Security researchers have identified an extensive telecommunications fraud operation that uses fake verification prompts to trick mobile phone users into sending premium-rate international text messages, generating substantial illegal revenue for the criminals controlling the receiving phone numbers.
Cybersecurity firm Infoblox published comprehensive analysis revealing a telecommunications revenue-share fraud campaign involving elaborate social engineering tactics combined with malicious website traffic routing systems. The operation maintains documented activity spanning at least six years, using techniques including fake security verification prompts and browser manipulation methods.
The Fake CAPTCHA Fraud Mechanism

The scam initiates when users are directed to fraudulent websites through compromised traffic routing systems. These websites display what appears to be a legitimate security verification screen—a CAPTCHA prompt typically used to confirm that a human, rather than an automated bot, is accessing a service.
However, rather than simply requesting users to solve a puzzle, this deceptive CAPTCHA instructs victims to send a text message to “confirm you are human.” Once victims comply, their mobile devices automatically launch text messaging applications with phone numbers and message content pre-populated by the malicious website.
Security researchers David Brunsdon and Darby Wise documented the fraud mechanics in their analysis: “The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn’t charged for just a single message – they’re charged for sending SMSs to over 50 international destinations.”
The true severity of the exploitation becomes apparent when examining the financial impact. Following four sequential CAPTCHA verification steps, victims unknowingly send approximately 60 text messages to 15 distinct international phone numbers. These premium-rate international messages typically incur charges between $0.50 and $5 per message, potentially costing individual victims up to $30 or more from a single deceptive CAPTCHA interaction.
Financial Impact and Delayed Detection
A particularly insidious aspect of this fraud involves billing delays. International SMS charges typically appear on victims’ mobile phone bills weeks after the scam interaction occurs. By the time fraudulent charges materialize on billing statements, victims have forgotten the deceptive CAPTCHA experience, making it substantially more difficult to identify the scam’s origin and report fraudulent activity to telecommunications carriers.
Infoblox researchers noted: “This type of scam also benefits from delayed billing, as the ‘international SMS’ charges often appear on the victim’s bill weeks later and the experience with the fake CAPTCHA has been long forgotten.”
The scam operators have strategically selected international phone numbers based on regulatory environments and termination fee structures. Numbers have been observed in 17 distinct countries, including Azerbaijan, Kazakhstan, the Netherlands, Belgium, Poland, Spain, and Turkey—nations with notably high termination fees or relaxed regulatory oversight of premium-rate services.
Technical Infrastructure and Traffic Distribution Systems
What distinguishes this campaign from traditional SMS fraud is the convergence of international revenue-share fraud (IRSF) with malicious traffic distribution systems (TDSs). Traffic distribution systems traditionally function as sophisticated routing infrastructure for redirecting website visitors toward malware installations or phishing pages while evading security detection mechanisms.
In this operation, criminal actors have repurposed this infrastructure specifically for executing SMS scams at massive scale. This represents a novel adaptation of existing malicious infrastructure, transforming systems designed for malware distribution into specialized fraud execution platforms.
International revenue-share fraud typically operates through the following mechanism: fraudsters illegally acquire international premium-rate numbers or number ranges and artificially inflate call and message volumes to those numbers. The inflated volume generates revenue-sharing payments funded by telecommunications termination fees, the inter-carrier charges that an originating carrier pays the terminating carrier for delivering incoming calls or messages on its network.
In this particular scheme, termination fees represent the charges that originating carriers must pay to receiving carriers for completing international text messages. Fraudsters exploit these payment mechanisms by directing massive volumes of SMS traffic toward high-cost destination numbers in collusion with local telecommunications providers, with both parties dividing the generated revenue.
The Multi-Stage Verification Trap
The fraudulent campaign employs sophisticated technical mechanisms to maximize victim engagement and prevent escape. The attack unfolds through several coordinated stages:
Initial Deception: Users encounter what appears to be a legitimate security verification page, typically displayed after clicking a malicious link distributed through commercial traffic routing systems.
Progressive Message Bombardment: Rather than requesting a single message, the fake CAPTCHA progresses through multiple stages, each stage triggering automated transmission of additional pre-crafted messages to attacker-designated phone numbers.
Cookie-Based Tracking: The malicious website employs cookie-based mechanisms to track individual user progression through the verification stages. Certain cookies store values indicating completion percentages (“successRate”), determining whether victims are encouraged to continue through additional stages or redirected to alternative scam campaigns.
Browser Navigation Hijacking: Perhaps most notably, the scam incorporates back-button hijacking—a technique using JavaScript to manipulate browser history. This prevents users from navigating away from the malicious CAPTCHA page by clicking the browser’s back button. Any such attempt redirects users back to the fake page, creating a navigation loop that effectively traps victims unless they completely close the browser application.
Selective Victim Targeting: Users deemed unsuitable for the campaign are redirected to entirely different CAPTCHA pages, likely representing either separate fraud campaigns or operations controlled by different criminal actors, suggesting a broader ecosystem of coordinated fraud operations.
Impact on Multiple Stakeholders
The fraud operation simultaneously victimizes both individual consumers and telecommunications service providers:
Individual Victim Impact: Consumers face unexpected premium-rate international SMS charges appearing on their mobile bills weeks after the scam interaction. The delayed billing timeline and forgotten context make identifying the fraud’s origin substantially more difficult, hindering efforts to report fraudulent activity or dispute charges.
Carrier Impact: Telecommunications carriers absorb substantial losses through multiple mechanisms. They pay revenue-sharing compensation to perpetrators for the fraudulent traffic, simultaneously process customer dispute resolutions, and manage chargebacks for fraudulent charges—effectively subsidizing the criminal operation while losing revenue.
Coordinated Keitaro TDS Abuse Campaign
Infoblox, in collaboration with Confiant, published additional analysis revealing how the Keitaro traffic distribution system (also designated as Keitaro Tracker) has been weaponized by approximately 120 distinct threat actor groups for malicious purposes over a four-month period spanning October 2025 through January 2026.
Keitaro, originally designed as self-hosted advertising performance tracking software, includes conditional visitor routing capabilities based on predefined traffic distribution flows. Criminal actors have systematically repurposed this legitimate business tool, transforming Keitaro deployments into unified malicious infrastructure combining traffic distribution, visitor tracking, and cloaking layers designed to evade security detection.
The abuse of Keitaro infrastructure has facilitated multiple attack categories:
Malware Distribution: Criminal operators have leveraged Keitaro systems to distribute banking trojans, credential-stealing malware, and other information-stealing applications to unwitting victims.
Cryptocurrency Theft: Extensive campaigns have abused Keitaro to distribute cryptocurrency wallet-draining malware, particularly through fabricated cryptocurrency airdrop and giveaway schemes targeting users of popular blockchain platforms including Solana, Phantom wallet, Jupiter DEX, and AURA tokens.
Investment Fraud: Sophisticated scammers have weaponized Keitaro to promote fake investment platforms claiming to employ artificial intelligence for automated cryptocurrency trading. These schemes promise unrealistic returns and rely on celebrity endorsements—some genuine but surreptitiously leveraged, others completely fabricated through deepfake video technology.
AI-Enhanced Investment Scams
A particularly advanced variant of the Keitaro-facilitated fraud involves coordinated investment scams leveraging artificial intelligence technology. These operations create fraudulent investment platforms claiming to offer AI-powered cryptocurrency trading automation.
The fraud relies heavily on promotional tactics including:
Social Media Advertising: Campaigns deploy paid Facebook advertisements to direct victims toward fraudulent investment platforms, exploiting Facebook’s sophisticated targeting capabilities to identify financially-motivated audiences.
Celebrity Endorsements: Scammers leverage real celebrity social media accounts through account compromise or, more commonly, fabricate entirely fictional endorsements through deepfake video creation technology. Threat actors attributed to FaiKast have specifically been identified creating synthetic video content featuring false celebrity endorsements.
Fake News Articles: Coordinated disinformation campaigns create fabricated news articles featuring celebrity endorsements and testimonials, lending false credibility to the fraudulent investment schemes.
Promised Returns: Victims are convinced that sophisticated AI trading systems can reliably generate returns of 50%, 100%, or even higher percentages through automated cryptocurrency trading.
The analysis of Keitaro infrastructure abuse revealed that approximately 96% of detected Keitaro-linked spam traffic promoted cryptocurrency wallet-draining schemes. The predominant targets included:
- AURA token distributions
- SOL (Solana network token)
- Phantom cryptocurrency wallet
- Jupiter (decentralized exchange and trading aggregator)
Scale of the Coordinated Campaign

The scope of Keitaro infrastructure abuse represents a substantial threat to internet users globally. During the four-month observation period, security researchers documented:
Campaign Volume: More than 120 distinct, coordinated threat campaigns weaponized Keitaro infrastructure for link distribution and malicious traffic routing.
DNS Query Activity: Infoblox monitoring systems recorded approximately 226,000 DNS queries across 13,500 unique internet domains directly associated with Keitaro-related malicious activity.
License Acquisition: Certain threat actors, including the group designated TA2726, obtained access to Keitaro infrastructure through acquisition of stolen or cracked software licenses, suggesting an underground market for compromised legitimate business software.
Platform Response: Following responsible disclosure communication, Keitaro administrators took action to revoke access for more than a dozen accounts linked to identified malicious activities.
Confluence of Legacy and Modern Attack Techniques
Security researchers emphasized the concerning convergence of established fraud methodologies with emerging technologies:
“By combining an older but still highly effective investment fraud theme with modern AI technologies, actors have been able to launch large‑scale, highly convincing cyber campaigns,” according to analysis from Infoblox and Confiant. “Approximately 96% of Keitaro‑linked spam traffic promoted cryptocurrency wallet‑drainer schemes, primarily via fake airdrop/giveaway lures centered on AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator).”
This combination proves particularly effective because traditional investment fraud techniques remain compelling to victims while modern technologies—particularly artificial intelligence and deepfake video creation—enhance the apparent legitimacy of fraudulent schemes.
Defensive Recommendations
Organizations and individual users should implement several protective measures:
For Individual Users:
- Treat unexpected CAPTCHA prompts requesting SMS messages with extreme suspicion
- Never follow automatic instructions to send text messages from alleged security verification pages
- Verify billing statements carefully for unexpected international SMS charges
- Report suspicious SMS charges to telecommunications carriers immediately
- Avoid clicking links in unsolicited emails or social media messages, particularly those promoting investment opportunities
- Maintain skepticism toward celebrity endorsements discovered through social media platforms
For Organizations:
- Implement email security solutions capable of detecting deepfake video content
- Deploy social media monitoring to identify compromised celebrity accounts or fabricated endorsements
- Monitor network traffic for suspicious traffic distribution system activity
- Educate employees regarding investment fraud schemes and AI-enhanced scam tactics
For Telecommunications Carriers:
- Implement advanced anomaly detection for unusual international SMS patterns
- Establish rapid dispute resolution procedures for fraud victims
- Collaborate with cybersecurity firms to identify IRSF infrastructure
- Monitor for suspicious international number registrations in high-termination-fee regions
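Two carrier-side rules follow directly from the victim pattern the report describes (dozens of messages to a handful of international numbers within minutes, and the same destination numbers hit by many unrelated subscribers). The script below is an added example, not carrier or Infoblox code; it assumes a simplified mobile-originated SMS CDR export, constructed inline, with a UTC timestamp, sending subscriber, destination number and the country the message was routed to, and the thresholds are illustrative rather than tuned.

```python
"""Carrier-side anomaly rules for premium-rate SMS bursts.

Added example (not carrier or Infoblox code). Two rules over MO-SMS CDRs:
  burst  - one subscriber sends >= min_msgs messages to >= min_dests distinct
           destinations in >= min_countries countries within a sliding window
  fan_in - one destination receives from >= min_senders distinct subscribers
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: three subscribers each fire six messages to four
# high-cost destinations within minutes (the fake-CAPTCHA pattern); one
# subscriber texts a contact abroad twice (benign).
SAMPLE_CDRS = """ts,sender,destination,dest_country
2025-11-03T10:14:02Z,+15551230001,+994501234567,AZ
2025-11-03T10:14:05Z,+15551230001,+31612345678,NL
2025-11-03T10:14:09Z,+15551230001,+48601234567,PL
2025-11-03T10:14:12Z,+15551230001,+90532123456,TR
2025-11-03T10:15:40Z,+15551230001,+994501234567,AZ
2025-11-03T10:15:44Z,+15551230001,+31612345678,NL
2025-11-03T10:30:10Z,+15551230004,+447700900123,GB
2025-11-03T10:31:55Z,+15551230004,+447700900123,GB
2025-11-03T11:02:01Z,+15551230002,+994501234567,AZ
2025-11-03T11:02:04Z,+15551230002,+31612345678,NL
2025-11-03T11:02:08Z,+15551230002,+48601234567,PL
2025-11-03T11:02:11Z,+15551230002,+90532123456,TR
2025-11-03T11:03:30Z,+15551230002,+994501234567,AZ
2025-11-03T11:03:33Z,+15551230002,+31612345678,NL
2025-11-03T11:40:20Z,+15551230003,+994501234567,AZ
2025-11-03T11:40:23Z,+15551230003,+31612345678,NL
2025-11-03T11:40:27Z,+15551230003,+48601234567,PL
2025-11-03T11:40:30Z,+15551230003,+90532123456,TR
2025-11-03T11:41:50Z,+15551230003,+994501234567,AZ
2025-11-03T11:41:53Z,+15551230003,+31612345678,NL
"""

def parse_cdrs(text):
    """Parse the CSV export and return records sorted by timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])

def detect(records, window=timedelta(minutes=10), min_msgs=6, min_dests=4,
           min_countries=3, min_senders=3):
    recent = defaultdict(deque)        # sender -> (ts, destination, country) in window
    burst = {}                         # sender -> time the burst rule first fired
    senders_by_dest = defaultdict(set) # destination -> distinct senders seen
    for r in records:
        q = recent[r["sender"]]
        q.append((r["ts"], r["destination"], r["dest_country"]))
        while q and r["ts"] - q[0][0] > window:   # drop messages outside the window
            q.popleft()
        senders_by_dest[r["destination"]].add(r["sender"])
        if r["sender"] not in burst and len(q) >= min_msgs:
            dests = {d for _, d, _ in q}
            countries = {c for _, _, c in q}
            if len(dests) >= min_dests and len(countries) >= min_countries:
                burst[r["sender"]] = r["ts"]
    fan_in = sorted(d for d, s in senders_by_dest.items() if len(s) >= min_senders)
    return {"burst": burst, "fan_in": fan_in}

if __name__ == "__main__":
    result = detect(parse_cdrs(SAMPLE_CDRS))
    for sender, when in result["burst"].items():
        print(f"burst  {sender} at {when.isoformat()}")
    for dest in result["fan_in"]:
        print(f"fan_in {dest}")
```

The burst rule fires on the sending side while the charges are still unbilled, which is the window in which a carrier can hold the traffic or contact the subscriber; the fan-in rule identifies the destination numbers themselves, which is the list worth sharing with other carriers and with the security firms the recommendation above mentions.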
Broader Implications
The coordination of multiple fraud campaigns across different attack vectors—SMS fraud, malware distribution, cryptocurrency theft, and investment scams—suggests an increasingly mature cybercriminal ecosystem capable of rapidly deploying diverse attack methodologies against target populations.
The convergence of IRSF operations with traffic distribution systems and cryptocurrency fraud demonstrates how legacy fraud techniques continue to thrive when integrated with modern malicious infrastructure. Furthermore, the apparent ease with which criminals can acquire legitimate business software licenses for malicious purposes suggests additional supply chain vulnerabilities requiring attention.