{"id":12121,"date":"2025-08-12T07:58:55","date_gmt":"2025-08-12T14:58:55","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=12121"},"modified":"2025-10-03T04:37:02","modified_gmt":"2025-10-03T11:37:02","slug":"vextrio-unmasked-a-legacy-of-spam-and-homegrown-scams","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/vextrio-unmasked-a-legacy-of-spam-and-homegrown-scams\/","title":{"rendered":"VexTrio Unmasked: A Legacy of Spam and Homegrown Scams"},"content":{"rendered":"
\n

This is the second in a three-part, in-depth report covering nearly a year of research into VexTrio. To learn more about the people and entities involved, see the first part here<\/strong><\/a>. To learn about VexTrio\u2019s infrastructure and technology stack, see here. VexTrio domains and references from this research can be found in our GitHub repository<\/strong><\/a>.<\/em><\/p>\n<\/blockquote>\n

VexTrio<\/strong><\/a> is a cybercriminal organization with tendrils that are far-reaching. But at the core of their operations are scams and spam. As we described in the first part of this research, key figures in VexTrio have been involved in fraudulent activity<\/strong><\/a> since at least 2004. Images of VexTrio\u2019s fake CAPTCHA robots have been included in a multitude of reports about fraudulent activities for years. Their affiliate networks offer so-called smartlinks in many verticals, including dating<\/strong><\/a>, crypto, and sweepstakes. These links hide (\u201ccloak\u201d) the landing page and hinder analysis by security teams. They are embedded into compromised websites<\/strong><\/a>, Instagram messages<\/strong><\/a>, Facebook<\/strong><\/a>, and even email security tools<\/strong><\/a>. Regardless of the starting point, the final landing pages are all scams, both in our experience<\/strong><\/a> and as widely reported by others in the industry.<\/p>\n

\"The<\/p>\n

The infamous VexTrio robot<\/p>\n

While the fact that the VexTrio traffic distribution systems (TDS) deliver scams is wellknown, it is not widely known that most of the time VexTrio is delivering their own scam content, rather than that of independent advertisers. As a result, they benefit in multiple ways from embedding their smartlinks in compromised websites and social media. Fraudulent sites include a wide range of marketing verticals, most prevalently dating and cryptocurrency. Many affiliate networks will cite abuse when advertisers deliver malicious content to users, but VexTrio will have difficulty making this claim. There is substantial evidence that demonstrates that they control the landing pages.<\/p>\n

VexTrio also offers fake VPNs, ad blockers, and other apps. Available in Google Play and the App Store, as well as via direct download sites, the apps have been downloaded over a million times in aggregate over several years. They show incessant ads to users, bind them into subscription contracts that are difficult to cancel, and convince them to reveal personal information like email addresses.<\/p>\n

But this software also reveals the murky line between VexTrio and their business partners. Apps created by VexTrio appear to be identical to those offered by two of their advertisers based in Prague, and they share hosting with VexTrio\u2019s development group, HolaCode. These overlaps raise questions about the relationship between VexTrio and VexTrio advertisers. Just how distinct are they? Beyond the shared code, there is a personal link: a founder of one of the companies, Techintrade, was also previously a managing director at VexTrio\u2019s AdsPro Group. If the software and hosting of Technitrade apps are identical to those of AdsPro and the second firm, Oilimpex, how does this company relate to VexTrio? We aren\u2019t sure, but it does hint at the potential that the full extent of the VexTrio enterprise is even larger than we know.<\/p>\n

Another pillar of their enterprise is spam, which they use in a vicious cycle with their scam operations. They blatantly copy major direct email marketing (DEM) companies, like SendGrid<\/strong><\/a>, and use generic terms, like Fidelity Mail<\/strong><\/a> to avoid detection. Try searching sendgrid[.]rest<\/span> in a search engine and see for yourself. Fidelity Mail claims to give their customers access to over 220 million verified email addresses. Where do they get those email addresses? Based on our personal experience, they come from their fraudulent sites and apps. A victim\u2019s journey includes numerous requests for email addresses to win a free gift card, join a dating app, or recover some lost cryptocurrency. Entering an email is often an action in their cost-per-action affiliate marketing model. <\/p>\n

