


Perceptive Security
SOC/SIEM Consultancy

Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud
Published:
27 April 2026 at 06:33:00
Alert date:
27 April 2026 at 09:01:22
Source:
thehackernews.com
Web Technologies, Ransomware & Malware, Email & Messaging
Cybersecurity researchers disclosed a telecommunications fraud campaign using fake CAPTCHA verification tricks to deceive users into sending international text messages. The scam generates illicit revenue by incurring charges on victims' mobile bills. The operation involves 120 Keitaro campaigns driving global SMS and cryptocurrency fraud. Threat actors lease phone numbers to monetize the fraudulent international SMS traffic. The campaign represents a significant IRSF (International Revenue Share Fraud) operation targeting unsuspecting mobile users worldwide.
Technical details
The campaign is an International Revenue Share Fraud (IRSF) operation that uses fake CAPTCHA verification to trick users into sending SMS messages to premium rate numbers. It relies on Traffic Distribution System (TDS) infrastructure, specifically abusing Keitaro TDS, to redirect users to fake web pages. The fake CAPTCHA has multiple verification steps, each of which triggers separate SMS messages by programmatically launching the SMS app on Android and iOS with pre-filled numbers and content. Up to 60 SMS messages are sent to 15 unique numbers after 4 CAPTCHA steps, costing users up to $30. The campaign uses back button hijacking via JavaScript to trap users in navigation loops. Threat actors register phone numbers in countries and regions with high termination fees, such as Azerbaijan, Kazakhstan, and Europe. The operation tracks each user's progression through cookies with values like 'successRate' to determine the next action.
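Added example, not part of the original alert or its sources: a JavaScript (Node.js) triage function that scans captured page source for the traits described above. It assumes the SMS app is launched through the standard sms: URI scheme and that the back button trap uses history.pushState with a popstate handler; the function names, scoring and sample numbers are constructed for illustration.

```javascript
// Added example: static triage of captured page source for the traits this
// alert describes. Heuristics, names and scoring are assumptions.
const SMS_URI = /\bsms:([^"'\s<>]+)/gi; // sms: URI scheme (RFC 5724)

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Extract recipients and pre-filled body from every sms: URI in the source.
function parseSmsUris(source) {
  const hits = [];
  for (const [, target] of source.matchAll(SMS_URI)) {
    const cut = target.search(/[?&;]/); // tolerate ?, & or ; before body=
    const numberPart = cut === -1 ? target : target.slice(0, cut);
    const query = cut === -1 ? "" : target.slice(cut);
    const recipients = safeDecode(numberPart).replace(/^\/\//, "")
      .split(",").map((n) => n.trim())
      .filter((n) => /^\+?[\d\-.()]{3,}$/.test(n));
    const body = /[?&;]body=([^&;]*)/i.exec(query);
    if (recipients.length) {
      hits.push({ recipients, body: body ? safeDecode(body[1]) : "" });
    }
  }
  return hits;
}

function triagePage(source) {
  const sms = parseSmsUris(source);
  const numbers = new Set(sms.flatMap((h) => h.recipients));
  const indicators = {
    prefilledSms: sms.some((h) => h.body.length > 0),
    multipleNumbers: numbers.size > 1,
    // Assumed trap shape: a pushed history entry plus a popstate hook.
    backButtonTrap: /history\.pushState\s*\(/.test(source) && /popstate/.test(source),
    progressCookie: /\bsuccessRate\b/.test(source), // cookie value named in the alert
  };
  const score = Object.values(indicators).filter(Boolean).length;
  return { indicators, distinctNumbers: numbers.size, score,
    suspicious: indicators.prefilledSms && score >= 2 };
}
// Constructed samples with placeholder numbers (not indicators from the alert).
const SAMPLE_LURE = [
  '<a href="sms:+10000000001,+10000000002?body=VERIFY%201">I am not a robot</a>',
  '<a href="sms:+10000000003&body=VERIFY%202">Continue</a>',
  'history.pushState(null, "", location.href); window.onpopstate = stay;',
  'document.cookie = "successRate=2";',
].join("\n");
const SAMPLE_BENIGN = '<a href="sms:+15550100">Text our support desk</a>';
console.log(triagePage(SAMPLE_LURE), triagePage(SAMPLE_BENIGN));
```

A plain "text us" link with one recipient and no pre-filled body scores zero, so the check keys on the combination of traits rather than on the sms: scheme alone.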
Mitigation steps:
Monitor for unexpected premium SMS charges on mobile bills.
Be cautious of multi-step CAPTCHA verification processes that request SMS sending.
Avoid clicking the back button repeatedly on suspicious CAPTCHA pages; instead, fully exit the browser.
Report suspicious SMS charges to telecom carriers.
Organizations should monitor DNS queries to known Keitaro-associated domains.
Telecom carriers should implement stronger controls on premium rate number registration and monitor for artificial traffic inflation patterns.
Affected products:
Keitaro TDS (Keitaro Tracker)
Android SMS apps
iOS SMS apps
Related links:
https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html#crackdown-on-navigation-abuse
https://www.ndss-symposium.org/ndss-paper/understanding-and-detecting-international-revenue-share-fraud/
https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribution-systems/
https://blog.confiant.com/p/tracking-software-weaponized-by-criminals
https://thehackernews.com/2025/02/new-frigidstealer-malware-targets-macos.html
https://thehackernews.com/2025/08/socgholish-malware-spread-via-ad-tools.html
https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/
https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/
https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/
Related CVEs:
Related threat actors:
IOCs:
35 phone numbers spanning 17 countries, including Azerbaijan, Netherlands, Belgium, Poland, Spain, Turkey
226,000 DNS queries spanning 13,500 domains associated with Keitaro-related activity
Cookie values including 'successRate'
Over 120 distinct Keitaro TDS campaigns
Fake CAPTCHA pages with multi-step verification
This article was created with the assistance of AI technology by Perceptive.
