Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

Authors: Darby Wise, Piotr Glaska, Laura da Rocha

According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than any other kind in 2024. This equates to a 24 percent increase from 2023 to 2024 in the amount of money lost—a total of US$5.7 billion¹. These threats take a variety of forms, including the so-called pig butchering scams, which generally start with generic text messages to ones advertised through social media. Sometimes human interaction is involved and sometimes it is not. We track several investment scam actors and we’ve previously published research on two of them, Savvy Seahorse and Horrid Hawk, who have distinctive DNS fingerprints.

This report expands on our previous publications to consider common techniques, tactics, and procedures (TTPs) of several investment scam actors who lure victims with fake platforms, including crypto exchanges. Fake websites referred to as “profit platforms” are designed to convince users they are dealing with a legitimate business. We’ve found that the actors often:

Register large numbers of domains algorithmically over time, a technique we refer to as registered domain generation algorithms (RDGAs)
Embed similar web forms to collect user data
Hide their activity through traffic distribution systems (TDS)
Leverage fake news often featuring spoofed government endorsements, a celebrity, or fake first-hand accounts of the investment program
Share website structure indicative of the use of a kit

We are often able to discover and track investment scams through DNS fingerprints. Two of the actors detailed in this paper, who we call Reckless Rabbit and Ruthless Rabbit, for example, are tracked through their use of RDGAs.

Embedded Web Forms

While the actors we investigated may use different means to distribute their campaigns, we found that all of them include, at some stage, an embedded web form, which we identified as the first and most notable TTP pattern. For example, Reckless Rabbit creates ads on Facebook that lead to fake news articles featuring a celebrity endorsement for the investment platform. The article includes a link to the scam platform which contains an embedded web form persuading the user to enter their personal information to “register” for the investment opportunity.

The form typically requires the user’s first and last name, email address, and phone number, which automatically formats the country code to match the user’s IP geolocation. Some forms also require the user to create a password and offer the option to auto-generate one for them. Figure 1 below shows an example from a February 2025 scam where we accessed the landing page using a U.S.-based IP address; Figure 2 shows the auto-generated password. The actor uses this information to progress to the next step in the scam—information validation checks.

Figure 1. Example of embedded web form in a February 2025 investment scam²

Figure 2. Embedded web form with an auto-generated password field³

Validation Checks

Once the user enters their personal details, most of the campaigns conduct validation checks on the user’s information and their IP address. The checks each actor performs can vary, but common ones include:

Validity of the user’s email and/or phone number
Duplication of emails and/or phone numbers
Multiple attempts to register using the same IP address within a specific timeframe
Missing information (name, phone number, etc.)

The scam actors often perform HTTP GET requests to legitimate IP validation tools, such as ipinfo[.]io, ipgeolocation[.]io, or ipapi[.]co. They use these validation checks to filter out traffic from specific countries, security researchers, and/or bots.

In many campaigns, if a user passes the validation, a TDS routes them either directly to the investment scam platform where they are encouraged to transfer money, or to a page that thanks them for registering and says a representative will contact them with additional information. Some campaigns use call centers to provide the victims with instructions on how to set up an account and transfer money into the fake investment platform. For users who do not pass the validation step, many campaigns will simply display a “thank you” landing page, as shown in Figure 3.

Figure 3. Ruthless Rabbit’s “thank you” page⁴

Traffic Distribution Systems

Some of the scam actors we’ve researched leverage their own TDSs to collect information about the victim and conditionally make decisions on which web content the user will be redirected to. This is the case for an active crypto scam actor we have been tracking that utilizes a TDS to route users from different countries to different fake investment platforms. Table 1 below shows this actor’s TDS redirections based on the geolocation of the user accessing the crypto scam page bitcoin-profit[.]org. This threat actor routes users from the United States to the legitimate platform eToro, possibly to evade detection from security researchers.

IP Geolocation	TDS Domain(s)	Investment Platform Domain
Switzerland⁵	mykryplogin[.]com -> murzasanny[.]com	trading[.]nexperts[.]pro
Canada⁶	powapi[.]net	primeassets[.]uk
Australia⁷	powapi[.]net –> camersyf[.]com	trading[.]xptraders[.]com
United States⁸	cryptoveteran[.]care	etoro[.]com (legitimate)
Table 1. TDS and redirection domains for a crypto scam campaign. Users accessing bitcoin-profit[.]org from Switzerland and Australia redirect to a secondary TDS domain.

