Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat actors in investment scams, which, according to the Federal Trade Commission (FTC), resulted in a record-breaking loss of US$5.7 billion in 2024-a 24% surge from the previous year.
These scams, often disguised as legitimate opportunities such as cryptocurrency exchanges, leverage advanced technological mechanisms to deceive victims.
Researchers have identified actors like Reckless Rabbit and Ruthless Rabbit, who exploit Registered Domain Generation Algorithms (RDGAs) to programmatically create vast numbers of domains, enabling them to scale operations and evade detection.
.png
)
Unlike traditional Domain Generation Algorithms (DGAs) used in malware, RDGAs remain a closely guarded secret of the actors, with domains preemptively registered for malicious use, often intermingled with legitimate advertising content.
DNS Exploitation as a Core Strategy
A critical finding from the research highlights the abuse of Domain Name System (DNS) infrastructure as a backbone of these scams.
Threat actors employ Traffic Distribution Systems (TDSs) to funnel victims to fake investment platforms based on geolocation, while routing security researchers or bots to benign sites like eToro to mask their activities.
For instance, Reckless Rabbit uses wildcard DNS responses to generate noise, complicating efforts to pinpoint active malicious subdomains.
Additionally, embedded web forms on scam sites harvest personal data, often auto-formatting fields like country codes based on IP geolocation, while validation checks-using legitimate tools like ipinfo[.]io-filter out unwanted traffic.
Ruthless Rabbit, active since November 2022, operates a custom cloaking service with public API documentation, using hidden scripts to generate random email addresses for validation rather than direct victim contact.
Their campaigns, targeting Eastern European users with themes like fake GazInvest platforms promising high returns, further showcase URL path manipulation to conceal malicious content from direct access to second-level domains (SLDs).
The research underscores the sophistication of these actors in deploying deceptive tactics, such as Reckless Rabbit’s blending of scam ads with legitimate marketplace content on platforms like Facebook, or using decoy domains and unrelated images to bypass image-recognition security tools.
Ruthless Rabbit, meanwhile, hosts over 2,600 domains across dedicated IPs, primarily with Aeza and IROKO, registering via Namecheap to sustain long-term campaigns.
Both actors rely heavily on RDGAs to dynamically adapt website logos matching domain names, enhancing the illusion of authenticity.
The sheer volume of RDGA domains-over 3 million observed-renders manual tracking infeasible, emphasizing the need for automated DNS-based detection to disrupt these scams at scale before redirection chains complete.
As investment scams grow in profitability and complexity, researchers warn that actors will continue refining these techniques, urging heightened vigilance and advanced countermeasures to curb this escalating threat.
Indicators of Compromise (IOCs)
| Indicator Type | Examples |
|---|---|
| Reckless Rabbit Domains | brilliantwallaby[.]info, upkeep-vocal[.]com |
| Ruthless Rabbit Domains | topsmot[.]pro, goaljob[.]pro |
| Unnamed Actor Domains | bitcoin-eprex[.]com, quantumflash[.]org |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 employed by threat actors in investment scams.){kind=link}