25 June, 2026

Atacadão Secures Customer Access Domains Against Brazilian Bad Faith Registration

UDRP Cases

Atacadão S.A. successfully recovered two .site domains that paired their trademark with terms for ‘access’ and ‘card.’ The WIPO panel ordered the transfer, citing the Respondent’s bad faith and the high risk of customer impersonation in the Brazilian market.

Case Snapshot

Case Number D2026-1705
Complainant Atacadão S.A.Carrefour SA
Respondent Jhonatan Santos da Silva, Dona Informatica LTDA
Disputed Domain
acessoatacadao.siteacessocartaoatacadao.site
Threat Tactic Brand Plus Keyword
Decision Date 2026-06-08
Panelist Reyes Campello Estebaranz
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-1705

Risk to Financial Service Integrity and Customer Trust

The registration of acessoatacadao.site and acessocartaoatacadao.site represents a targeted threat to the integrity of Atacadão’s financial services. By incorporating the Portuguese terms "acesso" (access) and "cartao" (card), the Respondent created a specific architecture for impersonating the Complainant’s credit card management portals. This brand-plus-keyword tactic is particularly dangerous in the retail sector where customers frequently seek online account access. Although the domains were in a state of passive holding at the time of the dispute, their inherent composition suggests a preparation for phishing or credential harvesting. For a brand like Atacadão, which has operated in Brazil since 1978, such domains can quickly erode decades of established consumer confidence if used to intercept sensitive financial data.

The geographical proximity of the Respondent to the Complainant’s headquarters in Brazil further underscores the risk of localized fraud. Given the undisputed fame of the ATACADÃO and CARTÃO ATACADÃO marks, the Panelist noted that accidental registration was implausible. This creates an ongoing operational burden for Carrefour SA and its subsidiaries, as they must monitor for these specific linguistic variations that exploit local language patterns to deceive domestic users. The threat is not merely theoretical; the existence of these domains forces the brand owner to divert resources toward defensive litigation to prevent the disruption of their primary digital gateways, such as atacadao.com.br and cartaoatacadao.com.br.

Furthermore, the use of the .site gTLD in conjunction with official-sounding Portuguese keywords increases the likelihood of initial interest confusion. Customers may perceive these URLs as legitimate alternative access points for mobile or secondary web services. If these domains were to be activated, the resulting reputational damage from a security breach could impact the broader Carrefour group, which reported revenues of approximately EUR 87.2 billion in 2024. By securing these domains through the UDRP process, the Complainant effectively mitigates a high-probability risk of corporate impersonation that could otherwise lead to direct financial loss for its cardholders and an increased volume of fraudulent activity reports for its customer support teams.

Strategic Alignment of Service Keywords and Domestic Brand Fame

The Complainant’s strategy effectively leveraged the linguistic composition of the disputed domains to demonstrate a high risk of corporate impersonation. By pairing the ATACADÃO and CARTÃO ATACADÃO trademarks with the Portuguese terms ‘acesso’ (access) and ‘cartao’ (card), the legal team illustrated that the domains were specifically engineered to mimic official credit card management portals. This tactical focus on functional keywords allowed the Complainant to prove that the domains were inherently misleading, as they suggested a level of service-oriented affiliation that could deceive customers seeking to access their financial accounts. The panel found this evidence persuasive, concluding that the addition of descriptive terms reinforced rather than diminished the confusing similarity to the established marks.

Furthermore, the Complainant successfully applied the doctrine of passive holding by emphasizing the geographical and commercial context of the registration. Given that the Respondent is based in Brazil, where the ATACADÃO brand has maintained a prominent presence since 1978, the strategy argued that any claim of accidental registration was implausible. The evidence of Carrefour SA’s substantial global scale, including EUR 87.2 billion in revenue, further supported the finding of undisputed fame within the retail sector. By establishing that the Respondent must have had the Complainant in mind at the time of registration, the strategy secured a finding of bad faith despite the domains resolving to inactive browser error pages, effectively neutralizing the lack of active content as a defense.

Practical Recommendations

  • Prioritize the enforcement of domain registrations that pair trademarks with functional, service-oriented keywords in native languages—such as ‘acesso’ (access) or ‘cartao’ (card)—as these are high-probability indicators of intent to deploy phishing or credential harvesting portals.
  • Utilize the ‘passive holding’ doctrine aggressively in complaints involving famous brands where the domain is currently inactive; panels are increasingly willing to find bad faith when the domain’s structure implies a specific fraudulent future use, such as a credit card login page.
  • Strengthen bad faith arguments by documenting and highlighting the geographical proximity between the respondent and the brand’s primary market, as panels consider it implausible for a local respondent to be unaware of a dominant domestic brand’s trademarks.
  • Monitor non-traditional gTLDs like ‘.site’ for functional keyword combinations, as the descriptive nature of the second-level domain (e.g., ‘acessoatacadao’) often overrides the obscurity of the extension in the eyes of customers seeking account access.
  • Establish a rapid-response workflow between customer support and IP teams to identify ‘access-themed’ domains before they are activated, allowing brand owners to seek a transfer based on the inherent risk of impersonation and the threat to customer trust.

Frequently Asked Questions (FAQ)

Why were the domains acessoatacadao.site and acessocartaoatacadao.site considered confusingly similar to the Complainant’s marks?

The WIPO Panel determined that the disputed domains fully incorporate the well-known ATACADÃO and CARTÃO ATACADÃO trademarks. The addition of common Portuguese descriptive terms like ‘acesso’ (access) and ‘cartao’ (card) was found to reinforce an implied affiliation with the brand’s financial services rather than creating a distinct identity.

How did the Panel establish bad faith given that the domains were inactive (passive holding)?

The Panel applied the doctrine of passive holding, noting that the Respondent’s failure to use the domains did not negate bad faith. Because the Complainant is a famous retailer in Brazil—where the Respondent is also located—it was deemed implausible that the Respondent registered these specific domains without knowledge of the brand, indicating a clear intent to eventually exploit the trademarks for illicit purposes.

What evidence did the Complainant provide to prove the Respondent lacked rights or legitimate interests?

The Complainant demonstrated that the Respondent had no trademark registrations for the terms in question, was not commonly known by the disputed names, and possessed no authorization or license from Atacadão S.A. to utilize their trademarks in any capacity.

What was the primary business risk associated with these specific domain registrations?

The domains posed a significant risk of ‘initial interest confusion,’ where customers might be misled into accessing what appeared to be legitimate portals for credit card management. This tactic creates an opening for potential credential harvesting and reputational damage by impersonating the Complainant’s financial service infrastructure.

Detecting Brand-Plus-Keyword Impersonation

Bad actors often combine your brand name with service terms like ‘access’ or ‘card’ to create deceptive login portals. Proactively monitor these variations to prevent customer confusion and protect your digital footprint before they are weaponized.

Assess brand threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.