
‘Mystery Box’ scam steps up subscription scams online 

The mystery box scam is evolving as cybercriminals have found new ways to make it more convincing and even add more hidden recurring payments, according to Bitdefender researchers.

The goal of the mystery box scam is to collect personal and financial information by tricking victims into believing they have made a fantastic purchase.

As the traditional scheme lost its allure, scammers have devised new ways to make it more convincing, such as running ads on social media and adding small details like surveys ‘to ensure’ you are a real person and not a bot, the researchers explained.

They even put in more effort by running ads with impersonated content creators, making multiple versions of the ad to avoid automatic detection, and creating social media pages that look like the originals.

The researchers found that the mystery box ads pointed to various online shops selling a variety of products, from clothes and beauty products to electronic equipment.

The online shop appears to offer many subscription tiers with all kinds of perks, which makes the scheme more tempting as people believe that it will provide them with discounts across the entire website.

“Right before you agree to give them money and financial information, you also agree to a subscription model (written in a tiny font) that turns your current mystery shopping adventure into recurring payments,” the researchers said.

The payment page often references a website called naillr[.]com, where victims are promised a loyalty membership card that gives discounts and perks.

“The basic idea is to have a process as convoluted as possible, and to make it sound like a good idea at the same time. By the time the victim is actually paying a subscription, it already seems like an investment,” they added.

By following URLs that share a tracker ID, Bitdefender found more than 200 websites in this campaign, many of which are still online. Many of them are linked to a single address in Cyprus, likely home to an offshore company.

“While many of these frauds are seemingly linked to the same operators, a lot of other scammers also figure out that subscription is the new normal. 

“With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we’re bound to see these kinds of frauds inundate the online world,” the researchers concluded.
