Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Fuel Global SMS and Crypto Fraud


Cybersecurity researchers have unveiled a sophisticated telecommunications fraud campaign leveraging fake CAPTCHA verification techniques. This scheme deceives users into sending international text messages that result in unexpected charges on their mobile bills, generating illicit revenue for the perpetrators who lease the involved phone numbers.

Overview of the Fraud Campaign

A report from Infoblox indicates that this operation has been active since at least June 2020. It employs tactics such as social engineering and back button hijacking to manipulate users. The campaign has been linked to 35 phone numbers across 17 countries, indicating a widespread international revenue share fraud (IRSF) initiative.

The researchers, David Brunsdon and Darby Wise, highlighted that the fake CAPTCHA consists of multiple steps. Each crafted message is preconfigured with over a dozen phone numbers, meaning victims are charged not just for a single message, but for sending SMSs to over 50 international destinations. This multi-faceted approach significantly amplifies the financial impact on unsuspecting users.

Mechanics of the Scam

The fraudulent scheme benefits from delayed billing, as charges for international SMS messages often appear weeks later, allowing the experience with the fake CAPTCHA to fade from memory. The integration of revenue share fraud with traffic distribution systems (TDS) is particularly noteworthy. These systems, typically used to route traffic to malware or phishing pages, are now being exploited to facilitate SMS scams on a large scale.

IRSF schemes involve fraudsters acquiring international premium rate numbers (IPRN) or number ranges, artificially inflating the volume of international calls or messages to these numbers. This manipulation allows them to receive a share of the revenue generated from termination charges paid by telecom operators for inbound traffic.

Termination fees are the inter-carrier charges that an originating telecom operator pays to a terminating operator for completing a call on their network. The exploitation of these revenue-sharing agreements is what drives IRSF, as originating carriers end up paying substantial fees to destination networks for incoming calls, a portion of which is siphoned off by the fraudsters.

Infoblox has identified that the campaign registers phone numbers in countries with high termination fees or lax regulations, such as Azerbaijan and Kazakhstan, and collaborates with local telecom providers to execute the scam.

User Experience and Technical Exploits

The campaign unfolds as follows: users are redirected to a fraudulent web page using a commercial TDS, which presents a CAPTCHA instructing them to send an SMS to “confirm you are human.” This action triggers a multi-stage verification process, programmatically launching SMS applications on both Android and iOS devices, pre-filling the phone numbers and message content.

In total, users may send as many as 60 SMS messages to 15 unique numbers after navigating through four CAPTCHA steps, potentially costing them around $30. While this may seem minor, the cumulative effect can be significant when scaled across numerous victims. The list of targeted phone numbers spans countries including the Netherlands, Belgium, Poland, Spain, and Turkey.

The campaign also employs cookies to track user progression through the fake verification flow, utilizing stored values to determine subsequent actions. If a user is deemed unsuitable for the campaign, they are redirected to a different CAPTCHA page, likely part of another scam.

Another innovative tactic is back button hijacking, which uses JavaScript to manipulate the browsing history. This technique ensures that any attempt to navigate away from the CAPTCHA page redirects users back to the fraudulent page, effectively trapping them in a loop unless they exit the browser entirely.
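A defender-side check for the behaviours described in this section, added here as an example and not taken from the Infoblox report: it scans page source for sms: links that pre-fill several international recipients plus a message body, and for history manipulation paired with a popstate handler. The function names, thresholds and sample pages are assumptions, and the phone numbers are constructed placeholders.

```javascript
// Added example: static triage of page source for fake-CAPTCHA SMS lures.
// Thresholds and names are illustrative assumptions, not values from the report.
const SMS_URI = /sms:(?:\/\/)?([+\d,;().-]*)(?:[?&]body=([^"'\s<>]*))?/gi;

// Extract every sms: URI with its recipient list and whether a body is pre-filled.
function parseSmsUris(source) {
  return [...source.matchAll(SMS_URI)].map((m) => ({
    recipients: m[1].split(/[,;]/).map((n) => n.replace(/[().-]/g, "")).filter(Boolean),
    hasBody: Boolean(m[2]),
  }));
}

// International form: leading "+" or the "00" dialling prefix.
const isInternational = (n) => /^(\+|00)\d{6,}$/.test(n);

function triagePage(source) {
  const uris = parseSmsUris(source);
  const intl = new Set(uris.flatMap((u) => u.recipients.filter(isInternational)));
  const reasons = [];
  if (uris.some((u) => u.recipients.length > 1 && u.hasBody))
    reasons.push("sms: URI pre-fills several recipients and a body");
  if (intl.size >= 3) reasons.push(`${intl.size} distinct international SMS recipients`);
  // History manipulation: a state push paired with a popstate handler.
  if (/history\.(pushState|replaceState)\s*\(/.test(source) && /popstate/i.test(source))
    reasons.push("history state pushed alongside a popstate handler");
  // Require two independent signals so a lone support link is not flagged.
  return { suspicious: reasons.length >= 2, reasons, recipients: [...intl] };
}

// Constructed fixtures; the numbers are placeholders, not indicators from the report.
const FLAGGED_PAGE = `
<a href="sms:+9990000000001,+9990000000002,+9990000000003?body=VERIFY%201">I am human</a>
<script>history.pushState({}, "", location.href); window.onpopstate = handler;</script>`;
const BENIGN_PAGE = `<a href="sms:+9990000000009">Text our support desk</a>
<script>history.pushState({ view: "faq" }, "", "/faq");</script>`;

console.log(triagePage(FLAGGED_PAGE));
console.log(triagePage(BENIGN_PAGE));
```

The same function can be run over HTML captured by a crawler or proxy; requiring two signals keeps single-recipient contact links and ordinary single-page-app routing from being flagged.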

Implications for Individuals and Telecom Carriers

This operation simultaneously defrauds both individual users and telecommunications carriers. Victims face unexpected premium SMS charges, complicating their ability to identify and report the fraud, especially when it originates from unexpected sources. Telecom carriers, on the other hand, pay revenue shares to the perpetrators while likely absorbing the losses from customer disputes or chargebacks.

The Role of Keitaro TDS in Cybercrime

The findings coincide with a broader analysis by Infoblox and Confiant, detailing how Keitaro TDS (also known as Keitaro Tracker) is being misused. This tool, originally designed for advertising performance tracking, has been repurposed by various threat actors for malicious activities, including malware delivery and cryptocurrency theft.

The scam utilizes Facebook Ads to lure victims to fraudulent AI-powered platforms, sometimes fabricating celebrity endorsements through fake news articles and deepfake videos to promote investment schemes. The use of synthetic videos has been linked to a threat actor known as FaiKast.

Keitaro’s functionality allows it to serve as an all-in-one tool that acts as a traffic distribution system, tracker, and cloaking layer. Over a four-month period from October 2025 to January 2026, more than 120 distinct campaigns exploited Keitaro’s TDS for link delivery. Infoblox reported approximately 226,000 DNS queries across 13,500 domains associated with Keitaro-related activities during this timeframe. Following responsible disclosure, Keitaro has terminated over a dozen accounts linked to these fraudulent activities.

By merging traditional investment fraud themes with modern technologies, cybercriminals have launched large-scale, convincing campaigns. Approximately 96% of Keitaro-linked spam traffic has promoted cryptocurrency wallet-draining schemes, primarily through fake airdrop and giveaway lures centered on various tokens and wallets.

For further details, refer to the original reporting source: thehackernews.com.
