
700+ Lookalike Domains Targeting Oil and Gas Companies


Executive Summary

Date: June 2026
Source: PreCrime™ Labs

Between November 2025 and May 2026, our PreCrime platform tracked over 701 suspicious domains impersonating the world’s largest oil, gas, and energy companies, including Chevron, ExxonMobil, Shell, and Bechtel.

These aren’t active attacks. They’re staged infrastructure: lookalike and typosquatted domains registered months in advance, waiting for the right trigger – an earnings announcement, a merger, an AI partnership – to be weaponized.

This report breaks down who’s being targeted, how attackers build this infrastructure, and what the domain patterns reveal about campaigns that haven’t launched yet.

What are lookalike domains targeting oil and gas companies?

Lookalike domains are fraudulent web addresses designed to impersonate legitimate energy brands like Chevron, ExxonMobil, and Shell. Threat actors use them to launch phishing attacks, business email compromise (BEC), credential harvesting, and supply chain fraud — often registering infrastructure months before activating a campaign.


High-Level Metrics & Target Distribution

Threat actors disproportionately target a handful of supermajors and critical infrastructure providers, likely due to their immense financial footprint and vast vendor ecosystems.

Top 10 Most Impersonated Energy Entities

The following table outlines the distribution of sector-specific malicious lookalike domains:

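| Rank | Target Organization | Malicious Domain Count | % of Total Target-Specific Pool* |
|------|---------------------|------------------------|----------------------------------|
| 1 | Chevron | 171 | 24.39% |
| 2 | ExxonMobil | 145 | 20.68% |
| 3 | Shell | 53 | 7.56% |
| 4 | Bechtel | 44 | 6.28% |
| 5 | Comstock | 32 | 4.56% |
| 6 | Motiva | 26 | 3.71% |
| 7 | Fluor | 23 | 3.28% |
| 8 | Sempra | 32 | 3.28% |
| 9 | Technip | 22 | 3.14% |
| 10 | Coterra | 22 | 3.14% |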

Other impacted brands include: Phillips 66 (8, 1.14%), Diamondback Energy (19, 2.71%), Antero (12, 1.71%), Targa Resources (19, 2.71%), ONEOK (4, 0.57%), Hilcorp (6, 0.86%), ConocoPhillips (13, 1.85%), Occidental (9, 1.28%), Kinetik Holdings (7, 1.00%), Marathon Petroleum (7, 1.00%), Kinder Morgan (7, 1.00%), Devon (8, 1.14%), Murphy Oil (5, 0.71%), Colonial Pipeline (2, 0.29%), Ovintiv (4, 0.57%), Expand Energy (6, 0.86%), Cheniere Energy (3, 0.43%), and Western Midstream (1, 0.14%).

Figure: Malicious domains per brand

How Threat Actors Target Oil and Gas Companies: 5 Active Attack Vectors

An analysis of the domain permutations and registrar data reveals several distinct tactical patterns used by adversaries staging infrastructure:

1. The "HR & Procurement" Phishing Trap

Threat actors heavily favor typos and combos related to corporate workflows to facilitate BEC and fake invoice fraud.

  • Procurement Typos: Domains like chevron-procurement[.]com, vendor-chevron[.]com, vendor-exxonmobil[.]com, and exxonmobilcontracts[.]com are clearly designed to target the massive global supply chain of these energy firms.

  • HR & Career Scams: Permutations such as careerbechteljob[.]com, ngchevronrecruitment[.]com, and conocophillips-career[.]com aim to harvest credentials or personal details from job seekers or internal employees under the guise of talent acquisition.

2. Geopolitical and Project-Specific Target Strategy

Adversaries map infrastructure to specific corporate geographic regions and strategic joint ventures:

  • Regional Squatting: Variations like indonesia-exxonmobil[.]com, chevronvenezuela[.]com, chevronafrica[.]co[.]za, and exxonuae[.]com show that attackers localize their campaigns to isolate regional business units.
  • Asset/Project Targeting: The registration of gorgonchevronproject[.]com explicitly points to a highly focused target profile, in this case, Chevron’s massive Gorgon LNG project in Australia.

3. Exploitation of "Corporate Operations" and IT Keywords

Attackers register domains that mimic legitimate internal corporate tools, cloud migrations, and single sign-on (SSO) portals:

  • Keywords such as -alightworklife[.]online (Phillips 66), -vip[.]top (ConocoPhillips), cloud-bechtel[.]com, and semprasso[.]com indicate intent to construct highly convincing credential-harvesting landing pages that mirror employee portals.

Domain Infrastructure Analysis: How Attackers Stage Energy Sector Phishing

A deep dive into the underlying registration properties highlights how adversaries choose their staging platforms:

  • Privacy Redaction as a Baseline: Over 85% of the analyzed infrastructure utilizes privacy proxy services (e.g., NameBrightPrivacy, Fundacion Privacy Services LTD) to mask the true geographic location and identity of the registrant.

  • Mostly undetected and not acted upon: Only 5.6% of the domains returned “domain not registered” by the time of publication of this report, evidence that most of these IOCs are not being actively removed by the brands.

  • Short-Term Staging Lifespans: The vast majority of these suspicious domains are registered with strict 1-year expiration windows, a classic indicator of disposable, campaign-specific infrastructure.

  • The use of .tel registrations in the industry: Our research uncovered 14 “.tel” domains incorporating corporate trademarks from the sector. The majority (12 of 14) appear to be defensive registrations, as shown by the use of corporate brand-protection registrars or by a deliberately neutralized DNS configuration (null MX and a hard-fail SPF record), indicating a name held but disabled for mail. Two domains (motiva[.]tel, technipcorporateservices[.]tel) fall outside that pattern and warrant further review. Why would attackers (and therefore defenders) seek .tel at all? The TLD was designed to store contact information such as phone numbers and email addresses directly in DNS and present it as a contact page (rendered automatically, if the registration owner opts in). That contact-directory capability is what makes it attractive for vendor- and procurement-themed lures: typically, a victim is invited via a phishing or smishing message to open the page and “call to validate an invoice,” with the trusted brand name lending the request credibility.

  • Bulk Drop-Catching & Cheap TLDs: Attackers mix trusted legacy top-level domains (“.com”, “.net”) with highly affordable or disposable generic TLDs (“.cfd”, “.sbs”, “.xyz”, “.top”, “.online”) to spin up vast variations of infrastructure at negligible cost. These findings are in line with the recent Interisle report “Malicious Registrations in the Domain Name Market: An Analysis of 2025 gTLD Registrations and Cybercriminal Demand”, which shows many of these TLDs as top destinations for malicious domains.

 

By correlating domain strings, infrastructure fingerprints, and behavioural signals, PreCrime can identify these as high‑risk before they are integrated into phishing emails or bogus vendor workflows, allowing customers to add them to secure email gateways and transaction‑monitoring rules in advance.

Figure: Top 10 top-level domains in energy, oil and gas data

Geographic and Regulatory Spread

Domains reference multiple geographies and regulatory footprints:

  • Country registration information is missing for a large portion of the domains (55.2%), not reported in DNS. This figure does not include private or redacted registrations (29.3%) and domains no longer registered (5.6%), mentioned in the previous section.

  • Country or region tags: “.de”, “.pl”, “.ar”, “.br”, “.cz”, “.co.ke”, “.co.za”, “.kz”, “.uk”, “.ee”, “.my.id”, “.biz.id” and combinations like “exxonmobil-brazil[.]com[.]br”, “chevronafrica[.]co[.]za”, “shellnorway[.]com”, “exxonuae[.]com”, “chevronunited[.]co[.]ke”.

  • This indicates threat actors are not just targeting US or EU markets but also emerging markets with weaker consumer protections and potentially less mature cyber controls.

 

PreCrime Predicts: As threat actors continue to weaponize trusted energy-sector brands, future campaigns are expected to become more geographically targeted and event-driven. Early identification of staged infrastructure provides defenders with a valuable opportunity to anticipate where brand abuse may emerge next and implement region-specific mitigation strategies before campaigns scale.

Mixed‑Use and “Grey” Domains Around Activism and Litigation

Some domains appear to be activist, litigation, or protest sites:

Examples include “chevronrefineryclassaction[.]com”, “chevronlawsuit[.]com”, “chevronthinkswerestupid[.]org”, “fuckchevron[.]org”, “stopexxonmobil[.]org” and similar.

These are not inherently malicious from a security perspective but:

  • They can be used as lures for fundraising scams, malware, or disinformation campaigns.

  • They complicate enforcement because free‑speech and legitimate activism need to be distinguished from fraud operations.

Infrastructure Reuse and “Franchise” Campaigns

Even from the labels alone, there are clear patterns of:

  • Reused templates across brands (e.g., brand + ltd, group, corp, energy, resources, investments, global, consulting, groupengineer, etc.).

  • Repeated use of the same motifs across multiple companies (e.g., “-corp”, “-group”, “-resourcesinc”, “-energybids”, “-pipeline”, “-eng”).
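Because the same brand + keyword templates recur, a newly-registered-domain feed can be triaged with a small matcher. The following is an added example, not PreCrime's detection logic: the word lists are drawn from domains quoted in this report, while the allowlist, the scoring weights, and the two entries marked as constructed are assumptions.

```python
# Added example: brand + keyword lookalike triage for a new-registration feed.
BRANDS = ["chevron", "exxonmobil", "shell", "bechtel", "sempra", "conocophillips"]
KEYWORDS = ["procurement", "vendor", "contracts", "career", "recruitment", "hr",
            "sso", "cloud", "corp", "group", "ltd", "energy", "pipeline",
            "engineering"]
CHEAP_TLDS = {"cfd", "sbs", "xyz", "top", "online"}
ALLOWLIST = {"chevron.com", "exxonmobil.com", "shell.com"}  # assumed brand-owned names


def refang(domain):
    """Turn a defanged indicator (name[.]tld) back into a plain hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_keywords(text):
    """Peel known keywords off both ends of text; return (keywords, leftover)."""
    found, progress = [], True
    while text and progress:
        progress = False
        for kw in sorted(KEYWORDS, key=len, reverse=True):
            if text.startswith(kw):
                found.append(kw)
                text, progress = text[len(kw):], True
                break
            if text.endswith(kw):
                found.append(kw)
                text, progress = text[:-len(kw)], True
                break
    return found, text


def classify(domain):
    """Return a finding dict for a suspected lookalike, or None."""
    host = refang(domain)
    if host in ALLOWLIST:
        return None
    labels = host.split(".")
    name, tld = labels[0], labels[-1]
    cores, token_keywords = [], []
    for token in filter(None, name.split("-")):
        kws, core = split_keywords(token)
        token_keywords += kws
        if core:
            cores.append(core)
    best = None
    for brand in BRANDS:
        if brand in name:
            remainder = name.replace(brand, "", 1).replace("-", "")
            keywords, leftover = split_keywords(remainder)
            # Short brands ("shell") occur inside ordinary words, so require
            # that everything around them is a known keyword.
            if leftover and len(brand) < 6:
                continue
            kind, score = "combo", 50 - (20 if leftover else 0)
        elif len(brand) >= 6 and any(edit_distance(c, brand) == 1 for c in cores):
            kind, keywords, score = "typo", token_keywords, 60
        else:
            continue
        score += 10 * min(len(keywords), 2) + (20 if tld in CHEAP_TLDS else 0)
        if best is None or score > best["score"]:
            best = {"domain": host, "brand": brand, "kind": kind,
                    "keywords": keywords, "score": score}
    return best


def triage(domains, threshold=60):
    """Findings at or above the threshold, highest score first."""
    hits = [h for h in map(classify, domains) if h and h["score"] >= threshold]
    return sorted(hits, key=lambda h: (-h["score"], h["domain"]))


SAMPLE = [
    "chevron-procurement[.]com", "vendor-exxonmobil[.]com",   # from the report
    "semprasso[.]com", "bechtel-engineering[.]sbs",           # from the report
    "chevr0n-hr[.]com",   # constructed typo example
    "seashells[.]org",    # constructed benign name containing "shell"
    "chevron[.]com",      # allowlisted
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["score"], hit["kind"], hit["brand"], hit["domain"], hit["keywords"])
```

The length guard trades recall for precision on short brand names, so names such as shellgasstations[.]com need either a larger keyword list or a separate rule.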

Recent external research on power‑sector phishing shows attackers leveraging cloning tools (HTTrack etc.) and reusing infrastructure to rapidly spin up multiple brand‑impersonating domains across the same hosting footprints.

Possible Threat Use Cases

The observed domain ecosystem suggests that threat actors are preparing infrastructure ahead of key business and geopolitical events rather than deploying it immediately. Many of these domains appear positioned to take advantage of future opportunities such as earnings announcements, mergers, AI-related initiatives, and regional expansion activities when employee engagement and external communications are likely to increase.

| Scenario | Threat Description | Trigger Event | Infrastructure Already Staged |
|----------|--------------------|---------------|-------------------------------|
| AI Partnership Announcement Exploitation | Fake AI venture, platform, or digital transformation initiative targeting employees of Chevron, ExxonMobil, Sempra, and other energy organizations. | Any major AI partnership announcement, digital transformation initiative, GenAI deployment, or enterprise AI rollout. | aichevron[.]com, sempra-ai[.]com, shellenergy[.]ai, comstockstrategicai[.]com |
| Earnings Season BEC Campaign | Parked domains activated during earnings season to facilitate CFO spoofing, invoice manipulation, executive impersonation, and wire fraud. | Quarterly earnings releases, investor calls, annual reports, and high-profit quarters. | 140+ parked domains observed across major energy companies. |
| Kazakhstan / Central Asia Supply Chain Fraud | Vendor-payment interception and procurement fraud targeting Tengizchevroil, KazMunayGas, contractors, and regional suppliers. | Tengiz expansion phases, OPEC+ production changes, regional procurement activity, and contractor onboarding. | chevronmunaigas[.]com, chevronmunaigaz[.]com |
| Venezuela Operations Exploitation | Employee phishing, partner impersonation, and business communication fraud targeting organizations involved in Venezuelan energy operations. | PDVSA contract renewals, sanctions policy changes, regional expansion initiatives, and workforce onboarding. | chevronve[.]com, chevronvenezuela[.]com |
| LNG Market Expansion Fraud | Procurement, contract, and vendor fraud targeting LNG operators, suppliers, and engineering stakeholders involved in LNG infrastructure projects. | LNG export terminal announcements, European LNG contracts, infrastructure investments, and international supply agreements. | cheniereenergi[.]com, cheniereengineering[.]com, sempralat[.]online, sempralat[.]store |
| M&A Integration Phishing | Impersonation domains activated during acquisitions, mergers, asset purchases, and organizational restructuring to exploit confusion among employees and partners. | Major mergers, acquisitions, divestitures, corporate integrations, and asset transfers. | diamondbackgroupinc[.]com, diamondbackgroupus[.]com, coterra-agrobsnss[.]com |
| Ransomware Pre-Positioning via IT Contractor Spoofs | Engineering contractor impersonation used to distribute malicious documents, gain initial access, and potentially facilitate ransomware deployment into enterprise and OT environments. | Major engineering projects, capital investments, subcontractor onboarding, infrastructure modernization, and EPC contract awards. | bechtel-engineering[.]sbs, bechtel-construct[.]cfd, technipfmc[.]store, technip-energies[.]xyz |

Active Phishing Campaigns Impersonating Energy Brands (2025–2026)

Brand Impersonation, Trademark Abuse, and Tradecraft Leveraging Industry Trust

From a tradecraft perspective, adversaries frequently exploit recognizable industry names, trademarks, and visual identities to establish immediate trust among targets. Rather than relying solely on typo-squatting, actors increasingly register domains that incorporate legitimate company names, subsidiaries, operational terminology, or sector-specific keywords such as terminals, energy, gas, pipeline, LNG, petroleum, infrastructure, or logistics. This approach enables malicious infrastructure to appear operationally legitimate while potentially supporting different malicious attacks such as BEC campaigns, vendor impersonation, investment fraud, and recruitment and employment scams.

For example, although the observed domains do not directly impersonate Antero Energy’s official infrastructure, the presence of the keyword “Antero” within energy-sector branding introduces a potential trademark and reputation-monitoring concern. Similarly, the domain kindermorganterminals[.]com appears to incorporate the well-established Kinder Morgan brand and may create confusion among customers, partners, and suppliers.

Figure 1a - Trademark and brand impersonation domains targeting Antero and Kinder Morgan
Figure 1b - Trademark and brand impersonation domains targeting Antero and Kinder Morgan

Indicators of Malicious Infrastructure under Construction

At the time of analysis, both domains anteroresource[.]com and murphyoilcorporationltd[.]com appear inactive from an operational perspective, displaying either default hosting pages or generic “under construction” content. However, their naming conventions closely resemble established energy-sector organizations, including Antero Resources and Murphy Oil, creating a potential foundation for future impersonation activity. Dormant infrastructure frequently serves as a staging environment that allows operators to prepare future campaigns that could later be used for business email compromise (BEC), vendor fraud, energy-sector supply chain attacks, etc.

Figure 2a - Website targeting Antero and Murphy Oil discovered in under construction phase acting as a staging environment for future operations
Figure 2b - Website targeting Antero and Murphy Oil discovered in under construction phase acting as a staging environment for future operations

E-Commerce Storefronts as a Scam

The domain phillips66vzla[.]com appears to operate as an online storefront, displaying the Phillips 66 brand identity, especially targeting visitors from Venezuela, where “vzla” is the keyword indicating the region. From a threat intelligence perspective, e-commerce websites remain operational for extended periods while appearing legitimate to customers, suppliers, and distributors unless multiple fraudulent reports are discovered.

Threat actors may advertise products using trusted oil and gas brands, sell counterfeit petroleum products, collect payment information, harvest customer data, or impersonate authorized distributors.

The sale of counterfeit items, such as low-quality substances, non-certified industrial fluids, or relabeled products, can introduce operational and safety risks, particularly when such products are deployed within industrial environments.

Figure 3 - Sale of energy-sector-related products through a fake website has significant risks to both consumers and brand owners

Recruitment-Themed Malicious Domains

Several observed domains incorporate employment-related keywords alongside well-known energy-sector brands, including:

  • hr-chevron[.]com
  • conocophillips-career[.]com

Figure 4a - Website under construction targeting the recruitment and hiring wing of energy-based companies
Figure 4b - Website under construction targeting the recruitment and hiring wing of energy-based companies

At the time of analysis, these domains resolve to default registration pages. However, the combination of these keywords with a default-state website is still concerning, since the email services can be fully operational. Threat actors often prioritize email functionality over website development because the primary objective is communication rather than web traffic. A typical setup may include parked or under-construction websites, active MX records, and configured SPF/DKIM records.

This technique provides several operational advantages for threat actors, such as low detection and takedown risk and natural aging of the domain to rank in search engines before being fully operational. Such campaigns can actively attempt to collect personally identifiable information (PII), harvest resumes and employment records, conduct advance-fee employment fraud, or distribute malware disguised as offer letters.
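The two DNS mail postures this report contrasts, a name held but disabled for mail (null MX plus hard-fail SPF, as in the .tel defensive registrations) and a parked site with working mail (active MX with SPF/DKIM), can be told apart from the records alone. The following is an added example, not PreCrime tooling; the zone lines are constructed, the .example names are not real, and the verdict labels are assumptions.

```python
import re

# Constructed zone data in "name ttl class type rdata" form.
CONSTRUCTED_ZONES = {
    "held-brand.example": [
        "held-brand.example. 3600 IN MX 0 .",
        'held-brand.example. 3600 IN TXT "v=spf1 -all"',
    ],
    "hr-brand.example": [
        "hr-brand.example. 300 IN A 192.0.2.10",
        "hr-brand.example. 300 IN MX 10 mx1.mailhost.example.",
        'hr-brand.example. 300 IN TXT "v=spf1 include:_spf.mailhost.example ~all"',
        'sel1._domainkey.hr-brand.example. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTED"',
    ],
    "parked.example": ["parked.example. 300 IN A 192.0.2.20"],
}


def parse_records(lines):
    """Parse zone-style lines into (owner, type, rdata) tuples."""
    records = []
    for line in lines:
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype.upper() == "TXT":
            # A TXT record may be split into several quoted strings; join them.
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def mail_posture(domain, lines):
    """Classify whether a domain is set up to handle mail."""
    records = parse_records(lines)
    mx = [tuple(rdata.split()) for name, rtype, rdata in records
          if name == domain and rtype == "MX"]
    # RFC 7505 null MX: exactly one MX record, preference 0, exchange ".".
    null_mx = mx == [("0", ".")]
    exchanges = sorted(host for _pref, host in mx if host != ".")
    spf = next((rdata for name, rtype, rdata in records
                if name == domain and rtype == "TXT"
                and rdata.lower().startswith("v=spf1")), None)
    # Hard fail with no authorised sender at all: "v=spf1 -all".
    spf_denies_all = spf is not None and spf.lower().split()[1:] == ["-all"]
    dkim = any(rtype == "TXT" and name.endswith("._domainkey." + domain)
               and rdata.lower().startswith("v=dkim1")
               for name, rtype, rdata in records)
    has_address = any(name == domain and rtype in ("A", "AAAA")
                      for name, rtype, _ in records)
    if null_mx and spf_denies_all:
        verdict = "mail-disabled"    # held but neutralised for mail
    elif exchanges:
        verdict = "mail-capable"     # parked site, working mailbox
    elif has_address and not null_mx:
        verdict = "implicit-mx"      # no MX: RFC 5321 falls back to A/AAAA
    else:
        verdict = "no-mail"
    return {"domain": domain, "verdict": verdict, "mx": exchanges,
            "spf": spf, "dkim": dkim}


def assess_all(zones=CONSTRUCTED_ZONES):
    """Map each domain to its verdict."""
    return {d: mail_posture(d, lines)["verdict"] for d, lines in zones.items()}


if __name__ == "__main__":
    for domain, verdict in assess_all().items():
        print(f"{domain:22} {verdict}")
```

DKIM records live under selector names that cannot be enumerated from the zone apex, so a missing DKIM result here only means no known selector was supplied.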

Figure 5 - Wildberries-themed giveaway campaign observed redirecting users through the domain careerbechtel[.]com

The third example is particularly interesting because it demonstrates a common redirection and cloaking pattern often observed in scam ecosystems. In the screenshot, the user is presented with a Wildberries-themed giveaway page (a major Russian e-commerce platform) advertising prizes and cash rewards. This suggests potential abuse of a trusted corporate identity and serves as multi-purpose scam infrastructure, supporting traffic redirection, promotional fraud, credential harvesting, or future employment-themed social engineering campaigns.

Energy-Themed Infrastructure Leveraged for Gambling and Casino Lures

The domain shellgasstations[.]com was observed participating in a multi-stage redirection chain ultimately leading users to gambling-related infrastructure hosted on a separate domain. During analysis, the initial energy-themed domain redirected visitors toward the URL:

tu5g[.]lozwu1aaxat8zg[.]cc/wdzmr[.]php

which subsequently presented content associated with online gambling and betting platforms, including branding related to Bet365, Bwin, and other betting services.

Figure 6 - Multi-stage redirection chain involving the energy-themed domain shellgasstations[.]com

Observed Redirection Chain

The domain incorporates the “Shell” trademark and fuel-station terminology, creating an instant association with the legitimacy of the energy sector. The website on the domain acts as a traffic-forwarding mechanism, separating the lure domain from the final destination. The victim is then redirected to betting-related content and gambling advertisements.

Figure 7 - Forwarded visitors through intermediary infrastructure before gambling-related content

Brand Trust Piggybacking

Rather than directly promoting gambling content from the start, the operators first utilize a domain that appears associated with a trusted energy-sector organization. Users may be more willing to interact with shellgasstations[.]com than an obviously suspicious gambling domain.

Such redirectors are often known to be associated with crypto investment lures, adult content, or malware delivery, depending on geography, device type, or referral source. While the final payload appears unrelated to the energy sector, the incorporation of energy-industry branding creates reputational concerns.

Lottery-Themed Social Engineering Campaign

The observed infrastructure hosted on clubeshell[.]com appears to mimic a promotional rewards program associated with Shell. Rather than immediately requesting payment or personal information, the campaign employs a staged engagement process designed to increase user participation and perceived legitimacy.

Observed Campaign Flow

The campaign begins with promoting the landing page as a membership or rewards program, encouraging visitors to participate in a giveaway tied to fuel-related benefits and Shell-themed incentives. Following this, the users are directed to an interactive “Spin the Wheel” interface containing various reward outcomes.

Common psychological triggers that make victims react instantly to such campaigns include instant gratification, fear of missing out (FOMO), and reward anticipation. After interaction, the user is informed that they have won a substantial prize, with the win staged as an exclusive offering, prompting them to act out of a sense of urgency.

Figure 8a - Multi-stage Shell-themed rewards campaign, starting with a promotional landing page and prize wheel interaction
Figure 8b - Multi-stage Shell-themed rewards campaign, starting with a promotional landing page and prize wheel interaction

Rather than immediately granting the promised reward, the user is informed that activation of the reward requires enrollment in the Club Shell membership program. This technique is commonly observed in “Spin-the-Wheel” and lottery-based domains, where a small upfront payment is required to “unlock” a significantly larger reward.

Figure 9a - Shell-themed malicious campaign progressing towards reward claims and subscription enrollment
Figure 9b - Shell-themed malicious campaign progressing towards reward claims and subscription enrollment

The final stage requests personal details such as full name, email address, CPF number, mobile number, and payment information. The campaign transitions from engagement to data collection and monetization. Unlike traditional phishing campaigns that immediately request credentials, this campaign leverages a progressive commitment model. By the time payment information is requested, the user has already completed multiple interactions and may perceive the process as legitimate.

Figure 10 - Final step of the Shell-themed malicious campaign collecting personal and payment information

In addition to this, not all rewards-themed campaigns rely on multi-stage lottery mechanisms or gamified engagement. In some cases, threat actors establish domains that directly imitate legitimate loyalty and rewards programs while maintaining consistent branding throughout the user journey. The domain exxonmobilfuels[.]com demonstrates this approach by presenting a straightforward rewards-focused experience.

Figure 11 - Rewards-themed infrastructure leveraging ExxonMobil-related branding to promote loyalty programs

Energy-Sector Keywords Leveraged for Casino-Related Themes

The domain comstockcasino[.]org appears to combine the recognizable Comstock keyword with casino-themed content. While the website openly presents gambling-related content rather than attempting to impersonate an energy company directly, the incorporation of an energy-sector-associated keyword is an attempt to capitalize on existing brand recognition and search visibility.

Threat actors and affiliate operators frequently register domains containing industry and brand keywords to benefit from search engine visibility, brand familiarity, and user confusion. The use of industry-associated branding can still create trademark concerns, brand dilution, and unwanted association with gambling content.

Figure 12 - Gambling-focused infrastructure leveraging energy-sector-associated branding

Industrial Overlap as a Brand Abuse Technique

In some cases, a malicious domain named after an oil and gas brand resolves to a page with banking and financial-services content. Rather than promoting fuel products, energy services, loyalty programs, or industrial offerings, the website advertises digital banking, financial transfers, and means of investment. This convergence between two sectors exploits cross-industry trust relationships by merging recognizable brands with unrelated services, creating malicious themes such as a subsidiary, rewards partner, financial affiliate, or corporate benefit program.

The approach is particularly effective because many large enterprises already operate diverse subsidiaries, rewards programs, financial partnerships, and investment initiatives, making unusual service offerings appear plausible.

Figure 13 - Industrial-overlap branding in which ExxonMobil-related naming is combined with banking and financial-services themes

Activism-Themed Sites Stirring a Negative Influencing Campaign

The domain antichevronday[.]org was observed hosting a campaign centered around opposition to Chevron and its global operations. The website promotes a multi-day event titled “Bay Area Anti-Chevron Week” openly presenting its objectives and messaging. The website contains extensive content criticizing Chevron’s environmental, geopolitical, and operational activities while encouraging visitors to participate in conferences, demonstrations, volunteer activities, and organized actions.

The domain also collects personal information, and while the infrastructure does not exhibit classic data harvesting behavior, it demonstrates a narrative amplification pattern frequently observed in issue-driven campaigns. Rather than impersonating Chevron, the domain directly references the company in a negative context, creating reputation exposure, public relations concerns, and potential brand association risks.

Figure 14a - Domain found hosting an activist-focused campaign centered on opposition to Chevron and its global operations
Figure 14b - Domain found hosting an activist-focused campaign centered on opposition to Chevron and its global operations
Figure 14c - Domain found hosting an activist-focused campaign centered on opposition to Chevron and its global operations

PreCrime Strategic Assessment: What Energy Security Teams Should Do Now

The observed domain ecosystem highlights a diverse range of threats targeting the energy sector, extending beyond traditional phishing and malware delivery into broader areas of brand abuse, fraud, reputation manipulation, and infrastructure staging. Analysis of active domains revealed multiple campaign themes, including recruitment fraud, rewards and loyalty scams, e-commerce abuse, gambling monetization, financial-service impersonation, activist coordination platforms, and event-driven social engineering campaigns.

Threat actors frequently incorporated the names of major oil, gas, and energy organizations into domains that promoted unrelated services such as banking platforms, gambling websites, loyalty programs, recruitment portals, and online stores. In many cases, the objective appeared to be monetization through user trust rather than direct technical compromise.

Several active domains demonstrated sophisticated social engineering workflows designed to maximize user engagement. Examples included multi-stage reward campaigns, spin-the-wheel promotions, fuel voucher giveaways, and recruitment-themed infrastructure that progressively collected personal information before introducing payment requests or additional interactions.

The analysis also identified a notable volume of parked, inactive, and under-construction domains. While not immediately malicious, these assets represent potential future infrastructure that could be rapidly activated in response to business developments, geopolitical events, mergers and acquisitions, LNG expansion projects, earnings announcements, AI initiatives, or regional operational changes. This suggests that threat actors are increasingly adopting a pre-positioning strategy, registering and maintaining infrastructure well in advance of campaign deployment.

Taken together, these observations predict a growing ecosystem of domains capable of supporting fraud, credential harvesting, business email compromise, reputation attacks, activist coordination, gambling monetization, and future event-driven operations. The extent of the observed campaign activity underscores the importance of continuous monitoring for both active and dormant infrastructure, as today’s parked or seemingly benign domain may become tomorrow’s operational campaign asset.

Frequently Asked Questions

Which oil and gas companies are most targeted by lookalike domains?

Chevron (171 domains, 24.4%) and ExxonMobil (145 domains, 20.7%) are the most impersonated, followed by Shell (53), Bechtel (44), and Comstock (32), based on BforeAI’s analysis of 701 suspicious domains tracked from November 2025 to May 2026.

PreCrime threat intelligence identifies malicious domain infrastructure during the Weaponization and Staging phases of the Cyber Kill Chain – before phishing emails are sent or attacks are launched. This allows security teams to block threats proactively rather than reactively.

Attackers register domains mimicking energy brands to conduct BEC campaigns, fake invoice fraud, HR and recruitment scams, vendor impersonation, and credential harvesting. Many domains remain dormant until a trigger event, such as earnings announcements or M&A activity, activates them.

.com dominates, but attackers increasingly use cheap disposable TLDs including .xyz, .top, .online, .sbs, and .cfd to spin up high volumes of lookalike infrastructure at minimal cost.

Continuous monitoring of new domain registrations for brand name variations, typos, and keyword combinations, combined with WHOIS analysis and DNS behavioral signals, enables early detection before campaigns go live.
