In recent months an old enemy of savings has resurfaced: so-called high-yield investment programs, or HYIPs. At first sight they present themselves as professional platforms, with polished designs and impeccable testimonials, and promise profits that seem impossible to turn down. When someone assures you of extraordinary returns in a very short time, distrust is warranted: no legitimate investment scheme can sustain unrealistic returns without taking on proportional risk.
A recent analysis by CTM360 detected thousands of sites dedicated to this type of fraud, and a volume of incidents showing that the activity is not occasional but sustained. According to its report, more than 4,200 domains promoting HYIP schemes were identified over the past year, with monthly peaks reaching hundreds of detections; in December 2025 the firm recorded more than 485 incidents, an average on the order of tens of alerts per day. You can review the full study on the CTM360 page: https://www.ctm360.com/reports/hyip-risk.

Behind the marketing and the screenshots showing lush "balances," the mechanics are well known: many HYIPs replicate the structure of a Ponzi scheme. Initial payouts to early investors are used to build confidence, and that trust is publicized to attract new deposits. When the inflow of funds slows, the excuses begin, then delays in verification and, finally, the closure or disappearance of the service, with accounts blocked and the money inaccessible.
CTM360 identifies two dominant formats in this wave: on the one hand, platforms that simulate cryptocurrency trading; on the other, pages that appear to operate in forex or stock markets. Although the context changes (one appeals to interest in crypto, the other to the apparent legitimacy of traditional markets), the strategy is the same: realistic interfaces, fake charts and invented figures to convince depositors that their money is "yielding."
Distribution plays a key role. These operators are not limited to a single channel: they mix paid ads on social networks, closed channels such as Telegram and WhatsApp messages, as well as fake profiles that recommend investments and show fabricated success stories. The campaigns are adapted to multiple languages, allowing them to target audiences in very different regions. The combination of paid advertising and virality in personal networks multiplies the reach of the fraud.
To give a patina of credibility, HYIP sites often display seals, "licenses" and registrations that are frequently distorted or recycled across tens, even hundreds, of portals. In some cases, the same address or registration number is repeated across hundreds of domains, which reveals a scam infrastructure designed to scale massively. In addition, withdrawals and balances are fabricated to feed the illusion of legitimacy.
One mechanism that accelerates the expansion of these schemes is the referral system: the first victims are encouraged to bring in family and friends in exchange for commissions or "bonuses" that supposedly increase profitability. Thus, the victims end up becoming vectors for the spread of the fraud, which makes the chain hard to break and multiplies the social damage.
As for payments, although cryptocurrencies are common because of the ease with which they move funds, it is not rare to find payment options with cards, local payment gateways and other methods that allow scammers to collect money from different sources. They often ask for documentation for a KYC (know your customer) process that is never completed: this verification becomes the perfect excuse to delay or deny withdrawals, and may also pose an additional risk of identity theft.
The end of the cycle is always similar: withdrawals are blocked, support stops responding, domains expire or are deleted, and the operators disappear with the balance. Although the structure seems sophisticated, the sequence of signals and the outcome match schemes investigated by authorities in multiple countries. To better understand the patterns and how these networks work, cyber-intelligence teams like CTM360 map the fraud cycle, which makes it possible to anticipate vectors and mitigation points.
If you are concerned about a dubious offer, several public authorities offer guides and complaint channels. In the United States, the Federal Trade Commission (FTC) maintains resources to recognize and report investment scams: consumer.ftc.gov - Investment and fraud. The FBI also publishes guidance and records complaints related to online and financial fraud through IC3: https://www.ic3.gov. For investors looking for rules and how to avoid fraud, the SEC / Investor.gov website offers practical guidelines: Investor.gov - How to avoid fraud. At European level, Europol collects trends on cybercrime and the use of crypto-assets in illicit activities in its cybercrime section: Europol - Cybercrime.
If you have already been a victim, in addition to cutting off all communication with the platform, you should collect evidence (screenshots of transactions, messages and payment receipts) and file complaints with the competent authorities and with the reporting services of the social network or payment gateway used. Inform banks and payment providers as soon as possible to reduce the damage and, in some cases, to allow blocking or recovery measures.
In the business and cybersecurity field, early detection requires active monitoring of the external surface (domains, ads, fake profiles) and intelligence sources in order to identify template-recycling patterns, repeated registration data or targeted paid campaigns. Specialized tools and public-private collaboration are key to anticipating and dismantling global networks.
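One way a monitoring team could surface the repeated registration data described above, as an added example that is not taken from the CTM360 report: it links domains that reuse a registration number or postal address and groups them transitively. The domains, footer texts and the two extraction patterns are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: footer text scraped from monitored sites (not real domains).
PAGES = {
    "alpha-yield.example": "Licensed broker. Reg. No: 12345678. 10 Example Street, Suite 5, London",
    "beta-profit.example": "Company registration no 12345678 | Office: 99 Sample Road, Dubai",
    "gamma-fx.example": "Reg No. 87654321 - 99 Sample  Road,  Dubai",
    "delta-coin.example": "REG. NO: 55500011. 1 Placeholder Ave, Singapore",
    "omega-trade.example": "registration no. 87654321, 7 Mock Lane, Nicosia",
}
# Assumed patterns for this sample; real footers need broader extraction rules.
REG_RE = re.compile(r"reg(?:istration)?\.?\s*no\.?\s*:?\s*(\d{6,10})", re.I)
ADDR_RE = re.compile(r"\d+\s+[A-Za-z ]+?\s+(?:street|road|ave|lane)\b[^.|]*", re.I)

def indicators(text):
    """Return normalized reuse indicators (registration numbers, addresses)."""
    found = {("reg", m) for m in REG_RE.findall(text)}
    for m in ADDR_RE.findall(text):
        found.add(("addr", re.sub(r"[^a-z0-9]+", " ", m.lower()).strip()))
    return found

def shared_indicators(pages):
    """Map each indicator seen on more than one domain to those domains."""
    seen = defaultdict(set)
    for domain, text in pages.items():
        for ind in indicators(text):
            seen[ind].add(domain)
    return {ind: sorted(ds) for ind, ds in seen.items() if len(ds) > 1}

def cluster(pages, min_size=2):
    """Union-find: domains sharing any indicator, directly or not, form one cluster."""
    parent = {d: d for d in pages}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    first_seen = {}
    for domain, text in pages.items():
        for ind in indicators(text):
            if ind in first_seen:
                parent[find(domain)] = find(first_seen[ind])
            else:
                first_seen[ind] = domain
    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values() if len(g) >= min_size), key=len, reverse=True)
```

On the sample, `cluster(PAGES)` joins four domains into one group even though no single identifier appears on all of them, which is the case a per-indicator count misses.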

The lesson is clear: in the face of promises that sound too good, prudence is the best defense. Verifying the source, cross-checking information against official sources and distrusting any pressure to "take advantage of the offer" are indispensable steps. Maintaining a critical attitude and using the resources of independent authorities and analysts reduces the likelihood of falling into these well-disguised traps.
For those who work in digital security or simply want to go deeper, the CTM360 report provides more technical detail on tactics, infrastructure and recommended mitigation measures: https://www.ctm360.com/reports/hyip-risk. And if you need to report a fraud in the United States, the FTC has a portal for reports, while complaints of international computer crimes can be channelled through IC3: https://www.ic3.gov.
Technology makes legitimate and useful investment platforms possible, but it also facilitates the creation of increasingly polished scams. Getting informed and checking before you trust are the best tools to protect your money and your identity.