
A campaign utilizing artificial intelligence has created 15,000 counterfeit TikTok Shop websites that distribute malware and steal cryptocurrency.

Cybersecurity researchers have uncovered a widespread malicious campaign targeting TikTok Shop users globally, aiming to steal credentials and distribute trojanized applications. Threat actors exploit the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware. The core tactic involves creating deceptive replicas of TikTok Shop, tricking users into believing they are interacting with legitimate affiliates or the actual platform. This scam campaign, codenamed ClickTok by the Bahrain-based cybersecurity company CTM360, employs a multi-pronged distribution strategy that includes Meta ads and artificial intelligence (AI)-generated TikTok videos mimicking influencers or official brand ambassadors.

Central to this malicious effort is the use of lookalike domains that resemble legitimate TikTok URLs, with over 15,000 impersonated websites identified to date. The majority of these domains are hosted on top-level domains such as .top, .shop, and .icu. These domains host phishing landing pages designed to either steal user credentials or distribute bogus applications that deploy a variant of known cross-platform malware called SparkKitty, capable of harvesting data from both Android and iOS devices. Additionally, many phishing pages lure users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 has identified at least 5,000 URLs set up to download malware-laced applications disguised as TikTok Shop. The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging and distributing malware. 
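As an added defender-side example (not code from CTM360 or the original article), the sketch below triages hostnames from DNS or proxy logs for TikTok lookalikes on the TLDs named above. The allow-list, the digit-swap table, the function names and every sample hostname are assumptions constructed for illustration.

```python
import re

CAMPAIGN_TLDS = {"top", "shop", "icu"}   # TLDs named in the article
BRAND = "tiktok"
ALLOWED = {"tiktok.com"}                 # assumption: sole legitimate registrable domain
SWAPS = str.maketrans("10", "io")        # assumption: digit-for-letter swaps to undo

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_token(host):
    """Return the first hostname token that contains or nearly spells the brand."""
    for token in re.split(r"[.\-_]", host):
        norm = token.translate(SWAPS)
        near = abs(len(norm) - len(BRAND)) <= 1 and edit_distance(norm, BRAND) <= 1
        if BRAND in norm or near:
            return token
    return None

def triage(host):
    """Return a finding dict for a suspected lookalike, or None."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain (last two labels); use a public-suffix list in production.
    if ".".join(labels[-2:]) in ALLOWED:
        return None
    token = brand_token(host)
    if token is None:
        return None
    return {"host": host, "token": token, "campaign_tld": labels[-1] in CAMPAIGN_TLDS}

# Constructed sample hostnames, as they might appear in DNS or proxy logs.
SAMPLE = ["shop.tiktok.com", "tiktok-shop-deals.top", "t1ktok-mall.shop",
          "tikt0kshop.icu", "tiktok.com.seller-login.top", "tiktoc-store.net",
          "example.org"]

def scan(hosts):
    return [f for f in map(triage, hosts) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `campaign_tld` set to true match both the brand imitation and the TLD pattern reported for this campaign; the rest are brand lookalikes on other TLDs and warrant lower priority.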
