{"id":13063,"date":"2026-03-19T07:55:13","date_gmt":"2026-03-19T14:55:13","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13063"},"modified":"2026-03-19T13:01:23","modified_gmt":"2026-03-19T20:01:23","slug":"inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams\/","title":{"rendered":"Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams"},"content":{"rendered":"

Authors: Infoblox Threat Intel and Confiant<\/strong><\/p>\n

Executive Summary<\/h3>\n

Cloaking\u2014the act and art of hiding a website\u2019s true nature\u2014is a critical component of cybercriminal operations today. Threat actors use domain cloaking, implemented through traffic distribution systems (TDSs) and cloaking kits, to evade content restrictions in advertising, for precision targeting of victims for malware and scams, and to protect themselves from each other. Some actors develop their own TDS or purchase access to wholly criminal operations like BlackTDS, 404TDS, and ParrotTDS. But many avail themselves of commercially available software. After all, cybercrime is like any other economy: Why build when you can use highly sophisticated products developed by others?<\/p>\n

\"Keitaro<\/p>\n

Keitaro Tracker, sometimes referred to as Keitaro TDS, is an advertising performance tracking platform that has been frequently observed in malicious campaigns and abused by threat actors, though it certainly isn\u2019t the only commercial tracker used in this way. It has gained attention across the security community<\/a> because of its adoption by some of the most notorious criminal actors over the last decade. In the past few years, it has been a signature of TA2726, who uses Keitaro<\/strong><\/a> to deliver traffic to SocGholish (TA569) for their fake browser update campaigns. Website visitors who do not meet the targeting requirements for SocGholish are dumped out to other affiliate advertising platforms or fed decoy pages. Beyond TA2726, Keitaro has been reported in security literature dozens of times, most recently in spam campaigns using Jira<\/a> to target government entities.<\/p>\n

While it is \u201cwell known\u201d that Keitaro is abused by threat actors, there has never been a longitudinal study to understand the nature of this abuse. Infoblox and Confiant collaborated over the last six months to understand how threat actors use the tracker based on our complementary views of the environment. Confiant can see across the advertising chain, while Infoblox focuses on how threats appear in DNS, using spam and website content to inform our understanding of the landscape. We discovered early on that the Keitaro instances we observed in attacks showed little overlap, making a combined story not just more compelling, but vast.<\/p>\n

We examined four months of data starting October 1, 2025, to determine how much of that use was malicious. During this time, we detected thousands of instances of malicious Keitaro cloaking content ranging from investment scams to information stealers. Traffic to the instances was driven from compromised websites, spam, social media, and advertising. The level and persistence of abuse is quite staggering. Keitaro is a feature-rich, self-hosted tracker that can be spun up in a few minutes on multiple hosting platforms, likely making it attractive to use. We found approximately 15,500 domains actively used for malicious Keitaro instances during this time, with about 9,000 of those registered before their use. These were used in advertising campaigns seen by Confiant, but also included in spam emails, embedded in compromised websites, and linked through other traffic sources.<\/p>\n

Investment scams dominated the threats we saw. A recent trend in this type of scam is the use of AI as a central marketing hook: pages routinely claim “advanced AI” or “AI\u2011driven algorithms” that automate trading and promise outsized returns. Several actors also incorporate deepfake imagery or video to boost perceived credibility. We additionally observed indicators of programmatic use of generative AI to mass\u2011produce headlines, copy, and visuals that are deployed as lure pages and ad creatives.<\/p>\n

Aside from domain cloaking, Keitaro\u2019s conditional routing based on device characteristics allows operators to create complex traffic flows. We analyzed thousands of attack instances to characterize the flows used in these types of scams. Figure 1 summarizes the most common flows from geo + user agent cohorts to the languages used by the landing page. We can see that in these attacks, regardless of visitor location and device type, the final lure is shown in a limited number of languages, predominantly Russian and English. This might indicate targeting by the attacker or limited capabilities on their part. While many of the campaigns are global, there are notable threat actors, particularly ones observed by Confiant in the advertising ecosystem that specifically target the United States.<\/p>\n

\"Keitaro<\/p>\n

Figure 1. Keitaro traffic filters for AI-driven campaigns<\/p>\n

We also set out to determine how responsive Apliteni, the company that developed and sells Keitaro Tracker, was to abuse reporting. After all, Keitaro has been used by bad actors over such a long period of time, it begged the question of whether the company turned a blind eye to abuse: were they a bulletproof tracker, so to speak? Since August 2025, we have reported over a hundred domains. The company responded quickly and thoroughly to each of our requests. As a result, over a dozen threat actors\u2019 accounts were canceled. The Keitaro Tracker licensing terms<\/strong><\/a> prohibit, among other things, \u201cmisleading\u201d content. This allows the company to terminate an instance using a tracker for malicious cloaking purposes. In many cases, the domains we observed were not valid licenses. Through multiple exchanges based on the activity we saw and the customer information the Keitaro team held, we verified that TA2726 and other malware actors were using illicit copies of the tracker.<\/p>\n

While we took a deep dive into Keitaro Tracker, this multi-part publication is intended to highlight the depth and breadth of cloaking in the threat landscape. Other commercial trackers, like Binom, are also highly abused and this research is not intended to implicate Keitaro more than these others. Indeed, our collaboration with Keitaro led to new discoveries that would not have been possible otherwise. Hyrhorii, head of Trust and Safety, told us regarding this reporting, “At Keitaro, we are dedicated to maintaining a professional and secure environment for legitimate marketing. Our strategy is built on both reactive and proactive measures: while we promptly act on external abuse reports, we also invest heavily in internal monitoring to identify and neutralize malicious patterns before they can impact the ecosystem. The fact that actors ‘stay down’ after our intervention confirms that our approach is working. We value our collaboration with Infoblox, as proactive synergy between software vendors and cybersecurity experts is the only way to effectively protect industry reputation and user safety.<\/em>”<\/p>\n

This is the first of three blogs sharing the results of this study. The use of AI in illicit activity is growing, and campaigns fueled by Keitaro abuse are no different. In this blog we will report on the subset of threat actors who have leveraged AI in their campaigns, most of which were investment scams. The next blog will provide a survey of the many other subsets of actors both teams found. The final blog will dive into how cybercriminals have weaponized the features and functionalities of Keitaro\u2019s software for nefarious purposes, and discuss our collaboration with the vendor on abuse.<\/p>\n

While we are using real-world examples to tell the story\u2014this is not just another blog about AI or investment scams. The key takeaway here is that threat actors are using domain cloaking to drive an endless torrent of malicious content to users of all types, in all corners of the globe, and that Keitaro is one tool they commonly choose in these campaigns. While Apliteni can, and has, responded to abuse reporting, the sheer volume and diversity of the threats, not to mention the ingenuity and license theft, makes these technologies a persistent, underreported challenge for defenders.<\/p>\n

Confiant secures the digital advertising supply chain and protects many major advertising exchanges, platforms, and publishers. Their visibility of close to 90 billion ad impressions a month on publisher sites is derived from thousands of client-side integrations that block malvertising attacks. This product suite also collects telemetry on threat activity seen in the wild and serves to complement the view Infoblox Threat Intel has via DNS, spam, and website scans.<\/p>\n

Investment Scams and AI<\/h3>\n

The largest category of threats we have identified abusing Keitaro services is investment scams. While both Infoblox and Confiant found this type of fraud to dominate our detections, the threat actors we see are different due to our visibility and focus. In a previously published blog<\/strong><\/a>, Infoblox highlighted the recurring tactics, techniques, and procedures (TTPs) that define these operations, and those patterns remain consistent:<\/p>\n