{"id":12088,"date":"2025-08-06T12:55:34","date_gmt":"2025-08-06T19:55:34","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=12088"},"modified":"2025-08-12T11:43:59","modified_gmt":"2025-08-12T18:43:59","slug":"vextrios-origin-story-from-spam-to-scam-to-adtech","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/vextrios-origin-story-from-spam-to-scam-to-adtech\/","title":{"rendered":"VexTrio\u2019s Origin Story: From Spam to Scam to Adtech"},"content":{"rendered":"
\n

\u201cEveryone knows that eliminating spam is impossible to achieve, until an ignorant person who doesn\u2019t know this comes along and starts sending some (Italian) spammer to jail<\/em>. <beg>\u201d<\/em> \u2014Lex Tutor, 2011<\/p>\n<\/blockquote>\n

This quote is powerful when you realize that it is referring to progenitors<\/strong><\/a> of the notorious VexTrio<\/strong><\/a> traffic distribution system (TDS). \u201cLex Tutor<\/strong><\/a>\u201d was an online moniker active in anti-spam communities for at least a decade. He not only complained about the endless torrent of spam plaguing internet users, but actively battled spammers in the courts as well. Through forum posts, Tutor documented a series of micro-companies he claimed were connected to persistent spam operations, referencing their \u201chideouts\u201d in Lugano (Switzerland), fake identities, their practice of using abuse reports to clean email lists, and their alleged theft of personal data from various partner services to fuel more spam.<\/p>\n

\"\"<\/p>\n

Although Tutor complained about spam, VexTrio is more widely known for their traffic distribution system (TDS). The TDS helps disguise digital fraud, the cost of which, according to the Association of National Advertisers (ANA)<\/strong><\/a>, will grow to US$172 billion by 2028. Investment fraud scams alone reportedly brought in US$16.6 billion from U.S. victims in 2024, according to FBI reporting<\/a>. VexTrio delivers scareware, dating scams, cryptocurrency scams, fake VPNs and ad blockers, among other types of fraud.<\/p>\n

VexTrio gained our attention because of their affiliation with major malware actors<\/a> and the seemingly ubiquitous presence of their TDS in the threat landscape. When we first reported<\/a> on the actor in 2022, their domains were seen in over 50% of our customer networks. In 2024, nearly 40 percent of all compromised websites<\/a> worldwide redirected to VexTrio\u2019s TDS and led victims to a wide array of scams. Hundreds of sites hosted in a single WordPress provider have been hacked simultaneously to route visitors to VexTrio. As of July 2025, domains that support their core infrastructure rank in the top 10,000 most popular in the world, despite concerted security industry efforts to hobble their operations.<\/p>\n

The Italian spammers that Tutor hoped would be sent to jail became part of what we know as VexTrio today. But the TDS technology was developed by a group from Eastern Europe. Until 2020, the Italians and Eastern Europeans appear to operate independently but then join forces and establish their headquarters in Lugano, Switzerland. The merger created a formidable suite of commercial entities that touch every part of the adtech industry. Relationships with black hats<\/a> cemented their dominance in malicious traffic distribution. In the last few years, many of the original Italians appear to have moved on to other ventures.<\/p>\n

So how did a few friends from Turin, Italy find themselves embroiled in a Russian-nexus cybercriminal organization with close ties to some of the most prolific website hackers in the world? It\u2019s a complicated and murky story. But internet history shows the Italian group wasn\u2019t innocent to start with: they were accused of spamming and scamming early on, using shell companies for cover and embroiled in lawsuits stemming from their spam. The group emerged around 2004 and was heavily invested in dating websites by 2009. They grew numerous adult brands, profiting from the growth of Facebook. Despite the accusations, their sites were enormously popular, and they garnered partnerships with multiple mobile providers. By 2015, this group\u2019s primary company, Tekka<\/a>, part of their holding company, Tekka Group<\/a>, was led by two childhood friends and projected an image of leaders in website innovation: \u201cTekka is young, Tekka is fast, Tekka is digital<\/a><\/em>.\u201d A move to Lugano and the addition of another Italian, Guilio Cerutti<\/a>, marked the kickoff of a new phase in their business<\/a>, as they rebranded and began creating a series of new micro-companies.<\/p>\n

The Eastern Europeans, many originally from Belarus and Russia, developed the TDS and related technology stack. They established companies in several countries, including Bulgaria, Moldova, Romania, and Estonia, before ending up in Prague, Czechia in 2015. Like the Italians, there are numerous micro-companies with complex relationships. Their affiliate advertising firm Los Pollos, part of AdsPro Group, was identified by Qurium<\/a> as the source of links distributed by the Russian disinformation actor Doppleganger. That discovery was made through analysis of a revealing YouTube video<\/a>. While AdsPro claims headquarters in Switzerland, many of its employees work in Eastern Europe, including Czechia, Bulgaria, Montenegro, and Moldova; see Figure 1. In addition to AdsPro and Los Pollos, several other adtech firms are central to VexTrio\u2019s operations, including Taco Loco and HolaCode.<\/p>\n

\"\"<\/p>\n

Figure 1. AdsPro office locations in July 2024 according to their website. Following public disclosure of AdsPro as part of VexTrio in December 2024, someone successfully had the company domains excluded from the Internet Archive project. Captured December 2024.<\/p>\n

