IRSF Fraud via Fake CAPTCHAs: Analysis of the Campaign Active Since 2020

Over 120 campaigns use Keitaro TDS to distribute IRSF scams via fake CAPTCHAs. 17 countries hit, costs up to $30 per victim. Here are the details.

Over 120 distinct campaigns abused the Keitaro TDS platform to distribute fraudulent links between October 2025 and January 2026, generating approximately 226,000 DNS queries across 13,500 associated domains. The data, collected from Infoblox customers, highlights the convergence between advanced advertising industry techniques and global-scale telecommunications fraud.

The mechanism of the IRSF scam via fake CAPTCHAs

The IRSF (International Revenue Share Fraud) campaign via fake CAPTCHAs has been active since at least June 2020. The attack vector exploits a multi-step mechanism: each message is preconfigured with over a dozen phone numbers, leading the victim to pay for SMS messages to over 50 international destinations. As explained by David Brunsdon and Darby Wise of Infoblox, "the fake CAPTCHA has multiple steps, and each message is preconfigured with over a dozen numbers, meaning the victim is not charged for a single message – they are charged for sending SMS messages to over 50 international destinations."

Infoblox has observed up to 35 phone numbers distributed across 17 countries as part of the IRSF campaign. Numbers are registered in countries with high termination fees or lax regulation, including Azerbaijan, Kazakhstan, and European premium ranges. The process can send up to 60 SMS messages to 15 unique numbers after 4 CAPTCHA steps, costing the victim approximately 30 dollars.
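
The totals in the paragraph above (4 steps, 15 unique numbers, 60 messages) are what an audit of a page's SMS links would surface. The following is an added example, not code from the article or from Infoblox. It assumes the page pre-fills each message through sms: links (RFC 5724), which the article does not state; parseSmsUri, auditSmsLinks and the +999 placeholder numbers are constructed for illustration.

```javascript
// Added example: audit sms: links (RFC 5724) in page markup from a defender's side.
// Assumption: the page pre-fills the SMS through sms: links; the article does not say how.

// Parse one sms: URI into its recipient list and pre-filled body.
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  let path;
  try {
    path = decodeURIComponent(m[1]);
  } catch {
    return null; // malformed percent-encoding
  }
  const recipients = path
    .split(",") // RFC 5724 separates recipients with commas
    .map((n) => n.replace(/[\s().-]/g, "")) // drop visual separators
    .filter((n) => /^\+?\d{3,15}$/.test(n));
  const body = new URLSearchParams(m[2] || "").get("body") || "";
  return { recipients, body };
}

// Flag links that pre-fill a body for more than maxRecipients numbers, and
// total the SMS a user would be billed for if every flagged link were sent.
function auditSmsLinks(html, maxRecipients = 1) {
  const unique = new Set();
  const flagged = [];
  let messages = 0;
  for (const [, href] of html.matchAll(/href\s*=\s*["'](sms:[^"']*)["']/gi)) {
    const parsed = parseSmsUri(href);
    if (!parsed || !parsed.body || parsed.recipients.length <= maxRecipients) continue;
    const international = parsed.recipients.filter((n) => n.startsWith("+")).length;
    flagged.push({ recipients: parsed.recipients.length, international });
    messages += parsed.recipients.length; // one SMS per recipient
    parsed.recipients.forEach((n) => unique.add(n));
  }
  return { flagged, messages, uniqueNumbers: unique.size };
}

// Constructed sample: four steps, each addressing the same 15 placeholder numbers
// (+999 is not an assigned country code), plus one ordinary single-recipient link.
const NUMBERS = Array.from({ length: 15 }, (_, i) => `+999000000${String(i).padStart(2, "0")}`);
const SAMPLE_HTML = [1, 2, 3, 4]
  .map((s) => `<a href="sms:${NUMBERS.join(",")}?body=step%20${s}">step ${s}</a>`)
  .concat('<a href="sms:+99900000099">support</a>')
  .join("\n");

console.log(auditSmsLinks(SAMPLE_HTML));
```

The single-recipient link with no pre-filled body is left out of the totals, so an ordinary "text us" link does not raise the count.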

The scam also exploits back button hijacking via JavaScript to trap users in a navigation loop. Google has classified this practice as "harmful" and plans to penalize sites that interfere with navigation starting in mid-2026.

Keitaro TDS: technical infrastructure at the service of fraud

Between October 2025 and January 2026, over 120 distinct campaigns abused Keitaro TDS for link delivery. According to Infoblox and Confiant, "Keitaro is initially a self-hosted advertising performance tracker designed to conditionally route visitors using flows. Malicious actors repurpose this mechanism, turning a Keitaro server into an all-in-one tool that acts as a traffic distribution system, tracker, and cloaking layer."

Infoblox customers recorded approximately 226,000 DNS queries on 13,500 domains associated with Keitaro activity during the observed period. The domains are clustered on a small set of IPs in AS15699 (Adam EcoTech). Keitaro deleted over a dozen accounts linked to these activities following responsible disclosure.

Impact on victims and carriers

The operation simultaneously defrauds individuals and telecommunications carriers. "Individual victims face unexpected premium SMS charges on their bills and would have difficulty identifying and reporting the fraud when it originates from such an unexpected source," Infoblox explained in its April 23, 2026 report.

AIT (Artificially Inflated Traffic), which includes IRSF traffic, is now classified as the most harmful form of messaging fraud in the world. Approximately half of carriers report high financial losses due to this type of fraudulent activity.

Context: phone scams in Italy

The phenomenon is part of a broader landscape of telecom fraud. According to recent data, nearly 3.9 million Italians have been victims of scams or attempted fraud in the context of fixed or mobile telephony. Contrary to common perception, the most affected groups are not the elderly but young people, particularly in the 25-34 and 45-54 age ranges, with percentages exceeding 8%.

People with a university degree appear to be the most affected, with an incidence more than double the average. Geographically, the North West is the hardest-hit area, with an incidence of 7.5%. Despite having been scammed, nearly half of the victims (49.2%) did not report the incident, mainly because recovering the money was impossible (38.5%), the financial loss was too small (24.6%), or out of a sense of shame (16.9%).

Frequently Asked Questions

What is IRSF fraud?
IRSF stands for International Revenue Share Fraud, a type of fraud that generates traffic to international premium numbers to profit from termination rates. In this case, it is conveyed via fake CAPTCHAs that trick victims into sending expensive SMS messages.

How does the fake CAPTCHA work in the scam?
The fake CAPTCHA presents multiple steps preconfigured with over a dozen numbers. The victim completes up to 4 steps, sending up to 60 SMS messages to 15 unique numbers, at a cost of approximately 30 dollars.

What is Keitaro TDS and how is it abused?
Keitaro is originally a self-hosted advertising performance tracker. Malicious actors repurpose it as a traffic distribution system, tracker, and cloaking layer to distribute fraudulent links while hiding the malicious infrastructure.

What is Google doing against back button hijacking?
Google has classified back button hijacking as a harmful practice and plans to penalize sites that interfere with navigation starting in mid-2026.

This article is a summary based exclusively on the sources listed.