RDGAs and Dynamic Website Logos

In a previous blog we published in 2023, we introduced the concept of RDGAs:

Registered domain generation algorithms (RDGAs) are a programmatic mechanism that allows actors to create many domain names at once or over time to register for use in their infrastructure. These differ from traditional domain generation algorithms (DGAs) that have long been associated with malware in significant ways. In an RDGA, the algorithm is a secret kept by the actor, and they register all the domain names. In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used exclusively for connection to a malware controller, malicious RDGAs are used for a wide range of malicious activity.⁹

Since then, we’ve observed over 3 million RDGA domains on the internet. These domains are commonly used in advertising, so seeing these investment scams intermingled with other product ads makes sense. In the actor-specific sections of this paper below, we will show the distinct RDGA patterns that Reckless and Ruthless Rabbits use to create large sets of domains for their campaigns.

Some actors use dictionary-based RDGAs to generate domain names that match dynamic website names and logos in their scam pages. Each website contains an embedded web form for the user to provide their information. As an example, Figure 4 below shows that the top left corners of the scam websites display the supposed logo of the investment platform/application, matching the domain name. The different pages displayed in Figure 4 have the same or very similar content, but the logo varies depending on the domain name. Scammers leverage the RDGAs to create large sets of domains, which they in turn use to automatically update the logo accordingly, to scale their campaigns.

vasezonix-app[.]trade vensotixapp-platform[.]store vasezonixapp[.]guru vensotixapp[.]click venzotexapp[.]cloud
aportunex-app[.]shop aportunex-app[.]trade aportunex-app[.]wiki aportunexapp[.]bond aportunexapp[.]help aportunexapp[.]trade aportunexapp[.]wiki
bitcoin-apex[.]guru bitcoin-apex[.]help bitcoin-apex[.]website bitcoinapex-platform[.]click bitcoinapex-platform[.]guru bitcoinapex-platform[.]top bitcoinapex[.]website
Figure 4: Unnamed investment scam actor using the same logo design, where the name on the logo matches the domain name. In this example, the actor creates domains in bulk with the same second-level domain (SLD) label but on several top-level domains (TLDs)^10,^11,¹²

Other patterns we have seen threat actors use in most of the investment scam campaigns include:

Distributing scam domains through malicious Facebook ads
Promising high returns if a user inputs a small amount of money during registration
Predominantly targeting users in Eastern European countries, such as Russia, Romania, Poland, etc.
Excluding traffic from certain countries

Investment Threat Actors

As we mentioned at the beginning of the paper, two of the more notable investment scam actors that we are tracking are Reckless and Ruthless Rabbits. They follow many of the common TTPs we’ve described above, but they also have their own distinguishing characteristics.

Reckless Rabbit

Reckless Rabbit lures victims into fake investment scams through malicious Facebook advertisements. They intersperse them among other content, most commonly items for sale on popular marketplace stores such as Amazon (see Figure 5). This technique of burying their investment scam ads among other, seemingly innocuous ads may be a trick they use to avoid policy enforcement from Facebook.

Figure 5: Reckless Rabbit’s Facebook ads for products on Amazon

The main scam advertisements take the user to either:

pages such as a full fake news story, which includes a link to the investment landing page (Figure 6), or
the investment platform itself (Figure 7).

Figure 6: Website with fake news about a Polish celebrity and the investment scam lure at the end of the article. These are both translated from the original page in Polish. The celebrity’s image and name have been redacted for the purpose of this paper.

Figure 7: Reckless Rabbit’s investment scam platform in Norwegian and the translation to English. The site contains a web form similar to other investment scam actors¹³ and a fake endorsement from a Norwegian billionaire businessman.

Reckless Rabbit has been creating domains since as early as April 2024, with new domains created on a near-daily basis. Table 2 shows examples of the two RDGA patterns they use to create these domains. The first involves random characters, a three-letter month abbreviation, an English word, and is in the .info TLD. The second pattern combines two or three English words, which may or may not be separated by a dash. The domains in this group are in the .com and .info TLDs.

