Pokémon Brand Spoofing in 2026: Pre-Crime Analysis of 1,352 Lookalike Domains
2026-6-17 11:10:7 Author: bfore.ai

With individual Pokémon cards often trading for thousands of dollars, threat actors build fake market infrastructure to exploit collectors and investors. Domains such as pokemoncarddealer[.]com, buypokemoncardsonlines[.]com, and cartespokemon[.]shop attempt to mimic authentic card marketplaces or card-grading services to execute payment card fraud or steal rare inventory through escrow scams.

Adversaries leverage individual Pokémon names to bypass standard automated spam filters and connect directly with target users. Infrastructure like pikapikachu[.]cards, pikachugacor[.]click, mewtwokingpass[.]net, and mewtwolabs[.]com uses high-profile legendary or mascot names to establish rapid community trust, facilitating malware distribution or crypto-drainer link clicks.

The global success of mobile titles like Pokémon GO makes mobile users highly vulnerable to malicious mobile distribution infrastructure. Staged domains like pokemon-go-hack[.]nl, pokemongomaltamap[.]com, and pokemonchampionx7game[.]site are configured to look like legitimate community maps, code updates, or custom cheat overlays, but are instead optimized to serve credential-stealing packages or spyware to mobile operating systems.

The Pokémon Trading Card Game (TCG) market has experienced extraordinary value inflation, with single cards reaching tens of thousands of dollars at auction. This high-value collector market has attracted a sophisticated counterfeit and fraud ecosystem where over 62 TCG-focused domains were identified, spanning counterfeit card shops, wholesale fraud operations, resale arbitrage tools, and fake regional Pokémon TCG associations.

Pokémon GO, despite being nearly a decade old, remains one of the world’s most-played mobile games with over 80 million monthly active users. 34 Pokémon GO-specific domains were identified, including spoofing tools (pokemongospoofer[.]com, pokemongospoofer[.]net, pokemon-go-hack[.]nl), coordinate-sharing platforms (pokemongocoordinate[.]online, pokemongodata[.]com, pokemongodpu[.]com), and redirect operations (pokemongo-redirect[.]top). The pokemongo[.]app domain is particularly concerning as it occupies a short, authoritative domain name that could facilitate app store confusion or official API impersonation.

Seven domains exploit Pokémon character names in the cryptocurrency and meme coin space, a category that, while numerically small, represents a high-risk emerging threat given the volatility and fraud prevalence in crypto markets.

The Solana cluster (solanacharizard[.]com, squirtlesolana[.]com, pokedexsolana[.]fun) suggests a coordinated operation targeting the Solana ecosystem’s meme coin community, which is known for high-velocity, low-scrutiny token launches. Pokémon character names provide instant brand recognition to bootstrap token communities before exit scams.

Five “.lat” domains forming a tight thematic cluster around the Mewtwo character were observed: mewtwoepicwatch[.]lat, mewtwosagaunleash[.]lat, mewtwoepicatlas[.]lat, mewtworiver[.]lat, and snorlaxrushsaiyan[.]lat. The “.lat” TLD is designated for Latin American use. The narrative-themed naming (‘Saga Unleash’, ‘Epic Watch’, ‘Epic Atlas’, ‘Rush Saiyan’) suggests a coordinated content or media operation, potentially indicating a streaming piracy network, fan fiction monetisation scheme, or coordinated SEO spam targeting Spanish-language Pokémon audiences in Latin America.

The domain pokemonlegenden[.]exposed is a unique entry: the “.exposed” TLD is explicitly designed for publication of damaging or controversial content. The ‘legenden’ naming (German/Scandinavian for ‘legends’) suggests a site designed to attack reputation, and it should be monitored for activation.

Six domains share a distinctive a1- prefix pattern: a1-charmander[.]com, a1-mewtwo[.]com, a1-pikachupg[.]com, a1-snorlax[.]com, a1-squirtle[.]com, and a1-mewtwo[.]com. All are registered via Alibaba Cloud (Aliyun) WHOIS, with Hong Kong listed as the registrant country. With systematic character-name coverage and shared hosting infrastructure, the cluster likely targets online platform branding (the ‘pg’ suffix in a1-pikachupg[.]com references PG Soft, a prominent Asian online slot game provider).

Three domains, gigantamaxpikachu[.]vip, gigantamaxcharizard[.]vip, and gigantamaxsnorlax[.]vip, combine in-game Pokémon mechanics, namely Gigantamax (a battle transformation from Sword/Shield), with “.vip” TLD gambling infrastructure. This shows deep game knowledge on the part of the threat actors and of their target consumers, who understand Pokémon game mechanics. The use of aspirational in-game status signals to attract gamblers indicates strategic brand exploitation rather than unsophisticated brand abuse.
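The naming clusters described above (the a1- prefix set, the Gigantamax “.vip” set, the character-name “.lat” set, the Solana set and the Pokémon GO keyword set) can be written as matching rules for triaging newly observed domains. This is an added example, not code from the bfore.ai report; the rule names and regular expressions are assumptions derived from the domains quoted on this page.

```python
import re
from collections import defaultdict

# Character names that occur in the domains quoted in this report.
CHARS = "(?:pikachu|charizard|charmander|squirtle|snorlax|mewtwo)"

# One rule per naming cluster described above. Rule names are labels
# invented for this example, not the report's terminology.
RULES = [
    ("a1-prefix", re.compile(rf"^a1-{CHARS}[a-z0-9]*\.com$")),
    ("gigantamax-vip", re.compile(rf"^gigantamax{CHARS}\.vip$")),
    ("character-lat", re.compile(rf"^{CHARS}[a-z0-9-]*\.lat$")),
    ("solana", re.compile(
        rf"^(?=[^.]*solana)(?=[^.]*(?:{CHARS}|pokedex))[a-z0-9-]+\.[a-z]+$")),
    ("pokemon-go", re.compile(r"^pokemon-?go[a-z0-9-]*\.[a-z]+$")),
]

def refang(indicator):
    """Turn a defanged indicator ('a1-mewtwo[.]com') into a plain hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return host.rstrip(".")

def classify(indicator):
    """Return the name of the first matching cluster rule, or None."""
    host = refang(indicator)
    for name, pattern in RULES:
        if pattern.match(host):
            return name
    return None

def cluster(indicators):
    """Group indicators by rule; duplicates collapse, misses go to 'unclustered'."""
    groups = defaultdict(set)
    for item in indicators:
        groups[classify(item) or "unclustered"].add(refang(item))
    return {name: sorted(hosts) for name, hosts in groups.items()}

# Indicators copied from the report (defanged and plain forms mixed, one
# duplicate), plus the official pokemon.com as a negative control.
SAMPLE = [
    "a1-charmander[.]com", "a1-mewtwo[.]com", "a1-pikachupg[.]com",
    "a1-snorlax[.]com", "a1-squirtle[.]com", "a1-mewtwo[.]com",
    "gigantamaxpikachu[.]vip", "gigantamaxcharizard[.]vip",
    "gigantamaxsnorlax[.]vip", "mewtwoepicwatch[.]lat",
    "snorlaxrushsaiyan[.]lat", "solanacharizard.com", "pokedexsolana.fun",
    "pokemon-go-hack[.]nl", "pokemongo[.]app", "pokemon.com",
]

if __name__ == "__main__":
    for rule, hosts in cluster(SAMPLE).items():
        print(rule, hosts)
```

Running the rules over a feed of newly registered domains surfaces further members of a cluster as they appear; the duplicate a1-mewtwo entry in the sample collapses to one host.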

Further investigation identified multiple recently created cryptocurrency tokens leveraging the Squirtle character name and imagery across different coin names. The observed tokens were launched within a relatively short timeframe, suggesting sustained interest in Pokémon-inspired branding due to the franchise’s growing popularity around its 30th anniversary.

These two examples are particularly relevant to the Pokémon 30th Anniversary (2026) threat landscape because they capitalize on renewed interest in collectible cards, reprints, and anniversary sets. The domains pokemoncarddealer[.]com and pokemontradingcard[.]com impersonate a legitimate Pokémon card marketplace, each presenting itself as a premium dealer. Several persuasion techniques aimed at buyers are visible, such as scarcity messaging, discount indicators, and collector-focused branding, which create a FOMO effect.

Such platforms may be used for harvesting payment card information and personal information, and for selling non-existent inventory. Especially given the fast-spreading popularity around Pokémon’s 30th anniversary, such domains can be used for advance-payment fraud. Interestingly, the use of Mega Evolution branding is particularly notable given community speculation and increased attention surrounding legacy Pokémon mechanics and anniversary-themed releases.

In this interesting chained example, a sports-themed article, used for unrelated advertisements, deceptive alerts and potentially unwanted software promotion, was placed as the final redirection after victims click on the initial lure, pokemonromhacks[.]com. At the final destination site, a prominent pop-up claims “Online Protection Disabled” and urges users to renew a security license. Multiple unrelated advertisements are also embedded within the article content. Users are prompted to click advertisements, install software, enable browser notifications, or follow additional redirects.

The observed redirection chain ultimately transitions away from the Pokémon-themed lure and lands on a browser notification scam / fake antivirus renewal ecosystem. To summarize, this multi-step malvertising campaign starts with Pokémon infrastructure to acquire a target audience (collectors, children, gamers, or anniversary enthusiasts), where it waits for potential victims to interact with the fake advertisements, keeping suspicious users away.

Historically, cybercriminals have followed consumer attention, global events, and media coverage around popular incidents. As Pokémon enters its 30th Anniversary cycle, the combination of nostalgia, enthusiasm, new collectible launches, and digital assets presents an attractive environment for threat actors. The current domain landscape shows early signs of infrastructure that could fuel campaigns where Pokémon-themed branding is used not only for phishing and counterfeit sales, but also for financial exploitation disguised as fandom participation.


Article source: https://bfore.ai/report/pokemon-brand-spoofing-2026-lookalike-domains/