- 15,500 domains were actively used to offer hidden AI investment scams
- Cloaking ensures that harmful content is only shown to targeted victims
- Commercial tracking software allows cybercriminals to expand operations without building infrastructure
Cloaking has evolved from a supporting tactic to a core layer of cybercrime infrastructure, and commercial tools are now widely integrated into large-scale cybercrime operations.
A four-month analysis of malicious activity by Infoblox and Confiant identified approximately 15,500 domains linked to malicious tracker deployments.
These domains carried traffic from compromised websites, spam messages, social media, and online advertising ecosystems.
Malicious actors exploit commercial tracking software at scale
Rather than building custom systems, many threat actors rely on commercial tracking software that already provides filtering, routing, and campaign management functions at scale.
These domains do not simply host scams, but conceal them through cloaking techniques that display harmful content only to intended victims while displaying harmless pages to security scanners and others.
Cloaking works through traffic distribution systems that filter visitors using attributes such as location, device type, and referral source before determining what content to display.
This allows operators to bypass advertising restrictions while narrowing down the audience who will ultimately see the fraudulent content.
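The filtering described above is also what gives defenders a handle on cloaked domains: if the same URL is fetched under several visitor profiles and the page content differs by profile, the site is serving audience-dependent content. The following Python example is added here and is not code from the Infoblox/Confiant report; the profile names, the `fetch_with_profile` helper and the sample HTML responses are all constructed for illustration.

```python
"""Detect cloaking by comparing one URL's content across several visitor profiles.

Added example, not from the original article. A real scan would call
fetch_with_profile() once per profile (ideally from egress points in different
countries); the sample responses below are constructed so the module runs offline.
"""
import hashlib
import re
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One visitor identity a cloaking-aware scanner rotates through (constructed)."""
    name: str
    user_agent: str
    referer: str


# Hypothetical profiles: a bare scanner, a direct desktop visitor, and a mobile
# visitor arriving from a social-media referer (the audience scam pages target).
PROFILES = [
    Profile("scanner", "python-urllib/3", ""),
    Profile("desktop_direct", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0", ""),
    Profile("mobile_social", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
            "https://social.example/"),
]


def fetch_with_profile(url: str, profile: Profile, timeout: float = 10.0) -> str:
    """Fetch url with the profile's headers. Not used by the offline demo below."""
    headers = {"User-Agent": profile.user_agent}
    if profile.referer:
        headers["Referer"] = profile.referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalize(html: str) -> str:
    """Reduce a page to its visible text so nonces, timestamps and scripts
    do not produce false divergence between otherwise identical pages."""
    text = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)  # drop script/style bodies
    text = re.sub(r"(?s)<[^>]+>", " ", text)                       # drop remaining tags
    text = re.sub(r"\d+", "", text)                                # drop digits (timestamps, ids)
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def detect_cloaking(responses: dict, baseline: str = "scanner") -> dict:
    """Flag a site as cloaked when any profile's content differs from the
    baseline (what a security scanner would see)."""
    fps = {name: fingerprint(body) for name, body in responses.items()}
    base = fps[baseline]
    divergent = sorted(name for name, fp in fps.items() if fp != base)
    return {"cloaked": bool(divergent), "divergent_profiles": divergent, "fingerprints": fps}


# Constructed sample pages: the benign page varies only in a nonce and a
# timestamp; the targeted profile receives an AI-trading lure instead.
BENIGN_PAGE = """<html><head><title>Garden Tips</title>
<script>var nonce="{nonce}";</script></head>
<body><h1>Garden Tips</h1><p>Last updated {ts}</p>
<p>Ten easy herbs to grow indoors.</p></body></html>"""

SCAM_PAGE = """<html><head><title>Intelligent AI Trading Technology</title></head>
<body><h1>Intelligent AI Trading Technology</h1>
<p>Join thousands earning consistent daily returns with our automated platform.</p>
<form action="/signup"><input name="phone"><button>Start now</button></form>
</body></html>"""

SAMPLE_RESPONSES = {
    "scanner": BENIGN_PAGE.format(nonce="a1b2c3", ts="2024-01-01 10:00"),
    "desktop_direct": BENIGN_PAGE.format(nonce="z9y8x7", ts="2024-01-01 10:05"),
    "mobile_social": SCAM_PAGE,
}

if __name__ == "__main__":
    result = detect_cloaking(SAMPLE_RESPONSES)
    print("cloaked:", result["cloaked"], "divergent:", result["divergent_profiles"])
```

Divergence alone is not proof of fraud (legitimate sites localize and A/B test), so in practice the divergent profile's content is what gets reviewed, and the profile that triggered it tells you which audience the operator is filtering for.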
The study describes cloaking as “a fundamental element of modern cybercrime,” reflecting how deeply integrated it has become within these operations.
It also allows bad actors to protect infrastructure not only from defenders, but also from rival groups looking to hijack campaigns.
Investment scams accounted for the largest share of activity observed across these domains, with a clear focus on AI-themed narratives as the primary lure.
The pages frequently promote automated trading platforms using phrases such as “Intelligent AI Trading Technology” or “Intelligent Trading Solutions”, often coupled with claims of consistent and unusually high returns.
In many cases, deepfake images and fabricated media content are used to build credibility and create a sense of urgency.
Additionally, generative AI tools are used to produce large volumes of campaign materials programmatically.
This includes headlines, promotional copy, and visual elements that can be deployed across multiple domains with minimal variation.
The result is a scalable content pipeline that supports rapid expansion of campaigns across languages and regions without requiring significant manual effort.
Despite domain reports and account suspensions by researchers and tracker operators, activity shows no signs of slowing down.
Operators continue to rotate domains and reuse the same infrastructure with minimal changes, allowing campaigns to return quickly after an interruption.
Thousands of active domains in a short window indicate persistent, ongoing activity rather than isolated incidents.
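Because operators rotate domains while reusing the same tracker endpoints, page templates and hosting, a replacement domain can be tied back to a known campaign by pivoting on shared indicators rather than treating it as a fresh incident. The Python example below is added here and is not code from the report or its authors; the domain names, tracker hosts, fingerprints and TEST-NET addresses are constructed placeholders.

```python
"""Cluster observed scam domains by shared infrastructure (union-find on indicators).

Added example, not from the original article. Observations are constructed;
content_fp would come from a page-text fingerprint such as the one a cloaking
scanner records, and tracker_host from the TDS/tracker endpoint the page loads.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    domain: str
    tracker_host: str   # tracker/TDS endpoint the landing page calls
    content_fp: str     # fingerprint of the normalized page text
    ip: str             # hosting address at observation time


def cluster_infrastructure(observations, shared_keys=("tracker_host", "content_fp")):
    """Group domains that share any of the given indicator values.

    'ip' is deliberately not in the default keys: shared hosting and CDNs make
    it a noisy pivot. Pass shared_keys=("tracker_host", "content_fp", "ip")
    when the hosting is known to be attacker-controlled.
    """
    parent = {o.domain: o.domain for o in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index domains by (indicator name, value), then merge everything sharing a value.
    by_indicator = defaultdict(list)
    for o in observations:
        for key in shared_keys:
            by_indicator[(key, getattr(o, key))].append(o.domain)
    for members in by_indicator.values():
        for d in members[1:]:
            union(members[0], d)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    # Largest clusters first, then alphabetical, so output is deterministic.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c[0]))


def cluster_of(observations, domain, **kwargs):
    """Return the cluster containing `domain`, or None if it was not observed."""
    for cluster in cluster_infrastructure(observations, **kwargs):
        if domain in cluster:
            return cluster
    return None


# Constructed observations: two domains from a first wave, one replacement that
# appeared after a takedown with a new tracker host but the same page template,
# and one unrelated site.
OBSERVATIONS = [
    Observation("ai-profit-a.example", "t1.tracker.example", "fp-scam-1", "192.0.2.10"),
    Observation("ai-profit-b.example", "t1.tracker.example", "fp-scam-1", "192.0.2.11"),
    Observation("smart-trade-c.example", "t2.tracker.example", "fp-scam-1", "192.0.2.12"),
    Observation("unrelated.example", "t9.other.example", "fp-blog", "192.0.2.50"),
]

if __name__ == "__main__":
    for cluster in cluster_infrastructure(OBSERVATIONS):
        print(len(cluster), cluster)
```

Run against a feed of daily observations, the output answers the question the article raises: whether a new domain is an isolated incident or the same campaign returning under a different name.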
Endpoint protection systems often have difficulty detecting these campaigns because hidden content is only revealed once specific conditions are met.
Firewall controls provide limited coverage when traffic is routed through legitimate advertising and web channels.
Malware removal efforts remain reactive because damage typically only occurs after victims have already been routed through these distribution channels.
These limitations mean that standard defenses cannot stop these attacks, and the risk from cloaking and tracker abuse remains high.