If you thought the only “rabbit hole” worth worrying about was the one in Alice in Wonderland, think again. In 2025, it’s Reckless Rabbit and Ruthless Rabbit hopping through the Domain Name System (DNS), leaving behind a digital trail of fake investment platforms, cloaking tools, and record-breaking financial loss.
According to the FTC, $5.7 billion vanished into the cyber-ether in 2024 thanks to these scams—up 24% from the year before. That’s not a rabbit hole—that’s a financial black hole.
Welcome to the Scam Casino: How It Works
These aren’t your run-of-the-mill “Nigerian Prince” emails. These investment scams come in slick disguises, mimicking legitimate crypto exchanges and platforms so well you’d think they had stock tickers and compliance officers.
Here’s the magic trick:
- The victim clicks an ad (yes, even on Facebook or Amazon-style listings)
- They’re redirected based on geolocation
- They land on a fake investment page that looks almost too good to be true (and is)
- Personal data is harvested via sleek web forms
- The cybercrooks profit, and the victim vanishes into silence—richer in experience, poorer in savings
“Cybercrime joke of the day: Why don’t scammers ever invest in their own platforms? Because even they know it’s a Ponzi scheme.”
The Secret Sauce: RDGA + DNS Abuse
You’ve heard of Domain Generation Algorithms (DGA) used by malware? These guys leveled up with Registered DGA (RDGA)—a secret recipe for pre-registering millions of domains ready to deploy, deceive, and disappear.
Some spicy DNS tricks used:
- Traffic Distribution Systems (TDS): Route you to the fake sites, but route bots and analysts to the legitimate eToro site instead. Like a scam bouncer with a guest list.
- Wildcard DNS responses: Make every subdomain resolve, creating DNS “noise” that hides the real bad guys.
- URL path manipulation: Hides malicious intent from security scanners.
This isn’t some kid in a basement—it’s Malware-as-a-Mafia.
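One way a defender can cut through the wildcard “noise” described above, as an added example that is not code from the original article or from any vendor: probe each zone with random labels, then separate hostnames that only echo the wildcard answer from ones with their own records. The zone names, IPs and the `fake_resolve` stand-in are constructed; in practice you would swap in a real DNS lookup.

```python
import secrets
from typing import Callable, Dict, FrozenSet, Iterable, List

# A resolver maps a hostname to its A records; an empty set means "no answer".
Resolver = Callable[[str], FrozenSet[str]]

def wildcard_answers(zone: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve random labels nobody would have configured on purpose.
    If every probe resolves, the zone has a wildcard; return its answers."""
    seen = set()
    for _ in range(probes):
        answers = resolve(f"{secrets.token_hex(8)}.{zone}")
        if not answers:
            return frozenset()  # one random label failed, so no wildcard
        seen |= answers
    return frozenset(seen)

def triage(zone: str, observed: Iterable[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Split observed hostnames into wildcard noise and explicit records."""
    wild = wildcard_answers(zone, resolve)
    out = {"wildcard": sorted(wild), "noise": [], "explicit": []}
    for host in observed:
        answers = resolve(host)
        if answers:
            # Assumption: a name answering only with wildcard IPs is noise.
            out["noise" if wild and answers <= wild else "explicit"].append(host)
    return out

# Constructed sample zones (reserved .test names and documentation IPs).
ZONES = {
    "invest-example.test": {"*": {"203.0.113.10"},
                            "go.invest-example.test": {"203.0.113.77"}},
    "shop-example.test": {"www.shop-example.test": {"198.51.100.5"}},
}

def fake_resolve(name: str) -> FrozenSet[str]:
    """Offline stand-in for a DNS lookup against the constructed zones."""
    for zone, records in ZONES.items():
        if name.endswith("." + zone):
            return frozenset(records.get(name) or records.get("*", ()))
    return frozenset()

if __name__ == "__main__":
    seen = ["a1.invest-example.test", "zz9.invest-example.test", "go.invest-example.test"]
    print(triage("invest-example.test", seen, fake_resolve))
    print(triage("shop-example.test", ["www.shop-example.test"], fake_resolve))
```

Hostnames that land in `explicit` on a wildcarded zone are the ones worth pivoting on; the rest can be collapsed into a single record per zone.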
Meet the Rabbits: Scam Artists in a Tuxedo
🐰 Reckless Rabbit
Active on Facebook ads, blending real Amazon-style content with scammy crypto bait. Uses DNS tricks to mask intentions and auto-formats forms based on your location. Because hey, if you’re going to scam someone, may as well be polite and add their country code.
🐇 Ruthless Rabbit
Running since 2022 with:
- 2,600+ domains (hosted mostly with Aeza and IROKO)
- Cloaking-as-a-Service
- Fake GazInvest schemes targeting Eastern Europe
- Public APIs for validation scripts (because why not go full SaaS?)
Their logos even auto-match the domain name. They’re basically branding consultants with a criminal twist.
“DNS is like dating apps—just because the profile looks legit doesn’t mean you won’t get phished.”
Why Manual Defense Won’t Cut It Anymore
With over 3 million RDGA domains floating around, trying to manually hunt these down is like playing cybersecurity Whac-A-Mole—blindfolded. The only real solution?
✅ Automated DNS-based detection
✅ Smarter redirection chain tracking
✅ Ad fraud monitoring
✅ Real-time threat intel
Final Thought: Don’t Take the Baited Carrot
As long as there’s money to be made and trust to be exploited, these scam artists will keep refining their tech, cloaking their URLs, and hopping domains faster than most SOCs can blink.
The lesson? If someone promises high returns and a low barrier to entry, they’re probably not offering an investment opportunity—they’re offering a lesson.