Fake CAPTCHA Scam Drives Global SMS Fraud

A fake CAPTCHA IRSF scam leverages 120 Keitaro campaigns to generate illicit revenue via premium SMS charges. Details from Infoblox and The Hacker News report.

In 2026, a single fake CAPTCHA trick has become the front door to a global telecom fraud network that’s raked in millions by hijacking mobile billing systems across 40+ countries.

Key Takeaways

  • Infoblox identified 120 distinct Keitaro campaigns tied to a fake CAPTCHA IRSF scam.
  • The scam tricks users into sending premium-rate international SMS messages, charging their carrier bills.
  • Attackers lease premium numbers and earn payouts when victims complete the fraudulent verification.
  • Victims see a CAPTCHA-style page but are unknowingly routed to international SMS gateways.
  • The infrastructure leverages obfuscated redirects and domain shadowing to evade detection.

The CAPTCHA That Wasn’t

It looks real. You click a link, land on a page, and see a box: “Prove you’re human.” A button says “Start Verification.” That’s it. No typos. No flashing ads. Just clean, minimalist design — eerily similar to Google’s reCAPTCHA.

But there’s no machine learning model analyzing your mouse movements. No AI checking if you’re a bot. This isn’t a test of humanity. It’s a billing trap.

According to the original report by The Hacker News, based on Infoblox’s April 2026 findings, this fake CAPTCHA is the linchpin of an IRSF (International Revenue Share Fraud) operation that’s been active since at least late 2025. Users who click “Start Verification” are silently routed through a chain of redirects that initiate an SMS transaction to a premium-rate number — often in countries with weak carrier oversight.

They don’t type anything. They don’t confirm a message. The transaction happens in the background, masked by a fake progress bar. By the time the page says “Verification Complete,” the damage is done: the user’s phone has sent a message to a number that costs $5, $10, even $20 — and the fraudster gets a cut.

That’s IRSF. It’s not new. But the delivery mechanism — a convincing, scalable, invisible CAPTCHA — is.

Keitaro’s Role in the Fraud Engine

The operation isn’t running on one server in a basement. Infoblox tracked 120 separate Keitaro traffic management instances powering this scam. Keitaro is a legitimate click-tracking and affiliate marketing tool used by digital advertisers to measure campaign performance. It allows operators to route users through layered redirects, test landing pages, and geo-target traffic.

But in this case, it’s been weaponized. Each of the 120 campaigns uses Keitaro to fine-tune the attack: testing which fake CAPTCHA designs convert best, which countries’ carriers are most vulnerable, and which premium numbers yield the highest payout per message.

These aren’t crude scripts. The campaigns use domain shadowing — registering subdomains that mimic legitimate sites — and HTTPS encryption to appear trustworthy. The fake CAPTCHA pages load quickly, often hosted on compromised domains with valid SSL certificates. That green padlock in the browser? It doesn’t mean safe. It just means encrypted.

And because Keitaro lets attackers rotate domains and IPs rapidly, takedowns are temporary. Shut down one instance, and two more go live by the next day.

How the Redirect Chain Works

The user journey is deceptively smooth:

  • The user clicks on a malicious ad or link (often disguised as software updates, media downloads, or fake security alerts)
  • The user lands on a page with a CAPTCHA prompt — visually identical to real ones
  • Clicking “Start Verification” triggers a hidden SMS intent via telco APIs
  • The request is routed through multiple Keitaro-managed proxies to obscure its origin
  • An SMS is sent to a premium number registered in high-payout regions like Indonesia, Nigeria, or Peru
  • The user’s carrier bills them; the fraudster collects a percentage from the number owner

The entire process takes under 10 seconds. And since no confirmation dialog appears on most Android and iOS versions when initiated via web APIs, the user has no chance to stop it.

The Numbers Behind the Fraud

Infoblox didn’t estimate revenue — but the mechanics reveal the scale. Premium SMS numbers in some countries generate $8–$15 per message, with fraud operators earning 30–70% per transaction depending on the lease agreement. At a conservative 50% cut and 1,000 daily messages per campaign, each of the 120 Keitaro instances could generate $4,000–$7,500 daily.

That’s $1.4 million to $2.7 million per month — not counting reinvestment, new campaigns, or compounding reach via ad networks.

And this assumes low volume. In high-traffic regions, especially where mobile internet is the default and carrier billing is common, conversion rates spike. One campaign observed by Infoblox targeted Indonesian users with localized language and carrier-specific formatting, increasing success rates by 38% compared to generic versions.

Why This Isn’t Just Another Scam

Most phishing attacks rely on fear: “Your account is locked!” “Virus detected!” This one uses legitimacy. It doesn’t scream. It whispers. It mimics one of the most trusted UI patterns on the web. And that’s what makes it dangerous.

It’s not banking credentials. It’s not ransomware. The damage isn’t immediate or catastrophic — just a mysterious $10 charge on your bill. Most people won’t report it. They’ll chalk it up to a subscription they forgot, a carrier error, or a family member’s purchase.

That low individual impact is the scam’s armor. It flies under the radar of both users and fraud detection systems. High-volume, low-value attacks are harder to trace, harder to prove, and harder to stop.

And unlike crypto scams that leave blockchain trails, or credential theft that shows up in breach reports, this fraud leaves no centralized footprint. The money flows through telecom billing systems — opaque, fragmented, and jurisdictionally tangled.

The Infrastructure Is Still Live

As of April 27, 2026, Infoblox confirmed that at least 67 of the 120 Keitaro campaigns remain active. Some have shifted domains. Others now use alternative traffic managers like Voluum or Binom — but the fake CAPTCHA template persists.

Carriers are slow to respond. Premium SMS services are profitable for them too. Many operate revenue-sharing agreements with third-party content providers — meaning they get a cut when users are charged. That creates a conflict of interest: the more messages sent, the more money they make.

And while Google and Apple have implemented some protections — Android 15 blocks automatic SMS sends without user confirmation, and iOS restricts web-to-SMS intents — those updates aren’t universal. Hundreds of millions of devices still run older OS versions. And in emerging markets, where this scam is most prevalent, device fragmentation is extreme.

What This Means For You

If you’re building web apps or handling user traffic, stop treating CAPTCHA-like patterns as neutral. This scam proves they can be weaponized. Never implement a “verification” button that triggers offsite actions without explicit user consent. Audit any third-party scripts that handle redirects — especially marketing or analytics tools that could be repurposed for traffic manipulation.

For developers working with telecom APIs or billing systems, this is a wake-up call. The infrastructure enabling IRSF isn’t darknet code — it’s off-the-shelf software, leased numbers, and lax carrier policies. Build detection rules for rapid-fire SMS initiations from web sources. Monitor for unexpected spikes in international SMS traffic. And if you’re using Keitaro or similar platforms, verify that your instances aren’t being hijacked for fraud.
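
The two detection rules suggested above can be sketched over SMS event records. This is an added example, not code from Infoblox or The Hacker News; the record layout, the `origin` field, the home prefix and every threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

HOME_PREFIX = "+1"                     # assumption: operator's home country code
BURST_WINDOW = timedelta(seconds=10)   # article: the chain completes in under 10 seconds
BURST_MIN = 3                          # assumption: SMS per sender inside the window
SPIKE_FACTOR = 5                       # assumption: multiple of the baseline that alerts

def sample_events():
    """Constructed records: (ISO time, sender, destination, origin)."""
    ev = [(f"2026-01-01T0{h}:15:00", f"sub-{h}", "+447700900001", "user")
          for h in range(4)]                          # quiet baseline hours
    for i in range(12):                               # 4 senders x 3 SMS in 6 seconds
        ev.append((f"2026-01-01T04:0{i // 3}:0{(i % 3) * 3}", f"sub-9{i // 3}",
                   f"+62000000000{i % 3}", "web"))
    ev.append(("2026-01-01T04:30:00", "sub-1", "+12025550100", "web"))  # domestic
    return ev

def parse(events):
    return sorted((datetime.fromisoformat(t), s, d, o) for t, s, d, o in events)

def rapid_fire(events):
    """Senders with >= BURST_MIN web-originated international SMS in BURST_WINDOW."""
    recent, flagged = defaultdict(deque), set()
    for ts, sender, dest, origin in parse(events):
        if origin != "web" or dest.startswith(HOME_PREFIX):
            continue
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:   # drop sends that fell out of the window
            q.popleft()
        if len(q) >= BURST_MIN:
            flagged.add(sender)
    return flagged

def international_spikes(events):
    """Hours whose international volume exceeds SPIKE_FACTOR x median of prior hours."""
    hourly = defaultdict(int)
    for ts, _, dest, _ in parse(events):
        if not dest.startswith(HOME_PREFIX):
            hourly[ts.replace(minute=0, second=0, microsecond=0)] += 1
    if not hourly:
        return []
    hour, last, series, alerts = min(hourly), max(hourly), [], []
    while hour <= last:                   # include empty hours in the baseline
        series.append((hour, hourly.get(hour, 0)))
        hour += timedelta(hours=1)
    for i, (h, count) in enumerate(series):
        prior = [c for _, c in series[:i]]
        if len(prior) >= 3 and count > SPIKE_FACTOR * max(median(prior), 1):
            alerts.append((h.isoformat(), count))
    return alerts
```

On the constructed data, `rapid_fire` flags the four senders that each sent three international messages within six seconds, and `international_spikes` flags the 04:00 hour against a baseline of one message per hour.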

There’s a quiet irony here: CAPTCHA was invented to stop bots from abusing human systems. Now, it’s being used by humans to automate the abuse of other humans — with the help of tools we built for advertising.

Sources: The Hacker News, Infoblox Threat Research Report (April 2026)
