Hacking

Fake CAPTCHA SMS Fraud Campaign Charges Victims $30

Published  ·  9 min read
Updated on April 27, 2026

You have seen countless CAPTCHA tests. Select the traffic lights. Click on the bicycles. Type the wobbly letters.

Now imagine a CAPTCHA that asks you to send a text message to prove you are human. That is exactly what a long-running scam has been doing and victims are paying the price on their phone bills.

Security researchers at Infoblox have uncovered a fake CAPTCHA SMS fraud campaign that has been active since at least June 2020. The scheme tricks unsuspecting users into sending international text messages that generate premium charges. The attackers pocket a cut of the revenue.

What Is International Revenue Share Fraud?

Before understanding the scam, you need to understand how international revenue share fraud (IRSF) works.

Carriers pay each other termination fees when calls or messages cross international borders. If someone in the United States sends an SMS to a number in Azerbaijan, the US carrier pays a fee to the Azerbaijani carrier to complete that message.

Fraudsters exploit this system. They lease international premium rate numbers (IPRNs) in countries with high termination fees or lax regulations. Then they artificially generate massive volumes of international traffic to those numbers. The originating carrier pays the termination fee. The destination carrier shares a portion of that fee with the fraudster.

The fake CAPTCHA SMS fraud campaign is a clever way to generate that traffic. Attackers trick real people into sending messages. The victims pay. The carriers pay. Only the fraudsters profit.

How the Fake CAPTCHA Scam Works

The fake CAPTCHA SMS fraud campaign uses a multi-step process designed to maximize charges while keeping victims confused.

Step 1: Redirection.

A user clicks a link somewhere online. That link is routed through a commercial traffic distribution system (TDS). The TDS redirects the user to a bogus web page that looks like a legitimate CAPTCHA verification screen.

Step 2: The first SMS request.

The fake page instructs users to send a text message to an automated phone number for the purpose of confirming that they have confirmed they are a human being. The text message is composed of the content and number pre-filled. The customer will only need to press the send button.

Step 3: The beginning of the multi-step "verification" process.

After the first SMS is sent, the phone will indicate the initial verification attempt failed and that the customer must send another additional confirmation for further verification. Each new round of confirmation will trigger another SMS from another pre-filled international number within the automated phone application. 
The campaigns that the scammers run via fake CAPTCHA SMS exploit both iOS and Android devices and will cause users to feel that they have sent multiple SMSs via automated phone operations by way of JavaScript sending the SMS.

Step 4: The true cost.

Over four CAPTCHA steps, the victim sends as many as 60 text messages to 15 unique numbers across 17 countries. The total cost can reach $30 per victim.

The fake CAPTCHA SMS fraud campaign benefits from delayed billing. Those international SMS charges often appear on the victim's bill weeks later. By that time, the experience with the fake CAPTCHA has been long forgotten. The victim pays without ever connecting the charge to the scam.

The Countries and Numbers Involved

According to Infoblox, there were 35 distinct telephone numbers spanning 17 different countries involved in the fake CAPTCHA SMS fraud operation; attackers determined that these nations were feasible targets, typically due to either relatively high termination charges on international calls or the absence of regulation.

Affected countries include:
1. Azerbaijan
2. Kazakhstan
3. The Netherlands
4. Belgium
5. Poland
6. Spain
7. Turkey

The fake CAPTCHA SMS fraud campaign also registers numbers in certain premium-rate ranges within Europe.Fraudsters work together with local telecommunication companies so that they can continue to receive their share of fraud from mobile users via SMS. 

Back Button Hijacking: The Victim Gets Stuck

Back button hijacking is one of the most deceitful methods used in the fraudulent CAPTCHA SMS schemes. It uses JavaScript to execute the script against the web browser's navigation history index during the victim's click of the back button, redirecting the victim back to the fraudulent CAPTCHA web page, leaving them trapped in a loop of clicking on back buttons to twice visit the original fraudulent CAPTCHA website.

The only way out is to completely close the browser. This technique dramatically increases the number of users who complete the fake verification process simply because they cannot easily escape it.

Tracking Victims with Cookies

The fake CAPTCHA SMS fraud campaign relies heavily on cookies to track each victim's progression through the fake verification flow.

Specific cookies named things like "successRate" tell the scam server which steps a user has completed and what to show next. If the system determines a user is not suitable for the campaign (perhaps because their carrier does not support premium SMS billing), the page redirects them to an entirely different CAPTCHA page.

That second page is likely part of a separate campaign controlled by a different actor. The fake CAPTCHA SMS fraud campaign operators do not waste effort on victims who cannot generate revenue.

Who Pays?

The fake CAPTCHA SMS fraud campaign defrauds two parties simultaneously.

Individual victims face unexpected premium SMS charges on their mobile bills. At $30 per victim, the amount is small enough that many people pay without disputing it. But at scale, those $30 charges add up quickly for the fraudsters.

