Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users
Infoblox researchers reported a long-running International Revenue Share Fraud (IRSF) campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and Traffic Distribution System (TDS) infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about 60 SMS messages to more than 50 destinations, costing roughly $30 or more per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including Azerbaijan, Egypt, and Myanmar, and has been linked to an affiliate of a European Click2SMS network using infrastructure hosted on AS15699, Adam Ecotech.
Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile SMS blaster, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe tens of thousands of phones connected to the rogue system, contributing to more than 13 million network disruptions that may have interfered with normal mobile access and even emergency services such as 911. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale smishing and mobile billing fraud.
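For defenders triaging suspect landing pages, the pre-filled SMS behaviour in the fake CAPTCHA campaign above can be checked for statically. The following is an added example, not code from Infoblox or from this page: it assumes the lure uses standard `sms:` URIs (the page does not state the exact mechanism), and the recipient threshold, function names and sample numbers are constructed for illustration.

```javascript
// Added example. Thresholds and the watched-prefix list are illustrative assumptions.
const WATCHED_PREFIXES = { '+994': 'Azerbaijan', '+20': 'Egypt', '+95': 'Myanmar' };
const MAX_RECIPIENTS = 3; // assumed: a legitimate "text us" link names one or two numbers

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // tolerate malformed %-escapes
}

// Parse sms:<num>[,<num>...][?body=<text>] (RFC 5724). Some handsets also accept
// '&' or ';' before the parameters, so all three separators are handled.
function parseSmsUri(uri) {
  const m = /^sms:([^?&;]*)(?:[?&;](.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = safeDecode(m[1]).split(',')
    .map((n) => n.replace(/[\s().-]/g, ''))
    .filter(Boolean);
  const body = new URLSearchParams(m[2] || '').get('body');
  return { recipients, body };
}

// Score one URI: a pre-filled body plus either a long recipient list or a watched
// destination is treated as suspicious; any single signal alone is not.
function assessSmsUri(uri) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return null;
  const destinations = new Set();
  for (const raw of parsed.recipients) {
    const n = raw.startsWith('00') ? '+' + raw.slice(2) : raw; // 00 = international prefix in many countries
    for (const [prefix, country] of Object.entries(WATCHED_PREFIXES)) {
      if (n.startsWith(prefix)) destinations.add(country);
    }
  }
  const many = parsed.recipients.length > MAX_RECIPIENTS;
  const suspicious = Boolean(parsed.body) && (many || destinations.size > 0);
  return { uri, ...parsed, destinations: [...destinations], many, suspicious };
}

// Pull every sms: URI out of page source (markup or inline script) and keep the suspicious ones.
function scanPage(source) {
  const uris = source.match(/\bsms:[^\s"'<>`]+/gi) || [];
  return uris.map(assessSmsUri).filter((a) => a && a.suspicious);
}

// Constructed sample page; the numbers are placeholders, not real subscribers.
const SAMPLE_PAGE = `
<a href="sms:+15555550100">Text support</a>
<a href="sms:+994000000001,+20000000002,+95000000003,+994000000004?body=VERIFY%201">I am not a robot</a>`;

console.log(scanPage(SAMPLE_PAGE));
```

The same scoring can run in a crawler or a mobile web filter; URIs assembled at runtime by obfuscated script will not appear in static source and need a rendered-page check instead.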

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Researchers attribute campaign to Click2SMS affiliate
Infoblox attributed the fake CAPTCHA IRSF activity to an affiliate of a European Click2SMS network and linked supporting infrastructure to AS15699, Adam Ecotech. This added actor attribution to the long-running fraud campaign.
Infoblox documents fake CAPTCHA IRSF campaign details
Infoblox publicly documented the fake CAPTCHA fraud operation, describing its use of typosquatted telecom domains, Traffic Distribution System redirects, back-button hijacking, and JavaScript that pre-fills SMS messages to high-fee international destinations. Researchers said a single victim interaction can trigger about 60 messages to more than 50 destinations, costing roughly $30 or more per session.
Police announce three arrests in Canada's first SMS blaster case
Canadian authorities disclosed that three men were arrested in what they described as the country's first criminal case involving a mobile SMS blaster. Police linked the devices to tens of thousands of phones and more than 13 million network disruptions, including possible interference with emergency services.
Toronto police arrest two suspects and seize SMS blasters
Police said they arrested two suspects in March in connection with Canada's first known criminal case involving a mobile SMS blaster. Investigators seized several SMS blasters and other electronic equipment tied to mass phishing texts and network disruption.
Infoblox observes 120+ Keitaro abuse campaigns
Infoblox reported that more than 120 malicious campaigns abusing the Keitaro traffic distribution system were active between October 2025 and January 2026. The campaigns supported malware delivery, cryptocurrency wallet-drainer activity, and AI-themed investment scams, expanding the scope beyond the fake CAPTCHA IRSF operation.
Toronto police begin SMS blaster investigation
Toronto Police Service began investigating in November after detecting a suspicious rogue device in downtown Toronto. Authorities later tracked the mobile SMS blaster across multiple locations in the Greater Toronto Area.
IRSF fake CAPTCHA SMS fraud campaign begins
Infoblox said a long-running International Revenue Share Fraud campaign using fake CAPTCHA pages has been active since at least June 2020. The scheme tricks mobile users into sending premium-rate international SMS messages through scam landing pages and redirect infrastructure.


