Keitaro used in AI investment scam across 15,500 domains

Researchers found an AI-themed investment scam used Keitaro across 15,500+ domains, employing cloaking and deepfake endorsements to hide from security tools and target ordinary users.

Researchers tracked an AI-themed investment scam that used the Keitaro tracking platform across more than 15,500 domains. The campaign routed ordinary users to fraudulent trading sites while hiding those pages from automated security tools and human reviewers.

Traffic came from compromised websites, spam emails, social media posts and paid ads. Links funneled visitors into a tracking system connected to a traffic distribution system that decides which page a visitor sees. The system checked country or region, device and browser type, referrer source and, in some cases, IP reputation or other fingerprints. Only visitors who matched the attackers’ ‘ideal victim’ profile were redirected to the scam landing pages; other visitors saw harmless placeholder sites.

Landing pages promoted “Smart AI Trading Technology” or “Intelligent Trading Solutions” and promised consistent high returns. The campaign used deepfake images and videos and fabricated interviews that mimicked public figures and finance experts to prompt sign-ups and deposits.

Cloaking and the use of Keitaro’s routing features limited exposure to scanners and ad platform reviewers. By combining the tracker with a traffic distribution system, operators served benign content to automated tools and reviewers while serving scam content to selected users.

Keitaro is a commercial ad-tracking platform used by marketers to route visitors, test ads and segment traffic. Its routing, filtering and easy deployment on standard hosting were repurposed by the campaign to manage the cloaking workflow.

The campaign’s scale made it difficult for registrars, ad networks and security teams to identify all malicious endpoints quickly, since takedown requests and ad reviews often encountered only the benign pages. Researchers continue to monitor the infrastructure and its evolution.

“The system delivers the scam only to users who match an ‘ideal victim’ profile, while everyone else is routed to harmless content,” researchers wrote.

Researchers recommend that consumers avoid unsolicited investment offers, verify platforms with regulated financial institutions before sending money, and treat claims of guaranteed returns with skepticism. They advise security teams to look for routing and cloaking patterns that deliver different content based on visitor signals.
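One way to act on that last recommendation is to fetch a suspect URL under several visitor profiles and compare what comes back. The following is an added example, not code from the researchers or from Keitaro: the probe results (signals, final URL, body) are constructed inline so it runs offline, and the profile names, hostnames and the four signal dimensions are assumptions drawn from the signals the article lists.

```python
import hashlib
import re
from urllib.parse import urlparse

def probe(country, device, referrer, ip_rep, final_url, body):
    return {"signals": {"country": country, "device": device,
                        "referrer": referrer, "ip_reputation": ip_rep},
            "final_url": final_url, "body": body}

# Constructed bodies: the two benign copies differ only in a script and whitespace.
BENIGN = "<html><body><h1>Welcome</h1><p>Under construction.</p></body></html>"
BENIGN_NOISY = "<html><body><script>var t=1700000000;</script><h1>Welcome</h1>\n<p>Under   construction.</p></body></html>"
SCAM = "<html><body><h1>Smart AI Trading Technology</h1><p>Consistent high returns!</p></body></html>"

# Constructed probe results for one URL fetched under four visitor profiles.
PROBES = {
    "scanner":          probe("US", "desktop", "none", "datacenter", "https://placeholder.test/", BENIGN),
    "desktop_direct":   probe("US", "desktop", "none", "residential", "https://placeholder.test/", BENIGN_NOISY),
    "mobile_social_de": probe("DE", "mobile", "facebook", "residential", "https://ai-trading-offer.test/start", SCAM),
    "mobile_social_us": probe("US", "mobile", "facebook", "residential", "https://ai-trading-offer.test/start?c=us", SCAM),
}

def fingerprint(body: str) -> str:
    """Hash the visible text only, so scripts, nonces and whitespace do not look like cloaking."""
    text = re.sub(r"<script.*?</script>", "", body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def detect_cloaking(probes):
    """Group probes by (final host, content fingerprint); more than one group means
    different visitors were routed to different destinations or content."""
    groups = {}
    for name, p in probes.items():
        key = (urlparse(p["final_url"]).netloc, fingerprint(p["body"]))
        groups.setdefault(key, []).append(name)
    return len(groups) > 1, groups

def splitting_signals(probes, groups):
    """Return the signals whose value alone determines which content variant a probe got.
    A signal with a distinct value per probe is skipped, since it explains any split trivially."""
    variant_of = {n: i for i, names in enumerate(groups.values()) for n in names}
    found = []
    for signal in ("country", "device", "referrer", "ip_reputation"):
        by_value = {}
        for name, p in probes.items():
            by_value.setdefault(p["signals"][signal], set()).add(variant_of[name])
        if len(by_value) < len(probes) and all(len(v) == 1 for v in by_value.values()):
            found.append(signal)
    return found
```

With the constructed probes, the site is flagged as cloaked and the split is fully explained by device type and referrer, while country and IP reputation do not account for it.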