Conceptual image illustrating cybersecurity threats from fake CAPTCHA IRSF scams targeting crypto users and data protection.

Picture this scenario: You're logging into your crypto exchange account when a familiar CAPTCHA appears. "Verify you're human," it prompts. You follow the instructions to send a verification SMS, believing you're protecting your digital assets. Within seconds, you've unknowingly sent messages to over 60 international premium numbers, triggering charges that will appear on your phone bill weeks later while simultaneously compromising your security posture. (Source: The Hacker News)

This is the reality of International Revenue Share Fraud (IRSF), a sophisticated telecommunications scam that exploits the complex web of international carrier agreements. When you send an SMS to certain international numbers, your carrier pays termination fees to the destination network - fees that can range from pennies to dollars per message. Fraudsters lease these premium-rate numbers in countries with high termination fees or weak regulatory oversight, then split the revenue with complicit local telecom providers.

The campaign documented by Infoblox reveals an operation active since June 2020, utilizing 35 phone numbers across 17 countries including Azerbaijan, Kazakhstan, the Netherlands, Belgium, Poland, Spain, and Turkey. These locations aren't random - they're specifically chosen for their favorable revenue-sharing agreements and regulatory gaps that make prosecution difficult.

What transforms this from a simple SMS scam into a major security threat is the integration with Keitaro TDS infrastructure. Between October 2025 and January 2026 alone, researchers identified 120 distinct campaigns abusing this traffic distribution system. The scale is staggering: Infoblox customers recorded approximately 226,000 DNS queries spanning 13,500 domains associated with Keitaro-related activity during just four months.

Cryptocurrency users represent the perfect target for this convergence of fraud techniques. Unlike traditional banking customers who benefit from decades of fraud protection mechanisms and regulatory oversight, crypto investors operate in a space where transactions are irreversible and dispute resolution is minimal. Your crypto holdings might be worth thousands or millions, yet the platforms hosting them often lack the sophisticated fraud detection systems that traditional financial institutions have refined over decades.

The threat actors behind these campaigns demonstrate varying levels of sophistication. FaiKast employs deepfake videos and fabricated celebrity endorsements to promote fraudulent AI-powered trading platforms through Facebook Ads. TA2726 operates using stolen or cracked Keitaro licenses, reducing their operational costs while maximizing profit margins. These aren't opportunistic criminals - they're organized operations with clear monetization strategies.

The multi-stage CAPTCHA verification process exemplifies this sophistication. Each fake verification step triggers separate SMS messages to server-designated numbers, programmatically launching SMS apps on both Android and iOS devices with pre-filled content. After four verification steps, victims have sent approximately 60 messages to 15 unique numbers, incurring charges around $30. While this seems modest per victim, the automated nature and massive scale generate substantial revenue streams for operators.

"Approximately 96% of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes, primarily via fake airdrop/giveaway lures centered on AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator)."

The campaign employs browser manipulation techniques including back button hijacking - JavaScript code that traps users in navigation loops, preventing them from leaving the fraudulent page by hitting the back button. Cookie tracking monitors progression through the fake verification flow, with values like "successRate" determining whether targets receive the IRSF payload or get redirected to separate campaigns.

Attack Chain: From Keitaro TDS to Compromised Accounts

The attack begins when victims encounter malicious advertisements on legitimate websites or receive phishing emails containing shortened URLs that mask the true destination. These initial vectors leverage Facebook Ads infrastructure, with threat actors purchasing advertising space to promote fraudulent AI-powered investment platforms. The campaigns specifically target cryptocurrency enthusiasts by mimicking popular wallet services and decentralized exchanges.

Once a user clicks the malicious link, Keitaro TDS takes control of the traffic flow. The self-hosted advertising tracker, originally designed for legitimate marketing analytics, becomes a sophisticated filtering mechanism in the hands of threat actors. The system evaluates each incoming visitor through multiple criteria: browser fingerprinting, geographic location, device type, and referral source. This profiling determines whether to serve the malicious payload or redirect to benign content, effectively cloaking the operation from security researchers and automated scanners.

The Keitaro infrastructure maintains detailed tracking through cookie-based progression monitoring. Specific cookie values like "successRate" dictate the victim's journey through the attack chain. If the system deems a visitor unsuitable - perhaps due to VPN usage or security tool detection - it redirects them to legitimate CAPTCHA services or unrelated campaigns, maintaining operational security while avoiding detection.

For victims who pass the filtering criteria, the system delivers them to the fake CAPTCHA interface. This sophisticated social engineering mechanism programmatically launches SMS applications on both Android and iOS devices, pre-filling phone numbers and message content without requiring manual input. The multi-stage verification process compounds the fraud - each "verification step" triggers additional SMS messages to different international premium numbers registered in countries with high termination fees.

The technical implementation employs JavaScript-based back button hijacking, manipulating browser history to trap victims in a navigation loop. Any attempt to leave the page using standard browser controls redirects back to the fake CAPTCHA, forcing users to either complete the fraudulent process or entirely close their browser session.

Behind the scenes, Keitaro Tracker logs every interaction, building comprehensive victim profiles that include device identifiers, interaction timestamps, and conversion metrics. This data enables threat actors to refine their targeting, identify successful campaign variations, and track revenue generation across different victim segments. The platform's analytics dashboard provides real-time visibility into campaign performance, allowing operators to adjust tactics based on success rates.

The cryptocurrency-focused campaigns represent approximately 96% of observed Keitaro-linked traffic, utilizing fake airdrop and giveaway lures centered on AURA tokens, Solana ecosystem components, Phantom wallets, and Jupiter DEX platforms. These campaigns employ deepfake videos and fabricated celebrity endorsements, with the threat actor FaiKast specifically identified as deploying synthetic video content to enhance credibility.

Post-compromise activities extend beyond immediate SMS fraud. The infrastructure captures session data and device information that enables future targeting. Victims who complete the fake CAPTCHA process often find themselves enrolled in recurring premium SMS services, generating continuous revenue streams for operators. The delayed billing nature of international SMS charges - appearing weeks after the initial interaction - makes attribution difficult and reduces the likelihood of successful chargebacks.

The operation demonstrates sophisticated understanding of telecommunications infrastructure, exploiting revenue-sharing agreements between carriers across 17 countries including Azerbaijan, Kazakhstan, Netherlands, Belgium, Poland, Spain, and Turkey. By registering phone numbers in jurisdictions with favorable termination fee structures and collaborating with local telecom providers, operators maximize profit margins while minimizing regulatory oversight.

SMS Fraud Attack Chain

  1. Initial Contact (Facebook Ads): Victims encounter malicious ads on legitimate sites or phishing emails with shortened URLs
  2. Traffic Filtering (Keitaro TDS): Keitaro TDS profiles visitors via fingerprinting, location, device type & referral source
  3. Fake CAPTCHA (SMS Hijacking): Sophisticated interface launches SMS apps, pre-fills premium numbers & message content
  4. Navigation Trap (JS Hijacking): JavaScript hijacks back button, forcing victims to complete fraud or close browser entirely
  5. Data Collection (Tracking System): Keitaro Tracker logs all interactions, building comprehensive victim profiles

Immediate Detection and Response: What to Do Today

Your security operations center needs immediate visibility into potential IRSF activity occurring through your network infrastructure. Begin by configuring DNS monitoring to detect queries to domains associated with fake CAPTCHA operations - specifically those routing through commercial TDS platforms that facilitate these scams.

Within the next 24 hours, implement detection rules that flag unusual SMS gateway interactions originating from web browsers. Monitor your web application firewall logs for JavaScript patterns that manipulate browser history through window.history.pushState() or window.history.replaceState() functions - these indicate back button hijacking attempts designed to trap users on fraudulent pages.

Immediate Actions for SOC Teams:

  • Deploy network monitoring rules to detect outbound connections to phone number validation APIs followed by SMS gateway requests within 30-second windows
  • Configure alerts for web sessions that programmatically launch SMS applications through sms: URI schemes more than three times in rapid succession
  • Monitor for cookie values containing "successRate" parameters combined with multiple redirects to different CAPTCHA endpoints
  • Track DNS queries showing patterns of resolution to IP addresses in Azerbaijan, Kazakhstan, Netherlands, Belgium, Poland, Spain, and Turkey when preceded by CAPTCHA-related domains
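
As an added example (not part of the original article and not code from the Infoblox report), the following Python scores a captured response body and its Set-Cookie headers against the indicators listed above: repeated sms: launches, history-API calls paired with a popstate hook, a successRate cookie, and destination numbers whose country codes match the countries named in the report. The sample response and cookies are constructed; the country-code table is the standard ITU assignment, with Kazakhstan narrowed to its +76/+77 ranges because it shares +7 with Russia.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Country calling codes for the destinations named in the Infoblox report. Kazakhstan shares +7 with
# Russia, so only the Kazakh +76/+77 ranges are listed rather than all of +7.
HIGH_RISK_PREFIXES = {
    "+994": "Azerbaijan", "+76": "Kazakhstan", "+77": "Kazakhstan", "+31": "Netherlands",
    "+32": "Belgium", "+48": "Poland", "+34": "Spain", "+90": "Turkey",
}
SMS_URI = re.compile(r"sms:(\+?\d{7,15})", re.IGNORECASE)
HISTORY_API = re.compile(r"history\.(pushState|replaceState)\s*\(")
POPSTATE_HOOK = re.compile(r"""addEventListener\s*\(\s*["']popstate["']""")
SUCCESS_COOKIE = re.compile(r"\bsuccessRate=([0-9.]+)")
MAX_BENIGN_SMS_LAUNCHES = 3   # the article's threshold: more than three sms: launches is suspicious


@dataclass
class Verdict:
    sms_targets: List[str] = field(default_factory=list)
    high_risk_targets: Dict[str, str] = field(default_factory=dict)
    history_calls: int = 0
    popstate_hook: bool = False
    success_rate: Optional[float] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators so a lone pushState (normal in single-page apps) does not alert
        return len(self.reasons) >= 2


def destination_country(number: str) -> Optional[str]:
    for prefix, country in HIGH_RISK_PREFIXES.items():
        if number.startswith(prefix):
            return country
    return None


def analyse(body: str, set_cookie_headers: List[str]) -> Verdict:
    """Score one captured response (HTML/JS body plus its Set-Cookie headers) for fake-CAPTCHA IRSF traits."""
    v = Verdict()
    v.sms_targets = SMS_URI.findall(body)
    v.high_risk_targets = {n: c for n in v.sms_targets if (c := destination_country(n))}
    v.history_calls = len(HISTORY_API.findall(body))
    v.popstate_hook = POPSTATE_HOOK.search(body) is not None
    m = SUCCESS_COOKIE.search("\n".join(set_cookie_headers) + "\n" + body)
    v.success_rate = float(m.group(1)) if m else None
    if len(v.sms_targets) > MAX_BENIGN_SMS_LAUNCHES:
        v.reasons.append(f"{len(v.sms_targets)} sms: launches (>{MAX_BENIGN_SMS_LAUNCHES})")
    if v.high_risk_targets:
        v.reasons.append("premium destinations in " + ", ".join(sorted(set(v.high_risk_targets.values()))))
    if v.history_calls and v.popstate_hook:
        v.reasons.append("history API calls combined with a popstate handler (back-button trap)")
    if v.success_rate is not None:
        v.reasons.append(f"successRate tracking cookie = {v.success_rate}")
    return v


# Constructed sample of what a captured fake-CAPTCHA response could look like (not real campaign code)
SAMPLE_BODY = """
<button onclick="verifyStep(1)">Verify you're human</button>
<script>
  var steps = ["sms:+994500000001?body=VERIFY1", "sms:+905000000002?body=VERIFY2",
               "sms:+48500000003?body=VERIFY3", "sms:+15550000004?body=VERIFY4"];
  window.history.pushState(null, "", location.href);
  window.addEventListener("popstate", keepOnPage);
</script>
"""
SAMPLE_COOKIES = ["successRate=0.7; Path=/", "kt_session=abc123; Path=/"]
```

Feed it the decoded response bodies and headers from your proxy or WAF capture; a verdict with two or more reasons is worth an analyst's look.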

Your incident response team should establish correlation rules linking user complaints about unexpected international SMS charges with authentication events from the preceding 4-6 weeks. The delayed billing nature of IRSF means victims often forget the triggering event by the time charges appear.

Short-Term Detection Enhancements (1-2 Weeks):

Deploy behavioral analytics that identify authentication flows bypassing standard multi-factor authentication after CAPTCHA completion. Configure your SIEM to correlate successful logins immediately following CAPTCHA interactions with subsequent API calls to cryptocurrency exchange endpoints - this pattern indicates potential wallet drainer activity following IRSF compromise.

Implement session token analysis to detect hijacking attempts. Alert when authentication tokens show geographic inconsistencies or when the same token appears across multiple IP addresses within minutes. Set thresholds to trigger investigations when five or more failed login attempts from varying geolocations precede a successful authentication from a new location within a 10-minute window.

Review your web application logs for patterns where users encounter multiple sequential CAPTCHA challenges, each triggering separate SMS transmissions. This multi-stage verification chain represents the core mechanism of the IRSF campaign.
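
The token-reuse and failed-burst rules from the session token paragraph above, implemented as an added Python example over a constructed set of GeoIP-enriched authentication events (illustrative code, not the article's or any SIEM vendor's). The AuthEvent shape, the outcome labels and the two windows are assumptions to adapt to your log schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    geo: str         # GeoIP country label attached by your enrichment pipeline
    outcome: str     # "failure", "success" (token issued) or "session" (token used on a later request)
    token: str = ""  # opaque session token id; empty for failures


TOKEN_REUSE_WINDOW = timedelta(minutes=5)    # "same token across multiple IP addresses within minutes"
FAILED_BURST_MIN = 5                         # "five or more failed login attempts"
FAILED_BURST_WINDOW = timedelta(minutes=10)  # "... within a 10-minute window"


def _first_ip_conflict(evs: List[AuthEvent]) -> Optional[Tuple[str, str, datetime]]:
    """First pair of events for one token, inside the window, that come from different IPs."""
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            if b.ts - a.ts > TOKEN_REUSE_WINDOW:
                break
            if b.ip != a.ip:
                return a.ip, b.ip, b.ts
    return None


def token_shared_across_ips(events: List[AuthEvent]) -> List[Tuple[str, str, str, datetime]]:
    """Rule 1: one session token observed from two different IPs inside TOKEN_REUSE_WINDOW."""
    by_token = defaultdict(list)
    for e in events:
        if e.token:
            by_token[e.token].append(e)
    hits = []
    for token, evs in by_token.items():
        conflict = _first_ip_conflict(sorted(evs, key=lambda e: e.ts))
        if conflict:
            hits.append((token,) + conflict)
    return hits


def failed_burst_then_new_location(events: List[AuthEvent]) -> List[Tuple[str, datetime, str, int]]:
    """Rule 2: at least FAILED_BURST_MIN failures from more than one geolocation, followed within
    FAILED_BURST_WINDOW by a success from a geo this user has never successfully logged in from."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e.ts)
        for i, s in enumerate(evs):
            if s.outcome != "success":
                continue
            burst = [e for e in evs[:i] if e.outcome == "failure" and s.ts - e.ts <= FAILED_BURST_WINDOW]
            known_geos = {e.geo for e in evs[:i] if e.outcome == "success"}
            if len(burst) >= FAILED_BURST_MIN and len({e.geo for e in burst}) > 1 and s.geo not in known_geos:
                hits.append((user, s.ts, s.geo, len(burst)))
    return hits


def _t(hhmm: str) -> datetime:  # constructed timestamps, all on one day
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: alice gets a five-country failure burst, then a first-ever login from KZ, after
# which the new token is replayed from a second IP two minutes later; bob simply mistyped his password once.
SAMPLE_EVENTS = [
    AuthEvent(_t("09:00"), "alice", "192.0.2.10", "US", "success", "tok-0"),
    AuthEvent(_t("10:00"), "alice", "203.0.113.21", "PL", "failure"),
    AuthEvent(_t("10:01"), "alice", "203.0.113.22", "TR", "failure"),
    AuthEvent(_t("10:02"), "alice", "203.0.113.23", "AZ", "failure"),
    AuthEvent(_t("10:03"), "alice", "203.0.113.24", "NL", "failure"),
    AuthEvent(_t("10:04"), "alice", "203.0.113.25", "ES", "failure"),
    AuthEvent(_t("10:06"), "alice", "203.0.113.30", "KZ", "success", "tok-A"),
    AuthEvent(_t("10:08"), "alice", "198.51.100.9", "KZ", "session", "tok-A"),
    AuthEvent(_t("10:20"), "bob", "192.0.2.55", "DE", "failure"),
    AuthEvent(_t("10:21"), "bob", "192.0.2.55", "DE", "success", "tok-B"),
]
```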

Long-Term Defensive Measures:

Deploy CAPTCHA integrity verification systems that validate all CAPTCHA resources load from expected, legitimate domains. Configure Content Security Policy headers to restrict JavaScript execution to trusted sources, preventing injection of malicious CAPTCHA elements.

Establish step-up authentication requirements for high-value cryptocurrency transactions initiated after CAPTCHA verification. When users complete CAPTCHA challenges followed by attempts to transfer digital assets, require additional verification through hardware tokens or biometric authentication.

Your security team should maintain an updated blocklist of phone numbers associated with premium rate services in high-risk countries. Configure your SMS gateway to require manual approval for any automated messages sent to these destinations, disrupting the automated nature of IRSF campaigns while maintaining legitimate business communications.

Why Crypto Platforms Are Prime Targets for This Campaign

The cryptocurrency ecosystem presents unique vulnerabilities that make it particularly attractive for telecommunications fraud operations. Unlike traditional financial institutions that have developed sophisticated fraud detection systems over decades, crypto platforms operate in a relatively nascent security environment where standard banking protections haven't fully matured.

The irreversible nature of blockchain transactions creates an ideal hunting ground for IRSF operators. When victims unknowingly send premium SMS messages through fake CAPTCHA verification, the resulting charges appear on phone bills weeks later - long after any cryptocurrency transactions have been permanently recorded on the blockchain. This temporal disconnect between the fraud mechanism and its discovery eliminates any possibility of transaction reversal, unlike credit card chargebacks or wire transfer recalls that traditional financial institutions can execute.

Cryptocurrency accounts typically hold significantly higher values than standard online accounts. Where a compromised social media or email account might yield minimal direct financial benefit, crypto wallets often contain thousands or tens of thousands of dollars in digital assets. This concentration of value makes each successful compromise exponentially more profitable for threat actors, justifying the investment in sophisticated TDS infrastructure and multi-stage attack chains.

The global nature of cryptocurrency trading creates additional exploitation opportunities. Users accessing platforms from Azerbaijan, Kazakhstan, Poland, Spain, Turkey, and other regions with varying telecommunications regulations encounter different levels of carrier fraud protection. Threat actors specifically register phone numbers in jurisdictions with high termination fees or limited fraud enforcement, knowing that international users may have less recourse when disputing charges with foreign carriers.

Regulatory gaps between telecommunications and cryptocurrency oversight create enforcement blind spots that fraudsters actively exploit. While traditional banks must comply with strict Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements that include fraud monitoring, crypto platforms often operate under less stringent regulatory frameworks. This regulatory arbitrage means fraudulent SMS charges can accumulate without triggering the automated fraud alerts that would typically flag unusual activity in traditional banking systems.

The monetization model demonstrates sophisticated financial engineering. Threat actors lease premium rate numbers through complicit or compromised telecom providers, establishing revenue-sharing agreements that pay out portions of termination fees. When victims send messages to these numbers, carriers pay inter-operator charges that flow directly to the fraudsters' accounts. Combined with potential wallet draining through compromised crypto accounts, operators can extract value through both telecommunications billing fraud and direct asset theft.

Cookie-based tracking mechanisms enable precise victim profiling and campaign optimization. The "successRate" cookies mentioned in the campaign infrastructure allow operators to identify which users complete the full CAPTCHA flow versus those who abandon the process. This data feeds back into targeting algorithms, helping refine which crypto platforms and user demographics yield the highest conversion rates for SMS fraud completion.

The intersection of AI-powered investment scams with IRSF demonstrates evolving threat sophistication. Deepfake videos promoting fraudulent trading platforms establish initial trust, while the familiar CAPTCHA interface exploits users' conditioned security behaviors. This psychological manipulation leverages the very security consciousness of crypto users against them - their willingness to complete verification steps becomes the attack vector itself.

Defensive Architecture: Preventing Fake CAPTCHA Exploitation

Building defensive architecture against fake CAPTCHA exploitation requires implementing multiple layers of security controls that validate authenticity at every interaction point. The campaign's success relies on victims trusting seemingly legitimate verification mechanisms, making CAPTCHA delivery security your first line of defense.

Content Security Policy (CSP) headers provide critical protection against iframe injection and unauthorized script execution. Configure your web servers to enforce strict CSP directives that prevent external domains from loading CAPTCHA elements:

Content-Security-Policy: default-src 'self'; frame-src 'self' https://trusted-captcha-provider.com; script-src 'self' 'nonce-randomvalue123'

This configuration ensures CAPTCHA components only load from explicitly trusted sources. The nonce attribute creates unique tokens for each page load, preventing attackers from injecting malicious JavaScript that could redirect users to fraudulent verification flows.
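
An added Python example (not from the article) that parses a Content-Security-Policy value and audits it the way this section prescribes: frame-src and script-src pinned, the CAPTCHA provider origin allow-listed, no wildcard or 'unsafe-inline' sources, and a per-response nonce of adequate length. The two policies at the bottom are constructed; trusted-captcha-provider.com is the placeholder origin the article itself uses.

```python
import re
from typing import Dict, List

# Source expressions that make frame-src or script-src effectively open
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
# A nonce worth anything carries at least 128 bits (22+ base64 chars) and is generated fresh per response
NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]{22,}'$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_captcha_csp(header: str, trusted_captcha_origin: str) -> List[str]:
    """Return findings for a policy meant to pin CAPTCHA frames and scripts; an empty list means it passes."""
    policy = parse_csp(header)
    findings: List[str] = []
    frame = policy.get("frame-src", policy.get("default-src"))    # frame-src falls back to default-src
    script = policy.get("script-src", policy.get("default-src"))  # so does script-src
    for name, sources in (("frame-src", frame), ("script-src", script)):
        if sources is None:
            findings.append(f"{name}: absent and no default-src to fall back on")
            continue
        weak = sorted(PERMISSIVE_SOURCES & set(sources))
        if weak:
            findings.append(f"{name}: permissive source(s) {weak}")
    if frame is not None and trusted_captcha_origin not in frame:
        findings.append(f"frame-src: {trusted_captcha_origin} not allow-listed, so the genuine CAPTCHA frame is blocked")
    if script is not None and not any(NONCE_SOURCE.match(s) for s in script) and "'strict-dynamic'" not in script:
        findings.append("script-src: no per-response nonce of at least 128 bits")
    return findings


# Constructed policies: the article's header with a properly sized nonce, and a typical permissive one
STRONG_CSP = ("default-src 'self'; frame-src 'self' https://trusted-captcha-provider.com; "
              "script-src 'self' 'nonce-Kq3p9zX1vT8mL0aR2bQ7cWd9Ef=='")
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https:; frame-src *"
```

Run it against the header your edge actually emits (curl -I) rather than the one in the config file; a proxy or CDN layer can rewrite it.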

Backend token validation becomes essential when implementing CAPTCHA services. Every verification request must include cryptographic proof that the token originated from your legitimate service. Implement server-side validation that checks token signatures against your CAPTCHA provider's public key, rejecting any requests that lack proper authentication headers or contain expired timestamps.

Session management hardening disrupts the cookie-based tracking mechanisms these campaigns employ. Configure session tokens to expire after 15 minutes of inactivity, forcing reauthentication before sensitive operations. Bind each session to specific device fingerprints combining browser user agent, screen resolution, and installed plugins - any deviation triggers immediate session termination.

Geographic velocity checks add another defensive layer by detecting impossible travel scenarios. When a user authenticates from New York at 2:00 PM and attempts access from Azerbaijan at 2:15 PM, your system should automatically invalidate both sessions and require password reset through a verified channel. This prevents attackers from leveraging compromised credentials even if they successfully bypass initial authentication.
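
The impossible-travel check described above, as an added Python example that is not part of the original article: great-circle distance via the haversine formula, implied speed from the time gap (timestamps assumed already normalized to UTC), and the article's response of invalidating both sessions. The coordinates and session ids are constructed; MAX_PLAUSIBLE_KMH is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # airliners cruise around 900 km/h; anything faster is impossible travel


@dataclass(frozen=True)
class GeoAuth:
    ts: datetime      # UTC
    session_id: str
    lat: float
    lon: float
    label: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def velocity_check(prev: GeoAuth, cur: GeoAuth) -> Tuple[float, float, str]:
    """Return (distance_km, implied_speed_kmh, action); action is 'allow' or 'invalidate_both_and_reset'."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:  # same instant or clock skew: any distance at all is unexplainable
        speed = float("inf") if km > 0 else 0.0
    else:
        speed = km / hours
    action = "invalidate_both_and_reset" if speed > MAX_PLAUSIBLE_KMH else "allow"
    return km, speed, action


def sessions_to_invalidate(auths: List[GeoAuth]) -> Set[str]:
    """Walk one user's authentications in time order; the prescribed response kills both sessions of a violating pair."""
    doomed: Set[str] = set()
    ordered = sorted(auths, key=lambda a: a.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        _, _, action = velocity_check(prev, cur)
        if action != "allow":
            doomed.update({prev.session_id, cur.session_id})
    return doomed


# Constructed sample reproducing the article's scenario: New York at 14:00, Azerbaijan (Baku) at 14:15,
# plus a plausible New York to Boston trip six hours later for contrast
NY = GeoAuth(datetime(2026, 1, 15, 14, 0), "s-ny", 40.7128, -74.0060, "New York")
BAKU = GeoAuth(datetime(2026, 1, 15, 14, 15), "s-baku", 40.4093, 49.8671, "Baku")
BOSTON = GeoAuth(datetime(2026, 1, 15, 20, 0), "s-bos", 42.3601, -71.0589, "Boston")
```

Resolve IPs to coordinates with your GeoIP database before calling this; VPN and mobile-carrier egress points will produce some legitimate "jumps", so route hits to the password-reset flow rather than a silent lockout.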

WebAuthn implementation eliminates password-based vulnerabilities entirely. Deploy FIDO2-compliant authentication that requires physical security keys or biometric verification:

    const credential = await navigator.credentials.create({
      publicKey: {
        // The challenge must come from your server (at least 16 random bytes, single-use);
        // a client-side new Uint8Array(32) is all zeros and gives the ceremony nothing unpredictable to sign
        challenge: challengeFromServer,
        rp: { name: "YourPlatform" },
        user: { id: userIdBuffer, name: "user@example.com", displayName: "User" },
        // ES256, plus RS256 for authenticators that do not support ES256
        pubKeyCredParams: [{ alg: -7, type: "public-key" }, { alg: -257, type: "public-key" }],
        // "platform" restricts registration to built-in authenticators (Touch ID, Windows Hello);
        // omit authenticatorAttachment to accept roaming FIDO2 security keys as well
        authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "required" }
      }
    });

This passwordless approach prevents credential theft since authentication requires physical possession of the registered device. Even if attackers compromise session cookies or intercept network traffic, they cannot complete authentication without the cryptographic key stored in the user's hardware token.

Step-up authentication provides graduated security based on transaction risk. Low-value operations proceed with standard session validation, while fund transfers or account modifications trigger additional verification requirements. Implement progressive authentication challenges that escalate from SMS verification (for amounts under $100) to hardware token confirmation (for transactions exceeding $1,000).

Account recovery flows require special attention since they represent common exploitation vectors. Disable SMS-based password resets entirely for high-value accounts, requiring video verification calls or in-person identity confirmation. Recovery attempts from new geographic locations should trigger 72-hour waiting periods with notifications sent to all registered contact methods, giving legitimate users time to report unauthorized access attempts.

Attribution and Tracking: FaiKast and TA2726 Operations

The orchestrated nature of these campaigns becomes evident through telemetry analysis revealing systematic infrastructure deployment patterns. FaiKast operations demonstrate sophisticated campaign management through sequential numbering conventions observed across DNS queries - with campaign identifiers incrementing from IRSF_2020_06 through IRSF_2026_01, indicating continuous operations spanning nearly six years. This methodical approach suggests centralized coordination rather than disparate criminal groups operating independently.

Infrastructure analysis reveals TA2726 maintains persistent control over specific IP ranges that rotate through different campaign phases while maintaining core command infrastructure. The group operates through stolen or cracked Keitaro licenses, reducing operational costs while maintaining the appearance of legitimate advertising operations. Their infrastructure shows distinctive patterns: primary command servers remain static across campaigns while distribution nodes cycle through compromised hosting providers every 4-6 weeks.

The timeline of observed activity demonstrates escalating sophistication. Initial campaigns from June 2020 through December 2023 focused exclusively on SMS fraud operations. Beginning in January 2024, FaiKast expanded operations to incorporate deepfake technology for celebrity endorsement fabrication. The integration of synthetic video generation marks a significant evolution in their technical capabilities, requiring substantial computational resources and specialized expertise beyond typical fraud operations.

Victim targeting telemetry extracted from Keitaro Tracker reveals deliberate geographic and demographic selection. The campaigns specifically target users in regions with higher mobile plan costs and limited consumer protection regulations. Cookie tracking mechanisms embedded in the fake CAPTCHA pages transmit victim device information including carrier identification, enabling real-time adjustment of premium number selection based on termination fee optimization.

Cross-campaign analysis identifies shared infrastructure components between FaiKast and TA2726 operations. Both groups utilize identical JavaScript obfuscation techniques for back button hijacking implementations, suggesting either collaboration or shared tooling sources. The successRate cookie parameter appears consistently across both actors' campaigns, using identical value ranges (0.1-0.9) to determine victim progression through fraud flows.

Domain registration patterns provide attribution indicators linking current operations to historical TA2726 activity. The group consistently registers domains through specific registrars using cryptocurrency payments, with registration timing correlating to Facebook Ad campaign launches. Domain naming conventions follow predictable patterns: legitimate-sounding financial terms combined with trending cryptocurrency project names, registered in batches of 15-20 domains simultaneously.

The scale becomes apparent through DNS query volumes - 226,000 queries across 13,500 domains during the October 2025 to January 2026 observation period represents only detected traffic from participating organizations. Extrapolating from Keitaro server capacity limits and observed campaign rotation schedules suggests actual victim volumes exceed millions globally. The 96% focus on cryptocurrency wallet-drainer schemes indicates strategic prioritization of high-value targets over volume-based SMS fraud.

Campaign evolution tracking shows FaiKast rapidly iterating detection evasion techniques. Recent campaigns implement dynamic TDS routing that evaluates victim browser fingerprints against known security researcher profiles, redirecting suspicious traffic to legitimate websites while serving malicious content to validated targets. This adaptive filtering reduces exposure to security analysis while maintaining operational tempo.