In spite of the number of email marketing companies they own, VexTrio\u2019s domain name system (DNS) records lack diversity, tying email distribution<\/strong><\/a> domains to their very own TacoLoco. We used DNS records and our own spam collection to analyze how their spam and scam operations tie together. Of note, we found that in addition to their own mail servers, VexTrio is contracting with third parties like YNOT Mail for spam distribution. We will show how the domain datingcell[.]com was used in dating-themed spam. Buttons that are included in the email allow YNOT Mail to track clicks, which when pressed will lead users to VexTrio fake dating sites. VexTrio\u2019s scams feed their spam, and their spam feeds their scams.<\/p>\n

Besides classic spam and scam operations, the key figures are involved in dozens of other businesses, primarily micro-companies. Many of these have little connection to the advertising industry. Some of them are quite puzzling to us, and we\u2019ll provide some examples in this blog. For example, one of the firms is connected to a promised \u20ac1 billion investment in Bulgaria to provide solar energy by a German manufacturing group. How does a businessman from the adult industry become the head of such a large national endeavor? We don\u2019t know, but it certainly shows that it pays being in the malicious adtech industry.<\/p>\n

We have included numerous links to supporting evidence throughout this paper. All these hyperlinks were active in early July 2025. Names, domains, and companies may appear in this report only because of technical or business link to VexTrio; their mention alone does not mean they knew of or took part in any wrongdoing. Specific illegal activity claims are explicit and backed by cited evidence.<\/em><\/p>\n

Scam Sites<\/h3>\n

The scams promoted through VexTrio smartlinks have been covered numerous times over the years (like here<\/strong><\/a> and here<\/strong><\/a> and here<\/strong><\/a> and here<\/strong><\/a>), but what isn\u2019t widely known is that they also create the majority of the content they deliver. Thus VexTrio benefits twice when publishing affiliates distribute their smartlinks. The affiliate networks (Los Pollos, Adtrafico, TacoLoco) offer several verticals, including dating, adult-only, sweepstakes, nutra industry vertical, and crypto-related advertisements\u2014and they offer scams for each of these verticals. See Figure 1 for a sample of the many landing pages that we have confirmed are controlled by VexTrio. <\/p>\n

\"Figure<\/p>\n

Figure 1. A collage of scam landing pages related to VexTrio\u2019s cryptocurrency, investment, sweepstake, and antivirus scam verticals<\/p>\n

The dating verticals are the most popular. VexTrio\u2019s firm Teknology owns trademarks for some of their dating sites, including OneDate. While their dating and hookup sites claim to connect customers to real people, they are widely reported as scams. Reviews<\/strong><\/a> of many VexTrio sites state that they require subscriptions that are difficult to cancel, the profiles are not real people, and the central part of the service is a fake chat scam. In these fake chats, users are charged excessive amounts to send messages, but without the possibility of meeting someone in real life. We have interacted with their sites<\/strong><\/a> and created accounts<\/strong><\/a> dozens of times. Even when their sites put up control questions, such as \u201cAre you 18?\u201d, you will be allowed into the content and a constant stream of connection requests from fake profiles will begin. Besides their trademarked brands, several other brands have long been associated with Tekka\/Teknology, including OnlyOne, which can be seen hosted in their dedicated Swiss IP<\/strong><\/a> range, as well as hidden in Cloudflare<\/strong><\/a>.<\/p>\n

Trademark ownership is one way to connect VexTrio directly to the scam sites, but there is other evidence as well. Based on the volume of DNS queries and observed redirection chains, the VexTrio TDS delivers content more often from their own hosting, for example, AS5368, than external partners, such as PropellerAds and Traffic Partners, which are listed on their website<\/strong><\/a>. Through the use of smartlinks, VexTrio determines what gets shown<\/strong><\/a> to end users and the DNS query volumes indicate that favor themselves.<\/p>\n

