Scammers Use AI to Target TikTok Shoppers Worldwide
A sophisticated global scam campaign, dubbed FraudOnTok, is targeting TikTok Shop users using a combination of phishing, fake apps, and AI-generated content. Discovered by cybersecurity firm CTM360, the scam aims to steal money, credentials, and personal information through deceptively convincing replicas of TikTok Shop, Wholesale, and Mall platforms.
Fake Stores, Real Losses
Fraudsters are using lookalike domains—over 15,000 so far—designed to closely mimic legitimate TikTok URLs. Many are hosted on low-cost domains like .shop, .icu, and .top. These fake sites host phishing pages to steal login credentials and push users to download malicious apps that appear to be part of TikTok’s ecosystem.
Victims are lured in with flashy discounts and professional-looking AI-generated videos that mimic real influencers and brand ambassadors. These promotions are circulated via Facebook, TikTok ads, and even direct messages on WhatsApp and Telegram. Once a user clicks through, they’re either asked to enter login information or deposit cryptocurrency into fake wallets—both leading to theft.
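The domains described above share two traits a defender can check for: they carry the TikTok brand name somewhere in a hostname that is not actually tiktok.com, and many sit on the cheap TLDs named in the report (.shop, .icu, .top). The script below is an added example, not CTM360's tooling or any TikTok code; it takes URLs (for instance from a proxy or mail-gateway log), normalises the hostname, undoes a few common digit-for-letter substitutions, and flags lookalikes. The legitimate-domain set, the homoglyph table and the sample URLs are assumptions constructed for the example.

```python
"""Flag TikTok lookalike hostnames in a list of URLs (added example, not from the report)."""
from urllib.parse import urlsplit

# Assumption: only the primary brand domain is treated as legitimate; subdomains of it pass.
LEGIT_DOMAINS = {"tiktok.com"}

# Cheap TLDs the CTM360 report names as popular with the campaign.
SUSPICIOUS_TLDS = {"shop", "icu", "top"}

# Constructed table of characters attackers commonly swap for look-alikes (t1ktok, tlktok, tikt0k).
HOMOGLYPHS = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o", "3": "e", "5": "s", "7": "t"})

BRAND = "tiktok"


def normalize_host(url: str) -> str:
    """Return the lower-cased hostname of a URL, tolerating bare hostnames without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_legit(host: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it (not 'evil-tiktok.com')."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def brand_in_host(host: str) -> bool:
    """Detect the brand name after collapsing hyphens/dots and undoing digit-for-letter swaps."""
    squashed = host.translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    return BRAND in squashed


def classify_url(url: str) -> dict:
    """Classify one URL as legit, lookalike, unrelated or invalid, with the reasons found."""
    host = normalize_host(url)
    if not host:
        return {"host": host, "verdict": "invalid", "reasons": ["no hostname"]}
    if is_legit(host):
        return {"host": host, "verdict": "legit", "reasons": []}

    reasons = []
    if brand_in_host(host):
        reasons.append("brand name in non-TikTok host")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"cheap TLD .{tld}")

    # A cheap TLD alone is weak evidence; brand impersonation is what makes it a lookalike.
    verdict = "lookalike" if brand_in_host(host) else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons}


def scan(urls):
    """Return only the URLs classified as lookalikes, each with its host and reasons."""
    return [dict(url=u, **classify_url(u)) for u in urls if classify_url(u)["verdict"] == "lookalike"]


# Constructed sample input; none of these hostnames are taken from the report.
SAMPLE_URLS = [
    "https://www.tiktok.com/shop",
    "https://tiktok-shop-deals.shop/login",
    "https://tiktok.com.secure-mall.icu/",
    "https://t1ktok-wholesale.top/",
    "https://example.org/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(f"{hit['url']:45} -> {hit['verdict']} ({'; '.join(hit['reasons'])})")
```

The check deliberately treats the brand name, not the TLD, as the deciding signal: a legitimate retailer on a .shop domain should not be flagged, while `tiktok.com.secure-mall.icu` is caught because the real domain appears only as a subdomain label. Keyword matching will not catch every one of the 15,000-plus domains in the campaign, only the ones that impersonate the brand in the hostname, so it belongs alongside threat-intelligence feeds rather than in place of them.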

Fig 1. The Fake TikTok promotions. Source: CTM360
Malicious Apps and Spyware
The second stage of the campaign involves tricking users into installing fake TikTok Shop apps. These apps often mimic older versions of the real TikTok app, giving users a false sense of legitimacy. However, they secretly install SparkKitty, a powerful spyware capable of stealing personal data, photos, crypto wallet credentials, and more.
SparkKitty behaves like a Trojan. Once installed, it connects to a command-and-control (C2) server hardcoded into the app. It sends user data—like device info, login tokens, and gallery images—to remote servers. If it finds sensitive data like screenshots of crypto wallet seed phrases, it sends them to attackers using encrypted communication. Some variants even create fake affiliate dashboards to trick users into making repeated crypto deposits, believing they’re earning commissions.
More than 5,000 unique malicious app download sites have been detected. These fake apps deliberately reject ordinary email logins and instead push users to sign in with their Google account. This lets the scammers capture the login tokens issued for that sign-in, which give them access to the account without needing the password or an email confirmation. It is a way to sidestep the usual security checks while avoiding detection.

Fig 2. Downloading the fake TikTok app. Source: CTM360
The Financial Motive
CTM360’s analysis highlights that both consumers and affiliate participants are targets. Buyers are misled into paying for fake or discounted items that never arrive. Affiliates are duped into topping up wallets for commissions that are never paid. These untraceable payments—often made in cryptocurrency like USDT—make recovery nearly impossible.
The overarching goal is financial gain through stolen funds, credentials, and digital assets. The SparkKitty malware also enables persistent device compromise, allowing attackers to return later for further exploitation or resale of stolen information on the dark web.
TikTok Shop is officially available in just 17 countries, but the FraudOnTok campaign is global, exploiting TikTok’s brand trust wherever it has a strong user base. Whether you’re shopping or participating as an affiliate, be cautious of unsolicited messages, suspicious apps, and websites with unusual domain names.
How to Stay Safe
- Only access TikTok Shop through the official TikTok app or domain: tiktok.com.
- Avoid clicking on TikTok Shop deals advertised through third-party platforms like Facebook or Telegram.
- Never download apps from unofficial sources or QR codes sent by strangers.
- Be wary of any site asking for crypto payments or promising unusually high commissions.
- Use an app like Certo AntiSpy to help detect and remove malicious apps.
If a deal looks too good to be true—it probably is. Stay alert and double-check before you click.