Telecom carriers also lose money. They pay revenue share to the perpetrators while likely absorbing losses from customer disputes or chargebacks. Some victims eventually notice the charges and demand refunds. The carrier eats that loss.

The fake CAPTCHA SMS fraud campaign operators profit either way. The revenue share arrives before any disputes are resolved.

The Keitaro TDS Connection

Infoblox conducted its analysis in collaboration with Confiant. Together, they published a three-part investigation into how threat actors abuse the Keitaro TDS (also known as Keitaro Tracker).

Keitaro is a legitimate advertising performance tracker. It is designed to conditionally route visitors using flows. Threat actors have adapted it as an all-in-one application for distributing, tracking, and cloaking web traffic.

Research during the period October 2025 through January 2026 found more than 120 distinct campaigns that have exploited Keitaro for the delivery of malicious links; there were approximately 226,000 DNS queries made by Infoblox customers during this period to 13,500 domains related to Keitaro.

Some of the threat actors used stolen or cracked Keitaro licenses.A specific threat actor tracked as TA2726 was observed using cracked versions. Following responsible disclosure, Keitaro canceled over a dozen accounts linked to malicious activity.

Beyond SMS Fraud: Investment Scams and AI Deepfakes

The same Keitaro infrastructure powering the fake CAPTCHA SMS fraud campaign is also used for cryptocurrency wallet-drainer schemes and AI-powered investment fraud.

Approximately 96 percent of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes. They generally employ the use of impostor airdrop (or giveaway) bait naming popular projects such as AURA or Solana (SOL), Phantom wallet and Jupiter DEX.

Scammers also utilise Facebook Ads to lure unwitting targets into fraudulent AI (artificial intelligence) trading platforms. Many of these scams involve falsely established celebrity endorsements created by manufacturing fake (but believable) news articles, images and "deep fake" videos. One example of such an impersonator actor is a threat actor known as FaiKast that has been associated with the use of synthetic videos to promote their scams.

How to Protect Yourself

The CAPTCHA SMS fake fraud is based on confusion with users and delayed charges. Follow these tips to avoid being a victim of this scam.
1. Do not send an SMS to complete a CAPTCHA test. Legitimate CAPTCHA tests use pictures, check boxes or audio tests to verify the user’s identity. If the webpage asks for SMS verification, close the website immediately.

2. Check your mobile bill carefully. Look for small international SMS charges. They may appear as fees of a few dollars each. If you see charges you do not recognize, contact your carrier and dispute them.

3. Beware of pages that trap you with the back button. If a site prevents you from leaving, force-close the browser entirely. Do not complete any verification steps just to escape.

4. Use a reputable ad blocker and security extension. These tools can block many traffic distribution systems and known scam domains before they load.

Final Thoughts

The fake CAPTCHA SMS fraud campaign has been running for nearly six years. It has likely defrauded hundreds of thousands of victims worldwide. The per-victim cost is low. The operational scale is massive.

What makes this campaign notable is the convergence of two otherwise separate fraud techniques: international revenue share fraud and malicious traffic distribution systems. By combining them, attackers have built a scalable, semi-automated money-making machine.

The fake CAPTCHA SMS fraud campaign operators do not need to hack phones or steal passwords. They simply ask victims to send a text. And enough people do exactly that to make the scam profitable.
Do not be one of them.

FAQ Section

Q1: How can I tell if I have been a victim of a fake CAPTCHA SMS fraud campaign?
Check your mobile bill for small international SMS charges you do not recognize. The charges may appear weeks after you interacted with a suspicious CAPTCHA page. Each charge is typically a few dollars. If you see multiple small international fees, you were likely scammed.

Q2. Can my device be compromised via the fake SMS CAPTCHA fraud scheme with malware?
No, this scheme does not plant any malicious software onto a device but is designed to take premium international rate SMS messages from victims. That said, other scams using the same traffic distribution method may install malware on devices. You should always treat web pages that appear to be suspicious as if they were a possible source of infection.

Q3. What if I already sent SMS text messages to the numbers from the fake CAPTCHA?
First, you should contact your mobile provider immediately and dispute the costs of sending those international SMS text messages and request a refund because you were a victim of a fraudulent verification page. Most providers will refund the charges, especially if you act quickly.

Q4. Why does the fake CAPTCHASending and Receiving Provider(SRCP) scheme use a multipart SMS?
The multiple steps in sending SMS text messages to different international numbers create multiple termination fees collected by the provider. Depending upon how many messages you send per step and how many steps are in the scheme, you could send a total of 60 SMS text messages to 15 unique numbers in 17 countries from four bipartite steps, thus increasing the total charge.

Q5: Are iPhone and Android users both vulnerable?
Yes. The fake CAPTCHA SMS fraud campaign uses JavaScript to programmatically launch the SMS app on both Android and iOS devices. The phone numbers and message content are pre-filled on both platforms. No operating system is immune.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067