Security company Group-IB discovered a massive network of investment fraudsters.

The fraudsters used more than 10,000 web domains to dupe victims and pretend to be investors. Victims deposit money through a web application, receive updates on ‘earnings’ and never see a return.


The fraudsters use web domains to host advertisements and web applications. The advertisements are written in various languages and distributed across Europe through Facebook and YouTube. The advertisements redirect to various web pages that resembles an investment websites, as shown below. Slogans such as “make money fast” and “get rich with Bitcoin” are common.

After filling out a form, a fraudster calls the victim. The fraudster asks for a €250 deposit. If the victim agrees, he or she is given access to a web application. The web application is disguised as an investment portal. Investment companies work with self-service dashboards that allow customers to manage and invest money. The fraudsters copy this design.

Victims see an overview of investments, including earnings and balance. Unbeknownst to the victim, all earnings are fake. Credit card details are stolen after the first deposit, but those don’t have to be abused if a victim willingly continues to deposit money. Most victims never see their money again.

Group-IB recorded a telephone conversation with a fraudster, which can be heard below.

Fraud Protection

Group-IB’s security teams tracked down 11,197 web domains for sites and apps. All domains were connected in a network. The fraudsters work as an organization. About 6,000 domains recently went offline. The remaining 5,000 are active at the time of writing.

Group-IB regularly investigates Internet fraud. Research results are processed in cybersecurity products, including ‘Fraud Protection’. The service is aimed at financial service providers. Several banks use the technology to protect their end users against digital fraud.

Tip: Group-IB leaves Russia, focuses on Europe