Cybersecurity experts have uncovered two major threat actor groups, Reckless Rabbit and Ruthless Rabbit, behind widespread investment scams run through Facebook ads. These actors use fake celebrity endorsements, traffic distribution systems (TDSes), and social media platforms to steal personal and financial data from unsuspecting victims.
How the Scams Work
The scams often start with sponsored ads on platforms like Facebook, claiming that celebrities endorse new investment opportunities—typically linked to cryptocurrency exchanges. Clicking on these ads redirects users to fake news articles, which then lead to scam platforms.
According to Infoblox researchers, Reckless Rabbit is especially active on Facebook. Their ads feature fabricated endorsements and direct users to fraudulent platforms that mimic legitimate financial services. These websites prompt users to fill out forms requesting names, emails, and phone numbers—sometimes even offering autogenerated passwords to make the process seem secure.
But before allowing victims to proceed, the scammers perform IP and data validation checks using legitimate services like ipinfo.io or ipapi.co. This ensures only users from targeted regions can move forward, while bots and researchers are filtered out. If the data passes these tests, victims are either sent to the scam site to invest or shown a screen prompting them to wait for a callback.
Many of these operations go further. Victims are contacted by fraudulent call centers that guide them step-by-step on how to deposit money into what they believe is a legitimate investment. In reality, it’s a well-disguised scam.
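The chain described above (Facebook-referred landing page, a lookup against ipinfo.io or ipapi.co, then a hand-off to a different site) can be hunted for in web proxy logs. The following is an added example, not code from Infoblox or from the original article; it assumes the lookup is made from the victim's browser and so appears in the proxy log, and the log layout, the `.test` hostnames, the 120-second window and the function names are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Lookup services the article names as being used for visitor validation.
GEO_API_HOSTS = {"ipinfo.io", "ipapi.co"}
SOCIAL_REFERRERS = {"facebook.com", "www.facebook.com", "l.facebook.com", "m.facebook.com"}
WINDOW_SECONDS = 120  # assumed hunting window, tune to your environment

# Constructed sample proxy records: (epoch seconds, client, url, referrer)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "https://news-example.test/article?id=7", "https://l.facebook.com/"),
    (1004, "10.0.0.5", "https://ipapi.co/json/", "https://news-example.test/article?id=7"),
    (1009, "10.0.0.5", "https://invest-example.test/signup", "https://news-example.test/article?id=7"),
    (2000, "10.0.0.9", "https://shop-example.test/", "https://www.facebook.com/"),
    (2003, "10.0.0.9", "https://shop-example.test/cart", "https://shop-example.test/"),
    (3000, "10.0.0.7", "https://weather-example.test/", ""),
    (3002, "10.0.0.7", "https://ipinfo.io/json", "https://weather-example.test/"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()

def find_validation_chains(records, window=WINDOW_SECONDS):
    """Return (client, landing_host, geo_host, next_host) for each matching chain."""
    findings = []
    landings = {}  # client -> (ts, landing_host) of latest social-referred landing
    geo_seen = {}  # client -> (landing_host, geo_host) once a lookup was observed
    for ts, client, url, referrer in sorted(records):
        h, ref = host(url), host(referrer)
        if ref in SOCIAL_REFERRERS and h not in SOCIAL_REFERRERS:
            landings[client] = (ts, h)      # step 1: arrival from a social ad/link
            geo_seen.pop(client, None)
            continue
        landing = landings.get(client)
        if not landing or ts - landing[0] > window:
            continue
        if h in GEO_API_HOSTS and ref == landing[1]:
            geo_seen[client] = (landing[1], h)  # step 2: landing page checks the visitor
        elif client in geo_seen and h != landing[1] and ref == landing[1]:
            lh, gh = geo_seen.pop(client)       # step 3: hand-off to another site
            findings.append((client, lh, gh, h))
    return findings

if __name__ == "__main__":
    for finding in find_validation_chains(SAMPLE_LOG):
        print("review:", finding)
```

Legitimate sites also call these lookup services, so a match is a lead for review of the landing and destination domains, not a verdict.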
Advanced Tactics Behind the Scams
Both Reckless Rabbit and Ruthless Rabbit use advanced TDSes to manage traffic, hide malicious content, and evade detection. These systems allow scammers to cloak scam domains behind decoy URLs—often mimicking trusted brands like Amazon.
These cybercriminals also employ a registered domain generation algorithm (RDGA) to set up hundreds of scam sites. Unlike traditional domain generation methods, an RDGA is harder to trace because the actor keeps the algorithm secret and uses it to register and activate the domains.
Reckless Rabbit has been active since April 2024, mostly targeting users in Russia, Romania, and Poland, while excluding regions like Liberia, Somalia, and Madagascar. Ruthless Rabbit, on the other hand, has operated since November 2022. This group uses its own cloaking system called mcraftdb.tech to carry out validation processes before directing users to the scam platform.
More Scams Spotted on Facebook
These schemes are not limited to fake investments. Bitdefender has reported a sharp rise in so-called “mystery box” scams, which also use Facebook ads. Victims are lured with promises of clearance sales or Apple product giveaways for as little as $2. Once a user clicks the ad, they’re directed to a fake shop, where they complete a survey and unknowingly sign up for recurring monthly payments.
Bitdefender researchers noted that scammers use multiple ad versions—most of which are harmless, but one leads to the scam site. Payment forms trick users into submitting their credit card details, enabling long-term theft through hidden subscriptions.
These scams are part of a much broader cybercrime ecosystem. In one of the most alarming developments, the U.S. Treasury sanctioned Myanmar’s Karen National Army (KNA) in connection with multi-billion-dollar scam compounds. The KNA provides land, utilities, and even security for scam operations, many of which rely on human trafficking to recruit workers.
Victims of these so-called romance baiting scams are manipulated over weeks or months by scammers who pretend to form emotional bonds. Eventually, they’re coaxed into investing in fake trading platforms controlled by these criminal networks.
Despite growing awareness and law enforcement crackdowns, the United Nations Office on Drugs and Crime (UNODC) reports these operations are still expanding, raking in an estimated $40 billion annually.
Stay Safe from Scam Campaigns
Security researchers urge users to remain cautious of too-good-to-be-true investment opportunities, especially those promoted through social media or featuring celebrity endorsements. Always verify the authenticity of the platform before sharing personal or financial data.
As Infoblox warned, “Threat actors like Reckless and Ruthless Rabbits are relentless. These scams will continue to grow in number and complexity.”