Over the last decade, VexTrio became the darling of many famous, and many other not so famous, malicious actors who used Los Pollos so-called smartlinks to funnel victims to scams from compromised websites, spam, and poisoned search engine optimization (SEO) results. Surprisingly, in affiliate marketing forums, Los Pollos acknowledged that some of their traffic came from black (illegal) sources. In our research, we also found self-described black hat hackers who claimed to work for Los Pollos. This online material supports the results of our previous research<\/a>, showing that VexTrio has a long-term relationship with malware actors that drives their success in digital fraud.<\/p>\n

In 2024, Los Pollos claimed 200,000 affiliates and over 2 billion unique users every month. VexTrio, as a parent enterprise, maintained an infrastructure across the globe, some of it hidden in bulletproof hosting providers and other elements in cloud providers. They still used the hosting originally established by the Italians, leasing IP addresses for multiple autonomous systems (ASs) from the Lugano-based ISP C41<\/a> (InternetOne) (AS203639, AS5398 and AS6898). These Swiss IP ranges are still used for dating scam landing pages, while the TDS and spam operations are run from several other hosting providers around the world, often with bulletproof hosting providers. The crypto scams are run out of ISPs in Eastern Europe.<\/p>\n

Their many commercial entities are intertwined in ways that make traditional analysis difficult. For example, in Figure 2, Teknology, a VexTrio company created by the Italians, acts as a reference for Los Pollos, while several of the others listed as trusted brands are also owned by the actors. In some cases, they will present two companies as distinct, such as AdsPro and Apperito, but will have identical staff and claim ownership of the same \u201cprojects.\u201d They register companies with names that are difficult to distinguish from other legitimate entities. The business relationships are so convoluted that separating VexTrio from their independent partners is a daunting task. While we\u2019ve uncovered nearly a hundred firms created, and often dissolved, over the last two decades, we\u2019re certain we\u2019ve missed many.<\/p>\n

\"\"<\/p>\n

Figure 2. The Los Pollos website in May 2024, as recorded by archive.org, claimed 2 billion unique users. Several of the testimonial brands listed on the site, including Teknology, tacolo[.]co, and Adtrafico are part of VexTrio.<\/p>\n

That\u2019s the short version. What we know about VexTrio could cover hundreds of pages.<\/p>\n

But VexTrio is only one player in malicious adtech. From a strategic perspective, this industry facilitates a vast array of cybercrime and has taken root, largely unnoticed, in the last decade. This corner of the advertising world has relied on plausible deniability while raking in vast sums from scams, phishing, and malware. They advertise openly and have convoluted relationships with each other that make it difficult to find where one company, or group, ends and a partner begins. Hopefully, this work will inspire others to join in the hunt.<\/p>\n

For readability\u2019s sake, we have split this research into three parts. This first segment describes the VexTrio enterprise and key figures, the second will discuss their cybercrime activities, and the third investigates their technology stack and infrastructure. <\/em><\/p>\n

We have included numerous links to supporting evidence throughout this paper. All these hyperlinks were active in early July 2025. Names, domains, and companies may appear in this report only because of technical or business link to VexTrio; their mention alone does not mean they knew of or took part in any wrongdoing. Specific illegal activity claims are explicit and backed by cited evidence.<\/p>\n

Defining VexTrio<\/h3>\n

Before we get started, let\u2019s explain briefly how we got here. Infoblox Threat Intel has been tracking and chasing VexTrio since 2022. We\u2019ve published multiple papers on the threat actor and collaborated with various folks in the industry along the way to better understand how they fit into the threat landscape. In the fall of 2024, researchers at Qurium and Sucuri\/GoDaddy independently discovered that URL links that led to scams from the VexTrio TDS were owned by the commercial affiliate advertising company, Los Pollos. Qurium further connected<\/a> AdsPro, Teknology, TacoLoco, and Guilio Cerutti. Qurium further identified, but did not publish, several key individuals, and we started collaborating.<\/p>\n

Puzzle pieces began to fall into place. When we pulled the thread on the Los Pollos lead, we were able to unravel a complex network of companies and individuals that spanned many countries and years. We reported their domains to several providers and watched as tens of thousands of compromised websites that once directed traffic to VexTrio directed it elsewhere. We hinted at their misdeeds on LinkedIn, and they responded by pulling down material from websites and the Web Archive (archive.org), including that shown in Figure 1.<\/p>\n

Using material found on the open internet dating back over two decades, we\u2019ve spent thousands of hours assembling a picture that goes well beyond anything previously published. In total, the VexTrio enterprise includes nearly a hundred companies and brands. The scope of their activities includes malicious apps and large-scale spamming operations, and as we published a few months ago, they have a special relationship with numerous website hackers.<\/p>\n

In this three-part report, we\u2019ll introduce the people, the enabling technology, the companies, the hosting, and the activities of VexTrio, a name we use for both the actor and the TDS operations. VexTrio is the union of two independent groups; we use the term to encompass all the entities that the key figures are involved in because, as you\u2019ll learn, finding the dividing line between what is and isn\u2019t VexTrio is complicated. It is much cleaner to include all commercial links and all shared infrastructure into the name.<\/p>\n

VexTrio was first recognized as a distinct actor in 2022 but has been delivering scams through their advertising networks since 2015. We assume the reader knows something about the threat actor and their affiliation with other malicious actors of various sorts, particularly WordPress hackers. If you want more background, there are many publications available including:<\/p>\n