Key Findings

Throughout 2024, Silent Push Threat Analysts have been tracking a threat actor whose activity has noticeably ramped up over the past few months.

Our observations of a few suspicious domains impersonating Etsy led to the discovery of a large-scale phishing and pig-butchering network targeting retail brands, as well as a crypto phishing campaign.

  • The retail phishing campaign extends beyond Etsy, taking aim at major retailers and marketplaces, including but not limited to Amazon, BestBuy, eBay, and Wayfair.
  • The threat actor has been building phishing websites using a popular website template and integrating chat services for its phishing activities.
  • The threat actor behind this “Aggressive Inventory Zombies” retail campaign is also targeting crypto audiences, and the scale of the sites in this network proves it is a substantial effort.
  • Silent Push Threat Analysts gained a substantial source of pivots for this network by collaborating with Stark Industries on takedown efforts for some related campaign infrastructure. Stark Industries shared several dozen other IPs that the threat actor had been using, which helped us flesh out the full extent of these malicious campaigns.
  • Our research can confirm the threat actor has some financial ties to India.

Executive Summary

Silent Push Threat Analysts recently observed a few suspicious domains appearing to impersonate the e-commerce company Etsy—something we initially thought was timely for the 2024 holiday season. Further investigation, however, led us to uncover a large-scale phishing campaign and a crypto phishing network.

We found that the retail phishing campaign extends beyond Etsy and targets major retailers, including, but not limited to, Amazon, BestBuy, eBay, Rakuten, and Wayfair.

The threat actor has been using a popular website template to build phishing websites and appears to primarily conduct phishing activities over chat services integrated into the sites. Based on some sensitive details acquired when testing the phishing process on retail sites, our team can confirm that the threat actor has some financial ties to India.

It’s clear that the threat actor behind this “Aggressive Inventory Zombies” (AIZ) retail campaign is also targeting crypto audiences, and the scale of the sites in this network proves this is a substantial effort.

This blog post begins with our understanding of the AIZ retail network and then provides additional context about the crypto sites and other infrastructure we found.