Reckless Rabbit and Ruthless Rabbit cybercrime gangs linked to large-scale celebrity investment scam

Two sophisticated cybercrime groups, dubbed ‘Reckless Rabbit’ and ‘Ruthless Rabbit’, have been linked to large-scale investment scams that exploit fake celebrity endorsements and advanced traffic cloaking techniques.

Uncovered by DNS threat intelligence firm Infoblox, the groups operate through spoofed platforms, including fake cryptocurrency exchanges, that are advertised primarily on social media. Victims are lured by ads that link to fraudulent news articles featuring fabricated celebrity support. Those articles lead to phishing pages that collect personal information through embedded web forms.

“These pages contain sign-up forms that gather personal data, sometimes even auto-generating passwords to advance victims to the next stage of the scam,” the researchers said.

The attackers filter victims through validation steps using services like ipinfo.io and ipgeolocation.io to exclude traffic from certain countries and verify the authenticity of submitted contact information. If deemed viable targets, victims are redirected via Traffic Distribution Systems (TDSes) to scam platforms or instructed to expect follow-up calls from fake investment advisors.

Campaigns often employ call centers to further manipulate victims into transferring funds. If the target fails verification, they are shown innocuous “thank you” pages to avoid raising suspicion.

Both groups leverage a registered domain generation algorithm (RDGA) to create misleading domain names, a method seen among other known actors like Prolific Puma and VexTrio Viper. Reckless Rabbit has been active since at least April 2024, mainly targeting users in Russia, Romania, and Poland while deliberately excluding regions such as Afghanistan and Somalia.

To evade detection, Facebook ads created by Reckless Rabbit include misleading visuals and decoy domains that redirect users to unrelated sites. Meanwhile, Ruthless Rabbit, operating since late 2022, runs a proprietary cloaking service to further shield its infrastructure and verify victims before exposing them to malicious content.