Domain Pattern	Examples
<1-2 random characters><3 letter month><short English word>[.]info	kcfebdrill[.]info almarsilk[.]info iaprwall[.]info wmaycurr[.]info fjunmedi[.]info fjulswap[.]info faugswap[.]info ssepcoin[.]info koctice[.]info lnovchalk[.]info qpdecbid[.]info
<2-3 random English words separated by dashes or not>[.]<com, info>	well-groomedcanvas[.]com upkeep-vocal[.]com extra-largewrinkles[.]info port-rusty-time[.]com library-novel-axe[.]com acoustic-fund-rate[.]info temple-well-known[.]info roomyspeedboat[.]info longmarble[.]info sixcrowd[.]com mercifulknife[.]com
Table 2: Reckless Rabbit’s RDGA domain patterns and examples

When the victim accesses the fake news website, the actor collects information about the user, such as IP address and geolocation, to determine the language that will be displayed on the page. They use the metadata as input to make a call to an API endpoint they maintain (/api/v1/trigger/field/) to fetch and display the site content appropriately. Figure 8 shows a code snippet of one of the scripts called in the HTTP request chain and includes the API call.

Figure 8. Code snippet of scripts that make an API call to get the language and the page to which the user will get redirected^14,¹⁵

We’ve observed instances where Reckless Rabbit uses validation checks to filter out traffic from specific countries, including Afghanistan, Somalia, Liberia, Madagascar, and others. The code snippet in Figure 9 shows the full list of excluded countries.

Figure 9: Code snippet that shows a variable for countries to be excluded^16,¹⁷

Reckless Rabbit configures wildcard DNS responses to their domains, which means that a query to any subdomain (e.g., wildcardbdidbanpdla[.]brilliantwallaby[.]info) of their domains will return a response, as shown in Figure 10. Wildcarding generates noise in DNS because it means anyone can make a query to any subdomains for that SLD, and the subdomains will return responses. This makes it difficult to determine which subdomains are actively being used by an actor, and which subdomains are random queries triggered by, for example, security researchers. In this case, security tools may not add the SLD to their feeds and instead only add the subdomains that were confirmed to contain malicious content, thereby helping the actor to use their domains longer.

Figure 10. Wildcard response behavior to a random subdomain of an existent Reckless Rabbit domain

Reckless Rabbit uses several additional techniques to avoid detection, including:

Interspersing ads that redirect to the investment scam between ads for items supposedly being sold on popular marketplaces, such as Amazon (Figure 11)
Adding unrelated images to avoid detection based on image recognition (Figure 12)
Displaying (in the ad) a decoy domain that is different from the domain that the user will be redirected to once they click on the link (Figure 13)
Using a decoy page with non-suspicious content—such as a website for a restaurant—on the SLD, shielding the actual investment scam page hosted on the full URL (Figure 14)

Figure 11. Investment scam lure mixed with items being sold in marketplaces

Figure 12. Technique to prevent detection by image recognition-based security technology

Figure 13. Example of Facebook ad caption with decoy domain, amazon[.]pl. The ad redirects to a URL under tyxarai[.]org and is associated to wjulbucks[.]info^18,¹⁹

Figure 14. Decoy page with non-suspicious content on the SLD²⁰

Ruthless Rabbit

Ruthless Rabbit has been running investment scam campaigns since at least November 2022. These campaigns follow similar themes to those we have seen from Horrid Hawk and other Russian-hosted scam campaigns that primarily target users in Russia, Poland, Romania, and Kazakhstan, among other countries. Most current active campaigns are hosted on two dedicated IPs, but the actor has previously used at least eight different IPs hosted with Aeza, as well as a dedicated IP hosted with IROKO. Combined, these IPs host over 2,600 actor-owned domains. They use Namecheap for domain registration, name servers and mail servers.

In May 2024, Ruthless Rabbit began using a single RDGA pattern to create the large number of domains necessary to operate their scams (see Table 3).

