How to Take Down a Cloned E-Commerce Site Committing Credit Card Fraud?

My friend owns an online shop on Shopify. Recently, he discovered that someone has created a fake version of his website to commit credit card fraud. The scammer built the fraudulent site using WordPress and is hiding behind Cloudflare's protection services.

The scam site contains all the same images, product descriptions, and even uses my friend's trademarked business name. My friend only found out about the issue when a customer questioned if the site was legitimate.

He's already tried to take action by sending a DMCA takedown request to Cloudflare, but received no meaningful response. He's also contacted Google, Bing, and the domain registrar, but the scammer's identity and hosting service are still unknown.

What additional steps can he take to solve this problem?