New Investment Scams Hide Behind Facebook Cloaks


Online investment scams are becoming more deceptive and technologically advanced, as cybersecurity researchers uncover two coordinated threat groups—nicknamed Reckless Rabbit and Ruthless Rabbit—operating elaborate schemes that combine fake celebrity endorsements, Facebook ad cloaking, and clever IP validation.

These threat actors don’t just push fraudulent cryptocurrency platforms. They’ve developed a multi-layered operation that filters out unwanted traffic, hides scam sites from detection, and custom-tailors each attack to lure real users into giving up personal and financial information.

How the Scam Works: From Facebook Ads to Fake Platforms

Reckless Rabbit typically kicks things off with Facebook ads disguised as articles, featuring celebrities supposedly endorsing a new investment platform. Once a user clicks, they’re redirected to a fake article and then funneled toward a scam site—complete with a registration form.

The form doesn’t just ask for your name and email. It sometimes generates a password automatically to “secure” your account, masking the fact that you’re being led into the next stage of the scam: a validation check.

Behind the scenes, the attackers use IP validation tools like ipinfo.io and ipgeolocation.io to determine if the visitor is a real target. They also verify phone numbers and email authenticity. If you pass the test, the system sends you through a traffic distribution system (TDS) that either opens the fake investment platform or tells you to wait for a call from a “representative.”

That call? It usually comes from a call center set up by the threat actors to walk victims through setting up an account—and wiring money directly into the fraudsters’ hands.

RDGA Domains and Geographic Filtering Add Sophistication

One of the most advanced features of these operations is the use of registered domain generation algorithms (RDGAs). Unlike regular DGAs, which simply generate domain names, an RDGA is a secret algorithm whose output the actors register in advance, which makes takedowns harder and the campaigns harder to trace.
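A defender-side illustration of what pre-registration implies, added here and not taken from Infoblox or the original article: since the generated names are registered in advance, a feed of new registrations is one place to look for them as a batch. The feed records, the clustering key and the min_size threshold below are all assumptions, and the page does not describe the naming pattern these actors actually use.

```python
from collections import defaultdict
from itertools import groupby

# Constructed sample of a newly-registered-domain feed (every value is invented):
# (domain, registrar, nameserver, creation date)
FEED = [
    ("profit-wave17.example", "RegistrarA", "ns1.hosta.example", "2024-04-02"),
    ("crypto-gain42.example", "RegistrarA", "ns1.hosta.example", "2024-04-02"),
    ("invest-peak08.example", "RegistrarA", "ns1.hosta.example", "2024-04-02"),
    ("trade-boost93.example", "RegistrarA", "ns1.hosta.example", "2024-04-02"),
    ("joes-garage.example",   "RegistrarA", "ns1.hosta.example", "2024-04-02"),
    ("cityflorist.example",   "RegistrarB", "ns1.hostb.example", "2024-04-02"),
    ("river-bank55.example",  "RegistrarC", "ns2.hostc.example", "2024-04-03"),
]


def shape(domain):
    """Reduce the leftmost label to its character-class pattern.

    Letters become 'a', digits 'd', hyphens '-', and repeated classes are
    collapsed, so 'profit-wave17' and 'crypto-gain42' both map to 'a-ad'.
    """
    label = domain.split(".", 1)[0]
    classes = ("d" if c.isdigit() else "-" if c == "-" else "a" for c in label)
    return "".join(k for k, _ in groupby(classes))


def find_batches(feed, min_size=3):
    """Group registrations that share registrar, nameserver, creation date,
    TLD and name shape; return only the groups with at least min_size names.

    Assumption: a batch produced by one algorithm and registered together
    shares these attributes. Real feeds need looser matching (date windows,
    several registrars) and an allow-list for legitimate bulk registrants.
    """
    clusters = defaultdict(list)
    for domain, registrar, nameserver, created in feed:
        tld = domain.rsplit(".", 1)[-1]
        key = (registrar, nameserver, created, tld, shape(domain))
        clusters[key].append(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_size}


if __name__ == "__main__":
    for key, domains in find_batches(FEED).items():
        print(key, "->", domains)
```

A cluster is only a lead for review: shared registrar and hosting are common among unrelated domains, so each batch still needs content or DNS evidence before any blocking decision.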

Reckless Rabbit has been building out its domain infrastructure since April 2024, targeting users in countries like Russia, Romania, and Poland. At the same time, they deliberately exclude traffic from countries such as Afghanistan, Liberia, and Somalia—showing just how selective and strategic these campaigns are.

Meanwhile, Ruthless Rabbit uses a separate cloaking system hosted on its own server (mcraftdb[.]tech) to perform even more advanced verification checks before routing users to the final scam platform.

Cloaked Ads, Mystery Boxes, and Subscription Traps

It’s not just investment scams that are exploding in complexity. Bitdefender researchers recently revealed that cybercriminals are also leveraging Facebook ads to push “mystery box” subscription scams.

These ads often claim to offer clearance sales or cheap Apple products for as little as $2. But behind the flashy promise lies a hidden subscription model. Users unknowingly enter their payment details and are automatically signed up for recurring charges.

To stay under the radar, scammers create several ad versions—only one of which is malicious. Others display generic product images to avoid detection by automated systems.

Bitdefender says the grift is evolving. Scammers are expanding beyond mystery boxes to push fake investment platforms, bogus supplements, and imitation products—all using the same Facebook ad infrastructure.

Real-World Impact and Global Crackdowns

Authorities are beginning to respond. Just last month, six individuals in Spain were arrested for running a large-scale crypto investment scam using AI-generated deepfake ads of public figures.

In Myanmar, the U.S. Treasury has sanctioned the Karen National Army (KNA) for helping organized crime groups run massive scam compounds. These operations, often tied to human trafficking and cross-border smuggling, reportedly rake in an estimated $40 billion annually. Victims include not only those tricked into investing, but also trafficked workers forced to run the scams.

Researchers say there’s little chance these campaigns will slow down soon. “Threat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible,” said the team at Infoblox. As long as the schemes remain profitable, expect them to scale in both volume and technical complexity.
