Fake CAPTCHA Pages Fuel IRSF Toll Fraud and 120 Keitaro-Driven Crypto Scams

Researchers have linked a sprawling fraud operation that uses fake CAPTCHA challenges to drive International Revenue Share Fraud (IRSF), tricking victims into triggering premium SMS routes that pay out to attacker-controlled telecom partners. The same infrastructure overlaps with roughly 120 campaigns running on the Keitaro traffic distribution system, which fingerprints visitors and routes them to crypto scams, malware drops, or benign decoy pages depending on who is looking.

Keitaro’s legitimate ad-tech use makes takedown messy: the platform itself is not malicious, but its cloaking and conditional-redirect features let operators hide payloads from scanners and security researchers while serving live victims. The CAPTCHA lure is the front door — it lends a veneer of legitimacy, defeats casual suspicion, and gates the redirect chain so automated crawlers see nothing.

The campaigns are global in reach and multi-monetization by design: SMS toll abuse, crypto theme scams, and commodity malware all share the same delivery pipeline. For defenders, the takeaway is that traffic-distribution abuse is now a durable layer in the fraud stack, and blocking single domains barely dents an operator who can rotate through Keitaro flows on demand.