Cybersecurity researchers have uncovered two threat actor groups, codenamed Reckless Rabbit and Ruthless Rabbit, orchestrating elaborate investment scams through fake celebrity endorsements and sophisticated traffic filtering systems.
According to DNS threat intelligence firm Infoblox, these scammers create fraudulent investment platforms, particularly cryptocurrency exchanges, which they promote through targeted social media advertising. The scam operation begins with Facebook ads that direct users to fake news articles featuring celebrity endorsements of investment opportunities.
The threat actors employ several technical measures to ensure they’re targeting suitable victims. They perform validation checks using legitimate IP validation tools to filter out traffic from countries they’re not interested in and verify the authenticity of submitted contact information. Once a victim passes these verification steps, they’re routed through a traffic distribution system (TDS) to either the scam platform directly or to a page instructing them to await contact from a “representative.”
Reckless Rabbit, operating since at least April 2024, primarily targets users in Russia, Romania, and Poland while specifically excluding traffic from countries like Afghanistan, Somalia, and Liberia. The group uses registered domain generation algorithms (RDGAs) to create domain names for its fraudulent platforms and employs deceptive tactics in its Facebook ads: the ads display unrelated images and decoy domains that differ from the actual destination URLs.
Ruthless Rabbit, active since November 2022, focuses on Eastern European users and runs its own cloaking service for validation checks. Once victims clear these verifications, they’re directed to investment platforms requesting financial information.
Security researchers warn that these investment scams will “continue to grow rapidly—both in number and sophistication” due to their profitability.