The evidence that the landing pages belong to VexTrio includes unique web artifacts<\/strong><\/a> employed by no other entity. More decisively, TDS servers we have linked to VexTrio are hosting the scam toolkits directly. When delivering these scams to victims, those TDS servers use the following URL patterns:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
URL<\/th>\nVertical<\/th>\n<\/tr>\n<\/thead>\n
hXXps[:]\/\/fastminingpro[.]com\/payouts\/<\/td>\nCryptocurrency Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/bit-wagifouzolu[.]top\/transfers\/<\/td>\nCryptocurrency Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/base-fastbitco[.]top\/threads\/transfers?u=d4w264<\/td>\nCryptocurrency Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/cryptoprofit[.]life\/?u=fmkpte4&o=m45kwzr&t=html<\/td>\nInvestment Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/www[.]pattern-trader[.]net\/lp?k=acf93&i=25e7&utm=941d7b3f-1ca7-470b-8ccd-641a056c15d4<\/td>\nInvestment Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/place-more-prizes[.]life\/?u=m5uwwwl&o=frcpbz7&t={affiliate_id}&cid={transaction_id}<\/td>\nDating Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/defendyourpc[.]com\/shield\/norton_global_2_new\/?lpkey=17de31083311094c36<\/td>\nAntivirus Scam<\/td>\n<\/tr>\n
hXXps[:]\/\/multipleprofit-now[.]life\/?u=30wweky&o=pvkptz3&t=CryptoSingnetSG<\/td>\nSweepstakes Scam<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

VexTrio landing pages infringe on high-profile brands, such as Tinder and PornHub, and use images from high-profile public figures. Previous cryptocurrency and investment campaigns have appropriated the brands of famous YouTube celebrity MrBeast, President Donald Trump, billionaire Elon Musk, and even the Cybersecurity and Infrastructure Security Agency (CISA)<\/strong><\/a>. Figure 2 shows how VexTrio blatantly pirates celebrity trademarks to deceive users into participating in its cryptocurrency scams.<\/p>\n

\"Figure<\/p>\n

Figure 2. VexTrio blatantly infringes on the trademarks of MrBeast, President Trump, and Elon Musk to deceive users into participating in its cryptocurrency scams.<\/p>\n

Scam Apps<\/h3>\n

In addition to their direct scams and push notifications, VexTrio has developed malicious apps<\/strong><\/a> over the last several years, including VPNs, device \u201cmonitoring\u201d apps, spam blocker<\/strong><\/a> apps, and dating apps. They released apps under several developer names, including HolaCode, LocoMind<\/strong><\/a>, Hugmi, Klover Group, and AlphaScale Media<\/strong><\/a>. Available in Google Play and the App Store, these have been downloaded millions of times in aggregate. High ratings for the apps hide the true nature of the software, and it is only in the one- and two-star reviews that it becomes clear that they are scams.<\/p>\n

Dating apps like Hugmi<\/strong><\/a> and Cheri<\/strong><\/a> have been downloaded over a million times each on the Google Play store, despite reviews that reveal their scam nature. Like many scam chat apps, these require users to buy coins to send text messages, while also forcing users to watch ads. These apps were originally released by LocoMind<\/strong><\/a> but the developer information was changed to MateyX sometime in 2024. WinkChat, an app released by VexTrio group AlphaScale Media GmbH is ranked 158th in the Apple Store\u2019s social networking category. Reviews for all of these<\/strong><\/a> include comments about bot accounts and incessant advertising. A TikTok review<\/strong><\/a> of dating app similar to those offered by VexTrio describes the full scam.<\/p>\n

These apps can be tied to the VexTrio enterprise in multiple ways, such as through developer information, which often lists one of the shell companies, and through DNS records. Figure 3 shows that the IP address 136[.]243[.]216[.]249 was used simultaneously to host HolaCode, AdsPro Digital, Los Pollos, and multiple scam apps. Late into our investigation, we discovered in-depth research by Cyjax<\/strong><\/a> that also demonstrated the link between HolaCode and several scam apps. <\/p>\n

\"Figure<\/p>\n

Figure 3. DNS records show that VexTrio domains are resolving at the same dedicated IP address as scam apps. Captured June 2025.<\/p>\n

Let\u2019s take a look at one of VexTrio\u2019s adblock scam apps: Spam Shield<\/strong><\/a>. It\u2019s been available on Google Play<\/strong><\/a> since 2021, and claims to be a spam blocker for push notifications. In July 2025, the app\u2019s Google Play page urged \u201cJust give us permission and you won\u2019t see any spam or unwanted notifications. Trust us \u2013 we only want to protect you, your data is safe!\u201d The variant shown in Figure 4 had garnered over 100,000 downloads in December 2024. The real deal? While it claims to eliminate threats, this app simply turns off browser notifications. Spam Shield displays a fake monitor showing notifications and spam email that it has blocked. After 24 hours, the user is forced to pay for a subscription ($6.99 per month in December 2024) to continue service.<\/p>\n