Domain Pattern	Examples
<random English word or 3-7 random characters><bik, job, mot, lin, tyt, byk, bot, fat, pit, kot, etc.>[.]pro	topsmot[.]pro sitemot[.]pro viserbik[.]pro goaljob[.]pro somajob[.]pro wasakot[.]pro
Table 3. Ruthless Rabbit RDGA pattern and examples

Campaign Themes

In February 2023, Ruthless Rabbit started hosting Baltic Pipe financial scam pages, a common theme used in investment scams targeting Eastern European users. Over time, they diversified the themes of their landing pages, to include scams spoofing WhatsApp, Google Finance, and Meta. The most prevalent campaign theme since May 2024 is a news article spoofing the Russian-language news website “Channel One” that claims users who sign up for the “GazInvest” platform will earn up to 300,000 Russian rubles. This page (see Figure 15), shares the common TTP patterns we mentioned above, including lures of high returns, an embedded web form, and IP geolocation tools for conducting validation checks.

Figure 15. Landing page for the Russian GazInvest scam²¹

The actor hosts their scam landing pages on specific URL paths that change per campaign theme. They use a concealment technique of giving users who attempt to access the SLD alone rather than a URL—a typical move for security researchers—an HTTP 404 Not Found error. Table 4 shows examples of the URL paths for some of the most prevalent campaigns. We’ve broken out the SLDs and the URL paths because the latter are what the actor changes every couple of months.

Campaign Theme	SLD	URL Path
January 2025 – GazInvest Platform²²	brudamot[.]pro	/4YJ3LH?MPC_3=16k3ua14tff7k
September 2024 – GazInvest Platform²³	dropbik[.]pro	/lander/gazinvestgaz_4301/
March 2025 – Spoofed Google Finance Page²⁴	easyjob[.]pro	/google_finance_79/
December 2024 – Fake Russian News Site²⁵	kinabik[.]pro	/JF5vNK?MPC_3=2pgkm0e57koso
Table 4. Examples of URL paths for different SLDs and campaigns

What’s interesting about Ruthless Rabbit is that they operate their own cloaking service to perform validation checks; the cloaking service domain (mcraftdb[.]tech) hosts publicly available documentation for their API titled “Mcraft MediaCraft Tech API.” The documentation (Figure 16) provides insight into some of the actor’s validation checks on “leads,” or users, who enter personal information into the forms embedded in the investment scam pages. The cloaking service looks for users entering duplicate information or attempting to access the investment platform multiple times within the previous 20 minutes using the same IP address. Users who do not pass the checks will be redirected to either a 404 Not Found error page or to another page on the SLD titled thanks.html, which states someone will contact them for additional information. Figure 17 shows the form script the actor uses for this API call.

Figure 16. API documentation for the actor’s validation API²⁶

$('form').submit(function (event){
    $(this).submit(false);
    event.preventDefault();
    event.stopPropagation();
    event.stopImmediatePropagation();
    if($('.iti__selected-dial-code').length){
        var prefix = $('.iti__selected-dial-code').html().slice(1)
        $(this).append(`<input type="hidden" name="prefix" value="${prefix}" /> `)
    }
    var host = `&host=${$(location).attr('hostname')}`
    var url=`&url=${$(location).attr('href')}`
    var so=`&so=Google Finance`
    var args = host + url + so
    var search = location.search.substring(1);
    
    $.ajax({
            type: "POST",
            url: 'https://mcraftdb[.]tech/api/v1/submit/a6111ace-7304-4d9b-8dfe-9aafb7e9638e/' + "?" + search,
            data: $(this).serialize() + args,
            headers: $(this).headers,
            dataType: 'json',
            crossDomain: true,
            success: function (response) {
                if (response.status === true) {
                    document.location.replace(response.data);
                } else {
                    document.location.href = location.protocol + '//' + location.host + location.pathname.substring(0, location.pathname.lastIndexOf('/') + 1) + 'thanks.html';
                }
            },
        })

    var btn = $(this).find(':submit')
    
    btn.prop('disabled', true)
    setTimeout(function () {
        btn.prop('disabled', false)

    },30000)
})

Figure 17. API call used by Ruthless Rabbit to perform validation checks on the user²⁷

Interestingly, none of the forms in these campaigns have a field to enter an email address, but the response examples in Figure 16 indicate an email is required. We discovered that embedded into the HTML code is a script with a function generateRandomEmail(), (see Figure 18), that generates a new email address in the hidden form field every time the page is refreshed. This indicates that the actor may not actually use the phone number and email address to contact the user but instead uses them only to perform the validation checks. Most of the campaigns do, however, perform checks on the user’s IP geolocation via ipgeolocation[.]io and ipinfo[.]io, two legitimate geolocation lookup tools.

