- What: Criminals are using AI to clone law firm websites at scale for scam campaigns.
- Impact: 150+ domains are part of the network, hiding behind Cloudflare.

Researchers Expose Network of 150 Cloned Law Firm Websites in AI-Powered Scam Campaign

Criminals are using AI to clone professional websites at an industrial scale. A new report shows how one AI-powered network grew to 150+ domains by hiding behind Cloudflare and rotating IP ranges.

By Kevin Townsend | February 5, 2026 (9:00 AM ET)

Sygnia has uncovered a live network of cloned, scam websites supposedly belonging to law firms. Business impersonation scams are nothing new, but this campaign, in total, comprises more than 150 related domains.

Sygnia’s research started when a single law firm contacted them after discovering several websites impersonating its brand. Sygnia investigated and rapidly found the activity to be part of a coordinated campaign involving more than 60 websites. As the investigation continued, it connected more than 150 related domains.

This network is not simply large but is also designed for persistence. “Infrastructure decisions favored evasion and durability over operational simplicity, consistent with a coordinated network rather than isolated or opportunistic impersonation activity,” states Sygnia’s report on its discoveries. The domains are registered through multiple registrars across different IP ranges; each site uses a distinct SSL/TLS certificate; and many are deployed behind Cloudflare, obscuring the servers, hiding their relationships and making takedowns more difficult. Each cloned website aims to appear as a single domain rather than being part of a wider campaign.

The primary purpose of these clones appears to be a repeat victimization of subjects already victim to previous fraud. The lure is a cloned legal site offering to recover money already lost to prior fraud, noticeably stating that no payment will be required before the lost funds are recovered.

There is some indication of a relationship between this campaign and earlier fraud scams. For example, Sygnia found the phone number +354-42-12434 has been used over an eight-year period within multiple scam campaigns, including a vehicle auction scam (vehicles paid for, but not delivered), and also asset recovery scams tied directly to Sygnia’s current investigation. A US phone number +1-347-871-7726 was used in a COVID-era panic buying e-commerce scam — and has again been found in asset recovery scams linked to the current investigation.

On the surface, this could suggest that a single gang is behind multiple online scams over many years. Sygnia, however, is not able to claim this is the case. “The repeated appearance of the same phone number across multiple fraudulent domains suggests reused infrastructure within the campaign. However, as phone numbers can change ownership, this should be treated as an indicator rather than definitive evidence of a single actor,” says Amir Sadon, Sygnia’s director of IR research.

One current puzzle with this campaign is how the threat actors intend to monetize their efforts. Assurances within the cloned legal sites that payment would be required only after funds are recovered add apparent authenticity to the sites, but would likely raise an immediate red flag with the target as soon as there is any attempt to request money. Sadon has no definitive answer to this. “We cannot conclude at this point how the criminals monetize from this campaign since we haven’t deeply engaged with them,” he told SecurityWeek. “However, we suspect they may be tricking their victims into sharing information that can then be leveraged for profit.”

AI-powered scam campaign

So, what can we learn from this newly discovered but extensive and technically complex infrastructure involving 150 or so separate domains? Firstly, we will likely see more similarly large and sophisticated campaigns going forward.
The ability of AI to assist in cloning websites at speed, at scale and at low cost will increasingly be used by criminals. “The use of AI and automation tools makes it easier for attackers to create these sites quickly and at scale while maintaining a convincing appearance. This increases the likelihood of similar campaigns,” suggests Sadon.

“AI is likely to lower the barrier to entry for cybercrime while increasing its scale, speed, and personalization. It enables less-skilled actors to carry out more sophisticated attacks, particularly in areas like phishing, social engineering, fraud, malware development, and reconnaissance,” he continued. “At the same time, AI allows criminals to automate operations and adapt more quickly, meaning the overall volume and diversity of cybercrime is expected to grow – even if the number of highly skilled actors remains relatively stable.”

The visible quality of the end product and the almost certain increase in online fraud will be a growing problem for businesses and users, neither of whom will have the forensic and investigative skill of firms like Sygnia. Both should consider taking some responsibility on themselves to prevent victimization.

Firms could make occasional searches to see if they have been cloned – and Google’s image search could help in finding if their logo is being used elsewhere. “During our investigation, one of the techniques we used looked for the reuse of unique elements from the impersonation sites, including logos. This led us to additional domains using the same visual assets, which helped identify further impersonation sites,” said Sadon.

Individual users should look further at any site that requests money for any reason. “Across the impersonation sites, the main landing pages were generally well-designed, but the sites themselves were relatively shallow,” he added. “Most consisted of a primary page and, at most, one or two additional pages such as a contact page.
In some cases, navigation menus were present but non-functional or repetitive. Compared to legitimate law firm websites, these sites appeared thin rather than content rich.”

None of this is conclusive to an untrained investigator, but a bit of self-help could go a long way. If in doubt, examine the depth.
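
The "examine the depth" advice can be turned into a rough check on a saved landing page. The following is an added example, not code from Sygnia or the article: it counts the distinct internal pages a landing page links to and the share of links that are non-functional or only point back at the landing page. The function name, the dead-link markers and both thresholds are assumptions, and the markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed markers of a link that goes nowhere.
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append((dict(attrs).get("href") or "").strip())

def depth_report(base_url, html, max_pages=2, max_dead_ratio=0.5):
    """Summarise how much site sits behind a landing page (thresholds are assumptions)."""
    collector = LinkCollector()
    collector.feed(html)
    base = urlparse(base_url)
    home = base.path.rstrip("/") or "/"
    pages, dead = set(), 0
    for href in collector.hrefs:
        if href.lower() in DEAD_HREFS or href.startswith("#"):
            dead += 1                      # non-functional menu entry
            continue
        target = urlparse(urljoin(base_url, href))
        if target.scheme not in ("http", "https") or target.netloc != base.netloc:
            continue                       # mailto:, tel: and external links
        path = target.path.rstrip("/") or "/"
        if path == home:
            dead += 1                      # repetitive: points back at the landing page
        else:
            pages.add(path)
    total = len(collector.hrefs)
    dead_ratio = round(dead / total, 2) if total else 1.0
    thin = len(pages) <= max_pages or dead_ratio > max_dead_ratio
    return {"pages": sorted(pages), "dead_ratio": dead_ratio, "thin": thin}

# Constructed sample markup, not taken from any real site.
CLONE_HTML = ('<nav><a href="#">Practice Areas</a><a href="#">Our Team</a>'
              '<a href="/">Home</a><a href="javascript:void(0)">News</a>'
              '<a href="/contact">Contact</a></nav><a href="tel:+15550100">Call</a>')
FIRM_HTML = "".join(f'<a href="{p}">x</a>' for p in (
    "/about", "/practice/fraud", "/practice/litigation", "/people",
    "/people/jane-doe", "/news/2026", "/contact", "https://bar.example/lookup"))

if __name__ == "__main__":
    print(depth_report("https://clone.example/", CLONE_HTML))
    print(depth_report("https://firm.example/", FIRM_HTML))
```

A "thin" result is a prompt to look closer, in line with the article's point that none of this is conclusive on its own.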
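
The pivot Sadon describes, reused logos, and the phone-number reuse noted earlier in the article can be combined to group suspect domains. This is an added example, not Sygnia's tooling: it links domains that share a normalised phone number or a byte-identical logo and returns the connected groups. The function names, the regex and all sample data are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

PHONE_RE = re.compile(r"\+\d[\d\s().-]{6,}\d")   # international-format numbers only

def indicators(page):
    """Reusable elements on one site: normalised phone numbers and the logo hash."""
    found = {"phone:" + re.sub(r"\D", "", m) for m in PHONE_RE.findall(page["html"])}
    # Exact hash: catches byte-identical logo reuse only, not resized or re-encoded copies.
    found.add("logo:" + hashlib.sha256(page["logo"]).hexdigest()[:16])
    return found

def cluster(pages):
    """Group domains linked, directly or transitively, by a shared indicator."""
    parent = {domain: domain for domain in pages}

    def find(domain):                     # union-find root lookup with path halving
        while parent[domain] != domain:
            parent[domain] = parent[parent[domain]]
            domain = parent[domain]
        return domain

    owners = defaultdict(list)
    for domain, page in pages.items():
        for ind in indicators(page):
            owners[ind].append(domain)
    for domains in owners.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(list)
    for domain in pages:
        groups[find(domain)].append(domain)
    shared = {ind: sorted(ds) for ind, ds in owners.items() if len(ds) > 1}
    return sorted(sorted(g) for g in groups.values()), shared

# Constructed sample data: .example domains, fictional 555 numbers, stand-in logo bytes.
PAGES = {
    "smith-legal-recovery.example": {"html": "Call +1 (555) 010-0142", "logo": b"LOGO-A"},
    "smithlaw-claims.example": {"html": "Tel: +1-555-010-0142", "logo": b"LOGO-B"},
    "smith-partners-refund.example": {"html": "Phone +1 555 010 0199", "logo": b"LOGO-B"},
    "unrelated-firm.example": {"html": "Phone +1 555 010 0177", "logo": b"LOGO-C"},
}

if __name__ == "__main__":
    clusters, shared = cluster(PAGES)
    print(clusters)   # clusters are investigative leads, not proof of a single actor
    print(shared)
```

The first and third sample domains share no indicator directly; they end up in one group only through the second domain, which is how a single reused asset can widen a set of related sites.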