How Independent Merchants Can Fight Back Against E-Commerce Fraud Networks: A Practical Guide
TL;DR: Fraud networks scrape billions of product images using automated bots. They're too big for traditional enforcement. I'm fighting back by swapping my product images with warning graphics that poison their entire pipeline. If enough merchants join, we can make automated scraping unprofitable. Here's how.
An Independent Artist Refuses to Accept Consequences Without Action
I'm El, the neurodivergent human behind ElRat Designs. I hand-print T-Shirts and original art, I make merch for Kristin Hersh and her bands to help pay for studio time, and like thousands of other independent merchants, I discovered my products were being scraped and sold on fraud sites across the internet. Most merchants file DMCAs and move on... unfortunately, my head doesn't work like that. I have ASD and I just cannot let it go. I needed to do something... and luckily I found a practical way to make myself feel better about it.
What I discovered changed how I think about the fightback: the fraud networks are greedy and lazy... they are massive, automated, and completely blind. And that blindness is their fatal weakness.
If you're gonna picnic from my site, expect shit sandwiches!
Shit sandwiches, served fresh
ElRat warning graphic live on a fraud site
📊 The Scale Is Staggering (And You're Probably Already Scraped)
The Numbers Are Almost Incomprehensible
This is what I learned recently...
A new phishing website emerges every 20 seconds. In just the first quarter of 2025, the Anti-Phishing Working Group identified over 1 million unique phishing attack sites. That's not total sites - that's new sites in three months.
Web scraping bots make up 46% of all web traffic. Nearly half of all internet activity is automated theft. Your products, your images, your descriptions - they're being scraped right now, as you read this.
What I found when I fell down the Rabbit Hole:
- 356,147 stolen products in ONE category on ONE fraud site
- Millions of products per site, tens of millions across networks
- Billions of fake listings created from scraping the entire internet
This isn't targeted theft. This is indiscriminate automated scraping that converts ANY image on the internet into a fake product listing. I've found WikiHow tutorial screenshots being sold as products for €60. New York Times recipe photos. Astrophotography images. If it's an image with text nearby, the algorithm turns it into a product - no human oversight, no logic checking, just scrape and publish.
It is my wholehearted belief that everyone has been scraped. Even if you haven't seen your products on fraud sites, odds are they're there. If you have images online, they've likely been scraped. The only question is whether you know it yet.
The Financial Devastation
The global losses are crazy:
- $206 billion projected losses to online payment fraud by 2025
- $48 billion lost annually by e-commerce companies to fraud
- $442 billion in total consumer losses to scams in a single year (likely underreported)
- £9.2 billion per year lost to IP theft in the UK alone
For small and medium enterprises like mine - and probably yours - the impact is devastating:
- IP theft causes a 16% reduction in sales growth for SMEs (compared to just 2% for large businesses - eight times worse)
- Over half of companies lose 6% of revenue to content scraping alone
- For independent merchants, that's the difference between surviving and closing
Who Gets Hit Hardest
No one is immune, but some sectors are hit harder than others:
- 91% of UK higher education institutions experienced cyber breaches in the last 12 months
- 85% of further education colleges were similarly compromised
- 68% of educational institutions had their organisation impersonated online
- One in three report experiencing attacks at least weekly
Even the British Museum - one of the world's most prestigious institutions - is being used as fraud infrastructure (more on that later). If they can be compromised, anyone can.
Why Traditional Enforcement Can't Keep Up
This is an automated scam designed to avoid traditional takedown methods, and it moves faster than any enforcement mechanism:
- Average time from vulnerability discovery to public exploit: 2.4 days
- Fraud sites migrate domains every 24-48 hours to evade takedowns (I have seen them migrate even faster than this)
- Exploiting unpatched software now accounts for 20% of all breaches
By the time you file a DMCA takedown, they've already moved to a new address. I've watched a fraud site migrate twice in 12 hours while searching for my stolen content. Traditional enforcement is playing a game it cannot win... in fact... judging by what happened when I tried to report this... law enforcement isn't even trying to play the game.
We need a different approach - one that exploits their structural weaknesses instead of chasing their endless domain rotations... and we need to do this for ourselves... because nobody is coming to do this for us.
That's what this blog post is about.
Why the big platforms won't save us
Meta Profits $16 Billion Annually From Scam Ads... And They Know It
A Reuters investigation published in November 2025 exposed the shocking scale of Meta's complicity in the global fraud economy. Internal company documents reveal that Meta knowingly profits from scammers while providing only theatrical enforcement.
The Numbers Don't Lie
- Meta projected 10% of its 2024 revenue ($16 billion) would come from scam ads and banned goods
- 15 billion scam ads per day on Facebook, Instagram, and WhatsApp
- An additional 22 billion organic scam attempts per day (free posts, Marketplace, messages)
- 37 billion total scam attempts shown to users every day
- Meta earns $7 billion annually just from "higher risk" scam ads (the obviously fraudulent ones)
The "Enforcement" Theatre
- Meta only bans advertisers if 95% certain they're committing fraud
- Below that threshold? They charge scammers premium rates instead of blocking them
- Small advertisers get 8 strikes before being banned
- "High Value Accounts" (big spenders) can rack up 500+ strikes without being shut down
- Meta ignored or rejected 96% of valid user scam reports
- Their "improvement" goal? Only ignore 75% of reports
It's Not a Bug, It's the Business Model
The Business Strategy: Internal documents show Meta's leadership decided to "act only in response to impending regulatory action" rather than voluntarily protecting users. They've set revenue guardrails limiting how much money they're willing to lose fighting scams (0.15% of revenue, or about $135 million out of $90 billion in H1 2025).
Meta anticipates up to $1 billion in regulatory fines - but that's nothing compared to the $3.5 billion they earn every six months just from high-risk scam ads. As one internal document noted: fines will be "much smaller than Meta's revenue from scam ads."
Real People, Real Losses
The article details a Canadian military recruiter whose hacked Facebook account was used to run crypto scams. Despite 100+ reports from dozens of people, Meta did nothing for a month. By the time they acted, four victims had been defrauded of $65,000+, with funds traced to Nigeria and deemed unrecoverable.
A former prosecutor stated: "I don't know I've ever seen something taken down as the result of a single user report."
Why This Matters to Independent Merchants
This investigation proves what small merchants already know: platforms profit from fraud and have no incentive to stop it. When Meta's own internal review admits "it is easier to advertise scams on Meta platforms than Google," that's not negligence - it's deliberate business strategy.
The fraud networks stealing products from independent merchants like ElRat Designs are part of this massive ecosystem. Meta makes billions enabling scammers while merchants are left to fight back alone.
Read the full Reuters investigation: Meta is earning a fortune on a deluge of fraudulent ads, documents show
Special thanks to Adam @ StoreLock for sharing this investigation.
Amazon, the Biggest Scrapers of Them All??
Just when you think you've seen the worst of e-commerce scraping, a trillion-dollar company decides to show everyone how it's really done.
In early 2025, Amazon quietly launched "Project Starfish" - an initiative to scrape over 200,000 independent online stores and map their entire product catalogues to Amazon's systems. By January 2026, merchants across Reddit and social media were discovering their Shopify stores had been scraped without consent, with products appearing in Amazon's "Shop Direct" and "Buy For Me" programs.
The Mechanics Are Identical to Fraud Networks
Amazon's approach uses the exact same methodology as the fraud scraper networks:
- Automated scraping of publicly accessible product pages
- Theft of product photography (your copyrighted images)
- Theft of product descriptions (your creative writing)
- Theft of pricing data to compete with you
- AI-generated listings with frequent errors and inaccuracies
- No consent required - opt-out model only
The only difference? Amazon has lawyers and calls it "innovation" instead of fraud.
The "Buy For Me" Proxy Scam
Amazon's "Buy For Me" feature is particularly insidious. When a customer finds your product on Amazon (via their scraped listing), Amazon acts as a proxy buyer - purchasing from your store at full retail price, then reselling to the customer while keeping the customer relationship and data. You fulfill the order, Amazon keeps the customer.
Amazon's own help documentation admits: "When you're redirected to a brand's website, we don't share any information about you with the brand." Translation: We keep your customer. You're just the warehouse.
The Evidence: Merchants Speak Out
In late December 2024, merchants began discovering their entire product catalogues appearing on Amazon without consent. Modern Retail documented multiple cases of brands - many of whom explicitly avoided selling on Amazon - finding their products listed through "Buy For Me."
The problems merchants reported:
- AI-generated errors: A vinyl sticker listing displayed a photo of pants the merchant never sold
- Out-of-stock products: Customers ordering items that no longer existed on the original website
- Wholesale pricing exposed: Password-protected wholesale catalogues scraped and made public
- Tax liability issues: Tax-exempt wholesale orders accessible to retail customers
- Shell listings remain: Even after opt-out, jumbled SEO keyword listings stay live, diverting traffic
- Strained business relationships: Wholesale partners accusing merchants of violating Amazon exclusion clauses
- Entire catalogues scraped: One brand discovered 4,000 products listed without permission
One merchant's self-reporting survey received 145 responses from brands believing their products were listed without consent. Impacted brands include those using Shopify, WooCommerce, and Squarespace - Amazon scraped across multiple platforms.
As one merchant put it: "It's just another level of stress that none of us small businesses need. Amazon knows we have such little room to punch back on this."
Read the full investigation: Modern Retail - Brands are upset that 'Buy For Me' is featuring their products on Amazon without permission
The Ultimate Hypocrisy
In November 2024, Amazon sent a cease-and-desist letter to Perplexity AI over its browser that lets users find and buy items on Amazon, stating that third-party shopping agents should "operate openly and respect service provider decisions" on whether or not to participate.
Meanwhile, Amazon was actively scraping over 200,000 independent stores without consent, using the exact opt-out model they condemned when applied to their own marketplace.
Amazon's position is clear: scraping Amazon is theft. Amazon scraping you is "innovation."
The Protection Racket
To "protect" your brand from Amazon's own scraping programs, Amazon recommends:
- Amazon Brand Registry - requires expensive trademark registration (£170+ UK, $350+ US per region)
- Amazon Transparency Program - requires unique barcodes on every product
- Selling on Amazon - giving them a cut of every sale
In other words: pay Amazon for protection from Amazon's scraping. Classic extortion model.
How to Opt Out (Because Apparently You Have To)
Unlike legitimate search engines that respect robots.txt and provide clear opt-out mechanisms, Amazon requires you to email them directly:
Email: branddirect@amazon.com
Subject: Formal Opt-Out from Amazon Project Starfish / Shop Direct / Buy For Me Programs
Include: Your domain name(s), brand name, and explicit opt-out request for all scraping programs
Demand written confirmation within 14 days. Document everything.
Why This Matters for Independent Merchants
Amazon's "Project Starfish" proves that scraping isn't just a problem with shady fraud networks operating from anonymous servers. The biggest threat to independent e-commerce can come from the most powerful companies in the world, wrapped in the language of "customer service" and "innovation."
When a trillion-dollar corporation uses the exact same tactics as the fraud networks - automated scraping, content theft, opt-out models, proxy purchasing - but faces no consequences because they have legal teams and call it a "test program," the message is clear: the system is designed to protect the powerful, not the independent creators.
This is why merchant-led resistance matters. Whether it's a Chinese fraud network or Amazon itself, the principle is the same: your creative work, your photography, your product descriptions are YOUR intellectual property. No one has the right to scrape it, use it, and compete with you - regardless of their market capitalisation.
What ElRat Designs Did
On 6th January 2026, I sent a formal opt-out email to Amazon covering both elratdesigns.co.uk and elratdesigns.com, explicitly refusing consent for all "Project Starfish" initiatives including Shop Direct, Buy For Me, and any AI-driven catalogue mapping.
I will not register my brand with Amazon. I will not pay for trademarks to "protect" myself from Amazon's scraping. I will not participate in their ecosystem.
I opted out. Every independent merchant should do the same.
🏛️ Even The British Museum is Unwittingly Part of the Fraud Infrastructure...
Because they didn't Patch a Known Vulnerability on their Website
In early January 2026, I discovered something that perfectly demonstrates how complacency enables fraud networks: the British Museum's website was being used as fraud infrastructure because they failed to patch a known vulnerability.
British Museum's African Rock Art virtual tour exploited as referrer - January 2026
Here's what I found:
While doing one of my regular searches for stolen content, I discovered a referrer link on a compromised site that even made me look twice, after everything I've seen: a Krpano redirect running from the British Museum's official website (britishmuseum.org), specifically the African Rock Art virtual tour. When clicked, I was redirected to a fraud site selling stolen products.
This is the referrer/redirect system in action:
- Google indexes the British Museum page (a legitimate, trusted domain)
- The page contains hidden redirect code (exploiting a known vulnerability)
- Users click what looks like a British Museum link in search results
- They're immediately bounced to a fraud site selling stolen scraped content
- The fraud site never appears in Google - only the Museum's trusted domain does
The British Museum, facilitating art theft since 1759 - Krpano redirect in action
🎶 Throwing Muses - "Cherry Candy 2" instrumental, from the album Purgatory/Paradise
The vulnerability: The British Museum's website uses Krpano virtual tour software with a known, documented security flaw that allows attackers to inject redirect code. This vulnerability has been public knowledge for years, with patches available.
This is a failure on the part of the Museum. They failed to update their software, leaving a known security hole open for fraud networks to exploit.
You can read more about the exploit on The Hacker News
The Complacency Problem
This is a massive part of why fraud networks thrive: organisations - even prestigious institutions with significant resources - simply don't prioritise security updates. They treat patching known vulnerabilities as optional maintenance instead of critical infrastructure protection.
Organisations know about the vulnerabilities and choose not to act *OR* they are simply not keeping up with the problem and running checks on their software.
If the British Museum - with its resources, technical staff, and public responsibility - can't be bothered to patch known security holes, what hope do smaller organisations have?
But it's not about resources... It's about priorities.
The fraud networks cannot run without referrers, and if they are trusted institutions and websites, then all the better, because:
- They rank higher in Google search results
- Users trust them and click without hesitation
- Google's algorithms give them credibility
- They provide perfect cover for the actual fraud sites
And they can target them because those domains are full of unpatched vulnerabilities.
As of January 2026, this vulnerability is still active. The British Museum's website continues to serve as fraud infrastructure, funnelling traffic to scam sites, enabling criminals, damaging trust in online commerce.
This complacency toward security is exactly why fraud networks operate at the scale they do. If organisations just acted on known exploits as a matter of course, if they treated security updates as critical rather than optional, this wouldn't be the problem it is, on the scale that it is.
The Ripple Effect
When the British Museum's website becomes fraud infrastructure:
- Customers get scammed
- Merchants lose sales
- Trust in online commerce erodes
- Fraud networks profit
Real people lose real money when they buy from these places.
The Krpano/Panorama Viewer Example (Not a Krpano‑Only Problem)
Many of the referrer sites involved in these scams are legitimate websites that have been quietly compromised through known exploits. One very common example I’ve encountered recently involves Krpano panorama / virtual tour software, where vulnerabilities allow attackers to inject hidden outbound redirect links into otherwise trustworthy sites.
To be clear: this is not a “Krpano problem” specifically.
Krpano is simply a high‑visibility example of a broader issue... attackers abusing neglected or forgotten components on real websites to launder trust and push scam traffic through Google.
Think of it this way: These scammers didn't build their own roads; they hacked the back doors of legitimate small businesses and institutions (like cafes/museums/universities/local government websites with 360° virtual tours) and used those doors to sneak their scam links onto Google.
If you run a website with panorama viewers, virtual tours, or 360° photography:
- Check if you're running the latest security patches for Krpano or similar software
- Search your site for unexpected outbound links
- Monitor your site for unauthorised changes
- If you discover you've been compromised, you're a victim too - patch immediately and report
If you run ANY website (This is far bigger than Krpano):
- Keep all plugins and themes updated
- Regularly audit for unauthorised code injection
- Use security monitoring tools
Use the "Black Light" test:
Randomly use a site search to check for breaches: site:[mysite-url] "keyword"
("signed" works well for this - a bunch of random results means you are breached). Just as a black light shows hidden stains, this search shows the hidden "stains" left by hackers... regardless of which exploit they used.
Some referrer sites are complicit, but most are just poorly-maintained websites that got hacked. If you're a site owner reading this because your domain appeared in fraud networks, you need to patch your vulnerabilities.
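One way to run the "search your site for unexpected outbound links" check over saved copies of your own pages, as an added example that is not from the original post. The host names, allow-list and sample page are constructed for illustration, and it goes slightly beyond plain links by also covering iframes, scripts, form actions and meta-refresh redirects.

```python
"""Audit HTML from your own site for references to hosts you do not recognise."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that can send a visitor (or their browser) to another host.
URL_ATTRS = {"a": "href", "area": "href", "iframe": "src",
             "script": "src", "form": "action", "link": "href"}
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


class OutboundCollector(HTMLParser):
    """Collects (tag, absolute URL) for every reference found in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.refs.append((tag, urljoin(self.page_url, attrs[attr].strip())))
        # <meta http-equiv="refresh"> redirects without any click at all.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = META_REFRESH_URL.search(attrs.get("content") or "")
            if match:
                self.refs.append((tag, urljoin(self.page_url, match.group(1))))


def host_allowed(host, allowed):
    """True if host is an allowed host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_page(page_url, html, allowed_hosts):
    """Return (tag, host, url) for every http(s) reference to an unlisted host."""
    allowed = {h.lower() for h in allowed_hosts}
    own = urlparse(page_url).hostname
    if own:
        allowed.add(own.lower())
    collector = OutboundCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel:, javascript: and similar are out of scope
        if not host_allowed(parsed.hostname, allowed):
            findings.append((tag, parsed.hostname, url))
    return findings


# Constructed sample: a virtual-tour page with three injected references.
SAMPLE_PAGE_URL = "https://tours.museum.example/rock-art/index.html"
ALLOWED_HOSTS = ["museum.example", "viewer-vendor.example"]  # hosts you expect
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/tour.css">
<script src="https://cdn.viewer-vendor.example/viewer.js"></script>
</head><body>
<a href="/visit">Plan your visit</a>
<a href="https://www.museum.example/shop">Shop</a>
<a href="//cheap-tees.shop.example/item?id=1" style="display:none">signed t-shirt</a>
<iframe src="https://cheap-tees.shop.example/frame"></iframe>
<meta http-equiv="refresh" content="0; url=https://cheap-tees.shop.example/">
<a href="mailto:info@museum.example">Email</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"unexpected <{tag}> reference to {host}: {url}")
```

This only sees what is in the HTML you feed it: content injected through a URL parameter at request time shows up only if you save the page from the exact URL that appears in the search result.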
Another Krpano redirect, this time on the University of Edinburgh website. Here it is showing a stolen ElRat Designs product, my Be the Strange T-Shirt.
This is the page being redirected to; it was already showing my stolen content warning graphic when I discovered it through the referrer/redirect.
⚠️ NOTE: Krpano is by no means the only exploit; there are many that I have seen. This one is just extremely common.
How I Found Mine and discovered a way to fight back.
I make regular searches for stolen content. So, during one of my regular searches I found a couple of links that were on really odd URLs: one was a Polish rescue centre, one was a Taiwanese site. Both linked to separate fraud sites with my stolen content... So I started making some random searches, and I discovered a tonne of random addresses being used as referrer/redirects for scam websites. I fell down this huge Rabbit Hole.
Redirect domains visible in Google search - my products should not be on these domains
University of Tasmania and Singapore Management University being exploited to redirect to fraud sites selling ElRat Designs products
More compromised referrer sites in search results
Andrews University and Hotel Intercontinental Warszawa - my products should not be appearing on these domains
Once you have a redirect domain, THEN you can search: site:[redirect-url] "keyword"
But to find your own content requires patience and some unusual search terms that are unique to your brand. Most merchants won't find their stuff this way unless they have unique items, branding... or get lucky.
Try it yourself: If you find a weird URL in your search results that redirects to a shop, copy that original weird URL and search Google for: site:weird-url.com "Your keyword/brand". This often reveals other scraped content.
Oh... the cheeky bastards are hotlinking...
This was a big moment, when I actually realised not only are these my images... but they are literally my images... my images, on my site, being served to these scam sites.
Inspect element revealing the hotlink - they're serving my CDN files directly
The fraud site is loading images straight from cdn.shopify.com/s/files/1/0791/7751/5337/ - my store's CDN
Close-up of the hotlink in action
Same CDN URL, still pulling directly from my Shopify store
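The inspect-element check shown in the screenshots, automated over a saved copy of a suspect listing page (an added example, not part of the original post). It uses the store CDN prefix quoted above; the suspect URL, file names and HTML are constructed, and the attributes it reads (src, data-src, srcset, og:image) are an assumption about where image URLs usually sit.

```python
"""List which of your CDN files a suspect page loads directly (hotlinks)."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImageRefCollector(HTMLParser):
    """Collects absolute image URLs from img/source tags and og:image."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def _add(self, raw):
        if raw and raw.strip():
            self.urls.append(urljoin(self.page_url, raw.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "source"):
            self._add(a.get("src"))
            self._add(a.get("data-src"))  # common lazy-loading attribute
            for key in ("srcset", "data-srcset"):
                # srcset is "url width, url width, ..."; keep only the URL part
                for candidate in (a.get(key) or "").split(","):
                    parts = candidate.split()
                    if parts:
                        self._add(parts[0])
        elif tag == "meta" and a.get("property") == "og:image":
            self._add(a.get("content"))


def find_hotlinks(page_url, html, cdn_prefix):
    """Map each file name under cdn_prefix to the distinct URLs that load it.

    cdn_prefix is host plus path without a scheme, e.g.
    "cdn.shopify.com/s/files/1/0791/7751/5337/".
    """
    collector = ImageRefCollector(page_url)
    collector.feed(html)
    hits = {}
    for url in collector.urls:
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        location = parsed.hostname.lower() + parsed.path
        if location.startswith(cdn_prefix):
            # Query strings (?v=..., width=...) vary; the file name does not.
            hits.setdefault(posixpath.basename(parsed.path), set()).add(url)
    return {name: sorted(urls) for name, urls in sorted(hits.items())}


MY_CDN_PREFIX = "cdn.shopify.com/s/files/1/0791/7751/5337/"  # prefix from the post
SUSPECT_URL = "https://scamsite.shop.example/products/item-1"  # constructed
# Constructed sample markup; the file names are made up for the example.
SUSPECT_HTML = """
<meta property="og:image"
      content="https://cdn.shopify.com/s/files/1/0791/7751/5337/files/be-the-strange.jpg?v=1">
<img src="//cdn.shopify.com/s/files/1/0791/7751/5337/files/be-the-strange.jpg?v=1&amp;width=600"
     srcset="//cdn.shopify.com/s/files/1/0791/7751/5337/files/be-the-strange.jpg?v=1&amp;width=300 300w,
             //cdn.shopify.com/s/files/1/0791/7751/5337/files/be-the-strange.jpg?v=1&amp;width=600 600w">
<img data-src="https://cdn.shopify.com/s/files/1/0791/7751/5337/files/50-foot-wave.png">
<img src="/assets/logo.png">
<img src="https://cdn.shopify.com/s/files/1/0000/0000/0001/files/other-store.jpg">
"""

if __name__ == "__main__":
    for name, urls in find_hotlinks(SUSPECT_URL, SUSPECT_HTML, MY_CDN_PREFIX).items():
        print(f"{name}: hotlinked via {len(urls)} URL(s)")
```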
Well... fuck that... I'll just swap them then... and that's what I did, to see what happened... and what happened was, they started displaying my stolen content warning, not only that, when they migrated, they took it with them... AND... I started finding sites that I had never seen before, already displaying my stolen content warnings.
After the swap - same hotlink URL, different image
The fraud site is now serving my warning graphic instead of the product image - same CDN URL, swapped file
Before the swap
Fraud site displaying my stolen product image
After the swap
Same fraud listing, now displaying my stolen content warning - protecting customers in real-time
That's when I started to think about what would happen if other merchants did this as well.... if 100s of us did this.... we could protect our own IP and protect our customers, and all it takes is a little time and effort.
🚨 Chrome Now Flags *Some* of These Sites as Phishing
In 2025, Chrome has started displaying full red warning screens for many of these fraud sites, specifically flagging them for phishing - "recently found phishing" according to Google Safe Browsing.
The warning states: "Phishing sites pretend to be other sites to trick you."
This is EXACTLY what these fraud networks do - they pretend to be legitimate merchants using stolen images and AI-rewritten product descriptions to trick customers into handing over money and personal information.
Chrome's red warning screen identifying fraud sites
Browser-level protection triggered by warning graphics and fraud patterns - 2025
What's Behind the Increased Detection
Several major security improvements have made these warnings more frequent and effective:
- Real-Time Threat Detection (March 2024): Google upgraded Safe Browsing to work in real-time instead of relying on locally stored lists that updated every 30-60 minutes. Since the average malicious site exists for less than 10 minutes, this real-time checking has resulted in about 25% more phishing blocks.
- AI-Powered Detection: Google has integrated AI into Safe Browsing to detect previously unknown threats and identify malicious patterns like tech support scams and fake warnings.
- Core and Spam Updates: Throughout 2025, Google has rolled out updates designed to penalise websites using spammy practices like cloaking and misleading redirects.
- Active Vulnerability Patching: Chrome has released multiple security updates addressing high-severity vulnerabilities being actively exploited.
It's Good... But It's not the Solution
The good news: Browser security is starting to catch up to what Google AI already knows. Some fraud networks are being actively flagged for impersonating legitimate merchants, and customers are getting protected before they even see the product listings.
The warning graphics strategy may be contributing to this detection. By embedding visible 'Scam Warning' labels directly into my product images, I'm feeding the scrapers' own AI. When their system scrapes my warning image, Google's AI sees that warning on the fraud site and may flag the entire domain for phishing even faster.
But... just because a site doesn't show a warning screen, that doesn't mean it's safe.
The detection isn't comprehensive:
- Many fraud sites still slip through without warnings
- Sites using cloaking techniques can evade detection
- New domains aren't flagged until they're reported and reviewed
- The fraud networks rotate domains faster than detection can keep up
- Customers can still reach fraud sites that haven't been flagged yet
This is a beginning - an attempt to get on top of the problem - but it's not a complete solution. The combination of warning graphics + AI recognition + browser phishing detection creates a multi-layered defense, but fraud networks are still operating, still stealing content, and still scamming customers.
We can't rely on platforms to protect us. We have to be responsible for checking where we choose to buy... we have to protect ourselves... and it's not as difficult as you might think to make yourself safer when buying online.
How the Automation Actually Works (And Why It's Vulnerable)
Here's what I worked out about how these fraud networks operate:
- Algorithm scrapes images from anywhere on the internet
- Grabs nearby text (page title, headings, descriptions) to use as product name and description
- Auto-generates listing with random price (often showing a fake sale price), fake stock status, fake reviews (4.0-5.0 stars)
- AI sometimes rewrites descriptions to evade simple plagiarism detection while keeping your key selling points
- Publishes immediately with zero human oversight
- Indexes through referrer network to hide from direct searches
There is no human checking what goes live. The algorithm doesn't understand WHAT it's scraping, just: image exists + text nearby = create product listing.
This is why WikiHow screenshots become products. This is why recipe photos become products....
This is why warning graphics work... they're not looking... they are scraping and listing and there is no possibility to manually check millions of products to see what's there... and they don't care what's there, so long as there are things that make them money.
The AI Rewrite Evolution
Recently, I discovered fraud sites using AI to rewrite my product descriptions. They're not just copying text anymore - they're running it through AI to paraphrase just enough to evade text-matching detection while keeping all my emotional hooks, brand story, and selling points.
I found one site with my 50 Foot Wave shirt that had rewritten my description but kept phrases like "hand-printed original by ElRat Designs," "creative collaboration between ElRat and Hersh," and even "Support Independent Artists" - while actively stealing from an independent artist. The cheeky fuckers.
But... even though the description is rewritten, and I have never seen that website before... they're still displaying my warning graphic... because the automation doesn't check. The AI rewrites prove that text-based honeypots (like hidden "this content is stolen" messages) are becoming less effective, but visual warnings remain powerful because they force the scraper's server to refresh and display the new image immediately.
It should be said that not all scam sites hotlink images, but these massive scale scraper sites do. It's the only way that it can work at the scale it does... if they had to host those millions of images, the costs would be huge...
⚠️ IMPORTANT: Customer Protection Tips
There are a lot of scams on the internet, but there are some simple things you can do to protect yourself.
Always check your links! Before you buy anything online:
- Look at the URL you're clicking in search results
- Check the URL of the page you actually land on
- If they don't match - that site you landed on is possibly a scam
Legitimate sites don't need to hide behind redirects. If you clicked a link for one domain and landed on a completely different domain, close that tab and report it.
Things that might point to the site being a scam
- Difficulty searching for other items: Usually the internal site search doesn't work
- Placeholder text left unchanged: Things like [insert your own text] or [Lorem Ipsum]
Red flag: Placeholder text left unchanged
This fraud site still shows "Suggested text" from the template - a clear sign of lazy automation
- Unrelated product images: Most websites have a style that runs through the products and images. These sites scrape from everywhere, and if you're looking for it, you can probably see it
- Mismatched watermarks on images: If you are on scamsite.shop and you see watermarks for legitimatesite.com that's a clear indicator of scraper sites
Original content on canadiangraphiti.com
Same images stolen and sold on fraud site gaer896
If you see watermarks that don't match the domain, check the original address. There can only be one of these - look at the certificate number. Price looks cheaper on the scam site, but you get nothing.
Thanks to Canadian Graphiti for letting me use these screenshots.
- Mismatched web addresses or email addresses: Check the privacy policies, about us pages... look for things that make no sense. These sites are lazy, they are cloned and move URLs constantly... often the addresses in the policy pages are left unchanged
Red flag: Support email doesn't match the domain
Contact email uses a completely different domain than the store URL - plus more template placeholder text and random word strings
Red flag: Random word strings and template artifacts
Gibberish text and unfinished template sections - signs of automated scraping with no human oversight
Most Importantly, be vigilant: don't rush, look for problems before you click buy, and if you are unsure, contact the site and ask questions, see if they respond, and see if the response sounds human, and makes sense.
The Warning Graphics Strategy: A Virus of Endless Warnings
If the automation is blind, we can poison it with warning images:
I created warning graphics with my ElRat logo and text: "THIS SITE IS DISPLAYING CONTENT STOLEN FROM ELRATDESIGNS.CO.UK - DO NOT BUY - REPORT THIS SITE"
Then I systematically swapped my product images with these warning images. Initially just the ones I found stolen, then as the scale became apparent, I did all my best selling/best known products; I am now working on everything else. I will also be swapping out my blog post images. The fraud sites scrape them automatically and publish them without checking.
I also used this as an opportunity to add a watermark to all my replacement images, so that when they inevitably do get re-scraped, at least they advertise my site while I get around to swapping them again.
Eventually every one of my stolen product listings will be a giant warning telling people not to buy.
I think of it as a virus of endless warning images - not a traditional virus, but one that the fraud networks carry around with them. When they migrate to new web addresses, they take the warnings with them because the referrer redirects remain the same, and the cloned content on the stores remains the same.... They can't just disappear by changing domains.
Can't I just change the url and break the listing that way?
No, I tried this with a blank shirt image, and it didn't force the scam site cache to refresh, that blank image shirt was still displaying days later... but when you swap the image, the cache refreshes within a minute or so... you get to see your stolen product listing broken straight away... and it never gets old.
Proof It Works
- Google AI now recognises my warning graphics as fraud indicators... when you show Google AI a fraud site with my graphics, it immediately identifies it as fraudulent, names elratdesigns.co.uk as the legitimate source, and recommends not buying
- Google Lens becomes a whistle-blower: Google's Circle to Search and Google Lens in 2025 can read text inside images. If a customer uses Google Lens to find a cheaper version of your product and lands on a scam site, the AI will read the text in your warning graphic and identify it as a scam. This creates a loop where the scraper's primary discovery tool (visual search) becomes its own whistle-blower.
- Chrome now flags many fraud sites for phishing with full red warning screens identifying them as sites that "pretend to be other sites to trick you"
- Warning graphics propagate across the entire network - once scraped, they spread to multiple fraud sites automatically. I've found my warnings on sites I've never even seen before
- Customers are protected in real-time - even with AI-rewritten descriptions, the warning graphic stops transactions
- Over 900 warning images are now circulating - and I'm still adding more as I work through my entire catalogue
Most Importantly: My IP is protected, and people won't be scammed on these sites using my name
How This Works on Shopify (Platform-Specific Reality)
I run my store on Shopify, and I've learned through conversations with Shopify technical support that image swapping is currently the only effective method available to Shopify merchants.
We do not have access to CDN logs:
- No server log access: Shopify merchants cannot see where hotlinking is happening or track referrer sources
- No .htaccess access: We can't implement server-side redirects or traditional hotlink protection
- Image swapping forces immediate refresh: I tested changing image URLs to break listings, but the scraper's server didn't refresh and continued displaying the original image. Only swapping the actual image file forces their server to refresh immediately. Scrapers often cache the URL link. When you swap the image at the source URL, you're effectively overwriting their cache - forcing them to display your warning graphic instead of their cached version.
- Shopify is working on it: I spoke to Shopify technical support who confirmed they're looking at offering merchants hotlink protection tools, but there's no timescale. Until then, image swapping is our only option.
Bandwidth concerns are irrelevant - the bandwidth is consumed whether you swap the images or not. The scrapers are hotlinking either way, so you might as well make that bandwidth serve a warning instead of helping them scam people.
If they're going to steal your electricity (bandwidth), make it power a neon sign that says they're thieves.
It's Not Actually That Time-Consuming
I know what you're thinking: "This sounds like a lot of work." But once you get the hang of it, it's systematic and gets faster with practice:
- Create your warning graphic once
- Swap images in batches using your product management system
- Start with your best-sellers or most-scraped products
- Do a few products at a time when you have 10-15 minutes
- I've swapped over 900 images and I'm still going - it becomes routine
The key is: you're not fighting individual fraud sites, you're poisoning the entire automated pipeline. Every image you swap propagates across multiple fraud sites automatically. It's them carrying stolen content images like a virus...
and honestly, what other options do we have at this point? Ignore it?? Let them just steal from us and our customers? When we have this power to just swap the images and stop it in its tracks? Fuck that!
The Endgame: Critical Mass
Why this matters and why other merchants should join:
If enough merchants poison their product catalogues, the fraud networks collapse. They exist at this scale, purely because of hotlinking.... and they hide through referrer/redirects
- Fraud networks scrape thousands of stores
- If I can send 900 warning images into circulation, 10 merchants could send thousands
- 100 merchants could send tens of thousands
- If 10% of stores use warning graphics, 10% of fraud listings become warnings
- If 50% of stores do this, fraud sites become unusable using this mass scrape and hotlink method
- Customers see warnings everywhere and stop buying
- Browser security and AI detection get stronger with more data
- More sites get flagged for phishing as the pattern becomes clearer
- The operation becomes unprofitable
The networks have to find another solution... one that will be more expensive and won't be able to run at the scale it does now.
And... if enough referrer sites fix their exploits... then they won't be able to hide anymore... whether they're hotlinking or not...
- No referrer network = fraud sites appear directly in Google search results
- Direct visibility makes them easier to identify and report
- Google can flag and remove them faster without trusted referrer domains providing cover
- Customers can see the suspicious .shop/.click domains before clicking
- The cloaking strategy collapses entirely
This isn't about individual revenge, though actually there is a bit of that, because my ASD brain just can't let it go. This is about making automated scraping unprofitable through collective action. Eventually, the entire hotlinking model has to fail... because the hotlinking becomes the virus they can't get away from.
Step-by-Step: How to Poison Your Product Catalogue
Step 1: Create Your Warning Graphic
Your warning graphic should include:
- Your logo or brand identifier
- Clear text: "STOLEN FROM [YOUR DOMAIN]"
- "DO NOT BUY"
- "REPORT THIS SITE"
- High contrast colors (so it's visible in thumbnails)
- Large, readable text
I don't believe there is anything legally ambiguous about this. I can prove the content is stolen, and the message is factual. If the fraud networks want to take me to court for calling out their theft, let them try.
Step 2: Identify Which Products to Swap
In order of importance... start with:
- Your best-selling products (most likely to sell on the scam site)
- Products you've confirmed are on fraud sites
- Be methodical, work through the catalogue
Step 3: Swap Your Product Images
In your e-commerce platform: For each product
- Save your original product images as backup
- Create new watermarked versions of your product images, if they aren't already watermarked.
- Add copyright EXIF data if possible
- Change the alt text on the old images to "This content is stolen from [my url]"
- Remove the old images from your product (this means you won't display your own stolen content warnings)
- Upload your new watermarked images to your product and save changes
- Go into your files section, and swap the old images (The ones you put the stolen content alt text on) for your new stolen content warning image
That's it, Done
Important: Make sure you change your images on your product so that legitimate customers won't see the warning graphic. Adding a watermark, and EXIF copyright data to your new images at the same time helps for future scrapes, you can also use the opportunity to improve SEO on your alt text if needed.
Step 4: Verify It Worked
If you have been lucky/unlucky enough to actually find one of your images linked, you can watch this happen in real time, because swapping the image on your server will force a refresh on the scam server, and you will immediately (or within a few minutes) be able to refresh the page and see your shiny new warning graphic.
Tip: Check your 'Broken Link' reports or '404' logs if you have a way to see them. Look for hits on an image that doesn't exist anymore—those are the scrapers. Give them something to look at. (We unfortunately cannot do this on Shopify.)
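For merchants on platforms that do expose access logs, the check in the tip above can be run over the log directly. This is an added example, not part of the original guide; it assumes Apache/nginx combined log format, and the host names, paths and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")

def hotlink_report(log_lines, own_hosts):
    """Count image hits per (referring host, path, status) from other sites."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m.group(1)).path  # drop any ?v=... cache-busting query
        status, referer = int(m.group(2)), m.group(3)
        if not path.lower().endswith(IMAGE_EXT):
            continue
        ref_host = (urlsplit(referer).hostname or "").lower()
        if not ref_host or ref_host in own_hosts:
            continue  # no referrer, or one of your own pages
        hits[(ref_host, path, status)] += 1
    return hits

def missing_images_still_requested(hits):
    """Image paths that return 404 yet are still embedded by other sites."""
    return sorted({path for (_, path, status) in hits if status == 404})

# Constructed log lines (documentation IP ranges and .example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /img/tee-red.jpg?v=3 HTTP/1.1" 200 48211 "https://scamsite.example/p/991" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2026:10:01:09 +0000] "GET /img/old-print.png HTTP/1.1" 404 312 "https://scamsite.example/p/17" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jan/2026:10:02:40 +0000] "GET /img/old-print.png HTTP/1.1" 404 312 "https://clone-shop.example/item/17" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Jan/2026:10:03:00 +0000] "GET /img/tee-red.jpg HTTP/1.1" 200 48211 "https://www.myshop.example/products/tee" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Jan/2026:10:03:05 +0000] "GET /products/tee HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]
```

Paths returned by `missing_images_still_requested` are the ones to re-upload as a warning graphic under the same file name; the 200-status entries show which live images are being hotlinked and by which host.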
Step 5: Spread the Word
Share your results:
- Post screenshots showing warnings live on fraud sites
- Tag other merchants who might be affected
- Share this guide
- Report your success so we can track collective impact
Why This Works Better Than DMCAs
I know the standard advice is "file a DMCA." Here's why warning graphics are more effective against this kind of mass scrape scam:
| DMCA Takedowns | Warning Graphics |
|---|---|
| Exposes your personal information to scammers | No personal info shared |
| Takes down one listing at a time, if you're lucky | Poisons entire automated pipeline |
| New fraud sites pop up immediately | Warnings propagate to new sites automatically |
| URLs switch rapidly - game of whack-a-mole | Warnings follow them through referrer network |
| Platforms often don't act | You control your own images |
| Reactive (after damage done) | Proactive (prevents transactions) |
| Does nothing to protect you | Protects your IP and stops customers from being scammed |
| Can't reach hidden referrer networks | Works regardless of how they hide |
| Doesn't train AI/browser security | Contributes to AI recognition and phishing detection |
The problem with DMCAs is that the URLs switch too quickly for anyone to act on it, and all you're really doing is giving your details to massive fraud networks for no results. Filing a DMCA against a site that uses a redirect-hider is futile - they have no intention of engaging with the legal process, and even if they wanted to honour a takedown notice, the whole thing is too automated to work. They are not gonna go and remove odd items when the whole store will be on another URL in a matter of hours... it's completely pointless IMO
Alternative: Report Spam Networks
Instead of filing individual DMCAs, use Google's specialised reporting tools to flag entire networks of sites. While results aren't immediate, these reports help Google's algorithm teams identify patterns of spammy behavior during core and spam updates, which has a much larger impact on their overall search visibility.
- Search Quality Issues: Use the Google Search Quality User Report to flag sites using deceptive tactics, thin content, or scraped content that provides no original value.
- Paid Link Networks: If you find sites manipulating rankings by buying or selling links, report them via the Paid Links Report.
- Malicious & Phishing Sites: For scam sites trying to steal passwords or spread malware, use the Report Phishing or Report Malicious Software portals to trigger browser-level warnings.
- Rich Snippet Abuse: If a network is using fake reviews or misleading schema to "game" search results, use the Spam Report Form and select "Spammy Content" to flag the structural abuse.
Tip for 2026: Google places high weight on E-E-A-T (Experience, Expertise, Authoritativeness, and Trustworthiness). When reporting scrapers, mention in the "Comments" section that the site is an automated "made-for-advertising" (MFA) network with no original expertise. This helps Google's quality team categorise it correctly during manual reviews.
Join the Fightback
I can work to protect my own IP, and my own customers... but that is a drop in the ocean. We can make real inroads into the whole scraper hotlinking scam site system if enough merchants participate... and it's easy for you to get involved... you just have to decide to protect yourself:
- Implement warning graphics on your own products
- Share this guide with other merchants in your network
- Post your results on social media with screenshots
- If you're a site owner who discovered you're being used as a referrer - patch your vulnerabilities and report the compromise
- If you are a customer, as a matter of course, please check your URLs, look at the URL that you are clicking and make sure it's the same URL as the page you land on. Look around the site before you buy, make sure nothing looks off.
Tools like StoreLock are exploring new approaches to help merchants identify and combat fraud networks. If you're a developer building anti-fraud solutions... reach out and let us know what you have.
Why I'm Doing This
I'm an independent artist with ASD. I cannot sit back and do nothing while my work is stolen - it would literally drive me mad. This isn't about SEO benefit or personal gain. It's about not allowing these fuckers to steal my IP without doing everything in my power to stop it.
Just because a solution might not work forever, doesn't mean it's not worth doing. Every disruption matters. Every warning image circulating makes their operation a little less profitable. Every merchant who joins makes the virus spread faster. Every customer who learns how to spot these sites makes themselves safer...
and honestly... every time those warning graphics go live on a scam site, it's a small win... because it's one less chance for someone to get scammed using my name... one more product theft turned against them. So, I will keep trying to protect my IP and my customers... even if I'm the only one doing it
Your experience, your frustration, your refusal to accept this - it all matters. Turn that anger into action.
Questions?
I'm documenting this journey as it unfolds. If you have questions, want to share your results, or need help implementing this strategy, reach out through the contact page and I will do what I can to help you.
Together, we can make automated scraping unprofitable.
By all means, come and picnic on my website, but don't be surprised if all you find are shit sandwiches.
- El / ElRat Designs