Fake CAPTCHA Lures Power IRSF Fraud and Crypto Theft Campaigns

 

Research by Infoblox reveals a new fraud operation that combines routine web security practices with telecom billing abuse, resulting in unauthorized mobile activity by using counterfeit CAPTCHA interfaces. 

In this scheme, familiar human verification prompts are repurposed as covert triggers for International Revenue Share Fraud, effectively converting a typical browser interaction into an event that is monetized through telecom billing. 

Several studies have demonstrated that users who navigate what appears to be a legitimate verification process may unknowingly authorize premium or international SMS transmissions, creating a direct revenue stream for threat actors. 

IRSF has presented challenges to telecom operators for decades, but this implementation introduces a previously undetected delivery vector that takes advantage of user trust in widely used web validation mechanisms in order to accomplish the delivery. 

While individual charges may appear insignificant, the cumulative impacts at scale present carriers with measurable financial exposure, along with an increase in customer disputes resulting from opaque and unrecognized billing activity. 

Based on the analysis, it appears that the campaign has been operating since mid-2020, resulting from a sustained and carefully developed exploitation approach. Through the utilization of classic social engineering techniques as well as browser manipulation tactics, including back-button hijacking, the infrastructure effectively limits user navigation and reinforces the illusion of a legitimate verification process. 

In addition, dozens of originating numbers were identified in multiple international jurisdictions, emphasizing the geographical dispersion of the monetization layer underpinning the scheme. The staged CAPTCHA sequence is particularly designed to trigger multiple outbound SMS events silently, routing messages to a variety of premium-rate destinations in place of a single endpoint, thus maximizing revenue generation per interaction by triggering multiple SMS events.

A delay in the manifestation of associated charges which often occurs weeks after the event—obscures attribution further, reducing the possibility of user recalling or disputing the charges at bill time. In particular, the integration of malicious traffic distribution systems within this operation is significant, as is the repurposing of infrastructure typically utilized for malware delivery and phishing redirection into SMS fraud orchestration in a high volume. 

Threat actors can scale a campaign efficiently while maintaining operational stealth by utilizing layers of redirection and evasion mechanisms through this convergence. These findings have led to the discovery of a highly orchestrated, multi-phase fraud scheme that combines behavioral manipulation with telemarketing monetization. 

By utilizing a pool of internationally distributed numbers - many of which are registered in regions with higher SMS termination costs, including Azerbaijan, Egypt, and Myanmar - the operation maximizes per transaction yields.

It is common practice for victims to be funneled through a series of convincing CAPTCHA challenges that are intended to trigger outbound messaging events to numerous premium-rate destinations discreetly, often resulting in several SMS transmissions within the same session. This layered interaction model, strengthened by browser-level interference, such as history manipulation, prevents users from leaving the website while maintaining the illusion that the application is legitimate. 

In this fraud model, the threat actor exploits inter-carrier settlement mechanisms to route traffic toward high-fee endpoints under revenue-sharing arrangements by leveraging inter-carrier settlement mechanisms. Moreover, the integration of traffic distribution systems provides an additional level of operational precision, allowing targeted victimization while dynamically concealing malicious infrastructure from detection systems. 

Based on industry assessments, artificially inflated traffic associated with such schemes remains among the most financially damaging types of messaging abuse, as significant portions of telecom operators report both elevated traffic volumes as well as significant revenue leaks associated with such schemes. 

Individual users' seemingly trivial costs aggregate into a scalable and persistent revenue stream within this context, demonstrating the ongoing viability of IRSF to serve as a global fraud vector. Detailed investigations conducted by Infoblox and Confiant further illustrate how Keitaro Tracker abuse has enabled large-scale fraud ecosystems by acting as an enabler.

It was originally designed as a self-hosted ad performance tracking tool, but its conditional routing capabilities have been systematically repurposed by threat actors, who often operate with illegally obtained or cracked licenses, as a covert traffic distribution system and cloaking tool. By misusing this information, victims are diverted from seemingly legitimate entry points, such as sponsored social media advertisements, to fraudulent investment platforms claiming to be AI-driven and guaranteed high returns. 

As a method of enhancing credibility and engagement, campaigns frequently employ fabricated media narratives, including spoofed news coverage, synthetic endorsements, and deepfake video content attributed to actors such as FaiKast. In a four-month observation period, telemetry indicates more than 120 discrete campaigns were deployed in conjunction with Keitaro-linked infrastructure, resulting in significant DNS activity across thousands of domains. 

The majority of this traffic has been attributed to cryptocurrency-related fraud, particularly wallet draining schemes disguised as promotional airdrops involving widely recognized blockchain services and assets. 

The convergence of legacy investment scam tactics with adaptive traffic orchestration and artificial intelligence-based deception techniques demonstrates how scalable infrastructure is intertwined with persuasive social engineering to ensure maximum reach and financial extraction in an evolving threat landscape.

In terms of execution, the scheme contains carefully optimized conversion funnels that maximize engagement as well as monetization. The typical interaction sequence, which consists of multiple CAPTCHA stages, can result in as many as 60 outbound SMS messages to a distributed network of international phone numbers, resulting in an additional charge of around $30 per session for each outbound SMS message. 

Although this cost model is modest when considered individually, it scales well across large victim pools when replicated, especially in countries with high- and mid-level termination rates across Europe and Eurasia. It is possible to further refine the campaign logic through client-side state management, which uses cookies, which track progression metrics such as “successRate” and dynamically determine user pathways.

By selectively advancing, redirecting, or filtering participants into parallel fraud streams, adaptive routing improves targeting precision while fragmenting detection efforts by distributing traffic among multiple controlled endpoints, which increases detection efficiency. 

Additionally, browser manipulation techniques, specifically JavaScript-driven history tampering, continue to be used, thereby ensuring persistence by redirecting users back into the fraudulent flow upon attempt to exit through standard navigation controls. 

As a result, the user is faced with a constrained browsing environment that prolongs interaction time and increases the possibility of repeating chargeable events before disengaging. Overall, the operation illustrates a shift in fraud engineering as telecom exploitation, adaptive web scripting, and traffic orchestration are converged into a unified, revenue-generating system. 

By embedding monetization triggers within seemingly benign user interactions, and by reinforcing those triggers with persistence mechanisms, such as cookie-driven logic and navigation controls, threat actors are successfully industrializing high volume, low value fraud. According to Information Blox, these campaigns are not only technically sophisticated, but also exploit systemic gaps in web platforms, advertising networks, and telecom billing frameworks. 

Increasingly, these tactics have become more sophisticated, and they require more coordinated mitigation in addition to detection, so tighter controls across digital advertising supply chains, improved browser-level safeguards, and greater transparency regarding cross-border messaging charges will be required to limit the scaleability of such abuses.