Atacadão S.A. successfully recovered two .site domains that paired their trademark with terms for ‘access’ and ‘card.’ The WIPO panel ordered the transfer, citing the Respondent’s bad faith and the high risk of customer impersonation in the Brazilian market.
Case Snapshot
| Case Number | D2026-1705 |
|---|---|
| Complainant | Atacadão S.A.Carrefour SA |
| Respondent | Jhonatan Santos da Silva, Dona Informatica LTDA |
| Disputed Domain | acessoatacadao.siteacessocartaoatacadao.site |
| Threat Tactic | Brand Plus Keyword |
| Decision Date | 2026-06-08 |
| Panelist | Reyes Campello Estebaranz |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-1705 |
Risk to Financial Service Integrity and Customer Trust
The registration of acessoatacadao.site and acessocartaoatacadao.site represents a targeted threat to the integrity of Atacadão’s financial services. By incorporating the Portuguese terms "acesso" (access) and "cartao" (card), the Respondent created a specific architecture for impersonating the Complainant’s credit card management portals. This brand-plus-keyword tactic is particularly dangerous in the retail sector where customers frequently seek online account access. Although the domains were in a state of passive holding at the time of the dispute, their inherent composition suggests a preparation for phishing or credential harvesting. For a brand like Atacadão, which has operated in Brazil since 1978, such domains can quickly erode decades of established consumer confidence if used to intercept sensitive financial data.
The geographical proximity of the Respondent to the Complainant’s headquarters in Brazil further underscores the risk of localized fraud. Given the undisputed fame of the ATACADÃO and CARTÃO ATACADÃO marks, the Panelist noted that accidental registration was implausible. This creates an ongoing operational burden for Carrefour SA and its subsidiaries, as they must monitor for these specific linguistic variations that exploit local language patterns to deceive domestic users. The threat is not merely theoretical; the existence of these domains forces the brand owner to divert resources toward defensive litigation to prevent the disruption of their primary digital gateways, such as atacadao.com.br and cartaoatacadao.com.br.
Furthermore, the use of the .site gTLD in conjunction with official-sounding Portuguese keywords increases the likelihood of initial interest confusion. Customers may perceive these URLs as legitimate alternative access points for mobile or secondary web services. If these domains were to be activated, the resulting reputational damage from a security breach could impact the broader Carrefour group, which reported revenues of approximately EUR 87.2 billion in 2024. By securing these domains through the UDRP process, the Complainant effectively mitigates a high-probability risk of corporate impersonation that could otherwise lead to direct financial loss for its cardholders and an increased volume of fraudulent activity reports for its customer support teams.
Legal Analysis: Brand-Plus-Keyword Tactics and the Impact of Regional Brand Fame
The Panel’s finding on confusing similarity centered on the full incorporation of the ATACADÃO and CARTÃO ATACADÃO marks within the disputed domains. The addition of the Portuguese terms ‘acesso’ (access) and ‘cartao’ (card) was found to heighten rather than diminish the risk of confusion, as these functional keywords directly reference the Complainant’s account management and financial services. By combining protected marks with terms that imply a specific utility, the Respondent created a high probability of initial interest confusion among Brazilian consumers seeking to manage their retail credit accounts, illustrating how brand-plus-keyword tactics can effectively impersonate corporate infrastructure.
Regarding rights and legitimate interests, the decision highlighted that the Respondent lacked any authorization or license to utilize the Complainant’s trademarks. The Panel noted that the Respondent was not commonly known by the disputed names and held no relevant trademark registrations of its own. Crucially, the specific composition of the domains was deemed inherently misleading. This finding emphasizes that when a domain name mimics a corporate login portal or service gateway through the use of descriptive suffixes, it cannot constitute a bona fide offering of goods or services or a legitimate non-commercial use, particularly when the marks are as distinctive as those held by Atacadão S.A.
The assessment of bad faith was heavily influenced by the geographical proximity of the Respondent to the Complainant’s headquarters and the ‘undisputed fame’ of the brand in Brazil. Given that Atacadão has maintained a presence in the local market since 1978, the Panel determined it was implausible for the Respondent to have registered the domains without knowledge of the Complainant’s prior rights. Furthermore, the Panel applied the doctrine of passive holding, ruling that the current inactivity of the domains—resolving only to browser error pages—did not preclude a finding of bad faith registration and use. This legal reasoning underscores that the inherent nature of the domains suggests an intent to either disrupt business operations or eventually facilitate credential harvesting targeting the brand’s financial service users.
