Fake CAPTCHA IRSF Scam and Large-Scale Keitaro Fraud Campaigns Target Global Users Through SMS Charges and Crypto Scams

Cybercriminals Use Fake Verification Pages, Premium Text Message Fraud, and Traffic Redirection Systems to Generate Revenue Worldwide

EXECUTIVE SUMMARY

Cybersecurity researchers have uncovered a large-scale fraud ecosystem involving fake CAPTCHA verification scams, International Revenue Share Fraud (IRSF), and abuse of Keitaro Traffic Distribution Systems (TDS) to run global scam campaigns.

Threat actors trick users into sending premium international SMS messages that create hidden mobile charges. At the same time, they use cloaking infrastructure to push cryptocurrency scams, fake investment offers, malware delivery, and phishing pages.

Because these campaigns combine social engineering with automated traffic routing, they create financial and security risks for both individuals and businesses.

THREAT OVERVIEW

Main Fraud Techniques Identified

Threat TypeImpactFake CAPTCHA ScamUsers tricked into sending paid SMS messagesIRSF FraudTelecom carriers lose money through premium routing abuseKeitaro TDS AbuseUsers redirected to scams, malware, and phishingCrypto FraudFake airdrops and investment platformsDeepfake PromotionsFake celebrity endorsements used to lure victims

HOW THE FAKE CAPTCHA SCAM WORKS

Victims land on fraudulent websites showing fake verification messages such as:

➡️ “Confirm you are human by sending a text message.”

Each step automatically opens the phone’s SMS app with pre-filled premium international numbers. Some users may unknowingly send up to 60 text messages to multiple countries, leading to charges that often appear later on billing statements.

BACK BUTTON HIJACKING USED TO TRAP USERS

Researchers also found scammers using JavaScript to hijack browser navigation.

When victims press the back button, they are redirected back to the fake CAPTCHA page, creating a loop that keeps them trapped unless they fully close the browser.

HOW KEITARO IS BEING ABUSED

Threat actors are also using Keitaro Tracker to filter visitors and route selected users to malicious destinations.

Observed abuse includes:

Fake crypto wallet giveaways
Fraudulent AI trading platforms
Malware downloads
Credential phishing pages
Scam advertisements

Researchers observed more than 120 campaigns abusing this infrastructure over a four-month period.

IMPACT ON USERS AND BUSINESSES

Potential consequences include:

Hidden telecom charges
Financial fraud losses
Device malware infections
Credential theft
Increased phishing risk
Brand impersonation scams
Customer trust damage

Additionally, telecom providers may face losses from billing disputes and fraudulent premium routing abuse.

RECOMMENDED SAFETY STEPS

For Individuals

Avoid CAPTCHA pages asking you to send SMS messages
Never trust urgent crypto giveaway offers
Check mobile bills regularly for unknown charges
Use secure browsers and anti-phishing tools

For Businesses

Train staff on scam landing pages and redirection fraud
Use DNS filtering and secure web gateways
Monitor telecom expense anomalies
Block suspicious traffic redirection domains

KEY TAKEAWAY

Modern cybercrime increasingly relies on deception and automation rather than complex hacking tools.

➡️ Fake verification pages and cloaking systems are being used at scale to generate money through fraud, hidden charges, and cryptocurrency scams.

Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

Nottingham University Data Breach Exposes Records of More Than 450,000 Students

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Infrastructure

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Anthropic Unveils Claude Fable 5 with Built-In Cyber Safeguards as AI Security Enters a New Era

ATHR AI Vishing Platform Automates Voice Phishing at Scale

How Modern Businesses Can Measure Cyber Risk in Financial and Operational Terms Instead of Technical Guesswork

What Is Wiper Malware in Cybersecurity? Understanding One of the Most Destructive Types of Cyber Attacks

Why Delaying Software Updates Can Put Your Entire Digital Security at Risk

How Attackers Abuse Legitimate Windows Tools: Understanding LOLBins and Living-Off-the-Land Attacks

Brave Launches Paid ‘Origin’ Browser for Users Seeking a Cleaner, Privacy-First Experience

Apple Blocks $11 Billion in App Store Fraud as Mobile Threats Continue to Rise

Fake CAPTCHA IRSF Scam and Large-Scale Keitaro Fraud Campaigns Target Global Users Through SMS Charges and Crypto Scams