Fake CAPTCHA and Keitaro abused for SMS, crypto scams

Infoblox found fake CAPTCHA pages that prompt users to send billable international SMS for revenue‑share fraud; Keitaro trackers were abused in 120+ campaigns to push crypto scams.

Infoblox researchers report a long-running scheme that uses fake CAPTCHA pages and abused traffic distribution systems to trick people into sending billable international SMS messages that generate revenue for the fraud operators. The activity has been observed since at least June 2020 and runs alongside a separate set of campaigns that repurpose the Keitaro tracker to funnel users to cryptocurrency scams.

The scam redirects visitors through commercial traffic distribution systems to bogus verification pages that instruct them to send an SMS to “confirm you are human.” At each step the page programmatically opens the device’s SMS app with recipient numbers and message text prefilled, prompting the user to send. Infoblox observed configurations that can trigger as many as 60 messages to about 15 unique destination numbers over four CAPTCHA steps, a sequence that could cost a user roughly $30. The operators store progress in cookies such as “successRate” to control which steps a visitor sees and may route users to different pages if they are judged unsuitable for the flow.
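As an added example (not code from the Infoblox report), the following Python check scans captured page source for prefilled SMS links and totals the messages a visitor would send across the steps. It assumes the pages use standard `sms:` URIs with comma-separated recipients, which the article does not state; the function names, the one-message-per-recipient count and the sample page are constructed for illustration.

```python
import re
from urllib.parse import unquote

# sms:/smsto: URI with comma-separated recipients and an optional prefilled body.
SMS_URI = re.compile(r"\bsms(?:to)?:([+\d,\-.()]*)(?:[?&;]body=([^\"'<>\s&]*))?", re.I)

def extract_sms_targets(page_source):
    """Return (recipients, body) for each sms: URI found in HTML or script text."""
    findings = []
    for match in SMS_URI.finditer(page_source):
        numbers = [re.sub(r"[^\d+]", "", n) for n in match.group(1).split(",")]
        numbers = [n for n in numbers if len(n) >= 5]  # drop empty or fragment tokens
        if numbers:
            findings.append((numbers, unquote(match.group(2) or "")))
    return findings

def assess_page(page_source, max_recipients=1):
    """Summarise SMS exposure, assuming one message per recipient per link."""
    findings = extract_sms_targets(page_source)
    return {
        "sms_links": len(findings),
        "unique_numbers": sorted({n for nums, _ in findings for n in nums}),
        "messages_if_all_sent": sum(len(nums) for nums, _ in findings),
        # Weak indicator: the progress cookie name reported in the article.
        "progress_cookie": "successRate" in page_source,
        # A prefilled body addressed to several recipients is the pattern of interest.
        "suspicious": any(len(nums) > max_recipients and body for nums, body in findings),
    }

# Constructed sample: four steps, each prefilled with the same 15 placeholder numbers.
_NUMBERS = ",".join(f"+999000000{i:02d}" for i in range(1, 16))
SAMPLE_PAGE = "\n".join(
    f'<a href="sms:{_NUMBERS}?body=verify%20{step}">Step {step}</a>' for step in range(1, 5)
) + '\n<script>document.cookie = "successRate=1";</script>'

if __name__ == "__main__":
    report = assess_page(SAMPLE_PAGE)
    print(report["sms_links"], len(report["unique_numbers"]),
          report["messages_if_all_sent"], report["suspicious"])
```

A single-recipient link with no prefilled body, such as a legitimate "text us" button, is not flagged by this check.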

Infoblox identified 35 phone numbers across 17 countries used in the scheme. Numbers were registered in jurisdictions chosen for high termination fees or lax regulation, including Azerbaijan and Kazakhstan and premium‑rate ranges in several European countries. The fraud exploits international revenue‑share agreements: originating carriers pay termination fees to the networks that receive inbound SMS traffic, and a share of those fees flows to the numbers’ operators. Delayed billing can hide charges for weeks after a victim closes the browser.

Pages in the scam use browser tricks to retain visitors. Operators alter the browser history with JavaScript so that pressing the back button returns the visitor to the fake CAPTCHA, creating a navigation loop unless the user closes the browser. When victims dispute charges, carriers may face refunds or chargebacks while revenue share payments have already gone to the perpetrators.

Separately, Infoblox and Confiant documented widespread abuse of Keitaro, a self‑hosted advertising performance tracker that threat actors repurpose as a traffic distribution system and cloaking layer. Over a four‑month window from October 2025 to January 2026 the researchers tracked more than 120 distinct campaigns delivering links to malicious pages. Infoblox recorded roughly 226,000 DNS queries tied to Keitaro activity across about 13,500 domains. Keitaro canceled more than a dozen accounts linked to abusive campaigns after disclosure.

About 96% of the Keitaro‑linked traffic pushed cryptocurrency wallet‑drainer schemes, often using fake airdrop or giveaway lures tied to tokens and wallets such as AURA, Solana, Phantom and Jupiter. Operators used paid social ads and fabricated endorsements, including fake articles and synthetic videos, to promote fraudulent AI trading platforms. Some Keitaro servers ran on stolen or cracked licenses.

“The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn’t charged for just a single message – they’re charged for sending SMSs to over 50 international destinations,” the report’s authors wrote. The joint analysis added that “Keitaro is first and foremost a self‑hosted advertising performance tracker designed to conditionally route visitors using flows,” and that attackers have repurposed it into an all‑in‑one traffic and cloaking system.

Infoblox recommended that users avoid sending texts prompted by unexpected web pages, check billing statements for unexplained international SMS fees, and report suspicious charges to their carrier. The report also called for tighter controls on premium number registration and for carriers to monitor unusual inbound traffic patterns that could indicate revenue‑share abuse.
