"The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn't charged for just a single message – they're charged for sending SMSs to over 50 international destinations," researchers David Brunsdon and Darby Wise wrote in their analysis.
How the fake CAPTCHA IRSF scam works
Infoblox researchers describe a multi-stage fraud that combines classic international revenue share fraud (IRSF) with modern traffic distribution systems (TDSs). Victims are routed, via commercial TDS infrastructure, to bogus web pages that present a CAPTCHA requiring the user to "confirm you are human" by sending an SMS. That interaction programmatically launches native SMS apps on Android and iOS devices with phone numbers and message text pre-filled; multiple steps of the fake verification trigger separate SMS messages to server-designated numbers.
IRSF operates by exploiting revenue-share arrangements tied to international premium rate numbers (IPRN) or number ranges: originating carriers end up paying termination fees to the terminating network, and fraudsters receive a share of those fees. Infoblox reported that operators behind the campaign register numbers in countries with high termination fees or lax regulation—examples cited include Azerbaijan and Kazakhstan, as well as some premium-rate ranges in Europe—and collude with local telecom providers to monetize inbound traffic.
Keitaro TDS abuse: 120 campaigns and crypto wallet drainers
Infoblox, working with Confiant, documented extensive abuse of the Keitaro TDS (also called Keitaro Tracker). Between October 2025 and January 2026, the companies observed more than 120 distinct campaigns that repurposed Keitaro servers into all‑in‑one traffic distribution, tracking, and cloaking platforms. Infoblox customers logged roughly 226,000 DNS queries tied to about 13,500 domains associated with Keitaro‑linked activity during that period.
The abuse extended beyond SMS revenue fraud. Approximately 96% of Keitaro‑linked spam traffic promoted cryptocurrency wallet‑drainer schemes, commonly using fake airdrop or giveaway lures centered on AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator). Operators used Facebook Ads to seed victims into fraudulent AI‑powered investment platforms, sometimes fabricating celebrity endorsements with fake news articles and deepfake videos—synthetic-video usage attributed in the report to an actor labeled FaiKast. Following responsible disclosure, Keitaro canceled over a dozen accounts linked to the activity; some threat actors had obtained stolen or cracked Keitaro licenses, the analysis says, citing TA2726 as a case of a cracked license in use.
Technical tricks: cookies, back‑button hijacking, and multi‑SMS flows
The campaign uses several technical mechanisms to maximize conversions and evade detection. Cookies track progression through the fake verification flow; Infoblox notes the use of cookie values such as "successRate" to decide the next step. If a visitor is assessed as unsuitable for the campaign, the page may redirect them to a different CAPTCHA, likely controlled by another actor or campaign.
Another ploy is back‑button hijacking: JavaScript is used to alter browser history so that attempts to navigate away by pressing the browser back button return the user to the fraudulent page, effectively trapping the user unless they completely exit the browser. The multi-stage flow can cause as many as 60 SMS messages to be sent to 15 unique numbers after four CAPTCHA steps, creating charges that can appear weeks later on a user's bill.
Scale, geographic footprint, and measurable indicators
Infoblox's analysis traces the operation to at least June 2020 and documents as many as 35 phone numbers across 17 countries being used to terminate SMS traffic. The list of countries observed includes Azerbaijan, the Netherlands, Belgium, Poland, Spain, and Turkey, among others. While a single victim's loss may be modest—Infoblox cites examples where approximately 60 messages could cost about $30—the researchers warned the model scales readily when combined with TDS-driven distribution.
Observable signals identified in the report include large clusters of DNS queries tied to Keitaro domains, rapid redirection chains from ad traffic, cookie artifacts like "successRate," and pre-filled SMS launches on Android and iOS. Infoblox and Confiant recorded elevated DNS activity across thousands of domains during the documented Keitaro abuse window.
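As an added example (not code from the Infoblox report or its authors), the following Python triage script pulls the page-level indicators described above out of a captured fake-CAPTCHA page: sms: links with several pre-filled recipients, the "successRate" cookie, and the history-manipulation markers. The sample page, its phone numbers, and the dialing-prefix table are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import unquote

# Dialing prefixes for countries the report names as SMS termination points.
# Constructed table; note that +7 is shared by Kazakhstan and Russia.
HIGH_RISK_PREFIXES = {"994": "Azerbaijan", "7": "Kazakhstan/Russia", "31": "Netherlands",
                      "32": "Belgium", "48": "Poland", "34": "Spain", "90": "Turkey"}

# Constructed sample of a captured fake-CAPTCHA page; all numbers are placeholders.
SAMPLE_PAGE = """<html><body>
<p>Confirm you are human: send the verification code from your phone</p>
<a href="sms:+994500000001,+77000000002,+48600000003?body=VERIFY%20AB12">Step 1</a>
<a href="sms:+32400000004,+90500000005?&body=VERIFY%20CD34">Step 2</a>
<script>
document.cookie = "successRate=2; path=/";
history.pushState(null, "", location.href);
window.addEventListener("popstate", onBack);
</script></body></html>"""

SMS_HREF = re.compile(r'href=["\']sms:([^"\']+)["\']', re.I)

def parse_sms_uri(uri):
    """Split an sms: URI (RFC 5724 style) into digit-only recipients and the pre-filled body."""
    recipients, _, query = uri.partition("?")
    body = ""
    for part in query.lstrip("&").split("&"):  # some Android variants use "?&body="
        key, _, value = part.partition("=")
        if key.lower() == "body":
            body = unquote(value)
    numbers = [re.sub(r"[^\d]", "", r) for r in recipients.split(",") if r.strip()]
    return {"recipients": numbers, "body": body}

def country_for(number):
    """Longest-prefix match of a digits-only international number against the risk table."""
    for length in (3, 2, 1):
        if number[:length] in HIGH_RISK_PREFIXES:
            return HIGH_RISK_PREFIXES[number[:length]]
    return None

def analyze_page(html):
    """Score a page for the fake-CAPTCHA IRSF traits: multi-recipient SMS launches plus trapping."""
    links = [parse_sms_uri(m.group(1)) for m in SMS_HREF.finditer(html)]
    numbers = {n for link in links for n in link["recipients"]}
    findings = {
        "sms_steps": len(links),
        "messages_per_click": max((len(l["recipients"]) for l in links), default=0),
        "unique_numbers": len(numbers),
        "high_risk_countries": sorted({c for c in map(country_for, numbers) if c}),
        "success_rate_cookie": "successRate=" in html,
        "history_trap": "pushState" in html and "popstate" in html,
    }
    findings["suspicious"] = findings["messages_per_click"] > 1 and (
        findings["history_trap"] or findings["success_rate_cookie"])
    return findings
```

Run against real captures, the "messages_per_click" and "unique_numbers" fields are what distinguish this scheme from a legitimate single-recipient SMS verification link.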
What this means for individual victims, telecom carriers, and ad platforms
- Individual victims: Users face unexpected premium SMS charges that may appear weeks after the browsing event, complicating detection and dispute. The fake‑CAPTCHA flow is deliberately persistent and engineered to trap users until they either send multiple messages or exit the browser entirely.
- Telecom carriers: Carriers both originate and terminate traffic in this scheme; originating carriers pay termination fees to the destination network and can be on the hook for revenue share to perpetrators, while also absorbing losses from customer disputes and chargebacks, Infoblox concluded.
- Ad platforms and trackers (Keitaro): The Keitaro Tracker was repurposed into a TDS, enabling wide distribution of IRSF and crypto fraud. Keitaro's removal of a dozen accounts following disclosure shows some remediation, but Infoblox and Confiant's metrics (226,000 DNS queries, 13,500 domains) indicate the abuse was widespread during the observed window.
Infoblox's findings connect two well‑known abuse models—IRSF and TDS/cloaking—into a single operational play that monetizes both human gullibility and telecom billing systems. Keitaro account cancellations and collaborative disclosure were partial countermeasures, but the report makes plain that the underlying incentives—high termination fees, lax regulation in some markets, and scalable ad distribution—remain the engine of the scheme.