Strategic Alignment of Service Keywords and Domestic Brand Fame
The Complainant’s strategy effectively leveraged the linguistic composition of the disputed domains to demonstrate a high risk of corporate impersonation. By pairing the ATACADÃO and CARTÃO ATACADÃO trademarks with the Portuguese terms ‘acesso’ (access) and ‘cartao’ (card), the legal team illustrated that the domains were specifically engineered to mimic official credit card management portals. This tactical focus on functional keywords allowed the Complainant to prove that the domains were inherently misleading, as they suggested a level of service-oriented affiliation that could deceive customers seeking to access their financial accounts. The panel found this evidence persuasive, concluding that the addition of descriptive terms reinforced rather than diminished the confusing similarity to the established marks.
Furthermore, the Complainant successfully applied the doctrine of passive holding by emphasizing the geographical and commercial context of the registration. Given that the Respondent is based in Brazil, where the ATACADÃO brand has maintained a prominent presence since 1978, the strategy argued that any claim of accidental registration was implausible. The evidence of Carrefour SA’s substantial global scale, including EUR 87.2 billion in revenue, further supported the finding of undisputed fame within the retail sector. By establishing that the Respondent must have had the Complainant in mind at the time of registration, the strategy secured a finding of bad faith despite the domains resolving to inactive browser error pages, effectively neutralizing the lack of active content as a defense.
Practical Recommendations
- Prioritize the enforcement of domain registrations that pair trademarks with functional, service-oriented keywords in native languages—such as ‘acesso’ (access) or ‘cartao’ (card)—as these are high-probability indicators of intent to deploy phishing or credential harvesting portals.
- Utilize the ‘passive holding’ doctrine aggressively in complaints involving famous brands where the domain is currently inactive; panels are increasingly willing to find bad faith when the domain’s structure implies a specific fraudulent future use, such as a credit card login page.
- Strengthen bad faith arguments by documenting and highlighting the geographical proximity between the respondent and the brand’s primary market, as panels consider it implausible for a local respondent to be unaware of a dominant domestic brand’s trademarks.
- Monitor non-traditional gTLDs like ‘.site’ for functional keyword combinations, as the descriptive nature of the second-level domain (e.g., ‘acessoatacadao’) often overrides the obscurity of the extension in the eyes of customers seeking account access.
- Establish a rapid-response workflow between customer support and IP teams to identify ‘access-themed’ domains before they are activated, allowing brand owners to seek a transfer based on the inherent risk of impersonation and the threat to customer trust.
Frequently Asked Questions (FAQ)
Why were the domains acessoatacadao.site and acessocartaoatacadao.site considered confusingly similar to the Complainant’s marks?
The WIPO Panel determined that the disputed domains fully incorporate the well-known ATACADÃO and CARTÃO ATACADÃO trademarks. The addition of common Portuguese descriptive terms like ‘acesso’ (access) and ‘cartao’ (card) was found to reinforce an implied affiliation with the brand’s financial services rather than creating a distinct identity.
How did the Panel establish bad faith given that the domains were inactive (passive holding)?
The Panel applied the doctrine of passive holding, noting that the Respondent’s failure to use the domains did not negate bad faith. Because the Complainant is a famous retailer in Brazil—where the Respondent is also located—it was deemed implausible that the Respondent registered these specific domains without knowledge of the brand, indicating a clear intent to eventually exploit the trademarks for illicit purposes.
What evidence did the Complainant provide to prove the Respondent lacked rights or legitimate interests?
The Complainant demonstrated that the Respondent had no trademark registrations for the terms in question, was not commonly known by the disputed names, and possessed no authorization or license from Atacadão S.A. to utilize their trademarks in any capacity.
What was the primary business risk associated with these specific domain registrations?
The domains posed a significant risk of ‘initial interest confusion,’ where customers might be misled into accessing what appeared to be legitimate portals for credit card management. This tactic creates an opening for potential credential harvesting and reputational damage by impersonating the Complainant’s financial service infrastructure.
Detecting Brand-Plus-Keyword Impersonation
Bad actors often combine your brand name with service terms like ‘access’ or ‘card’ to create deceptive login portals. Proactively monitor these variations to prevent customer confusion and protect your digital footprint before they are weaponized.
This case note is for informational purposes only and is not legal advice.



