Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud

Cybersecurity researchers have uncovered details of a communications fraud campaign that uses fake CAPTCHA tactics to trick unsuspecting users into sending international text messages that are charged to their mobile phone bills, generating illicit revenue for the threat actors who lease the phone numbers.
According to a new report published by Infoblox, the campaign is believed to have been active since at least June 2020, using methods such as social engineering and hijacking the back button in web browsers. Up to 35 phone numbers from 17 countries have been identified as part of an international revenue share fraud (IRSF) operation.
“The fake CAPTCHA has many steps, and each message designed by the site is pre-programmed with more than a dozen phone numbers, which means that the victim is not charged for just one message – he is charged for sending SMS to more than 50 international destinations,” said researchers David Brunsdon and Darby Wise in the analysis.
“This type of scam also benefits from delayed payments, as ‘international SMS’ charges often appear on the victim’s bill a few weeks later and the fake CAPTCHA information is long forgotten.”
What makes the threat notable is the convergence of revenue share fraud and malicious traffic distribution systems (TDSs): infrastructure traditionally used to drive traffic to malware or phishing pages through a series of redirects that evade detection is being repurposed to run SMS scams at scale.
IRSF schemes involve fraudsters who illicitly obtain international premium rate numbers (IPRN) or number ranges and then artificially inflate the volume of international calls or messages to those numbers, in order to receive a portion of the termination fees that the number range owner collects for incoming traffic.
In this context, a termination fee is the wholesale charge that the originating telecommunications operator pays the terminating operator to complete a call on the latter's network. It is the exploitation of these "revenue-sharing" agreements that drives IRSF: the outgoing carrier ends up paying termination fees to the local network for incoming calls in high-cost areas, and part of that money is split with the fraudsters.
Infoblox said the observed campaign specifically registers phone numbers in countries with high termination costs or lax regulation, such as Azerbaijan and Kazakhstan, or in certain premium number ranges in Europe, and that it is working with local phone providers to root out the scam.
The whole campaign plays out like this: the user is redirected via a commercial TDS to a fake web page that presents a CAPTCHA instructing them to send an SMS to "verify you're human." This triggers a multi-stage "verification" chain, each step programmatically launching the Android SMS app to send a different message to numbers designated by the server.
In this scheme, up to 60 SMS messages are sent to 15 different numbers over four CAPTCHA steps, which can end up costing the user $30. While that is a relatively small amount, the DNS threat intelligence firm warned that it quickly adds up for a threat actor operating at scale. The list of phone numbers spans 17 countries, including Azerbaijan, the Netherlands, Belgium, Poland, Spain and Turkey.
The campaign relies heavily on cookies to track progress through the fake verification flow, using values stored in certain cookies (e.g., "Success rate") to determine the next course of action. If the user is deemed unsuitable for the campaign, the page redirects them to a completely different CAPTCHA page that may belong to a different campaign or be controlled by a different actor.
Another novel technique adopted by the scam operators is back button hijacking, which relies on JavaScript to alter the browsing history so that any attempt by a visitor to navigate away from the CAPTCHA page by pressing the browser's back button instead sends them to another fake page, effectively trapping them in a navigation loop unless they fully exit the browser.
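Trapping pages typically keep pushing the page's own URL onto the history stack so that "Back" never leaves it. The following is an added detection example, not code from the article or from Infoblox: it wraps `pushState`/`replaceState`, counts self-referential calls within a sliding time window, and flags the page once a threshold is exceeded. `makeHistoryTrapDetector` and `makeFakeHistory` are names chosen here; the fake history object is a stand-in for `window.history` so the snippet runs outside a browser.

```javascript
// Heuristic detector for back-button trapping (added example, hypothetical names).
// It takes the History object, a function returning the current page URL, and
// optional thresholds; an injectable clock makes the sliding window testable.
function makeHistoryTrapDetector(hist, getCurrentUrl, opts = {}) {
  const threshold = opts.threshold ?? 3;      // self-pushes before flagging
  const windowMs = opts.windowMs ?? 5000;     // sliding window length
  const now = opts.now ?? (() => Date.now()); // clock, overridable for tests
  const events = [];
  let flagged = false;

  // A call "targets self" when it passes no URL or resolves to the page's own URL.
  function targetsSelf(url) {
    if (url === undefined || url === null || url === '') return true;
    try {
      const base = getCurrentUrl();
      return new URL(String(url), base).href === new URL(base).href;
    } catch {
      return false;
    }
  }

  function observe(kind, url) {
    const t = now();
    events.push({ kind, self: targetsSelf(url), t });
    while (events.length && t - events[0].t > windowMs) events.shift();
    if (events.filter(e => e.self).length >= threshold) flagged = true;
  }

  // Wrap both history mutators; the original behaviour is preserved.
  for (const kind of ['pushState', 'replaceState']) {
    const original = hist[kind].bind(hist);
    hist[kind] = (state, title, url) => {
      observe(kind, url);
      return original(state, title, url);
    };
  }

  return {
    isFlagged: () => flagged,
    selfCallCount: () => events.filter(e => e.self).length,
  };
}

// Minimal stand-in for window.history so the example runs in Node (constructed).
function makeFakeHistory() {
  const stack = [];
  return {
    pushState(state, title, url) { stack.push(url); },
    replaceState(state, title, url) {
      if (stack.length) stack[stack.length - 1] = url; else stack.push(url);
    },
    length: () => stack.length,
  };
}
```

In a browser the same wrapper can be installed from a content script with `makeHistoryTrapDetector(window.history, () => location.href)` and its `isFlagged()` polled or surfaced as a warning.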
[Figure: Redirect chain leading to fake CAPTCHA page]
“This functionality defrauds both individuals and telecommunications carriers at the same time. Individual victims face unexpected SMS charges on their bills and will have difficulty detecting and reporting fraud when it comes from such an unexpected source,” Infoblox concluded. “Telephone carriers pay a share of the money to wrongdoers while potentially suffering losses from customer disputes or chargebacks.”
How Threat Actors Abuse Keitaro TDS
The disclosure comes as the company, in collaboration with Confiant, published a three-part analysis explaining how Keitaro TDS (aka Keitaro Tracker) is being abused, in some cases through stolen or cracked licenses (as in the case of TA2726), by a wide range of threat actors for malicious activities, including malware delivery, cryptocurrency theft and money laundering. One such activity cluster is an investment scam that claims to use artificial intelligence (AI) to automate trading and promises huge returns.
The scam uses Facebook Ads to lure victims to fake AI-powered social networks, in some cases going as far as fabricating celebrity endorsements pushed through fake news articles and fake videos to promote the investment scheme. The synthetic videos have been attributed to a threat actor tracked as FaiKast.
“Keitaro is first and foremost an advertising performance tracker designed to move visitors conditionally through a flow,” the companies said. “Threat actors are also targeting this process, turning the Keitaro server into an all-in-one tool that acts as a traffic distribution system, tracker, and blocking layer.”
[Figure: Distribution of spam campaigns observed using Keitaro]
In total, more than 120 separate campaigns abused Keitaro’s TDS for link delivery in a four-month period between October 2025 and January 2026. Infoblox noted that its clients recorded approximately 226,000 DNS queries targeting 13,500 domains associated with Keitaro-related activity during the time frame. After responsible disclosure, Keitaro intervened to cancel more than ten accounts linked to these activities.
“By combining the old but still very effective investment fraud theme with modern AI technology, actors have been able to launch larger, more persuasive online campaigns,” Infoblox and Confiant said. “Approximately 96% of the spam traffic linked to Keitaro promotes cryptocurrency wallet-draining schemes, mainly through airdrop/giveaway lures focused on AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator).”