Massive investment fraud campaign leverages 17,000 fraudulent news sites

Scam sites are impersonating legitimate news websites, using native languages, major brands, and regional public figures to promote fake investment opportunities.

A massive network of 17,000 fraudulent websites has been unveiled by researchers from CTM360. The fraudsters behind the sites direct victims to fake platforms, where they collect payments and sensitive data.

“The platform shows fake profit dashboards and fabricated returns, convincing users to invest

more, even though no real trading takes place,” the report warns.

This massive campaign targets users across 50 countries, with localized “baiting news sites” (BNSes) for each market.

Scammers have targeted every niche. Baiting news sites mimic trusted global media outlets such as CNN, BBC, CNBC, News24, and ABC News. A faux Le Monde alternative is available in France, and the Indian Express will lure victims in Asia.

Most baiting sites have been launched in the Middle East (10,500) and Asia Pacific (3,400). However, thousands of sites also target Oceania, Europe, and the Americas.

It’s practically impossible for internet users to completely avoid these sites, as they’re frequently advertised by abusing fake ads on Google Ads, Meta Ads, and other social media. The ads promise huge returns and feature local celebrities or officials.

“Baiting news sites are used as a distribution technique. Scammers use them to initiate contact, build credibility, and direct users toward fraudulent platforms designed to steal funds,” the report reads.

The researchers shed light on how the scam works:

• Scammers buy ads on Google, Facebook, and elsewhere, often using headlines like “You wonʼt believe what the [central bank governor] just revealed about making money from home,ˮ paired with official photos or national symbols to increase credibility.
• Ads are often bought using accounts with no history, zero followers, and minimal profile details, exclusively to host sponsored advertisements.
• Clicking on the ad leads to a fake news site. To create a fraudulent news site, the threat actor uses free or low-cost top-level domains, such as .xyz, .shop, and .click. Many sites were also found on compromised legitimate domains hosting a malicious implant, making detection and takedown challenging.
• The article will resemble legitimate media outlets but endorse fraudulent investment platforms, such as Solara Vynex or Eclipse Earn, a supposed automated crypto investment system.
• When victims sign up, they are prompted to make a small initial deposit of around $240. Their data and money are stolen. The platform only shows fake profit dashboards, convincing users to invest even more. No actual trading takes place.
• Scammers pose as friendly advisors or experts who push to transfer the deposit to activate the account.
• When attempting to withdraw the “profits,” fraudsters attempt to squeeze the last dollar by telling victims to complete additional verifications, pay unlock fees, or meet new “minimum balancesˮ before the funds can be released.
• The scammers often abuse crypto wallets or mule accounts to secure the transfers.

“During the call, the agent requests sensitive personal details, including full name, phone number, email address, national ID, and banking information, under the pretext of verifying the user's identity and preparing the account,” the researchers explain.

The researchers warn that KYC-style information, such as ID numbers, bank details, and contact lists, will be sold on the dark web and used in future phishing, social engineering, and credit fraud campaigns.

The threat actor behind this campaign profits from both the personal data collection and any deposits the victims make.