HackMyIP
2026-04-27 The Hacker News

Fake CAPTCHA IRSF Scam: 120 Keitaro Campaigns Fuel Global SMS and Crypto Fraud

Phishing | Threat Intel | Privacy

Security researchers at Group-IB have uncovered a large-scale smishing operation that combines fake CAPTCHA verification pages with International Revenue Share Fraud (IRSF) and cryptocurrency scams. The campaign, tracked under the moniker 'Keitaro‑IRSF', leverages 120 distinct Keitaro traffic‑distribution system (TDS) instances to host malicious landing pages. In a 48‑hour window, the actors dispatched more than five million SMS messages to users in the United States, United Kingdom, Germany, and Japan, prompting them to click on shortened URLs that lead to the fraudulent pages.

The attack chain begins when a victim receives a text that claims a package delivery or an account verification is pending. The embedded link routes through a series of Keitaro‑controlled subdomains, each equipped with a unique token that records the target’s device information. The victim is then presented with a convincing fake Google reCAPTCHA interface. Upon solving the puzzle, the page silently executes a hidden JavaScript snippet that triggers an outbound SMS to a premium‑rate number, generating IRSF revenue for the threat actors. The researchers observed 15 command‑and‑control (C2) servers hosted in the Eastern European region that coordinate the redirection logic and log each successful SMS transmission.

In parallel, the same infrastructure serves crypto‑investment pages that masquerade as wallet verification or token‑airdrop offers. After the victim solves the CAPTCHA, a second script loads a cryptocurrency deposit page requiring a small initial transfer to unlock a larger reward. The attackers use a set of 30 look‑aside wallet addresses, all linked to a known mix‑service, to obscure the flow of funds. The entire operation blends legitimate‑looking UI elements with dynamic content injection, making traditional email‑gateway filters ineffective.

Organizations can mitigate risk by implementing SMS‑filtering rules that flag messages containing known short‑link patterns and by deploying browser‑isolation solutions that prevent the hidden CAPTCHA scripts from executing. Threat‑intelligence platforms should be updated with the observed Keitaro domain patterns and the associated C2 IP ranges. End‑user education emphasizing that legitimate services never ask users to send SMS or transfer crypto for verification is also critical to reducing the success rate of this blended fraud scheme.
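A sketch of the SMS-filtering rule described above, added here as an illustration and not taken from the article or from Group-IB. The shortener host list, the lure regexes and the sample messages are assumptions constructed for the example, since the page does not publish the campaign's actual patterns.

```python
import re
from urllib.parse import urlparse

# Assumption: sample public shortener hosts; load your own feed in production.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Lure themes the article names: package delivery and account verification.
LURES = {
    "delivery": re.compile(r"\b(package|parcel|delivery|delivered|shipment)\b", re.I),
    "account": re.compile(
        r"\baccount\b.{0,40}\b(verif|confirm)\w*|\b(verif|confirm)\w*.{0,40}\baccount\b",
        re.I),
}

# Matches URLs with or without a scheme, since SMS lures often omit it.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def extract_hosts(text):
    """Return the hostname of every URL-like token, without a leading 'www.'."""
    hosts = []
    for token in URL_RE.findall(text):
        has_scheme = token.lower().startswith(("http://", "https://"))
        host = urlparse(token if has_scheme else "http://" + token).hostname
        if host:
            hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def triage_sms(text):
    """Block short link plus lure; review a short link, or a lure with any link."""
    hosts = extract_hosts(text)
    short = [h for h in hosts if h in SHORTENER_HOSTS]
    lures = [name for name, rx in LURES.items() if rx.search(text)]
    if short and lures:
        verdict = "block"
    elif short or (lures and hosts):
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "short_links": short, "lures": lures}


# Constructed sample messages, not taken from the campaign.
SAMPLES = [
    "Your package could not be delivered. Confirm address: https://bit.ly/3AbCdEf",
    "Account verification pending, visit tinyurl.com/xy12",
    "Lunch at 12? Menu here: https://example.org/menu",
]
```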

Source: The Hacker News →
