14 May, 2026

WIPO Blocks Deceptive Copycat Domain Targeting Atacadão Wholesale Customers

UDRP Cases

Atacadão S.A. and Carrefour SA successfully recovered the disputed domain name atacadao.website through a WIPO UDRP decision. The respondent, Gabriel Admin, had configured the domain to resolve to an impersonation page that displayed the complainant’s real corporate name and CNPJ registration code alongside false contact details. Panelist Kiyoshi Tsuru ruled the registration was made in bad faith and ordered the domain transferred to the complainants.

Case Snapshot

Case Number D2026-1165
Complainant Atacadão S.A.Carrefour SA
Respondent Gabriel Admin
Disputed Domain
atacadao.website
Threat Tactic Corporate Impersonation
Decision Date 2026-05-06
Panelist Kiyoshi Tsuru
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-1165

Erosion of Customer Trust via Abuse of Official Corporate Identifiers

The registration of lookalike domains like atacadao.website presents a severe operational risk by exploiting highly specific corporate trust markers. In this instance, the respondent, Gabriel Admin, configured the disputed domain to resolve to a webpage displaying the complainant’s actual Brazilian company registration identifier (CNPJ) and corporate name, "Atacadao S.a.", but populated the page with false contact details. For B2B partners and wholesale customers who routinely verify corporate credentials to validate supplier legitimacy, the unauthorized integration of a government-issued regulatory number creates an exceptionally deceptive environment. This targeted manipulation of institutional identifiers directly threatens the integrity of Atacadão’s established commercial relations, particularly given the brand’s long-standing presence in Brazil dating back to its 1978 and 1979 trademark registrations.

Although the administrative record does not confirm that customers suffered actual financial losses or that active phishing emails were dispatched from the atacadao.website domain, the operational threat to Atacadão’s customer-facing teams is immediate. When fraudulent domains mimic legitimate wholesale portals, customer support and security operations must absorb the administrative burden of handling confusion, managing inquiries, and mitigating the fallout from misdirected communications. Distributing fake contact information under a verified corporate name diverts genuine customer traffic away from official channels—such as the legitimate atacadao.com.br domain operated since 1997—and forces brand owners to expend valuable resources correcting the record for misled business partners.

Ultimately, leaving highly deceptive domains unaddressed weakens the authority of a brand’s official digital touchpoints and erodes market confidence. For multinational enterprises like Carrefour SA and its subsidiary Atacadão S.A., proactive domain recovery is not merely about defensive trademark enforcement; it is a critical measure to protect the communication infrastructure. By utilizing the WIPO UDRP mechanism to swiftly transfer the domain before active fraud or data harvesting could occur, the complainants successfully defended their wholesale network from hostile digital mimicry and preserved the integrity of their corporate identity.

Strategy Breakdown: Leveraging Corporate Identifiers to Prove Bad Faith

The Complainants’ strategy succeeded by establishing an undeniable foundation of priority and local market recognition. By submitting trademark registrations for ATACADAO and ATACADÃO in Brazil dating back to 1978 and 1979, alongside their primary domain registration for atacadao.com.br from 1997, the Complainants built an insurmountable case of long-standing rights. This historical depth, combined with Atacadão S.A.’s scale as a major wholesale network acquired by Carrefour in 2007, made it impossible for the Respondent to plausibly claim lack of knowledge. This robust trademark portfolio immediately satisfied the first element of the UDRP and set a high bar of bad faith that the Respondent, Gabriel Admin, failed to rebut.

The most persuasive element of the Complainants’ evidentiary package was the documentation of the disputed domain’s active state before it became inactive. The Complainants captured evidence of the website resolving from atacadao.website, which displayed the corporate name ‘Atacadao S.a.’ and the Complainants’ actual Brazilian tax registry identifier (CNPJ) alongside fake contact details. For brand protection professionals, presenting this misuse of government-issued corporate identification is a highly effective tactic, as it provides concrete proof of an intent to mislead and impersonate. This level of deception directly threatens customer security and erodes marketplace trust, making it clear to the panelist that the registration was designed solely to exploit the wholesale brand’s reputation.

Practical Recommendations

  • Implement automated brand protection monitoring that specifically scans for the unauthorized publication of official national corporate registry identifiers (such as the Brazilian CNPJ) on external, third-party domains.
  • Execute proactive defensive registrations for key brand marks across high-risk generic top-level domains (gTLDs) like ‘.website’, ‘.store’, and ‘.shop’, particularly in core operating markets where the brand relies heavily on local ccTLDs like ‘.com.br’.
  • Maintain a clear, easily accessible ‘Official Digital Channels’ directory on primary wholesale web portals to help business partners and retail customers verify legitimate communication channels and avoid copycat platforms.
  • Establish structured legal workflows to immediately capture and archive evidence of active corporate impersonation—such as the misuse of official corporate names and tax IDs paired with fake contact info—before domain registrants transition deceptive sites to inactive states.
  • Train customer support and B2B account teams to document and report customer inquiries regarding suspicious lookalike domains, enabling the legal team to build robust UDRP complaints that demonstrate real-world consumer confusion.

Frequently Asked Questions (FAQ)

Why was the domain ‘atacadao.website’ considered confusingly similar to the Atacadão brand?

The domain ‘atacadao.website’ was deemed confusingly similar because it incorporated the ATACADAO mark in its entirety, which is the core identifier of the Complainants’ long-standing and well-known Brazilian wholesale trademark.

How did the respondent attempt to legitimize their impersonation of the Atacadão business?

The respondent mimicked the Complainants by displaying the official Brazilian corporate name (‘Atacadao S.a.’) and the genuine company identifier (CNPJ) on the website, while substituting the official contact details with their own to deceive unsuspecting users.

What evidence was used to prove the respondent acted in bad faith?

The panelist found bad faith based on the respondent’s unauthorized use of sensitive, government-issued corporate identifiers to create a false association, combined with the fact that the respondent could not credibly claim ignorance of the well-established ATACADÃO brand.

What was the tactical outcome of this UDRP filing for the business?

The WIPO panel ordered the transfer of ‘atacadao.website’ to the Complainants, effectively eliminating the deceptive digital touchpoint and preventing potential customer confusion or security risks associated with the fraudulent impersonation site.

Facing corporate impersonation through a domain?

Protect your customers and company reputation by identifying and recovering unauthorized sites that leverage your official corporate identifiers.

Assess impersonation threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.