Investment scams continue to evolve in sophistication, with cybercriminals deploying increasingly complex methods to target potential victims. Recent research from DNS threat intelligence firm Infoblox, presented at the RSA Conference in San Francisco, has uncovered two threat actor groups – codenamed “Reckless Rabbit” and “Ruthless Rabbit” – that have been orchestrating elaborate investment scams through Facebook ads, registered domain generation algorithms, and advanced victim filtering techniques.
How These Investment Scams Work
These threat actors have developed a multi-stage approach to lure victims and maximize their success rate:
1. Facebook Ads with Celebrity Endorsements
The scammers create Facebook advertisements that lead to fake news articles featuring celebrity endorsements for fraudulent investment platforms. These ads are carefully crafted to appear legitimate while evading detection:
- They intersperse malicious ads with regular advertising content related to legitimate products
- The ads display decoy domains (e.g., “amazon.pl”) that differ from the actual destination domains (e.g., “tyxarai.org”)
- They use unrelated images to avoid automated detection systems
This technique isn’t entirely new – we’ve observed similar tactics in cryptocurrency recovery scams and other financial fraud schemes.
For example, recent campaigns identified by researchers show multiple sponsored posts from accounts like “Christopher J. Herndon” targeting users with non-English text. The ads typically display innocuous products like sneakers with text in different languages (such as Turkish phrases like “her zevke uygun üretim ayçapabileri” meaning “production capabilities suitable for every taste”), but clicking them leads to scam sites.
These ads typically operate for short periods (around 1-3 hours) before being taken down, only to be replaced by identical ads with new IDs. This rotation technique helps evade Facebook’s detection mechanisms.
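The two ad-level signals described above, a decoy display domain that differs from the real destination and identical creatives rotated under fresh ad IDs with short lifetimes, can be checked mechanically over an export of sponsored-post records. The following is an added example written for this article, not code from Infoblox or the original research: the record fields (`ad_id`, `display_domain`, `href`, `creative`, `start`, `end`), the sample values and the crude `registrable_domain()` suffix handling are all assumptions for illustration.

```python
"""Added example, not code from the Infoblox research or the original article.
Flags two ad-level signals in a batch of sponsored-post records:
  1. the link text shows a decoy domain that differs from the real destination host
  2. the same creative reappears under new ad IDs, each copy living only a few hours
Record fields and all values are constructed for this example; a real feed would
come from an ad-library export."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse
import hashlib

# Constructed sample records (assumption: ISO 8601 timestamps in one timezone).
SAMPLE_ADS = [
    {"ad_id": "a1", "display_domain": "amazon.pl", "href": "https://tyxarai.org/land?c=1",
     "creative": "Sneakers - her zevke uygun", "start": "2025-04-01T10:00:00", "end": "2025-04-01T12:30:00"},
    {"ad_id": "a2", "display_domain": "amazon.pl", "href": "https://tyxarai.org/land?c=2",
     "creative": "Sneakers - her zevke uygun", "start": "2025-04-01T13:00:00", "end": "2025-04-01T14:00:00"},
    {"ad_id": "a3", "display_domain": "amazon.pl", "href": "https://cdn.tyxarai.org/land?c=3",
     "creative": "sneakers - her zevke uygun ", "start": "2025-04-01T15:00:00", "end": "2025-04-01T17:50:00"},
    {"ad_id": "a4", "display_domain": "shop.example.com", "href": "https://shop.example.com/sale",
     "creative": "Spring sale on running shoes", "start": "2025-03-25T00:00:00", "end": "2025-04-01T00:00:00"},
    {"ad_id": "a5", "display_domain": "news.example.org", "href": "https://tracker.example.net/r?id=5",
     "creative": "Read today's headlines", "start": "2025-03-30T00:00:00", "end": "2025-04-01T00:00:00"},
    {"ad_id": "a6", "display_domain": "amazon.pl", "href": "https://www.amazon.pl/dp/B000",
     "creative": "Kitchen gadgets", "start": "2025-03-20T00:00:00", "end": "2025-04-01T00:00:00"},
]

# Assumption: a tiny stand-in for the public suffix list (co.uk, com.au, ...).
TWO_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registrable_domain(host):
    """Approximate eTLD+1 so 'www.amazon.pl' and 'amazon.pl' compare equal.
    A production check should use the real public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def display_mismatch(ad):
    """True when the domain shown in the ad is not the domain the href lands on."""
    shown = registrable_domain(ad["display_domain"])
    actual = registrable_domain(urlparse(ad["href"]).hostname or "")
    return shown != actual


def creative_fingerprint(ad):
    """Normalise the creative text so trivially re-uploaded copies hash the same."""
    text = " ".join(ad["creative"].lower().split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def lifetime_hours(ad):
    start, end = datetime.fromisoformat(ad["start"]), datetime.fromisoformat(ad["end"])
    return (end - start).total_seconds() / 3600


def find_rotated_creatives(ads, max_hours=3.0, min_ids=3):
    """Map fingerprint -> sorted ad IDs for creatives that ran under at least min_ids
    distinct IDs, every copy living at most max_hours (the 1-3 hour rotation)."""
    groups = defaultdict(set)
    for ad in ads:
        if lifetime_hours(ad) <= max_hours:
            groups[creative_fingerprint(ad)].add(ad["ad_id"])
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) >= min_ids}


def triage(ads):
    """Summary a reviewer can act on: mismatched display domains and rotated creatives."""
    return {
        "mismatched": sorted(ad["ad_id"] for ad in ads if display_mismatch(ad)),
        "rotated": find_rotated_creatives(ads),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ADS))
```

Run against the sample set, `triage()` reports a1, a2, a3 and a5 as display mismatches (a6 is a genuine amazon.pl link, so it passes) and one rotated creative backed by three short-lived IDs; a5 is mismatched but unique and long-lived, which is why the two checks are kept separate.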
2. Advanced Victim Filtering
What makes these operations particularly sophisticated is their victim filtering system:
- Web forms collect personal information including names, phone numbers, and email addresses
- The forms sometimes offer to auto-generate passwords, which are used as part of the validation process
- Backend systems perform HTTP GET requests to legitimate IP validation tools like ipinfo.io, ipgeolocation.io, or ipapi.co
- Traffic from countries the scammers aren’t interested in (like Afghanistan, Somalia, Liberia, and Madagascar) is filtered out
- Phone numbers and email addresses are verified for authenticity
- Advanced Traffic Distribution Systems (TDS) filter out security researchers’ systems, bot traffic, and honeypots
Only targets who pass these validation checks are routed through the TDS to the actual scam platform. Victims deemed “high-value” may then receive personalized attention from fake investment representatives or call centers.
Source: Infoblox research
3. Registered Domain Generation Algorithms (RDGA)
Both groups employ registered domain generation algorithms to create domains for their fraudulent investment platforms. Unlike traditional domain generation algorithms (DGAs), RDGAs use secret algorithms to register domain names, making them harder to detect and block.
Reckless Rabbit has been creating these domains since at least April 2024, primarily targeting users in Russia, Romania, and Poland. Ruthless Rabbit, active since at least November 2022, runs its own cloaking service (“mcraftdb.tech”) for validation checks, focusing on Eastern European users. According to Infoblox researchers, Ruthless Rabbit appears to be linked to infrastructure in Russia.
According to the original Infoblox research, these RDGA domains play a critical role in the scam infrastructure. Unlike traditional DGAs used by malware for command and control communications, RDGAs are designed specifically for human interaction. The domains are carefully crafted to appear legitimate while allowing the threat actors to rapidly create new infrastructure when existing domains are blocked or blacklisted.
The DNS Infrastructure Behind the Scams
DNS (Domain Name System) plays a pivotal role in these scams. The threat actors leverage DNS in several sophisticated ways:
- Rapid infrastructure rotation – New domains are continuously registered using algorithmic patterns, allowing quick migration when domains are flagged
- DNS-based traffic filtering – DNS queries and responses help the scammers identify and filter visitors based on their geographic location and system characteristics
- Multi-stage redirection chains – Multiple DNS lookups are used in redirection chains to obscure the final destination and complicate tracking by security researchers
- Separate infrastructure for different scam phases – Different sets of domains handle initial contact, validation, and final conversion stages
Infoblox researchers identified these patterns by analyzing the DNS query patterns associated with the scam operations, revealing the sophisticated infrastructure used to evade traditional security controls.
4. Fraudulent Payment Platforms
Users who pass the validation filters are directed to sophisticated payment platforms designed to harvest financial details. These pages include:
- Professional-looking interfaces with security badges and encryption claims
- Multiple payment options including major credit cards (Visa, Mastercard)
- Secure payment indicators (locks, badges, etc.)
- Fine print disclaimers that actually reveal the fraudulent nature (but are easily overlooked)
The payment pages often contain deliberately obscured disclaimers in small text that actually reveal the fraudulent nature of the transaction. For example, some may include text stating that the service is “not for investment purposes” or that “this is a subscription to educational content only,” contradicting the investment promises made in earlier stages of the scam.
5. Call Centers for Personalized Scamming
Some campaigns take the deception further by incorporating call centers. After victims pass the validation process, they receive calls from “representatives” who provide detailed instructions on setting up accounts and transferring money to the fraudulent investment platforms.
This human interaction adds credibility to the scam and helps overcome any hesitation the victim might have. It’s similar to tactics we’ve documented in email-based scams where criminals establish a personal connection to build trust.
Technical Indicators of Compromise
Security researchers have identified several technical indicators that can help identify these scam operations:
| Indicator Type | Details |
|---|---|
| Domain Patterns | Random-looking domains with RDGA patterns, often registered recently |
| Validation Services | Connections to ipinfo.io, ipgeolocation.io, ipapi.co from landing pages |
| Traffic Distribution | Multiple redirects through intermediary domains |
| Facebook Ad Content | Mismatched domain displays (shown vs. actual destination); consistent use of specific names like “Christopher J. Herndon” |
| Cloaking Infrastructure | For Ruthless Rabbit: connections to “mcraftdb.tech” |
| Ad Patterns | Short ad lifetimes (1-3 hours); multiple identical ads with different library IDs |
Tactics, Techniques, and Procedures (TTPs)
The Infoblox Threat Intelligence team has documented specific TTPs that distinguish these scam operations:
- Use of HTTPS encryption – Nearly all scam domains use valid SSL certificates to appear legitimate and avoid detection by security tools that can’t inspect encrypted traffic
- Domain naming patterns – Domains often incorporate financial or crypto-related terms combined with random elements, such as “investing-profit-group[.]com”
- Algorithmic domain registration – New domains follow predictable patterns but with sufficient variation to evade simple blocklisting
- Uniform hosting infrastructure – Similar IP ranges and hosting providers are used across campaigns
- User-agent and behavior filtering – Advanced scripts detect automated security tools based on browser fingerprinting and user behavior analysis
- Geofencing capabilities – Traffic is filtered based on IP geolocation, with each campaign targeting specific geographic regions
These indicators can help security teams identify and block these fraudulent operations before users fall victim to them. The Infoblox research suggests implementing DNS-layer security measures that can detect suspicious domain patterns and block connections to newly registered domains with patterns matching known scam infrastructure.
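The naming and registration TTPs above (finance or crypto terms combined with other words, predictable templates with variation, recent registration) lend themselves to a simple clustering pass over the domains a DNS team observes. The block below is an added example written for this article, not Infoblox's detection logic: it reduces each name to a template such as `K-K-W.com` (K = finance keyword, W = other word, D = digits), counts how many observed domains share a template, and applies the 30-day registration-age rule from the protection section further down. `FINANCE_TERMS`, the thresholds, the sample domains other than the one quoted above, and every registration date are constructed assumptions; real creation dates would come from WHOIS or RDAP.

```python
"""Added example, not code from Infoblox or the original article. Groups observed
domains by naming template and applies a registration-age check. The keyword list,
thresholds, sample domains and registration dates are constructed assumptions."""
from collections import Counter
from datetime import date

# Assumed keyword list; extend from the campaigns actually seen.
FINANCE_TERMS = ("invest", "profit", "trade", "crypto", "capital", "fund", "income",
                 "wealth", "bitcoin", "coin", "broker")

# Constructed sample: (defanged domain as written in reports, assumed registration date).
SAMPLE_DOMAINS = [
    ("investing-profit-group[.]com", date(2025, 3, 20)),
    ("crypto-wealth-hub[.]com", date(2025, 3, 25)),
    ("trade-capital-zone[.]com", date(2025, 3, 28)),
    ("fund-income-portal[.]com", date(2025, 2, 1)),
    ("shop-deals-today[.]net", date(2025, 3, 29)),
    ("example[.]org", date(2010, 1, 1)),
]
TODAY = date(2025, 4, 1)  # assumed observation date


def refang(domain):
    """Turn the '[.]' defanging used in reports back into a real hostname."""
    return domain.lower().replace("[.]", ".").strip(".")


def split_domain(domain):
    """Return (second-level label, tld) for a name like 'a-b.com'."""
    labels = refang(domain).split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def classify_part(part):
    """K = finance/crypto keyword, D = digits, W = any other word."""
    if part.isdigit():
        return "D"
    if any(term in part for term in FINANCE_TERMS):
        return "K"
    return "W"


def template(domain):
    """Shape of the name, e.g. 'investing-profit-group.com' -> 'K-K-W.com'."""
    label, tld = split_domain(domain)
    parts = [p for p in label.split("-") if p]
    return "-".join(classify_part(p) for p in parts) + "." + tld


def analyze(domains, today=TODAY, max_age_days=30, min_family=3):
    """Flag each domain on three signals and mark it suspicious when two or more fire:
    a finance keyword in the name, registration within max_age_days, and membership
    of a template family with at least min_family observed members."""
    family_sizes = Counter(template(d) for d, _ in domains)
    results = []
    for domain, registered in domains:
        tmpl = template(domain)
        age = (today - registered).days
        flags = []
        if "K" in tmpl:
            flags.append("finance keyword in name")
        if age < max_age_days:
            flags.append(f"registered {age} days ago")
        if family_sizes[tmpl] >= min_family:
            flags.append(f"template {tmpl} shared by {family_sizes[tmpl]} domains")
        results.append({"domain": domain, "template": tmpl, "age_days": age,
                        "flags": flags, "suspicious": len(flags) >= 2})
    return results


def suspicious_domains(domains, **kwargs):
    """Just the names that cleared the two-signal threshold."""
    return [r["domain"] for r in analyze(domains, **kwargs) if r["suspicious"]]


if __name__ == "__main__":
    for row in analyze(SAMPLE_DOMAINS):
        print(row)
```

Requiring two independent signals keeps a single new registration (the `shop-deals-today` entry) out of the alert list while still catching an older member of an established template family, which is the kind of family view that blocklisting one domain at a time never gives you.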
How to Protect Yourself from Investment Scams
To avoid falling victim to these increasingly sophisticated investment scams:
- Be skeptical of investment opportunities advertised on social media – Legitimate investment firms rarely advertise high-return opportunities through Facebook ads
- Verify celebrity endorsements – Check official channels to confirm if a celebrity is actually associated with an investment platform
- Research investment platforms thoroughly – Look for reviews from reputable sources, check regulatory registrations, and verify company information
- Be wary of pressure tactics – Scammers often create a false sense of urgency to prevent you from doing proper research
- Never share financial or personal information with unverified platforms – Legitimate investment services have proper security measures and transparency
- Inspect payment pages carefully – Read all fine print before entering card details, and look for disclaimers that contradict investment promises
- Be suspicious of foreign-language ads targeting English speakers – Scammers often use mixed languages to bypass detection systems
- Use comprehensive security software that can detect and block connections to malicious domains
Technical Protection Measures
The Infoblox research highlights several technical measures that can provide additional protection against these scams:
- DNS-layer security – Implement protective DNS services that can detect and block connections to suspicious or newly registered domains
- Domain age verification – Be cautious of investment platforms using domains registered in the last 30 days
- Network traffic monitoring – Watch for connections to IP geolocation services followed by redirects to unfamiliar domains
- Ad blockers – Use reliable ad-blocking extensions to reduce exposure to malicious advertisements
- Multi-factor authentication – Enable MFA on all financial accounts to prevent unauthorized access even if credentials are compromised
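The network traffic monitoring measure above, and the validation services listed in the victim-filtering section (ipinfo.io, ipgeolocation.io, ipapi.co), can be turned into a concrete rule: a client calls one of those services and, within seconds, follows a redirect to a domain it had not visited before. What follows is an added example written for this article, not Infoblox's or Gridinsoft's detection code. The proxy log format, the client addresses, the `KNOWN_GOOD` allowlist and every log line are constructed; the two hostnames quoted earlier in the article are reused as the landing and destination hosts.

```python
"""Added example, not code from Infoblox or the original article. Runs a
"geolocation lookup followed by a redirect to an unfamiliar domain" rule over
constructed proxy log lines of the form
  "<iso timestamp> <client> <method> <host> <path> <status>"."""
from collections import defaultdict
from datetime import datetime

GEOIP_SERVICES = {"ipinfo.io", "ipgeolocation.io", "ipapi.co"}  # named in the research
KNOWN_GOOD = {"news.example.com", "docs.example.com"}  # constructed allowlist

# Constructed log: one scam chain (10.0.0.5), a developer calling an API with no
# redirect (10.0.0.9), a site redirecting back to itself (10.0.0.7), and a redirect
# whose follow-up request falls outside the time window (10.0.0.8).
SAMPLE_LOG = """\
2025-04-01T10:00:01 10.0.0.5 GET tyxarai.org /news/celebrity-invest 200
2025-04-01T10:00:02 10.0.0.5 GET ipinfo.io /json 200
2025-04-01T10:00:03 10.0.0.5 POST tyxarai.org /go 302
2025-04-01T10:00:04 10.0.0.5 GET investing-profit-group.com /register 200
2025-04-01T10:05:00 10.0.0.9 GET ipapi.co /json 200
2025-04-01T10:05:01 10.0.0.9 GET docs.example.com /api 200
2025-04-01T11:00:00 10.0.0.7 GET news.example.com /story 200
2025-04-01T11:00:01 10.0.0.7 GET ipgeolocation.io /ipgeo 200
2025-04-01T11:00:02 10.0.0.7 GET news.example.com /redir 302
2025-04-01T11:00:03 10.0.0.7 GET news.example.com /local 200
2025-04-01T12:00:00 10.0.0.8 GET ipinfo.io /json 200
2025-04-01T12:00:01 10.0.0.8 GET portal.example.net /old 302
2025-04-01T12:10:00 10.0.0.8 GET other.example.net /late 200
""".splitlines()


def parse_line(line):
    ts, client, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}


def detect_validation_chains(lines, window_seconds=30):
    """Return one alert per (client, validator call) where, within window_seconds of
    the call, a 3xx response is followed by a request to a host the client had not
    contacted earlier in the log and that is not on the allowlist."""
    by_client = defaultdict(list)
    for event in map(parse_line, lines):
        by_client[event["client"]].append(event)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, call in enumerate(events):
            if call["host"] not in GEOIP_SERVICES:
                continue
            # The page the user was on just before the validation call.
            landing = next((p["host"] for p in reversed(events[:i])
                            if p["host"] not in GEOIP_SERVICES), None)
            seen = {p["host"] for p in events[:i + 1]}
            redirected = False
            for nxt in events[i + 1:]:
                if (nxt["ts"] - call["ts"]).total_seconds() > window_seconds:
                    break
                if 300 <= nxt["status"] < 400:
                    redirected = True
                    continue
                if redirected and nxt["host"] not in seen and nxt["host"] not in KNOWN_GOOD:
                    alerts.append({"client": client, "landing": landing,
                                   "validator": call["host"], "destination": nxt["host"],
                                   "at": nxt["ts"].isoformat()})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_validation_chains(SAMPLE_LOG):
        print(alert)
```

With the default 30-second window only the 10.0.0.5 chain fires, carrying the landing page, the validator and the new destination so an analyst can pivot on any of the three; the "previously seen host" and allowlist conditions are what keep the legitimate geolocation call and self-redirect on 10.0.0.7 quiet. Widening the window to several minutes also surfaces the 10.0.0.8 sequence, which shows why the window should be tuned to how quickly real chains complete rather than set generously.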
These scams share many characteristics with other online fraud schemes we’ve analyzed, including Facebook scams and Instagram fraud. The common thread is exploiting trust in familiar platforms to lend credibility to the scam.
For Windows users concerned about potential infection from clicking on suspicious links, Gridinsoft Anti-Malware can help scan your system for signs of malware and remove any threats. The browser reset feature is particularly useful if you suspect your browser has been compromised by scam websites.
The Growing Threat of Investment Scams
According to Infoblox researchers, these types of scams have proven highly profitable and will continue to grow rapidly in both number and sophistication. The financial motivation ensures these threats will persist and evolve.
The findings about Reckless Rabbit and Ruthless Rabbit were first reported in April 2025 at the RSA Conference in San Francisco, as covered by SC Magazine UK. Similar schemes have been documented by other security firms. In December 2024, ESET exposed a comparable operation called Nomani that used social media malvertising, company-branded posts, and AI-powered video testimonials featuring famous personalities.
More recently, Spanish authorities arrested six individuals aged between 34 and 57 for allegedly running a large-scale cryptocurrency investment scam that used AI tools to generate deepfake ads featuring popular public figures.
As these scams continue to evolve, staying informed about the latest tactics is crucial for protecting yourself. For more information on recognizing and avoiding online scams, check our guides on identifying scam websites and what to do if you’ve been scammed.
Conclusion
Investment scams using Facebook ads, registered domain generation algorithms, and sophisticated victim filtering represent an evolution in online fraud. By understanding how these scams operate and implementing proper security measures, you can significantly reduce your risk of falling victim to them.
Remember that legitimate investment opportunities don’t require urgent action, guarantee high returns with no risk, or come through unsolicited social media advertisements. Always research thoroughly, verify information independently, and be skeptical of opportunities that seem too good to be true.