
Global Cybercrime Networks Exploit Outdated Software, Crypto Hype, and Fake Online Stores to Defraud Users

A series of large-scale, interconnected cybercrime operations has been uncovered, exploiting outdated software, user trust in digital platforms, and the lure of quick financial gains to spread malware and carry out wire fraud.

A joint investigation by NordVPN’s Threat Intelligence team and TechRadar’s security researchers identified three major campaigns driving these activities.

The first campaign focuses on FCKeditor, an obsolete browser-based rich text editor once widely integrated into early content management systems, forums, and administrative dashboards. Although the editor is no longer supported, many prominent websites still run it, making them attractive targets for attackers.

Previously, in February 2024, TechRadar highlighted how “dozens of educational websites” were manipulated through this vulnerability to contaminate search engine results, host phishing pages, and facilitate fraudulent schemes. Security researcher @g0njxa observed attacks targeting institutions such as MIT, Columbia University, Universitat de Barcelona, Auburn University, the University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaiʻi. Government and corporate platforms, including those of Virginia, Austin, Texas, Spain, and Yellow Pages Canada, were also affected.

The root issue lies in a known vulnerability, CVE-2009-2265, which enables directory traversal attacks. This flaw allows remote attackers to place executable files in unauthorized locations. According to the report, cybercriminals have recently exploited this weakness to compromise over 1,300 high-value domains spanning government, corporate, and research sectors. Once infiltrated, these websites are used to distribute malware or redirect visitors to fraudulent e-commerce platforms and phishing portals.
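The flaw class described above, a file-manager connector that lets a client-supplied folder name climb out of the upload directory and drop an executable file, is easiest to understand from the defender's side. The following is an added example, not code from the article, from FCKeditor, or from NordVPN/TechRadar. It shows (1) how an upload handler should resolve a client-supplied folder and file name so that traversal and executable extensions are refused, and (2) a small access-log scan that flags connector requests carrying `..` segments, so a site that still runs an old editor can at least see the attempts. The upload root, the connector path fragment, the query parameter names and the log lines are all assumptions constructed for this example; substitute the values from your own deployment.

```python
"""Defender-side handling of a directory-traversal upload flaw (added example,
not from the article). All paths, parameter names and log lines are constructed."""
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumption: the only directory the editor is allowed to write into.
UPLOAD_ROOT = PurePosixPath("/var/www/html/userfiles")
# Extensions the web server would execute; refused regardless of folder.
EXECUTABLE_EXTS = {".php", ".php3", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".sh"}


def safe_upload_path(current_folder: str, filename: str) -> Optional[PurePosixPath]:
    """Resolve a client-supplied folder and file name under UPLOAD_ROOT.

    Returns the final path, or None when the request would climb out of the
    root, smuggle a separator or NUL byte in the file name, or land a file
    with an executable extension anywhere in its name.
    """
    folder = unquote(current_folder).replace("\\", "/")
    name = unquote(filename)
    if not name or "\x00" in name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    # Every suffix is checked, so "shell.php.jpg" is refused as well as "shell.php".
    if any(s.lower() in EXECUTABLE_EXTS for s in PurePosixPath(name).suffixes):
        return None
    parts = []
    for seg in folder.split("/"):
        if seg in ("", "."):
            continue  # empty and current-directory segments are harmless
        if seg == ".." or "\x00" in seg:
            return None  # never accept a climb, even one that would stay inside the root
        parts.append(seg)
    candidate = UPLOAD_ROOT.joinpath(*parts, name)
    # Second line of defence: the lexical checks above should make this always hold.
    if UPLOAD_ROOT not in candidate.parents:
        return None
    return candidate


# Combined-format request line: method, target and status are all we need.
ACCESS_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: path fragment that identifies the editor's file-manager connector.
CONNECTOR_HINT = "/filemanager/connectors/"
TRAVERSAL_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (method, decoded target, status) for connector requests with '..' segments."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.search(line)
        if not m:
            continue
        # Decode twice: one decode is what the server saw, the second catches %252e tricks.
        target = unquote(unquote(m.group("target")))
        if CONNECTOR_HINT in target and TRAVERSAL_SEGMENT.search(target):
            hits.append((m.group("method"), target, m.group("status")))
    return hits


# Constructed access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2024:12:00:02 +0000] "GET /editor/filemanager/connectors/php/connector.php?Command=GetFolders&CurrentFolder=%2Fimages%2F HTTP/1.1" 200 410',
    '203.0.113.9 - - [10/Feb/2024:12:00:03 +0000] "POST /editor/filemanager/connectors/php/connector.php?Command=FileUpload&CurrentFolder=%2F..%2F..%2F HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(safe_upload_path("images", "photo.jpg"))      # /var/www/html/userfiles/images/photo.jpg
    print(safe_upload_path("../../", "note.txt"))       # None
    print(safe_upload_path("images", "shell.php.jpg"))  # None
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The upload check rejects any `..` segment outright rather than normalising it, because a connector has no legitimate reason to accept a climb; the parent-directory test after joining is kept as a second line of defence. The log scan is a triage aid only: a `200` on a flagged upload request is a reason to inspect the upload directory and the rest of the web root for files that should not be there.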

The second campaign involves a “highly organized” phishing operation designed to trick victims into transferring money. It typically begins with an email claiming a significant cryptocurrency deposit—often 15 bitcoin—has been made into a newly created wallet. Victims receive login credentials and a link that leads to a counterfeit exchange or wallet interface displaying the fake balance.

To access the funds, users are prompted to pay “gas fees” or “taxes.” Any payments made are ultimately stolen by the attackers. Investigators identified more than 100 active domains supporting this scheme.

“This is social engineering at an elite scale,” said Domininkas Virbickas, Product Director at NordVPN. “Criminals are leveraging the allure – and confusion – of cryptocurrency to reinvent old scams in new digital forms.”

The third operation is even more extensive, involving over 800 fraudulent e-commerce websites spanning categories such as fashion, automotive, and health products. Linked to a single Chinese-speaking threat actor, the network uses platforms like WordPress, WooCommerce, and Elementor to rapidly deploy convincing storefronts.

These fake shops promote heavily discounted, limited-time deals designed to create urgency and suppress consumer skepticism. Unsuspecting buyers complete transactions but never receive the promised goods.

“This network demonstrates the industrialization of online fraud,” added Virbickas. “Automation and template-based site creation now allow single actors to manage entire fraudulent ecosystems that mimic legitimate online retail.”

“These ‘shops’ lure victims with unrealistic offers, creating urgency and bypassing consumer skepticism. Indicators of Chinese origin include untranslated Chinese characters and localized file artifacts across the network. NordVPN linked the sites through shared digital fingerprints and discovered consistent hosting under the registrar Spaceship, Inc.,” says Domininkas Virbickas.