Dual-Threat Fraud Campaign Exploits Fake CAPTCHAs and Traffic Distribution Systems
Cybersecurity researchers David Brunsdon and Darby Wise at Infoblox, in collaboration with Confiant, have disclosed details of a sophisticated dual-threat fraud campaign operating since at least June 2020. The operation combines International Revenue Share Fraud (IRSF) via fake CAPTCHA pages with 120+ cryptocurrency wallet-drainer campaigns abusing the Keitaro Traffic Distribution System (TDS).
The campaign simultaneously defrauds individual victims through unexpected premium SMS charges and targets cryptocurrency users with AI-powered fake investment platforms.
How the IRSF CAPTCHA Scam Works
The Fake CAPTCHA Trick
Victims are redirected — often through ad networks or malicious links — to webpages displaying a convincing multi-step CAPTCHA verification screen. Each CAPTCHA "step" secretly triggers the victim's device to send SMS messages to attacker-controlled international premium-rate numbers.
The mechanics are deliberately designed to maximize revenue:
- Each CAPTCHA step targets over a dozen international numbers
- A typical 4-step CAPTCHA can result in 50+ SMS messages sent across up to 17 countries
- Targeted countries include Azerbaijan, Netherlands, Belgium, Poland, Spain, and Turkey
- Each victim session can rack up approximately $30 in SMS charges
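A static check that an ad-network or abuse team could run over a suspect landing page, as an added example that is not code from the Infoblox/Confiant research. The report does not state the exact mechanism by which a CAPTCHA step makes the phone send a message; this assumes one `sms:` link per step, and the country-code table, the thresholds (a dozen distinct destinations across three or more countries, matching the "over a dozen international numbers" per step described above) and the HTML samples are all constructed for the illustration:

```python
from collections import Counter
from html.parser import HTMLParser
import re

# Assumption: the page fires sends through sms:/smsto: links. The country-code
# table is a constructed subset of E.164 prefixes, not a complete list.
COUNTRY_CODES = {"1": "US", "31": "NL", "32": "BE", "34": "ES",
                 "48": "PL", "90": "TR", "994": "AZ"}

SMS_URI = re.compile(r"^sms(?:to)?:\s*\+?(\d{6,15})(?:[?;].*)?$", re.IGNORECASE)


class SmsLinkCollector(HTMLParser):
    """Collect every destination number found in sms: hrefs or form actions."""

    def __init__(self):
        super().__init__()
        self.numbers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action") and value:
                match = SMS_URI.match(value.strip())
                if match:
                    self.numbers.append(match.group(1))


def country_of(number):
    """Longest-prefix lookup against the constructed country-code table."""
    for length in (3, 2, 1):
        code = COUNTRY_CODES.get(number[:length])
        if code:
            return code
    return "??"


def score_page(html, min_numbers=12, min_countries=3):
    """Flag a page whose sms: links fan out to many numbers in many countries.

    Thresholds are assumptions: a dozen distinct destinations spread over three
    or more countries is treated as worth a human review."""
    collector = SmsLinkCollector()
    collector.feed(html)
    distinct = set(collector.numbers)
    countries = Counter(country_of(n) for n in distinct)
    return {
        "sms_links": len(collector.numbers),
        "distinct_numbers": len(distinct),
        "countries": dict(countries),
        "suspicious": len(distinct) >= min_numbers and len(countries) >= min_countries,
    }


# Constructed samples: a fake "verification" page whose steps point at 13
# numbers in 5 countries, and a benign contact page with a single sms: link.
FAKE_CAPTCHA_HTML = "\n".join(
    f'<a class="step" href="sms:+{n}?body=VERIFY">Verify</a>'
    for n in [
        "31612345001", "31612345002", "31612345003",
        "32470123001", "32470123002", "32470123003",
        "48501234001", "48501234002", "48501234003",
        "90532123001", "90532123002", "90532123003",
        "994501234001",
    ]
)
BENIGN_HTML = '<a href="sms:+15551234567">Text our support line</a>'

if __name__ == "__main__":
    print(score_page(FAKE_CAPTCHA_HTML))
    print(score_page(BENIGN_HTML))
```

A page that assembles its links with JavaScript at runtime would not be caught by a static parse; in that case the same counting logic runs over the DOM of a rendered copy instead, and the distinct-number and country-spread thresholds stay the useful signal.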
JavaScript Back-Button Hijacking
The fake CAPTCHA pages employ JavaScript history manipulation to trap victims. When a user attempts to navigate away using the browser back button, the page intercepts the action and loops the user back into the CAPTCHA flow — maximizing the number of premium SMS messages sent before the victim can escape.
Delayed Billing Conceals the Fraud
Charges from international premium-rate SMS typically appear on mobile bills weeks after the incident, making it difficult for victims to identify the source or report it in a timely fashion. By the time users notice unexplained charges, the fraud is complete.
What is IRSF?
International Revenue Share Fraud (IRSF) is a telecommunications fraud scheme where fraudsters:
- Obtain or lease premium-rate international phone numbers that generate revenue per incoming SMS or call
- Trick victims into sending messages to these numbers — in this case via the fake CAPTCHA
- Collect a revenue share from the telecommunications carrier that terminates the messages
Both the individual victim (unexpected bills) and the telecom carrier (revenue share payments and chargeback liability) are defrauded simultaneously. IRSF has historically been associated with bot-driven SMS pumping, but this campaign moves the attack into ordinary consumer web browsing, where the victim's own handset sends the messages.
120 Keitaro Campaigns Driving Crypto Fraud
Keitaro TDS Abuse
Between October 2025 and January 2026, researchers tracked 120+ distinct campaigns abusing the Keitaro Traffic Distribution System — a legitimate commercial tool used by marketers to route web traffic. The threat actor TA2726 obtained stolen or cracked Keitaro licenses to operate these campaigns.
The scale of the infrastructure was significant:
- Over 226,000 DNS queries generated across the tracked period
- 13,500+ domains involved in the campaign network
Cryptocurrency Wallet Drainers
96% of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes, targeting:
- AURA token holders
- Solana (SOL) users
- Phantom Wallet users
- Jupiter (DEX) users
The campaigns used fake airdrop and token giveaway lures. Victims connecting their wallets to the fraudulent platforms had their assets drained automatically.
FaiKast: AI-Powered Deepfake Endorsements
A sub-actor within the campaign, attributed to FaiKast, deployed Facebook Ads funneling victims to fraudulent AI-powered investment platforms. These platforms featured deepfake celebrity endorsements — AI-generated videos of well-known figures falsely promoting the investment schemes — to lend credibility to the fraud.
Campaign Attribution and Timeline
| Detail | Value |
|---|---|
| Active Since | At least June 2020 |
| IRSF Actor | Unattributed |
| Keitaro/Crypto Actor | TA2726 |
| Deepfake Actor | FaiKast |
| Keitaro Campaigns Tracked | 120+ (Oct 2025–Jan 2026) |
| DNS Queries | 226,000+ across 13,500+ domains |
| Targeted Countries (SMS) | 17 (incl. Azerbaijan, Netherlands, Belgium, Poland, Spain, Turkey) |
| Crypto Targets | AURA, Solana, Phantom, Jupiter |
Responsible Disclosure and Takedowns
Following Infoblox and Confiant's responsible disclosure, Keitaro canceled over a dozen malicious accounts associated with the fraudulent campaigns. However, given the six-year operational history and the low barrier to re-registering new accounts, the underlying threat actor infrastructure is likely to resurface under new accounts.
Recommendations
For Individual Users
- Never complete a CAPTCHA that asks you to click through multiple rounds — standard CAPTCHAs are single-step; multi-step "verification" is a red flag
- Check your mobile bill for unexpected international premium-rate charges — these will appear as international SMS fees
- Never connect a cryptocurrency wallet to an investment platform promoted via social media ads or celebrity endorsements you did not seek out independently
- Verify airdrops through official project channels only — legitimate airdrops never require wallet connections to unknown sites
For Telecom Carriers
- Implement IRSF detection on SMS termination — flag sudden spikes in messages to premium-rate international numbers from a single subscriber
- Apply fraud scoring to international SMS traffic — unusual patterns (many destinations in a short window) should trigger friction or blocking
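The two carrier-side controls above in working form, as an added example that is not from the report or from any carrier's fraud system. It assumes a constructed record format (ISO-8601 timestamp, subscriber, destination), a constructed premium-rate prefix table standing in for a carrier's own IRSF number-range feed, and records arriving in time order per subscriber; the thresholds (10 premium-rate messages or 3 distinct destination countries within a 10-minute window) are assumptions chosen against the 50+ messages across many countries that the page describes for a single session:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed premium-rate international ranges (prefix -> country). A real
# deployment would load the carrier's own IRSF "hot range" feed instead.
PREMIUM_PREFIXES = {
    "31906": "NL", "3290": "BE", "34803": "ES",
    "4870": "PL", "90900": "TR", "99490": "AZ",
}


def classify_destination(msisdn):
    """Return the destination country if the number falls in a premium range."""
    digits = msisdn.lstrip("+")
    for length in (5, 4, 3):
        country = PREMIUM_PREFIXES.get(digits[:length])
        if country:
            return country
    return None


def parse_record(line):
    """Constructed record format: ISO-8601 timestamp,subscriber,destination."""
    ts, subscriber, dest = line.strip().split(",")
    return datetime.fromisoformat(ts), subscriber, dest


class IrsfDetector:
    """Sliding-window scoring of premium-rate international sends per subscriber.

    Fires when one subscriber sends max_premium or more premium-rate messages,
    or reaches max_countries distinct premium destinations, inside the window.
    """

    def __init__(self, window=timedelta(minutes=10), max_premium=10, max_countries=3):
        self.window = window
        self.max_premium = max_premium
        self.max_countries = max_countries
        self.history = defaultdict(deque)  # subscriber -> deque of (ts, country)
        self.alerts = []

    def ingest(self, line):
        ts, subscriber, dest = parse_record(line)
        country = classify_destination(dest)
        if country is None:
            return None  # ordinary traffic is not scored
        recent = self.history[subscriber]
        recent.append((ts, country))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()  # assumes records arrive in time order per subscriber
        countries = {c for _, c in recent}
        if len(recent) >= self.max_premium or len(countries) >= self.max_countries:
            alert = {
                "subscriber": subscriber,
                "at": ts.isoformat(),
                "premium_msgs": len(recent),
                "countries": sorted(countries),
            }
            self.alerts.append(alert)
            return alert
        return None


def run(lines, **thresholds):
    detector = IrsfDetector(**thresholds)
    for line in lines:
        detector.ingest(line)
    return detector.alerts


def constructed_records():
    """sub-A: 14 premium sends in about two minutes across four countries, the
    burst a multi-step fake CAPTCHA produces. sub-B: one domestic text and one
    premium send, i.e. normal use that must not alert."""
    base = datetime(2026, 1, 12, 9, 0, 0)
    burst = ["31906000011", "31906000012", "31906000013", "31906000014",
             "3290000021", "3290000022", "3290000023", "3290000024",
             "4870000031", "4870000032", "4870000033",
             "90900000041", "90900000042", "90900000043"]
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()},sub-A,+{d}"
             for i, d in enumerate(burst)]
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()},sub-B,+31612345678")
    lines.append(f"{(base + timedelta(seconds=60)).isoformat()},sub-B,+4870000099")
    return lines


if __name__ == "__main__":
    for alert in run(constructed_records()):
        print(alert)
```

The country-spread rule is the one that fires first on the constructed burst (after nine messages to three countries), before the raw count reaches ten; that ordering matters because a victim who abandons the fake CAPTCHA early still produces a few messages to several countries, which a pure volume threshold would miss. Alerts should feed a friction step (hold further premium sends pending confirmation) rather than a hard block on the subscriber.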
For Security Teams
- Block Keitaro TDS domains associated with TA2726 campaigns using threat intelligence feeds
- Monitor for deepfake investment platform ads in employee security awareness training
- Report suspicious CAPTCHA-triggering pages to ad network abuse teams
Key Takeaways
- A dual-threat fraud campaign active since 2020 combines IRSF via fake CAPTCHA (costing victims ~$30/session in premium SMS charges) with 120+ Keitaro crypto wallet-drainer campaigns targeting Solana, Phantom, and AURA users
- TA2726 abused cracked Keitaro licenses to operate a 13,500-domain traffic distribution network generating 226,000+ DNS queries between October 2025 and January 2026
- FaiKast deployed AI-generated deepfake celebrity endorsements via Facebook Ads to drive victims to fraudulent investment platforms
- Both fraud types run simultaneously from the same threat actor ecosystem — telecom fraud provides steady revenue while crypto drainers pursue higher-value victims
- Following disclosure, Keitaro canceled a dozen malicious accounts; however, the infrastructure can be trivially rebuilt