Cybersecurity researchers said a telecommunications fraud campaign has used fake CAPTCHA pages to trick users into sending international text messages that add charges to mobile bills, while a separate analysis found more than 120 campaigns abusing Keitaro TDS between October 2025 and January 2026. The fake CAPTCHA operation has been active since at least June 2020 and involved 35 phone numbers across 17 countries.
KEY FACTS
- Fake CAPTCHA scam Victims were pushed through multi-step verification pages that sent SMS messages to premium or international numbers.
- Reach The campaign used phone numbers in 17 countries, including Azerbaijan, the Netherlands, Belgium, Poland, Spain and Turkey.
- Scale Up to 60 SMS messages could be sent in a single flow, with costs estimated at about $30 for one user.
- Keitaro abuse More than 120 campaigns used the traffic distribution system for malware delivery, crypto theft and investment scams.
In a technical analysis, Infoblox said the fake CAPTCHA scheme relied on social engineering, browser back button hijacking and commercial traffic distribution systems to route victims through a redirection chain. The pages used cookies to track progress and decide which step came next.
The report said the flow could open the SMS app on Android and iOS devices with prefilled numbers and messages, which made each step send a separate text. In some cases, users were redirected to a different CAPTCHA page if they were not considered suitable for the campaign.
The disclosure also said the operators targeted numbers in countries with high termination fees or looser rules and worked with local telecom providers. Infoblox and Confiant said Keitaro TDS had been abused in a broad set of spam and fraud campaigns, with about 226,000 DNS queries tied to 13,500 domains over four months.
Following responsible disclosure, Keitaro canceled more than a dozen accounts linked to the activity. The companies said about 96% of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes, often using fake airdrops and giveaway lures.
WHY IT MATTERS
The findings show how fake human verification pages and traffic routing tools can be combined to generate billable SMS traffic and distribute other scams at scale. The activity can leave victims with delayed charges and can also create losses for carriers that pay revenue shares or handle disputes.