\n\"Figure
\n\"Figure\n<\/div>\n

Figure 4. Google Play page for the Spam Shield app listed as developed by HolaCode in December 2024 and ApLabz in early 2025. This app is uniquely identified as com.spam.shield.spamblocker.notificationhistory. The Spam Shield privacy policy as of June 2025 still says HolaCode.<\/p>\n

The scam apps often have an accompanying website; we show Spam Shield\u2019s in Figure 5. This page links the domain to Media Alliance s.r.o., another VexTrio company.<\/p>\n

\"Figure<\/p>\n

Figure 5. Spam Shield website links the app to the company Media Alliance s.r.o. Captured September 2024.<\/p>\n

The VexTrio VPN apps are residential proxies. Everyone in the security community will cringe and sigh at that news. Not surprisingly, these \u201cVPNs\u201d have been reported for questionable privacy<\/strong><\/a>. Figure 6 shows one example, Fast VPN<\/strong><\/a>, which was released in 2021 by LocoMind to Google Play. An app with the same name was also released on the App Store<\/strong><\/a> under the developer name Alpha Scale Media and with the site eugene-ios-mvp[.]apperito[.]dev<\/span>; see Figure 7. Both Alpha Scale Media and Apperito are known VexTrio companies. VexTrio is frequently changing their developer information while forgetting to clean up the details. The terms and conditions<\/strong><\/a> of Fast VPN as of July 2025 refers to Ads Guardian rather than the VPN.<\/p>\n

\"Figure<\/p>\n

Figure 6. Information about Fast VPN shows that it was developed by LocoMind, a VexTrio entity. In the App Store, the developer is listed as Alpha Scale Media.<\/p>\n

\"Figure<\/p>\n

Figure 7. Fast VPN advertised<\/strong><\/a> on the App Store by Alphascale Media GmbH as of July 2025.<\/p>\n

The app ID name for Fast VPN includes the phrase \u201cturbovpn\u201d, a well-known commercial VPN. Wouldn\u2019t you think that an app with the ID com.vpn.proxy.secure.wifi.turbovpn would be related to the extremely popular Turbo VPN? Presumably, confusion is the goal. And as far as we know, there is no relationship between the Turbo VPN and any of the fake VPNs offered by VexTrio. This is consistent with VexTrio\u2019s tactic of choosing product and company names that overlap with legitimate ones.<\/p>\n

VexTrio and their advertising partners sometimes appear to have a shared codebase. For example, VexTrio\u2019s Spam Shield<\/strong><\/a> is almost identical to several other \u201cspam blockers\u201d available on Google Play. Figure 8 shows a comparison of the Spam Shield interface with that of Spam Lock<\/strong><\/a>. The screenshot from Spam Shield is taken from one of our personal devices in January 2025, while the screenshot of Spam Lock was taken from Google Play. But Spam Lock is not the only twin app to Spam Shield; there are many others, purportedly by different developers. For example, we\u2019ve seen nearly identical apps cited in Japanese<\/a> reporting on scareware apps.<\/p>\n

\n\"Figure
\n\"Figure\n<\/div>\n

Figure 8. The main screen of the VexTrio scam app Spam Shield in comparison to the Spam Lock scam app by VexTrio advertising partner, Techintrade. The screenshot on the left came from a personal device in January 2025. On the right, is the Google Play image captured June 2025.<\/p>\n

Spam Lock is supposedly developed by DevTapX<\/strong><\/a>, who is also listed as the developers of another nearly identical app, True Blocker<\/strong><\/a>. But wait, there\u2019s more! The terms and conditions for True Blocker are nearly identical to those of another app, Spam Guard<\/strong><\/a>; see Figure 9. In early January 2025, these pages included the addresses of the responsible parties, and linked the apps to Techintrade s.r.o.<\/strong><\/a> and OILIMPEX s.r.o.<\/strong><\/a>, two entities with Prague addresses and connections in Cypress. Searching in Google Play and the App Store will reveal many more almost identical scam apps.<\/p>\n

\n\"Figure
\n\"Figure\n<\/div>\n

Figure 9. VexTrio advertising partners Techintrade<\/strong><\/a> and OILIMPEX offer scam apps that have identical terms of service structure. The apps True Blocker and Spam Guard are remarkably similar to VexTrio\u2019s own Spam Shield. Captured January 2025. As of July 2025, both websites have been altered to remove company references.<\/p>\n