Figure 18. HTML code showing the generateRandomEmail() function

Users who pass the validation checks will be routed to some sort of investment platform where they will be prompted to enter their financial information to complete the registration for the investment program. After numerous tests, however, we were unable to successfully reach that final step. Despite passing the validation checks for all personal details, including the IP geolocation and phone number, we still received a failed response stating, “Cant register lead, no more fallbacks available;”. Oddly enough, there was no information on this type of response in the actor’s API documentation.

The Importance of DNS

Threat actors operating these large-scale and increasingly sophisticated scams exploit DNS to help build and maintain their infrastructure. Over the years, actor abuse of DNS mechanisms, such as RDGAs and TDSs, has been underreported in the security community, despite being crucial to malicious campaigns.

Some investment scam actors capitalize on malicious TDSs to operate their campaigns. A TDS enables threat actors to strengthen their infrastructure, making it more resilient by providing the ability to hide malicious content from security researchers and bots. For example, one actor we’ve been tracking uses an HTTP-based TDS to shield their malicious scam landing pages. We show an instance of a redirection chain in their campaign in Figure 19. Only by tracking these TDSs through DNS are we able to detect and block the infrastructure at scale, before the redirections even occur.

Figure 19. Redirection chain for an investment scam actor’s TDS²⁸

Actors also take advantage of RDGAs to create large numbers of domains to use in their campaigns, which enables them to hide in plain sight and change out domains often. As we wrote last summer:

“Scammers use RDGAs for the same reasons that other threat actors use them: their domains are frequently blocked or taken down by service providers. Consequently, it’s advantageous for them to have a steady stream of new domains with which to execute their scams.”

Conclusion

There are so many RDGA domains created every day that it is impossible for human researchers to find and assess them all. Through the lens of DNS, we are able to leverage automated detection and correlate these investment scam domains at scale. Threat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible. Because these types of scams have proven to be highly profitable for them, they will continue to grow rapidly—both in number and sophistication.

Indicators of Activity

Indicator	Note
middle.sturdypants[.]com brilliantwallaby[.]info encouragingtax[.]info tyxarai[.]org upkeep-vocal[.]com extra-largewrinkles[.]info port-rusty-time[.]com library-novel-axe[.]com acoustic-fund-rate[.]info temple-well-known[.]info roomyspeedboat[.]info longmarble[.]info sixcrowd[.]com mercifulknife[.]com wjulbucks[.]info kcfebdrill[.]info almarsilk[.]info iaprwall[.]info wmaycurr[.]info bmaypost[.]info fjunmedi[.]info fjulswap[.]info faugswap[.]info ssepcoin[.]info koctice[.]info lnovchalk[.]info qpdecbid[.]info	Indicators used by Reckless Rabbit in investment scam campaigns
bortjob[.]pro topsmot[.]pro sitemot[.]pro viserbik[.]pro goaljob[.]pro somajob[.]pro wasakot[.]pro brudamot[.]pro dropbik[.]pro easyjob[.]pro kinabik[.]pro	Domains used by Ruthless Rabbit in investment scam campaigns
bitcoineverestai[.]app bitcoin-eprex[.]com echelonyieldai[.]app eco-terra[.]app everix-edge[.]org gptifexai[.]com immediatebitwave[.]app immediateluminary[.]com immediatemomentum[.]site quantumflash[.]org solidreturn[.]app	Sample of domains used by an unnamed actor for investment scams
vensotixapp-platform[.]store vasezonixapp[.]guru vensotixapp[.]click venzotexapp[.]cloud aportunex[.]app aportunex-app[.]shop aportunex-app[.]trade aportunex-app[.]wiki aportunexapp[.]top aportunexapp[.]bond aportunexapp[.]help aportunexapp[.]trade aportunexapp[.]wiki bitcoin-apex[.]guru bitcoin-apex[.]help bitcoin-apex[.]website bitcoinapex-platform[.]click bitcoinapex-platform[.]guru bitcoinapex-platform[.]top bitcoinapex[.]website	Sample of RDGA and registered DDGA domains used by an unnamed actor for investment scams