Researchers say threat actors are abusing Keitaro TDS and fake CAPTCHA pages to trigger costly international SMS messages, while related campaigns use Facebook ads, deepfakes and AI investment lures to promote crypto wallet-drainer schemes across multiple countries.

Researchers Expose International SMS Fraud Campaign Targeting Users Through Fake CAPTCHA Pages

The420 Web Desk

Cybersecurity researchers have disclosed details of a telecommunications fraud campaign that uses fake CAPTCHA verification pages to trick users into sending international text messages, generating illicit revenue for threat actors who lease premium phone numbers.

The operation is believed to have been active since at least June 2020 and uses social engineering, back-button hijacking and malicious traffic distribution systems to conduct SMS scams at scale. Infoblox said as many as 35 phone numbers across 17 countries have been observed as part of the international revenue share fraud campaign.

Fake CAPTCHA Used To Trigger International SMS Charges

The scheme redirects users to a bogus web page through a commercial traffic distribution system. The page then serves a CAPTCHA that asks users to send an SMS to “confirm you are human.”

That action starts a multi-stage verification chain, with each step triggering a separate SMS message to numbers designated by the server. The method programmatically launches SMS apps on Android and iOS devices with phone numbers and message content already filled in.

Researchers David Brunsdon and Darby Wise said the fake CAPTCHA has multiple steps, with each message preconfigured with more than a dozen phone numbers. As a result, victims may not be charged for just one message, but for sending SMS messages to more than 50 international destinations.
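
As an added illustration (not code from the article or from the researchers' report), the JavaScript below shows one way a defender could flag such pre-filled SMS links in captured page content. It assumes the pages open the SMS app through `sms:` URIs (RFC 5724) plus a few non-standard variants; the function names, the home country code parameter and the sample numbers are constructed for this example.

```javascript
// Added example, not code from the article or from Infoblox/Confiant.
// Assumption: the lure opens the SMS app through sms: URIs (RFC 5724).
const SMS_URI = /\bsms(?:to)?:[^\s"'<>`)]+/gi;
const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// "0099912 345" and "+999 (12) 345" both become "+99912345"; local numbers get no "+".
function normalise(num) {
  const n = num.replace(/[\s().-]/g, "");
  return n.startsWith("00") ? "+" + n.slice(2) : n;
}

// Split an sms: URI into recipients and pre-filled body. Covers sms:a,b?body=x
// and the non-standard "&body=" / "/open?addresses=" variants (assumed here).
function parseSmsUri(uri) {
  const rest = uri.replace(/^sms(?:to)?:(?:\/\/)?/i, "");
  const cut = rest.search(/[?&]/);
  const head = cut === -1 ? rest : rest.slice(0, cut);
  const params = {};
  for (const pair of (cut === -1 ? "" : rest.slice(cut + 1)).split(/[?&]/)) {
    const eq = pair.indexOf("=");
    if (eq > 0) params[pair.slice(0, eq).toLowerCase()] = decode(pair.slice(eq + 1));
  }
  const raw = [decode(head), params.addresses || ""].join(",").split(/[,;]/);
  const recipients = [...new Set(raw.map(normalise).filter((n) => /^\+?\d{3,}$/.test(n)))];
  return { recipients, body: params.body || "" };
}

// Suspicious: a foreign recipient combined with fan-out or a pre-filled message.
function assess(uri, homeCc) {
  const { recipients, body } = parseSmsUri(uri);
  const international = recipients.filter((n) => n.startsWith("+") && !n.startsWith("+" + homeCc));
  const suspicious = international.length > 0 && (recipients.length > 1 || body !== "");
  return { uri, recipients, international, body, suspicious };
}

// Scan markup or script text and total the distinct foreign destinations across all links.
function scanPage(html, homeCc) {
  const uris = html.replace(/&amp;/gi, "&").match(SMS_URI) || [];
  const links = uris.map((u) => assess(u, homeCc));
  const destinations = [...new Set(links.flatMap((l) => l.international))];
  return { links, flagged: links.filter((l) => l.suspicious), destinations };
}

// Constructed sample markup; +999 is a reserved country code, not a real range.
const SAMPLE = `<a href="sms:+15550100?body=STOP">Unsubscribe</a>
<button onclick="location.href='sms:+99900000001,+99900000002,0099900000003?body=I%20am%20human'">Verify</button>
<a href="sms:/open?addresses=+99900000004,+99900000005&amp;body=Step%202">Continue</a>`;
const report = scanPage(SAMPLE, "1");
console.log(report.flagged.length, "flagged;", report.destinations.length, "foreign destinations");
```

The same-country unsubscribe link in the sample is left alone, while the two links that fan a pre-filled message out to foreign numbers are flagged and their destinations counted once each.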

The campaign benefits from delayed billing because international SMS charges often appear on a victim’s bill weeks later, after the fake CAPTCHA interaction has been forgotten.

Keitaro TDS Abused For Fraud Campaigns

The operation combines revenue share fraud with malicious traffic distribution systems, infrastructure usually associated with routing traffic to malware or phishing pages through redirection chains that evade detection.

Infoblox, in collaboration with Confiant, published a three-part analysis detailing how Keitaro TDS, also known as Keitaro Tracker, is being abused by threat actors. In some cases, stolen or cracked licenses were used, including in activity linked to TA2726.

Keitaro is a self-hosted advertising performance tracker designed to conditionally route visitors using flows. Threat actors repurpose that mechanism, turning a Keitaro server into an all-in-one tool that functions as a traffic distribution system, tracker and cloaking layer.

More than 120 distinct campaigns abused Keitaro’s TDS for link delivery over a four-month period between October 2025 and January 2026. Infoblox customers recorded about 226,000 DNS queries spanning 13,500 domains associated with Keitaro-related activity during that period. Following responsible disclosure, Keitaro cancelled more than a dozen accounts linked to the activity.

Fraud Expands Into AI-Themed Investment Lures

The campaign also uses Facebook ads to lure victims to fraudulent AI-powered platforms. In some cases, scammers fabricated celebrity endorsements through fake news articles and deepfake videos to promote investment schemes. The use of synthetic videos has been attributed to a threat actor called FaiKast.

Infoblox and Confiant said threat actors combined an older but effective investment fraud theme with modern AI technologies to launch large-scale, highly convincing cyber campaigns. They said about 96% of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes, mainly through fake airdrop and giveaway lures centered on AURA, SOL, Phantom and Jupiter.

The international revenue share fraud model involves fraudsters illegally acquiring premium-rate numbers or number ranges and artificially inflating international calls or messages to those numbers. Revenue is then generated from termination charges obtained by the number range holder for inbound traffic.

Infoblox said the observed campaign registered phone numbers in countries with high termination fees or relaxed regulations, including Azerbaijan, Kazakhstan and certain premium-rate number ranges in Europe, while colluding with local telecom providers.

The operation defrauds both individuals and telecommunication carriers. Individual victims face unexpected premium SMS charges, while telecom carriers may pay revenue shares to perpetrators and absorb losses from customer disputes or chargebacks.