Techintrade, spol s.r.o.<\/strong><\/a> and VexTrio appear to have a relationship that goes well beyond one of customer and provider. Aside from the shared software, in the registration documents<\/strong><\/a> for Techintrade filed in 2000, the Belarussian Katsiaryna Torapava<\/strong><\/a> (b. 1971) is listed as one of the founders. In 2019, Igor Voronin and Andrew Kunitsa assigned Katerina Toropova as a director for AdsPro Group; see Figure 10. While the spellings are different, the birth dates are the same. In 2024, Techintrade appears to have claimed no income<\/strong><\/a> in online marketing.<\/p>\n

\"Figure<\/p>\n

Figure 10. An extract of a 2019 record in which Andrew Kunitsa and Igor Vornin name Katerinu Toropovou<\/strong><\/a> (nominative Katerina Toropovo), as managing director of AdsPro Group. This is the same birthdate and near-identical name to one of the founders of Techintrade s.r.o. <\/p>\n

OILIMPEX was founded<\/strong><\/a> in 2002 by Dmitri Pachenko (b. 1962), also from Belarus. He later registered Overdrive Systems<\/strong><\/a> in 1999. But, beyond seemingly sharing software with OILIMPEX and VexTrio, we don\u2019t know much about Pachenko or the company. The financial records are available<\/strong><\/a> on the Czechia government website. <\/p>\n

Finally, these two companies are included as hostnames in DNS records of holacode[.]tech. The domains vm-oilimpex.holacode[.]tech<\/span> and vm-technitrade.holacode[.]tech<\/span> resolve to 185[.]155 [.]186 [.]134<\/span>, a dedicated VexTrio IP address as of mid-July 2025. While the exact nature of their relationship isn\u2019t known, it appears close in nature!<\/p>\n

Spam<\/h3>\n

Los Pollos insists that it does not work with affiliates who drive web traffic through spam emails, and its website prominently<\/strong><\/a> states a zero-tolerance policy. Yet behind the scenes, VexTrio is a major spam distributor that reaches out to millions of potential victims. DNS records reveal that VexTrio uses lookalike domains of globally renowned mail services. Most notably SendGrid<\/strong><\/a>, with sendgrid[.]rest<\/span>, and MailGun<\/strong><\/a>, with mailgun[.]fun<\/span>. We don\u2019t know if these companies have any financial relationship with VexTrio entities or whether they are aware of the infringement. These two domains have mail-related DNS TXT records providing the domains\u2019 sender policy framework (SPF) policy <\/p>\n

v=spf1 a mx ip4:78[.]47.103.187 ~all<\/span><\/p>\n

which authorizes 78 [.] 47 [.] 103 [.] 187<\/span> to be the sole email distributor for the domain. <\/p>\n

The DNS PTR record for this IP address is mail[.]holaco[.]de<\/span> as of July 2025. Hola Code<\/strong><\/a> is the VexTrio entity responsible for the software development behind their many commercial services. In addition, numerous other VexTrio domains are also connected to the mail server at this IP address.<\/p>\n

While we focus on DNS, we also collect and analyze spam. Our database contains many emails featuring links to TDS domains operated by VexTrio. Distributed from a variety of mail servers, these messages originate from both VexTrio entities and their affiliates. Among them are several domains that were used both in the links as well as the email address that sent the email. Those domains were configured with the DNS TXT record<\/p>\n

v=spf1 include:_spf.smtp.com include:_spf.ynotmail.com ~all<\/span><\/p>\n

This SPF record is recursive and might be tricky to understand. It tells receiving mail servers that any IP address matching the mechanisms defined in the SPF records at _spf.smtp.com<\/span> or _spf.ynotmail.com<\/span> is authorized to send emails on behalf of the domain. So, the receiving server has to then check the SPF records for those delegated domains. The TXT record for _spf.ynotmail.com<\/span> was recently set to include several large IP ranges, but that\u2019s not particularly important for this story. The important point is that domains that are definitively owned by VexTrio, for example, datingcell[.]com<\/span>, have used a service to deliver mail on their behalf. <\/p>\n

YNOT Mail<\/strong><\/a> is a commercial, subscription-based paid email marketing platform, and we suspect that VexTrio contracts (or contracted) with YNOT Mail for additional mail delivery beyond their own mail servers. To our knowledge, YNOT Mail is not part of VexTrio but merely a conduit to further their spam campaigns.<\/p>\n

The domains with the YNOT Mail SPF record include: <\/p>\n