Fake CAPTCHAs and 120 Keitaro Campaigns Launch a Global SMS and Crypto Fraud Scheme

27.04.2026 5 minutes Author: Newsman

Cybersecurity researchers have uncovered a massive fraud campaign that uses fake CAPTCHAs to trick users into sending expensive international SMS messages. The scheme has been running for years, spanning dozens of countries, and generating revenue through telecom fraud and cryptocurrency transactions.

Fake CAPTCHA makes users pay for international SMS, generating profit for scammers

Cybersecurity researchers have found a massive telecom fraud that uses international SMS to make money from unsuspecting people completing CAPTCHA checks. Victims appear to be completing a typical “not a robot” CAPTCHA test, but they unknowingly send international SMS messages that cost them money and earn the fraudsters a profit.

This scam has been running since at least June 2020. Like many other scams, it combines social engineering with technical tricks. One of its most interesting features is how it manipulates the user’s experience. When a user tries to go back to a previous page using the browser’s “back” button, the page automatically reloads. This is done with JavaScript code added to the website. As a result, the victim cannot escape the web page and continues to send multiple messages, resulting in higher profits for the scammers.

A total of 35 international phone numbers located in 17 countries were identified as part of this global telecommunications revenue sharing fraud campaign.

The method is easy to understand, yet it proves highly effective. First, a traffic distribution system (TDS) directs the victim to a fake “I’m not a robot” page. Additional verification pages then follow, created to get multiple international SMS messages sent. All of these steps go relatively unnoticed because, as soon as a message is sent from a smartphone, the standard messaging app opens with the numbers and text fields pre-populated so that the next message can be sent immediately.

According to the researchers:

  • “The fake CAPTCHA contains several steps…the victim pays not for one message, but sends SMS to more than 50 foreign destinations”

After completing several of the verification steps (and depending on the number of different destinations), up to 60 messages can be sent to 15 different numbers. The average cost per victim for the entire process is approximately $30. While it seems like a relatively low amount for one victim, it provides a steady source of income for those involved in the scam.

Additionally, victims typically do not know they have been targeted until weeks later when their international SMS charges show up on their monthly cell phone bill.

This type of scam is a form of International Revenue Sharing Fraud (IRSF). In IRSF schemes, attackers obtain control over expensive international or premium phone numbers and intentionally drive large amounts of traffic to them. As a result, telecom companies are forced to pay for terminating such calls, and the attackers benefit financially from the connection charges paid by the telecom company.

Phone numbers are registered particularly aggressively in regions with extremely high rates and/or weak regulatory oversight. Examples include Azerbaijan and Kazakhstan, as well as specific premium-rate areas within Europe. According to some researchers, in certain situations attackers collaborate with local telecom service providers.

Cookies are also used to monitor user behavior. They can identify whether or not a victim would be profitable for this particular scheme. If the victim would not be profitable, they are simply redirected to another CAPTCHA, which could belong to an entirely separate fraudulent scheme.

Another feature of this scam is known as “back button hijacking”. Using JavaScript, the webpage modifies the browser history so that if you click the “back” button to return to a previous page, you are instead returned to the same fake CAPTCHA. The only way to exit this loop is to close the current browser tab or shut down the browser altogether.
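A defender-side sketch of how the two page behaviours described above (pre-filled SMS messages and browser-history tampering) can be spotted in captured page source. This is an added example, not code from the researchers or from the campaign; it assumes the pre-filled messages are built with the standard `sms:` URI scheme, and the function names, finding labels, sample page and placeholder phone numbers are constructed for illustration.

```javascript
// Added example: static triage of captured page source. Heuristics are illustrative.
// Constructed sample: placeholder numbers, undefined handler name.
const SAMPLE_PAGE = `
<a href="sms:+994000000001,+7000000002?body=VERIFY%201">I'm not a robot</a>
<script>history.pushState(null, "", location.href);
window.addEventListener("popstate", reShowCaptcha);</script>`;

// Parse an sms: URI (RFC 5724 form: sms:<recipients>?body=<text>).
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  let raw;
  try { raw = decodeURIComponent(m[1]); } catch { raw = m[1]; }
  const recipients = raw
    .split(/[,;]/)
    .map((r) => r.replace(/[\s\-().]/g, ""))
    .filter(Boolean);
  const body = new URLSearchParams(m[2] || "").get("body") || "";
  return { recipients, body };
}

// Flag pre-filled SMS links to foreign numbers and back-button tampering.
// homeCountryCode is the analyst-supplied E.164 country code, e.g. "1".
function triagePage(html, homeCountryCode) {
  const findings = new Set();
  const foreign = new Set();
  for (const uri of html.match(/sms:[^"'\s<>]+/gi) || []) {
    const parsed = parseSmsUri(uri.replace(/&amp;/g, "&"));
    if (!parsed) continue;
    if (parsed.recipients.length > 1) findings.add("sms-multi-recipient");
    for (const r of parsed.recipients) {
      if (r.startsWith("+") && !r.startsWith("+" + homeCountryCode)) foreign.add(r);
    }
  }
  if (foreign.size > 0) findings.add("sms-foreign-destination");
  // A history write combined with a popstate handler is the pattern that
  // keeps the "back" button landing on the same page.
  const writesHistory = /history\.(pushState|replaceState)\s*\(/.test(html);
  const hooksPopstate =
    /onpopstate\s*=|addEventListener\s*\(\s*["']popstate["']/.test(html);
  if (writesHistory && hooksPopstate) findings.add("back-button-hijack");
  return { findings: [...findings], foreignNumbers: [...foreign].sort() };
}

console.log(triagePage(SAMPLE_PAGE, "1"));
```

Each signal also appears on legitimate pages (single-page apps write to history, support pages link to SMS numbers), so the combination of findings is what merits a closer look.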

Ultimately, this scheme benefits two groups simultaneously. Victims incur unanticipated SMS charges, while telecom companies unwittingly fund scams as they continue to share portions of their international revenue with the scammers (usually before they realize they are losing money).

Researchers working alongside Confiant found yet another issue – mass exploitation of the Keitaro system. Keitaro is legitimate traffic routing software commonly utilized by marketers; however, researchers now observe that Keitaro is increasingly being exploited in malicious campaigns.

Fraudulent actors either purchase cracked licenses or utilize stolen access credentials and then turn Keitaro into a versatile tool for launching various types of attacks against users. Such attacks include:

  • distributing malware

  • stealing cryptocurrency

  • promoting investment scams that claim to use artificial intelligence

  • conducting fake sweepstakes and giveaways

Distribution of observed spam campaigns using Keitaro

Scammers often use Facebook ads to draw victims in. To build credibility, they post fake news articles and fake celebrity endorsements of products or services, and even create fake video content (known as “deepfakes”) to make things appear legitimate.

Researchers are tracking one such scammer, whom they have identified by the name FaiKast. They report that over a span of more than 4 months (October 2025-January 2026), more than 120 campaigns were run using the Keitaro system. In total, over 226,000 DNS requests and over 13,500 domains were found to be associated with the activity.

Once the operation was exposed, part of the scammers’ infrastructure was shut down. Keitaro shut down over a dozen accounts that were found to be abusing its service.

Researchers further report that nearly all of these operations (approximately 96%) are focused on crypto fraud. The primary objective of each operation is to get users to attach or “confirm” their cryptocurrency wallet(s) via fake sweepstakes or contests. Some of the most popular themes include AURA, Solana, Phantom and Jupiter.

This example is clear evidence of how common internet features, such as CAPTCHA, can be turned into tools for mass fraud. Further, the more authentic a website appears, the more likely the user is to fall prey to the scammers.
