Issue: Multiple Shopify store owners report their sites being completely cloned, including checkout processes. Changes made to original stores appear instantly on clones. Orders placed on cloned sites are received by legitimate store owners, while analytics show traffic from fraudulent domains.
Key Details:
Cloned sites hosted outside Shopify (often on DigitalOcean droplets)
Cloudflare added phishing warnings on some main pages, but not subpages
Actions Taken:
Reports filed with Google, Cloudflare, domain registrars (GoDaddy, Regtons), and hosting providers
Some success: one clone taken down by domain registrar
Google Search Console takedown requests submitted for ranking pages
Proposed Solutions:
JavaScript domain-checking script to detect and redirect/break clones (some users testing this approach)
Domain lookup to identify hosting providers and file complaints
Legal action for trademark infringement
Google Analytics domain view to monitor unauthorized code usage
Status: Takedowns progressing slowly; responses from providers vary. Users warn against breaking legitimate SEO while implementing protective scripts. Issue appears to be phishing scam or preparation for payment redirect fraud.
Summarized with AI on November 21.
AI used: claude-sonnet-4-5-20250929.
My complete Shopify store is cloned including checkout. If I make changes on my site it’s immediately available on the cloned site. The cloned site is not hosted on shopify so shopify can’t help me a lot.
If someone is on the cloned site I see it on my analytics and on the Shopify live view. When they place an order on the cloned site I also receive the order. Currently they didn’t change any of my banking details or my payment gateway.
Throughout the checkout the cloned store URL is showing so it looks like they cloned the complete checkout process of shopify and when the order is placed I receive the order.
The only thing that they changed on the cloned site is all the internal links and the email address. When I change my site URL in the contact details at the bottom of my page it show the incorrect email so it looks like they have an automatic script running.
I did report it to Google but they didn’t take any action yet (still showing on Google search).
I also reported it to CloudFlare and they added a phishing warning on the main URL but not on any sub URLs.
I’m also still waiting on feedback from the website hosting provider and the name registrar.
Is there anything I can do or code that I can enter into my theme to stop this?
How long did it take for this to get resolved? We are having the same problem with our Shopify store being cloned. Except ours is being cloned of four different domains! We’ve reported to Shopify (who can’t help), the domain regitrars (GoDaddy and Regtons), Google, and Cloudflare. It’s been a week, which I know isn’t that long, but it seems like forever waiting for something to happen.
For registrars|domain-names that’s more of a trademark issue, unless they are also hosting the cloned content, if the clones are infringing trademarks through a domain name lawyer up asap.
It can take awhile if ever for takedowns to happen. The time is always variable depending on who and how is going about it(DMCA, legal threat, court order, etc) , what country|platform the offending site is on , etc.
Shopify can only do things about such clones on their platform , if when and if they choose to based upon the info and resources available to them.
There are some immediate actions you can take such as checking whether the clone directly syncs to the real website when any change is made. In such a case then if it seems there’s also NO humans involved checking changes that go into the clone well then you can use javascript to start doing whatever you want with your property when it’s not on the proper domain.
Caveat obviously test thoroughly and monitor constantly to not interrupt the origin site, and such JS methods obviously don’t interrupt SEO duplication of the base content.
Thank you Paul. These sites are direct clones, and they are overseas. One of them did get taken down by the domain registrar already.
Two of them update instantly, so yes, I am toying with the idea of using a domain checking script and redirecting if it matches one of the targeted domain names. I wrote it and it works. At least well enough that it breaks the clones by sending them into an infinite loop. I just don’t want to mess anything up for when Google, GoDaddy, Cloudflare, etc. need to verify that the sites are clones. So I’m going to give it a little time. If it takes too long, though, I’ll have to put a script in to at least have some way of combatting this issue.
As for SEO, I’m pretty worried about that. We’ll just have to see how long it takes for these places to respond. Thank you for chiming in.
This happend a long time ago but this is what I remember.
First is to understand what is happening.
Someone is hosting a code that are cloning your website (Shopify can’t help). When you go to that domain name it connects securely to the computer hosting the code (that if why the SSL certificate will be valid). On this computer the code is programmed to replace your original domain name with the domain name of the cloned website and keep the person on the cloned website. The cloned website then connect to your website, that is why any changes will happen instantly on the cloned website. When someone checkout it will redirect to the secure shopify checkout so they will not be able to see any personal information and the order will go to your website. I beleive this is a type of phishing scam or when the clone rank high enough and get enough orders they can change the code and redirect to a different checkout (this will be a big problem).
You will need to do a lookup on the domain name and see who is hosting the code. When this happened to me and I did a lookup on the domain name it was registered at name cheap but pointed to an droplet hosted by digital ocean.
I contacted name cheap (couldn’t help to much according to them), CloudFlare (added a phishing warning on the main page but other pages was starting to rank very quickly on Google), Google (never heard anything from them) and digital ocean.
I explained everything to digital ocean what is happening including all the information that I had. They then shut the droplet. I can’t remember how long this took.
On Google search console I requested a takedown of all the pages that was ranking high after it was shut down. This took a while but everything was sorted after this.
What I also learned is to view the domain name on Google analytics so you can easily see if someone is using your tracking code on their website. The standard view is “/” but you can change it to “yourdomain.com/”
If I used this view I would have picked this up a lot earlier.
I’m currently having the same issue that someone cloned my store 100% by different domain name. My website is www.mesadiamondproducts.com and they got a domain as www.diamond.cn which is from China. I found out that their hostings are Cogentco and Sondercloud. I saw posts here about a code to add on theme.liquid that will prevent another domain to use my shop. It didn’t quite worked out yet but I see most of people mentioned it is working. Here is the code I used:
I unfortunately noticed that usually Google, Shopify or hostings are not doing anything about it. I have contacted them but no answer yet. So I’m pretty much worried and want to take an immediate action to solve this issue. The products I sell are generally expensive and this fake website is already ranked page #1 on Google search. I’m seeking immediate help.
