I looked at how counterfeit fashion sites are structured. Here's exactly where their data falls apart.
Over the past few months I've been asked by several brands to help them understand why they're losing visibility in AI-driven search to sites they know are selling counterfeit or unauthorised versions of their products. The brands knew the sites existed. They'd filed DMCA takedown requests. A few had sent cease and desist letters. But the visibility problem persisted.
So I started looking at the sites themselves. Not from a legal angle. I'm not a lawyer. From a data angle. I wanted to understand what these operations actually look like under the hood, specifically how their structured data and entity signals compare to the legitimate brands they're impersonating.
What I found wasn't surprising. But seeing it documented clearly was useful enough that I thought it was worth writing up.
A quick note on methodology: I used Screaming Frog to crawl a sample of PDPs from each site, ran their schema through validator.schema.org and Google's Rich Results Test, and cross-referenced any GTINs I could find against GS1's Verified by GS1. I also manually inspected their claimed social profiles and any Organisation schema data. I'm not naming specific sites for obvious reasons, but the patterns I'm describing were consistent across every operation I looked at.
The GTIN problem
Every legitimate fashion brand I work with has some version of the GTIN coverage gap I've written about previously. Coverage is rarely 100%, especially on newer SKUs. But the difference between a legitimate brand's GTIN data and what I found on these counterfeit sites isn't a matter of degree. It's a different category entirely.
Three patterns kept showing up.
The first was placeholder data. GTINs populated with strings like "0000000000000" or "1234567890123." Syntactically valid. Right length. Right format. So they don't get flagged by a basic schema validator. But run them through GS1's Verified by GS1 and they return nothing. An AI agent cross-referencing that GTIN against a product registry finds a blank.
The second was lifted GTINs. Some of the sites had real GTINs which were scraped directly from the legitimate brand's product pages or from aggregator data. These actually pass the GS1 check, which might look like a problem. But here's the thing: they resolve to the legitimate brand, not to the counterfeit operation. The GTIN says the product belongs to Brand X. The domain selling it isn't Brand X. For an AI agent trying to establish who the authorised seller is, that's a direct conflict in the data. Not proof of fraud in isolation, but an unresolved contradiction. AI agents treat unresolved contradictions as uncertainty. Uncertainty means they don't recommend you.
The third was no GTINs at all. Product schema with name, description, price and image all populated. GTIN, brand, manufacturer — absent. A product entity with no verifiable identity.
The Organisation layer
This is where the gap becomes stark.
None of the sites I analysed had a complete Organisation schema. A couple had partial entries such as a name, sometimes a URL but nothing that created a functional entity declaration. No sameAs properties pointing to verified profiles. No legal identifiers. No legalName field. In one case, Organisation schema existed on the homepage but was malformed. A missing closing bracket in the JSON-LD that caused the entire block to fail validation silently. Broken schema that looks present but does nothing.
The sameAs situation was particularly telling. Where sameAs entries existed at all, they pointed to one of three things: social profiles created recently with almost no posting history, profiles with usernames that didn't match the brand name on the domain, or URLs that 404'd entirely and accounts that had been suspended or deleted at some point.
This matters because sameAs is one of the primary ways an AI agent triangulates brand identity. A legitimate brand with sameAs entries pointing to a nine-year-old Instagram account with a consistent posting history is a completely different entity signal from a sameAs pointing to a four-month-old account with 31 posts. One is verifiable. The other is noise. An AI agent doesn't need to make a value judgement. The data tells it which one to trust.
None of the sites had any legal identifiers. No vatID, no leiCode, no company registration data of any kind. Not necessarily damning on its own as plenty of legitimate small brands haven't added this yet either. But combined with everything else, it adds to a picture of an entity with no verifiable real-world presence.
No humans anywhere in the data
I've written before about Person schema and human authority signals being the layer most ecommerce teams skip. On these sites, they didn't exist at all. Not partially implemented. Not broken. Simply absent.
No founders. No creative directors. No team pages linking to real people with verifiable professional histories. The content — product descriptions, whatever passed for editorial copy, the about pages was either scraped verbatim from the legitimate brand or generated without any authorship attribution whatsoever.
This matters more than it sounds. An AI agent evaluating two entities selling what appears to be the same product. One with a verifiable creative director whose LinkedIn profile corroborates their role going back eight years and authored content consistently published on the domain. The other one with no human presence anywhere in the data. Not a hard call?
One entity is real. The other is a data shell.
The review picture
Reviews on these sites split into two camps. Either there were none. Product pages with empty review sections and no Review schema. Or there were reviews that didn't hold up to any scrutiny.
The second type is worth a moment. Some sites had what looked like populated review sections. Decent star ratings, a reasonable volume of entries. But a few things were off. Reviewer profiles with no history outside that platform. Reviews using near-identical sentence structures across different products. No verified purchase signals in the schema. And in a couple of cases, aggregate ratings in the schema that were inconsistent with the individual reviews visible on the page. A declared aggregate of 4.6 from 280 reviews, with 14 reviews actually present. That kind of inconsistency is either incompetent data management or deliberate inflation, but either way it's a signal that fails any meaningful verification check.
What the gap looks like side by side
I want to make this concrete because I think it's easy to read all of the above as a list of individual issues rather than a cumulative picture.
A legitimate brand that has done this properly presents an entity that coheres at every level: GTINs that resolve to their brand in GS1, Organisation schema with sameAs entries pointing to profiles with years of consistent history, a legalName that matches their Merchant Center registration exactly, Person schema linking named individuals to the organisation, authored content published over time with consistent Author markup, and a review ecosystem built up through genuine customer transactions.
A counterfeit operation presents: placeholder or lifted GTINs, partial or broken Organisation schema with no legal identifiers, social profiles with minimal history, no human presence in the data, content with no authorship trail, and reviews that are either absent or don't survive scrutiny.
The gap isn't subtle. It's the difference between an entity that holds up at every verification point an AI agent can check and one that falls apart the moment you look past the surface.
Why this isn't fixable for them
The thing I keep coming back to when I look at this data is that the counterfeit operation's problem isn't solvable with effort or investment. It's not that they haven't gotten around to implementing Person schema or need to do a better GTIN audit. The entity a legitimate brand builds over years like the review depth, the authorship trail, the consistent legal and social identity, the human presence is inseparable from being a real business operating over time.
You can scrape product images. You can copy description copy. You can lift GTINs. What you can't manufacture is a decade of consistent brand presence, a creative director with a verifiable career, a review ecosystem built from real customers, and an Organisation entity that resolves correctly across every independent source an AI agent might check.
That's the gap. And it only widens the longer a legitimate brand keeps building.