15,500-domain AI scam used Keitaro to cloak deepfakes

Researchers found about 15,500 AI-themed domains that used the Keitaro tracker to hide scam landing pages and show deepfake celebrity endorsements to targeted visitors.

Researchers tracked a large-scale scam operation that created roughly 15,500 AI-themed domains and used the Keitaro ad-tracking platform to cloak malicious landing pages. The setup delivered real scam content to selected visitors while showing benign pages to security scanners, ad reviewers and other non-targeted users.

The operation routed traffic through a traffic distribution system tied to Keitaro. That system examined attributes such as a visitor’s country or region, device and browser, the referrer (for example, a social post, email or ad), and in some cases IP reputation or other fingerprinting signals. Visitors who matched the operators’ target profile were shown investment pitches; others received harmless placeholder content.

[Figure: Keitaro traffic filters for AI-driven campaigns. Source: infoblox.com]

Scam pages promoted services labeled as “Smart AI Trading Technology” and “Intelligent Trading Solutions,” promising steady returns. Many landing pages included doctored images, deepfake videos and fabricated interviews that appeared to show endorsements from well-known public figures. The pages used time pressure and other social-engineering techniques to prompt visitors to deposit funds.

Investigators observed that traffic reached the system from compromised websites, spam email campaigns, organic and promoted social media posts, and paid ads. All entry points funneled through the same tracking infrastructure, so that a single set of cloaking rules could be applied across thousands of domains.

Researchers noted the campaign’s scale enabled rapid swapping of landing pages, A/B testing of content and distribution of risk across many domains, limiting the impact of individual takedowns. By serving benign pages to automated tools and some human reviewers, the operators reduced the chance that the scam content would be detected by routine scans.
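The cloaking behaviour described above (different content for targeted visitors versus scanners, keyed on user agent, referrer and similar attributes) suggests a simple defender-side check: request the same URL under several vantage profiles and compare the normalized page bodies. The following is an added illustration, not tooling from the researchers or from Keitaro. The profile names, header values, example domains and the two constructed HTML bodies are assumptions; the HTTP transport is a pluggable callable so the script runs offline against a constructed cloaked site and a constructed honest site.

```python
"""Differential-fetch cloaking check (added example, not from the original report).

A cloaking TDS serves different content depending on request attributes
(country, device, referrer, IP reputation). Fetch the same URL under several
vantage profiles and compare the visible text; a large divergence between the
'scanner' view and a 'targeted visitor' view is a signal worth manual review.
"""
import re
from typing import Callable, Dict, Set, Tuple

# Vantage profiles a reviewer might use. Header values are illustrative
# assumptions, not values observed in the campaign.
PROFILES: Dict[str, Dict[str, str]] = {
    "scanner": {"User-Agent": "SecurityScanner/1.0", "Referer": ""},
    "desktop_direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Referer": ""},
    "mobile_social": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
        "Referer": "https://social.example/post/123",
    },
}

# fetch(url, headers) -> response body as text
Fetcher = Callable[[str, Dict[str, str]], str]


def normalize(html: str) -> Set[str]:
    """Reduce a page body to its set of visible word tokens (scripts/styles/tags dropped)."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty pages count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def check_cloaking(url: str, fetch: Fetcher, threshold: float = 0.5) -> Tuple[bool, Dict[str, float]]:
    """Fetch url under every profile and compare each body to the scanner baseline.

    Returns (cloaking_suspected, {profile: similarity_to_scanner_view}).
    Any profile whose similarity falls below `threshold` triggers suspicion.
    """
    baseline = normalize(fetch(url, PROFILES["scanner"]))
    scores: Dict[str, float] = {}
    for name, headers in PROFILES.items():
        if name == "scanner":
            continue
        scores[name] = round(jaccard(baseline, normalize(fetch(url, headers))), 3)
    return any(s < threshold for s in scores.values()), scores


# --- Constructed offline responses standing in for real sites ---
BENIGN = ("<html><body><h1>AI Productivity Tips</h1>"
          "<p>Ten ways to organise your notes with AI assistants.</p></body></html>")
SCAM = ("<html><body><h1>Smart AI Trading Technology</h1>"
        "<p>Deposit now, limited spots, guaranteed daily returns, celebrity endorsed.</p>"
        "<script>track()</script></body></html>")


def fake_cloaked_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a cloaked site: scam page only for mobile visitors from a social referrer."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "iPhone" in ua and ref.startswith("https://social.example"):
        return SCAM
    return BENIGN


def fake_honest_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a site that serves everyone the same page."""
    return BENIGN


if __name__ == "__main__":
    print(check_cloaking("https://ai-domain.example/", fake_cloaked_fetch))   # (True, {...0.0})
    print(check_cloaking("https://honest.example/", fake_honest_fetch))       # (False, {...1.0})
```

In practice the fetcher would be a real HTTP client issued from different egress locations as well as with different headers, since the system in the report also keyed on country and IP reputation; a single-vantage comparison only catches header-based rules. Token-set similarity is deliberately coarse so that cosmetic differences (ads, timestamps) do not trigger it while a wholesale content swap does.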

Researchers recommended that people avoid unsolicited investment offers, verify platforms with regulated financial institutions and not rely on visual endorsements as proof of legitimacy. Security teams are monitoring the domains and tracking infrastructure to identify operators and disrupt the network.
