• 'A foundational block of modern cybercrime': The inside story of

    From TechnologyDaily@1337:1/100 to All on Thursday, May 07, 2026 02:15:25
    'A foundational block of modern cybercrime': The inside story of a 15,000+ website network using popular ad trackers to peddle AI investment scams

    Date:
    Thu, 07 May 2026 01:05:00 +0000

    Description:
    Researchers identified 15,500 domains using commercial trackers and cloaking to distribute AI-driven investment scams across global channels.

    FULL STORY ======================================================================

    - 15,500 domains were actively used to deliver cloaked AI investment scams
    - Cloaking ensures harmful content is shown only to targeted victims
    - Commercial tracking software allows cybercriminals to scale operations without building infrastructure

    Cloaking has shifted from a supporting tactic into a central layer of cybercriminal infrastructure, and commercial tools are now widely embedded in cybercrime operations at scale.

    A four-month analysis of malicious activity by Infoblox and Confiant identified roughly 15,500 domains linked to malicious tracker deployments. These domains routed traffic from compromised websites, spam messages, social media channels, and online advertising ecosystems.

    Threat actors exploit commercial tracking software for scale

    Rather than building bespoke systems, many threat actors rely on commercial tracking software that already performs filtering, routing, and campaign management functions at scale.

    These domains do not simply host scams, but conceal them through cloaking techniques that display harmful content only to intended victims while displaying benign pages to security scanners and others.

    Cloaking operates through traffic distribution systems that filter visitors using attributes such as location, device type, and referral source before determining what content is shown.

    This allows operators to circumvent advertising restrictions while refining the audience that ultimately sees the scam content.
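
    A defender-side check for the filtering described above, as an added example that is not from the article or from the Infoblox and Confiant research: it compares the pages one URL returned to several client profiles and flags the case where a lure phrase quoted in the article is served to some profiles and withheld from others. The profile names, the sample HTML and the 0.5 similarity threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Lure phrases quoted in the article; matched case-insensitively.
LURE_PHRASES = ("smart ai trading technology", "intelligent trading solutions")

def visible_text(html):
    """Drop script/style bodies and tags; return lowercased visible text."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    return re.sub(r"\s+", " ", re.sub(r"(?s)<[^>]+>", " ", html)).strip().lower()

def shingles(text, k=3):
    """Set of k-word shingles, the unit compared by jaccard()."""
    words = text.split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0

def assess_cloaking(observations, threshold=0.5):
    """observations maps profile name -> HTML received for the same URL.

    The threshold is an assumed cut-off, not a value from the research.
    """
    texts = {p: visible_text(h) for p, h in observations.items()}
    sh = {p: shingles(t) for p, t in texts.items()}
    divergent = sorted(
        (a, b, round(jaccard(sh[a], sh[b]), 2))
        for a, b in combinations(sorted(sh), 2)
        if jaccard(sh[a], sh[b]) < threshold
    )
    lured = sorted(p for p, t in texts.items() if any(l in t for l in LURE_PHRASES))
    clean = sorted(set(texts) - set(lured))
    return {
        "divergent_pairs": divergent,
        "lure_profiles": lured,
        # Strongest signal: lure shown to some profiles, withheld from others.
        "suspected_cloaking": bool(divergent) and bool(lured) and bool(clean),
    }

# Constructed sample: one URL fetched under three hypothetical client profiles.
SAMPLE = {
    "datacenter_desktop_noref": "<html><body><h1>Garden tips</h1><p>How to grow tomatoes at home this spring season.</p></body></html>",
    "residential_mobile_socialref": "<html><body><h1>Smart AI Trading Technology</h1><p>Join today for consistent daily returns with our automated platform.</p><script>track()</script></body></html>",
    "residential_desktop_noref": "<html><body><h1>Garden tips</h1><p>How to grow tomatoes at home this spring season.</p></body></html>",
}

if __name__ == "__main__":
    print(assess_cloaking(SAMPLE))
```

    A page that shows the lure to every profile is reported as not cloaked: it is an openly hosted scam page, which ordinary content scanning can already see.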

    The research describes cloaking as a foundational block of modern cybercrime, reflecting how deeply integrated it has become within these operations.

    It also allows threat actors to shield infrastructure not only from defenders but also from rival groups seeking to hijack campaigns.

    Investment scams accounted for the largest share of activity observed across these domains, with a clear emphasis on AI-themed narratives as the primary lure.

    Pages frequently promote automated trading platforms using phrases such as "Smart AI Trading Technology" or "Intelligent Trading Solutions", often paired with claims of consistent and unusually high returns.

    In several cases, deepfake imagery and fabricated media content are used to reinforce credibility and create a sense of urgency.

    Also, generative AI tools are being used to produce large volumes of campaign material programmatically.

    This includes headlines, promotional copy, and visual assets that can be deployed across multiple domains with minimal variation.

    The result is a scalable content pipeline that supports rapid campaign expansion across languages and regions without requiring substantial manual effort.

    Despite domain reporting and account suspensions by researchers and the trackers' operators, the activity shows little sign of slowing.

    Operators continue to rotate domains and reuse the same infrastructure with minimal changes, allowing campaigns to return quickly after disruption.

    Thousands of active domains within a short window point to persistent and ongoing activity rather than isolated incidents.

    Endpoint protection systems often struggle to detect these campaigns because cloaked content is only revealed after specific conditions are met.

    Firewall controls provide limited coverage when traffic is routed through legitimate advertising and web channels.

    Malware removal efforts remain reactive, as harm typically occurs only after victims have already been funneled through these delivery paths.

    These limitations mean that standard defenses cannot stop these attacks, and the risk from cloaking and tracker abuse remains high.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/a-foundational-block-of-modern-cybercrime-the-inside-story-of-a-15-000-website-network-using-popular-ad-trackers-to-peddle-ai-investment-scams


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)