Sophisticated DNS Tricks Behind 7 Billion Investment Scam Surge Revealed

As investment scams sweep across the digital world with growing ferocity, new research has unveiled how cybercriminals are using highly advanced techniques to operate at scale and remain undetected. The Federal Trade Commission (FTC) recently disclosed that consumer losses from such schemes skyrocketed to $5.7 billion in just one year—a staggering 24% increase. Behind this rise are highly organized threat actors, including the groups now tracked as “Reckless Rabbit” and “Ruthless Rabbit,” who have turned digital fraud into an industrialized operation.

By manipulating DNS systems and leveraging sophisticated domain generation and traffic distribution strategies, these groups are reshaping the modern fraud landscape. Their campaigns extend beyond fake investment platforms, using automated systems, geolocation tracking, and dynamic redirects to trap victims while avoiding cybersecurity defenses. This deeper look into their inner workings offers a chilling view into how today’s scams are far more technically adept than simple phishing emails of the past.

Investment Scams Evolve: 30-Line Deep Dive into a Billion-Dollar Deception

The FTC reports that investment scams caused $5.7 billion in losses—a sharp 24% rise from the previous year. This explosive growth is being driven by cybercriminals deploying increasingly complex and evasive strategies.

Groups identified as “Reckless Rabbit” and “Ruthless Rabbit” are central players. These threat actors rely on DNS manipulation and automation to distribute fraudulent investment campaigns at a massive scale.

Scam formats now include text-message lures, social media ads, and fake cryptocurrency platforms, all appearing highly legitimate. Victims are tricked into entering their personal information into embedded web forms designed to validate data and geolocate the user in real time.

Scammers use this information to segment targets, filtering out bots, security researchers, and unqualified traffic. Verified victims are redirected to tailored scam pages or contacted by call centers for further manipulation.

These operations utilize Traffic Distribution Systems (TDS) to route users based on their IP location, with some being redirected to actual investment sites to avoid suspicion. This tactic also helps blend malicious activity with legitimate web traffic.

The DNS-based infrastructure is built on Registered Domain Generation Algorithms (RDGAs), which register large numbers of plausible-looking domain names across multiple TLDs, helping the operators both evade blocklists and appear credible.

Each domain is customized with relevant branding, language, and fake financial dashboards, often changing rapidly to avoid blacklisting. DNS wildcards are used to make all subdomains resolve, overwhelming detection systems.

Reckless Rabbit heavily relies on Facebook ads, mixing scam links with normal promotional content. Meanwhile, Ruthless Rabbit targets Eastern Europe and runs campaigns using thousands of domains and dedicated infrastructure.

Ruthless Rabbit uses Namecheap for registrations and has developed its own API for validation and cloaking, generating fake emails and unique URLs per user. These sites return HTTP 404 errors to discourage domain probing.

Notably, scam operators exploit legitimate IP intelligence APIs for geolocation validation and traffic filtering—blurring the line between legal tools and illegal intent.

Cybersecurity firm Infoblox highlighted the importance of automated threat intelligence and DNS-focused analysis in combating these campaigns, as traditional defenses are no match for their scale and adaptability.

Domains tied to these operations often include bizarre or algorithmically generated names, many linked to fake cryptocurrency platforms.

These scam networks now operate like tech companies—scaling, optimizing, and analyzing their traffic while maintaining obfuscation layers that challenge even experienced security teams.

What Undercode Says:

The sheer technical sophistication of these scam operations marks a major evolution in cybercrime. Rather than relying solely on phishing emails or fake apps, groups like Reckless Rabbit and Ruthless Rabbit have built entire ecosystems—complete with geolocation-based targeting, user segmentation, and dynamic domain architectures.

Their strategic use of DNS as a weapon is particularly alarming. By exploiting wildcard DNS, RDGAs, and TDS, these criminals are flooding the internet with legitimate-looking domains faster than blacklists can adapt. This means every click on a suspicious ad could potentially lead to a new domain that hasn’t yet been flagged, giving scammers a crucial edge.

The use of legitimate services—like ipinfo.io—for data validation also adds a dangerous new layer to their deception. These APIs were created to help developers, yet they’re now core to verifying and optimizing scam campaigns in real time.

Reckless Rabbit’s blending of scam and non-scam content through Facebook ads is a masterclass in social engineering. By embedding malicious URLs among legitimate promotions, they reduce suspicion and bypass automated detection, turning the social media marketplace into a Trojan horse.

The Ruthless Rabbit group, targeting Eastern Europe, goes a step further by creating dedicated validation services and domain cloaking tools. Their self-hosted infrastructure and 404 deception tactics show just how determined they are to avoid researcher scrutiny and scale their scams indefinitely.

What’s most chilling is how methodically they test and optimize their attacks. Using behavioral and technical data, they fine-tune campaigns the same way a marketing team would for a product launch—except their product is a financial trap.

The rotating domain names, fake profit dashboards, and dynamic content updates reveal just how industrialized these scams have become. Victims aren’t just falling for a one-off hoax; they’re being funneled through a system that has been engineered with precision.

For defenders, this means static blacklists and reactive tactics won’t cut it anymore. Only real-time, behavior-driven detection systems focused on DNS and domain reputation analysis stand a chance at catching these campaigns before they go viral.

The most effective response now lies in machine-speed analysis of domain registration patterns, DNS queries, and user behavior to flag suspicious infrastructure before it’s weaponized.
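As an added illustration of the DNS-focused detection this paragraph calls for (example code written for this page, not code from Infoblox or the original article), the Python heuristics below run over constructed passive-DNS records and flag the two infrastructure patterns described earlier: a wildcard record that makes arbitrary subdomains resolve, and one label registered across many TLDs, as an RDGA produces. All domain names, addresses and thresholds are assumed sample values.

```python
from collections import defaultdict

# Constructed passive-DNS style records (query name, answer). Every name and
# address here is a placeholder for illustration, not an indicator from the article.
SAMPLE_RECORDS = [
    ("www.profit-ledger-invest.com", "203.0.113.10"),
    ("k3j9x.profit-ledger-invest.com", "203.0.113.10"),
    ("q8z2m.profit-ledger-invest.com", "203.0.113.10"),
    ("a1b2c.profit-ledger-invest.com", "203.0.113.10"),
    ("zz0pq.profit-ledger-invest.com", "203.0.113.10"),
    ("profit-ledger-invest.net", "203.0.113.11"),
    ("profit-ledger-invest.org", "203.0.113.11"),
    ("profit-ledger-invest.xyz", "203.0.113.11"),
    ("www.example.com", "198.51.100.5"),
    ("mail.example.com", "198.51.100.6"),
]


def split_name(name):
    """Return (subdomain, registered_label, tld) for a DNS name.

    Simplification: the registered domain is taken as the last two labels, so
    multi-part public suffixes such as co.uk are not handled here.
    """
    labels = name.lower().rstrip(".").split(".")
    tld, label = labels[-1], labels[-2]
    return ".".join(labels[:-2]), label, tld


def wildcard_candidates(records, min_subdomains=4):
    """Flag registered domains where many distinct subdomain labels all resolve
    to one identical answer: the signature of a wildcard record that makes every
    subdomain resolve. Returns {registered_domain: distinct_subdomain_count}."""
    subs, answers = defaultdict(set), defaultdict(set)
    for name, answer in records:
        sub, label, tld = split_name(name)
        if not sub:  # apex record, carries no subdomain information
            continue
        domain = f"{label}.{tld}"
        subs[domain].add(sub)
        answers[domain].add(answer)
    return {d: len(s) for d, s in subs.items()
            if len(s) >= min_subdomains and len(answers[d]) == 1}


def rdga_candidates(records, min_tlds=3):
    """Flag a second-level label seen across many TLDs, the bulk registration
    pattern an RDGA produces. Returns {label: sorted list of TLDs}."""
    tlds = defaultdict(set)
    for name, _answer in records:
        _sub, label, tld = split_name(name)
        tlds[label].add(tld)
    return {lab: sorted(t) for lab, t in tlds.items() if len(t) >= min_tlds}
```

Both functions are threshold heuristics meant as a first-pass filter over DNS telemetry; a CDN-fronted site with several hosts on one address can also trip the wildcard check, so flagged domains still need registration and content review.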

Investment scams are no longer low-effort cons. They are high-tech operations fueled by AI, data analytics, and deceptive design, operating with the efficiency of startups and the secrecy of nation-state hackers.

Cybersecurity teams must rethink their defensive playbooks to deal with this new threat level. Simply put, we are witnessing the corporate-style industrialization of online fraud.

Fact Checker Results:

  • FTC confirms a $5.7 billion loss in 2023 due to investment scams.
  • Infoblox and other cybersecurity experts validate DNS abuse and RDGA tactics.
  • Threat actor aliases “Reckless Rabbit” and “Ruthless Rabbit” have been observed using dynamic, evasive infrastructure to avoid detection.

Prediction:

Given the current trajectory, DNS-based evasion and automation will continue to dominate scam operations. The line between legitimate ad tech and scam tech will blur further, making detection harder. As generative AI and synthetic content become mainstream, future investment scams may not only impersonate platforms but entire identities—using voice, video, and biometrics to build trust before the attack even begins. Without proactive DNS threat intelligence and tighter platform regulation, the next wave of investment scams could exceed $7 billion in global losses.

References:

Reported By: cyberpress.org