent researcher Hunter Heaivilin (hunter@supersistence.org), who mapped the network and assembled the IOC dataset.