'A foundational block of modern cybercrime': The inside story of a 15,000+ website network using popular ad trackers to peddle AI investment scams

Date:
Thu, 07 May 2026 01:05:00 +0000

Researchers identified 15,500 domains using commercial trackers and cloaking to distribute AI-driven investment scams across global channels. Cloaking
has shifted from a supporting tactic into a central layer of cybercriminal infrastructure, and commercial tools are now widely embedded in cybercrime operations at scale.

A four-month analysis of malicious activity by Infoblox and Confiant identified roughly 15,500 domains linked to malicious tracker deployments. These domains routed traffic from compromised websites, spam messages, social media channels, and online advertising ecosystems.

Threat actors exploit commercial tracking software for scale

Rather than building bespoke systems, many threat actors rely on
commercial tracking software that already performs filtering, routing, and campaign management functions at scale.

These domains do not simply host scams, but conceal them through cloaking techniques that display harmful content only to intended victims while displaying benign pages to security scanners and others.

Cloaking operates through traffic distribution systems that filter visitors using attributes such as location, device type, and referral source before determining what content is shown.

This allows operators to circumvent advertising restrictions while refining the audience that ultimately sees the scam content.

The research describes cloaking as a foundational block of modern cybercrime, reflecting how deeply integrated it has become within these operations.

It also allows threat actors to shield infrastructure not only from defenders but also from rival groups seeking to hijack campaigns.

Investment scams accounted for the largest share of activity observed across these domains, with a clear emphasis on AI-themed narratives as the primary lure.

Pages frequently promote automated trading platforms using phrases such as Smart AI Trading Technology or Intelligent Trading Solutions, often paired with claims of consistent and unusually high returns.

In several cases, deepfake imagery and fabricated media content are used to reinforce credibility and create a sense of urgency.

Also, generative AI tools are being used to produce large volumes of campaign material programmatically.

This includes headlines, promotional copy, and visual assets that can be deployed across multiple domains with minimal variation.

The result is a scalable content pipeline that supports rapid campaign expansion across languages and regions without requiring substantial manual effort.

Despite domain reporting and account suspensions by researchers and the trackers operators, the activity shows little sign of slowing.

Operators continue to rotate domains and reuse the same infrastructure with minimal changes, allowing campaigns to return quickly after disruption.

Thousands of active domains within a short window point to persistent and ongoing activity rather than isolated incidents.

Endpoint protection systems often struggle to detect these campaigns because cloaked content is only revealed after specific conditions are met.

Firewall controls provide limited coverage when traffic is routed through legitimate advertising and web channels.

Malware removal efforts remain reactive, as harm typically occurs only after victims have already been funneled through these delivery paths.

These limitations mean that standard defenses cannot stop these attacks, and the risk from cloaking and tracker abuse remains high.

Link to news story: https://www.techradar.com/pro/a-foundational-block-of-modern-cybercrime-the-in side-story-of-a-15-000-website-network-using-popular-ad-trackers-to-peddle-ai- investment-scams

$$
--- MultiMail/DOS
* Origin: Capitol City Hub (1:2320/105)