
8 Fake Domains, 1,950 Compromised Systems: How We Uncovered an Ongoing Albania e-Visa Scam Campaign

Published on Jun 12, 2026

The official Republic of Albania e-Visa application portal at e-visa.al.

In April 2026, the Albanian Ministry for Europe and Foreign Affairs warned the public about a fraudulent website imitating the official e-Visa application service. The advisory named one domain.

Our research found eight.

Four of them are operational at the time of publication. They carry the official branding, the government color scheme, the double-headed eagle. They ask for your passport number, your visa number, your payment details. And they are built well enough that most applicants would never notice the difference.

Left: the official portal at e-visa.al. Right: the clone at e-visa-al.live. Two characters of difference in the address bar.

Why the Albanian e-Visa portal is a target

The official portal at e-visa.al serves a large, geographically diverse population. Albania's visa exemption policy means travelers holding Schengen, US, UK, and several other visa types interact with the system, alongside applicants from dozens of countries who need an electronic visa before arrival.

A government service used by foreigners unfamiliar with Albanian domains, processing identity documents and payments, is close to an ideal target for impersonation. The attackers clearly agree.

The legitimate portal. Note the address: e-visa.al, nothing more, nothing less.

What we found

Through certificate transparency log monitoring and new domain registration tracking, we identified a cluster of domains registered between October 2025 and June 2026, all built around the "evisa" and "albania" keyword patterns that travelers type into search engines.

Domain                         Registered    Status          Threat level
e-visa-al.live                 02 Oct 2025   Active          HIGH
e-visa-albania.com             26 May 2026   Active          HIGH
evisa-albania.com.snlug.com    22 May 2026   Active          HIGH
evisa-albania.efcgf.la         08 Jun 2026   Active          HIGH
evisalbania.com                28 Mar 2026   Monitoring      MEDIUM
evisa-albania.org              06 May 2026   Parked          LOW
evisa-albania.services         08 Jun 2026   Not resolving   LOW
evisa-albania.services         28 Apr 2026   Not resolving   LOW

Four sites deserve particular attention.

e-visa-al.live is the most complete clone we observed. The homepage replicates the official branding, the visa exemption information, and the application workflow, including working Log In and Register functions. The domain itself is the trap: e-visa-al.live versus the legitimate e-visa.al, with the difference placed exactly where almost nobody looks.

e-visa-al.live replicates the full application interface of the official service.

e-visa-albania.com runs a "visa verification" page in French, a strong signal that the operators are deliberately targeting Francophone travelers, one of Albania's largest visitor demographics. The form requests a tracking number, visa number, and passport number. Those three fields together are enough to build a convincing fake identity profile around a real Albanian visa.

A related site poses as an instant visa document verification registry, complete with QR code scanning. This one is aimed not only at travelers but at the people who check their documents: employers and border personnel who might scan a QR code and receive a reassuring "valid" result from a website that has no connection to the Albanian government.

A fraudulent "verification registry" with QR scanning, built to make fake documents look valid.

evisa-albania.efcgf.la appeared on June 8 and was harvesting credentials within days through a verification form at its /verify.php endpoint. The obscure TLD is a deliberate evasion tactic against monitoring tools that focus on common domain endings. Newest infrastructure, same playbook.

Registered June 8, harvesting within days. The form asks for exactly two things: visa number and passport number.

A fifth site, evisalbania.com, appears to be a third-party visa facilitation service rather than an outright phishing operation. It is professionally built and charges applicant fees, but it carries no official disclaimer and collects passport data. We are monitoring it, and travelers should know it is not the official government portal.

Professional, polished, and not the official portal.

1,954 exposed systems

Alongside the domain investigation, we queried infostealer intelligence databases for credentials associated with the legitimate e-visa.al portal. The result: 1,954 infostealer-exposed systems with credentials linked to the domain.

1,954 systems with e-visa.al credentials found in infostealer datasets. Identifying details redacted.

To be precise about what this means: these are devices infected with credential-stealing malware (families observed include Lumma and Nexus) where saved logins or session data for the e-Visa portal were found in the stolen data. It does not mean the government portal itself was breached. It means a substantial number of applicants are applying for visas from already-compromised devices, or were phished along the way, and their travel document data is circulating in criminal datasets.

For the people behind those credentials, the distinction matters very little. Passport data is passport data.

Who is behind this

The evidence points to multiple independent actors exploiting the same opportunity rather than one coordinated group: different hosting choices, different languages, different levels of sophistication, all converging on the same victim pool. Part of the active infrastructure was found running on a network node belonging to a US university's autonomous system, a common pattern in which legitimate infrastructure is compromised and quietly repurposed.

The registration timeline tells its own story. New domains kept appearing through June 2026, weeks after the government's public advisory. Takedowns are removing yesterday's infrastructure while today's is already collecting passports.

If you are applying for an Albanian e-Visa

There is exactly one official portal: https://e-visa.al. The .al ending is the country-code domain of Albania, and it is the only address the government uses for this service.

Type it directly into your browser. Do not reach it through links in emails, social media posts, or search ads. Check the address bar before entering anything. No third-party website is authorized to verify Albanian visas, so never enter your passport or visa number into a "verification" site you found through a link.

If you have already submitted personal or payment information to any domain on the list above, treat it as compromised: change your passwords, watch your bank statements, and consider a fraud alert with your bank. And run a reputable security scan on the device you used, since infostealer infections are exactly how those 1,954 systems ended up in criminal databases.

For security teams

Block the domains listed above across your network controls and threat intelligence platforms. Monitor certificate transparency logs for new registrations combining "evisa" with "albania" or "e-visa-al" patterns, because this campaign is still producing infrastructure. If your organization has employees who travel to Albania, a short reminder to use only the official portal costs nothing and may save someone's identity.
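As an added example (not the blog's or Sphere TI's own tooling), a small Python filter that applies the two hostname patterns named in this post, "evisa" combined with "albania" and the "e-visa-al" lookalike of the official hostname, to certificate transparency records. The record layout and the `name_value` field are assumptions modelled on common CT search output, and the sample entries are constructed.

```python
import re

OFFICIAL = "e-visa.al"  # the only legitimate portal, per the advisory

# Keyword patterns the post says the campaign clusters around.
EVISA_RE = re.compile(r"e-?visa")
ALBANIA_RE = re.compile(r"albania")
LOOKALIKE_RE = re.compile(r"(^|\.)e-visa-al(\.|$)")


def normalize(name: str) -> str:
    """Lower-case a CT SAN entry and strip a wildcard prefix and trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def is_official(host: str) -> bool:
    """True for e-visa.al itself and any of its subdomains."""
    return host == OFFICIAL or host.endswith("." + OFFICIAL)


def classify(name: str):
    """Return a reason string if the hostname matches the campaign patterns, else None."""
    host = normalize(name)
    if not host or is_official(host):
        return None
    if LOOKALIKE_RE.search(host):
        return "lookalike label 'e-visa-al' of " + OFFICIAL
    # Catches apex registrations (evisa-albania.com) as well as campaign
    # labels parked under unrelated apexes (evisa-albania.efcgf.la).
    if EVISA_RE.search(host) and ALBANIA_RE.search(host):
        return "evisa + albania keyword combination"
    return None


def scan_ct_entries(entries):
    """Flag hostnames from CT records; 'name_value' holds newline-separated SANs
    (assumed field name, modelled on common CT search output)."""
    hits = {}
    for entry in entries:
        for san in entry.get("name_value", "").split("\n"):
            reason = classify(san)
            if reason:
                hits[normalize(san)] = reason
    return hits


# Constructed sample records, not real log data.
SAMPLE_ENTRIES = [
    {"name_value": "e-visa.al\nwww.e-visa.al"},
    {"name_value": "e-visa-al.live\nwww.e-visa-al.live"},
    {"name_value": "*.evisa-albania.com"},
    {"name_value": "evisa-albania.efcgf.la"},
    {"name_value": "albania-hiking.example"},
]

if __name__ == "__main__":
    for host, reason in sorted(scan_ct_entries(SAMPLE_ENTRIES).items()):
        print(f"{host:32} {reason}")
```

Hits are candidates for analyst review and blocklisting, not proof of fraud: a legitimate travel agency can register a matching name, so confirm content before acting.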

The complete report, including the full IOC set, registration details, and our recommendations for the Albanian CERT, is available below.

Download the full Sphere TI report (PDF, TLP:WHITE)
