Two sophisticated cybercrime groups, dubbed ‘Reckless Rabbit’ and ‘Ruthless Rabbit’, have been linked to large-scale investment scams that exploit fake celebrity endorsements and advanced traffic cloaking techniques.
Uncovered by DNS threat intelligence firm Infoblox, the groups operate through spoofed platforms, including fake cryptocurrency exchanges, that are advertised primarily on social media. Victims are lured by ads that link to fraudulent news articles featuring fabricated celebrity support. Those articles lead to phishing pages that collect personal information through embedded web forms.
“These pages contain sign-up forms that gather personal data, sometimes even auto-generating passwords to advance victims to the next stage of the scam,” the researchers said.
The attackers filter victims through validation steps using services like ipinfo.io and ipgeolocation.io to exclude traffic from certain countries and verify the authenticity of submitted contact information. If deemed viable targets, victims are redirected via Traffic Distribution Systems (TDSes) to scam platforms or instructed to expect follow-up calls from fake investment advisors.
Campaigns often employ call centers to further manipulate victims into transferring funds. If the target fails verification, they are shown innocuous “thank you” pages to avoid raising suspicion.
Both groups leverage a registered domain generation algorithm (RDGA) to create misleading domain names, a method seen among other known actors like Prolific Puma and VexTrio Viper. Reckless Rabbit has been active since at least April 2024, mainly targeting users in Russia, Romania, and Poland while deliberately excluding regions such as Afghanistan and Somalia.
To evade detection, Facebook ads created by Reckless Rabbit include misleading visuals and decoy domains that redirect users to unrelated sites. Meanwhile, Ruthless Rabbit, operating since late 2022, runs a proprietary cloaking service to further shield its infrastructure and verify victims before exposing them to malicious content.