Recent Cryptocurrency Investment Scam Campaigns: Cloaking, AI Themes, and the Industrialization of Fraud

By Hao Liang | November 6, 2025

Executive Summary

Over the past year, cryptocurrency investment scams (CIS) have continued to evolve, expanding in scale, adopting new lures, and incorporating more advanced evasion techniques. Netcraft’s takedown telemetry shows a sustained surge in this activity across thousands of domains and a growing convergence of traditional social engineering with modern automation and cloaking methods.

Since launching our CIS takedown operations in March 2020, Netcraft has removed more than 1.36 million cryptocurrency investment scam sites, including 72,535 in the past 12 months. These operations continue to represent one of the most prevalent forms of digital financial fraud in circulation.

Campaign Entry Points: Malvertising and Cloaked Infrastructure

Nearly every campaign begins with malvertising, fraudulent advertisements on major social media platforms. These ads typically feature clickbait images and fabricated endorsements from public figures, claiming that politicians, celebrities, business leaders, or broadcasters have backed a “revolutionary” investment platform.

From the user’s perspective, the ads lead to polished landing pages that imitate news outlets such as the BBC, CBC, or ABC. Behind the scenes, cloaking ensures that investigators, search engines, and automated scanners are served benign placeholder pages while genuine users see the fraudulent investment content.

This layered approach allows the campaigns to remain active for longer and to propagate across social networks without immediate detection.

Infrastructure and Distribution

Netcraft’s telemetry highlights the industrial scale of these campaigns. Attackers deploy large clusters of domains and URLs, often sharing templates and backend infrastructure but localized for different regions or currencies. Examples include:

  • “The Official App Website 2025 [UPDATED]” campaign: 11,482 URLs across 5,390 domains blocked since May 2025.

Figure 1. A "BITCOIN ERA" CIS signup site with the title "The Official App Website 2025[UPDATED]."

  • “Official Website Platform” campaign: 13,091 URLs across 7,528 domains blocked since May 2025.

Figure 2. A "Trade Chenix 18X" CIS signup site with the title "Official Website Platform."

  • AI-themed investment scams such as AI Arbitrix, AI Arbitrage, and Billera: nearly 900 URLs across 466 domains in the past year.

Figure 3. A German fake news site promoting the Billera CIS.

  • Impersonation of global media outlets:

    • CBC News / Quantum AI: 813 URLs across 454 domains.

Figure 4. A fake news site impersonating CBC News to promote the Quantum AI CIS using the likeness of Mark Carney, prime minister of Canada, Doug Ford, premier of Ontario, and Pierre Poilievre, leader of the Official Opposition in Canada.

    • ABC News: 86 URLs across 84 domains.

Figure 5. A fake news site impersonating ABC News to promote the Quantum AI CIS claiming to be endorsed by Anthony Albanese, prime minister of Australia, and Gina Rinehart, a prominent Australian magnate.

    • Channel News Asia: 3,124 URLs across 1,328 domains.

Figure 6. A fake news site impersonating Channel News Asia to promote a CIS using the likeness of Lawrence Wong, prime minister of Singapore.

Each represents a distributed campaign infrastructure built for scale and automation using domain generation, bulk registration, and traffic redirection to evade disruption.

Tactics and Evolution

While the social engineering component remains constant, exploiting curiosity and trust, recent CIS campaigns show notable evolution in two areas:

  1. Cloaking sophistication
    Attackers increasingly use adaptive cloaking, redirecting based on geolocation, referrer headers, or device fingerprinting. The placeholder content observed on these sites often appears legitimate to external scanners but resolves to active scam pages when accessed through targeted social channels.

Figure 7. A placeholder site used to cloak CIS.

  2. The AI credibility layer
    Campaigns increasingly borrow language and branding from artificial intelligence and fintech. Terms like “AI arbitrage,” “Quantum AI,” or “automated trading intelligence” are used to create a veneer of technical legitimacy. In several cases, attackers have even reused legitimate licence numbers, such as eToro’s Australian Financial Services Licence (AFSL), to appear compliant with financial regulation.

Figure 8. A fake news article promoting CIS that uses eToro's AFSL.
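The adaptive cloaking described in item 1 can be checked for by requesting the same URL under different client profiles and comparing what comes back. The sketch below is an added example, not Netcraft's tooling: the profiles, the 0.5 similarity threshold, the `fetch(url, headers)` interface and the `.example` hosts are all assumptions, and `fake_fetch` is a constructed stand-in so the code runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed request profiles: a bare scanner vs. a phone arriving from a social ad.
PROFILES = {
    "scanner": {"User-Agent": "python-requests/2.32"},
    "social_mobile": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
        "Referer": "https://social.example/",
    },
}

def shingles(html, k=3):
    """Word k-shingles of the visible text (scripts, styles and tags stripped)."""
    text = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    words = re.sub(r"<[^>]+>", " ", text).lower().split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0

def check_cloaking(url, fetch, threshold=0.5):
    """fetch(url, headers) -> (final_url, html). Compare each profile to the scanner view."""
    results = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base_url, base_html = results.pop("scanner")
    findings = {}
    for name, (final_url, html) in results.items():
        sim = jaccard(shingles(base_html), shingles(html))
        moved = urlsplit(final_url)[:3] != urlsplit(base_url)[:3]  # scheme, host, path
        findings[name] = {"similarity": round(sim, 2), "different_destination": moved}
    suspected = any(f["similarity"] < threshold or f["different_destination"]
                    for f in findings.values())
    return {"url": url, "profiles": findings, "suspected_cloaking": suspected}

def fake_fetch(url, headers):
    """Constructed stand-in for an HTTP client so the example runs offline."""
    if url == "https://cloaked.example/" and "social.example" in headers.get("Referer", ""):
        return ("https://cloaked.example/article",
                "<h1>Special report</h1><p>Sign up for the new trading platform today</p>")
    return (url, "<h1>Garden tips</h1><p>How to plant tomatoes in early spring</p>")

if __name__ == "__main__":
    for u in ("https://cloaked.example/", "https://benign.example/"):
        print(check_cloaking(u, fake_fetch))
```

Pages with rotating content can differ between two identical requests, so a real deployment would calibrate the threshold by fetching the scanner profile twice first.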

Victim Funnel and Secondary Exploitation

Initial contact usually drives the victim toward off-platform communications via WhatsApp, Telegram, or smaller social networks. There, “investment advisors” guide victims into transferring funds to fraudulent platforms or installing remote access software disguised as trading tools.

Once installed, these tools allow full system compromise — opening the door to secondary attacks, including credential theft and financial account takeovers.

Indicators and Detection Insights

Netcraft analysts observe recurring infrastructure indicators across many campaigns:

  • Consistent templating across distinct domain clusters, suggesting shared kits or affiliate distribution models.

  • Use of compromised legitimate domains for redirectors, allowing the scam to inherit trust signals.

  • Dynamic DNS and CDN hosting to obfuscate geographic origin and facilitate rapid rotation.

  • Media impersonation kits replicating high-traffic outlets (BBC, ABC, CBC, Channel News Asia), often updated to localize currency symbols and news anchors for specific regions.

The combination of scalable infrastructure, regional tailoring, and evasion through cloaking makes these campaigns remarkably durable compared to earlier CIS activity.
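The first indicator above, consistent templating across distinct domains, can be surfaced by fingerprinting page structure rather than text, so that localized copies of one kit still group together. This is an added example, not Netcraft's method: the tag-and-class skeleton hash, the `min_domains` cutoff and the constructed `.example` sample pages are assumptions.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Skeleton(HTMLParser):
    """Records each start tag with its sorted class names; all text is ignored."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        classes = sorted((dict(attrs).get("class") or "").split())
        self.parts.append(tag + "." + ".".join(classes))

def template_fingerprint(html):
    parser = _Skeleton()
    parser.feed(html)
    return hashlib.sha256("|".join(parser.parts).encode()).hexdigest()[:16]

def cluster_by_template(pages):
    """pages: iterable of (url, html) -> {fingerprint: {"urls": int, "domains": set}}."""
    clusters = defaultdict(lambda: {"urls": 0, "domains": set()})
    for url, html in pages:
        cluster = clusters[template_fingerprint(html)]
        cluster["urls"] += 1
        cluster["domains"].add(urlsplit(url).hostname)
    return dict(clusters)

def shared_kits(pages, min_domains=2):
    """Keep only templates seen on several distinct domains (a likely shared kit)."""
    return {fp: c for fp, c in cluster_by_template(pages).items()
            if len(c["domains"]) >= min_domains}

# Constructed sample: one template localized three ways, plus an unrelated page.
KIT = ('<div class="hero main"><h1>{t}</h1><form class="signup">'
       '<input name="email"><button>{b}</button></form></div>')
SAMPLE_PAGES = [
    ("https://alpha.example/en/", KIT.format(t="Start earning today", b="Register")),
    ("https://alpha.example/de/", KIT.format(t="Jetzt verdienen", b="Registrieren")),
    ("https://bravo.example/", KIT.format(t="Earn in CAD $", b="Register")),
    ("https://gamma.example/", "<html><body><p>Personal blog</p></body></html>"),
]

if __name__ == "__main__":
    for fp, c in shared_kits(SAMPLE_PAGES).items():
        print(fp, c["urls"], "URLs across", len(c["domains"]), "domains")
```

An exact hash only matches identical skeletons; kits that vary their markup between deployments need a fuzzy comparison over the same tag sequence.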

Cryptocurrency Scams – Future Outlook

Cryptocurrency investment scams have transitioned from opportunistic fraud to persistent, industrialized operations. The blending of malvertising, AI-driven narratives, and infrastructure agility suggests a mature ecosystem that is likely to persist into 2026.

As public awareness of traditional “get-rich-quick” schemes increases, attackers are adapting, positioning their scams within emerging narratives around AI, fintech, and automation.

Continuous monitoring, proactive takedown, and infrastructure-level intelligence remain essential to disrupting these networks.

Attribution Note

All data in this report is derived from Netcraft’s internal telemetry and takedown statistics as of October 2025.
