- 15,500 Domains Actively Used to Conduct AI Undercover Investment Scams
- Cloaking ensures that harmful content is shown only to specific victims
- Commercial tracking software allows cybercriminals to scale their operations without building their own infrastructure
Cloaking has moved from a supporting tactic to a core layer of cybercriminal infrastructure, and commercial tools are now widely integrated into cybercrime operations at scale.
A four-month analysis of malicious activity by Infoblox and Confiant identified approximately 15,500 domains linked to malicious tracker deployments.
These domains routed traffic from compromised websites, spam messages, social media channels, and online advertising ecosystems.
Threat Actors Exploit Commercial Tracking Software to Scale
Instead of building custom systems, many threat actors rely on commercial tracking software that already performs filtering, routing, and campaign management functions at scale.
These domains don’t simply host scams; they hide them using cloaking techniques that display harmful content only to intended victims, while showing benign pages to security scanners and everyone else.
Cloaking operates through traffic distribution systems that filter visitors using attributes such as location, device type, and referral source before determining what content is displayed.
This allows operators to bypass advertising restrictions while also narrowing down the audience that ultimately sees the fraudulent content.
The research describes concealment as “a fundamental building block of modern cybercrime”, reflecting how deeply integrated it has become within these operations.
It also allows threat actors to protect infrastructure not only from defenders but also from rival groups seeking to hijack campaigns.
Investment scams accounted for the majority of activity observed in these domains, with a clear emphasis on AI-related narratives as the main draw.
The pages frequently promote automated trading platforms using phrases such as “intelligent AI trading technology” or “intelligent trading solutions,” often accompanied by claims of consistent and unusually high returns.
In several cases, deepfake images and fabricated media content are used to reinforce credibility and create a sense of urgency.
Additionally, generative artificial intelligence tools are being used to programmatically produce large volumes of campaign material.
This includes headlines, promotional copy, and visual assets that can be implemented across multiple domains with minimal variation.
The result is a scalable content pipeline that supports rapid campaign expansion across languages and regions without requiring substantial manual effort.
Despite reports of domain takedowns and account suspensions by researchers and tracker operators, the activity shows few signs of slowing down.
Operators continue to rotate domains and reuse the same infrastructure with minimal changes, allowing campaigns to return quickly after an interruption.
Thousands of active domains within a short period indicate persistent, ongoing activity rather than isolated incidents.
Endpoint protection systems often have difficulty detecting these campaigns because the cloaked content is only revealed after specific conditions are met.
Firewall controls provide limited coverage when traffic is directed through advertising networks and otherwise legitimate web channels.
Malware removal efforts remain reactive, as damage typically occurs only after victims have already been funneled through these delivery routes.
These limitations mean that standard defenses cannot stop these attacks and the risk of tracker cloaking and abuse remains high.
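Because a cloaked page only reveals itself when the visitor's location, device and referral source match the operator's filter, a scanner that fetches a URL once, from one vantage point, sees only the benign variant. One defensive technique that follows from the description above is differential probing: fetch the same URL under a matrix of visitor profiles and flag the domain when the responses diverge. The example below is added here and is not code from the article or from the Infoblox/Confiant research; the `simulated_tds` function is a constructed stand-in for a traffic distribution system (the real trackers' rules are not on the page), and the country codes, user agents and referrers are constructed sample values.

```python
"""Differential probing to surface cloaking behind a traffic distribution system.

Added example, not from the article or the Infoblox/Confiant research.
The TDS below is a constructed stand-in that filters on the attributes the
article names (location, device type, referral source); real tracker rules
are unknown and typically far richer.
"""
from dataclasses import dataclass
from hashlib import sha256
from itertools import product
from typing import Callable, Dict, Iterable, List, Set

@dataclass(frozen=True)
class Visitor:
    country: str     # two-letter code, as a GeoIP lookup would yield (constructed)
    user_agent: str  # raw User-Agent header
    referer: str     # empty string when the visit has no referral source

BENIGN_PAGE = "<html><body><h1>Weather forecast</h1></body></html>"
LURE_PAGE = ("<html><body><h1>Intelligent AI trading technology</h1>"
             "<p>Consistent daily returns</p></body></html>")

def simulated_tds(v: Visitor) -> str:
    """Constructed cloaking logic: serve the lure only to visitors that match
    the intended audience; scanners, direct visits and out-of-scope countries
    get the benign page. Hypothetical rules for demonstration only."""
    ua = v.user_agent.lower()
    looks_like_scanner = any(tok in ua for tok in ("bot", "crawler", "curl", "python"))
    from_ad_click = "ads" in v.referer or "facebook" in v.referer
    targeted_country = v.country in {"DE", "FR", "GB"}
    if looks_like_scanner or not from_ad_click or not targeted_country:
        return BENIGN_PAGE
    return LURE_PAGE

def probe_for_cloaking(fetch: Callable[[Visitor], str],
                       countries: Iterable[str],
                       user_agents: Iterable[str],
                       referers: Iterable[str]) -> Dict[str, List[Visitor]]:
    """Fetch the page under every combination of the supplied attributes and
    group the visitors by a hash of the response body they received.
    A cloaked URL yields more than one group."""
    variants: Dict[str, List[Visitor]] = {}
    for country, ua, ref in product(countries, user_agents, referers):
        visitor = Visitor(country, ua, ref)
        digest = sha256(fetch(visitor).encode()).hexdigest()[:12]
        variants.setdefault(digest, []).append(visitor)
    return variants

def cloaking_suspected(variants: Dict[str, List[Visitor]]) -> bool:
    return len(variants) > 1

def discriminating_attributes(variants: Dict[str, List[Visitor]]) -> Set[str]:
    """Coarse heuristic: an attribute is discriminating when the set of values
    seen by one response group differs from the set seen by another."""
    groups = list(variants.values())
    attrs: Set[str] = set()
    for field in ("country", "user_agent", "referer"):
        seen = [{getattr(v, field) for v in g} for g in groups]
        if any(a != b for a in seen for b in seen):
            attrs.add(field)
    return attrs

# Constructed probe matrix: one plausible victim profile per axis plus one
# profile a scanner would normally present.
COUNTRIES = ["US", "DE"]
USER_AGENTS = ["Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "curl/8.0"]
REFERERS = ["", "https://l.facebook.com/"]

def run_probe(fetch: Callable[[Visitor], str] = simulated_tds) -> Dict[str, List[Visitor]]:
    return probe_for_cloaking(fetch, COUNTRIES, USER_AGENTS, REFERERS)

if __name__ == "__main__":
    found = run_probe()
    print("response variants:", len(found))
    print("cloaking suspected:", cloaking_suspected(found))
    print("attributes that change the response:", sorted(discriminating_attributes(found)))
```

A single fetch with a scanner user agent and no referrer would land in the benign group and report nothing; only the cross-product exposes the second variant, which is why the probe needs several geolocations (or proxies), real browser user agents and ad-network style referrers rather than one of each. In production the `fetch` callable would be an HTTP client that sets the headers and exit location from the `Visitor`; the grouping and attribute logic stays the same.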