Confiant and Infoblox: Keitaro Tracker Used in Fraud Campaigns

Cybersecurity companies Confiant (monitoring ~90 billion ad impressions per month) and Infoblox (monitoring DNS infrastructure) published the first systematic study of abuse involving the self-hosted advertising tracker Keitaro (developed by Apliteni), based on four months of data starting from October 2025.
Scale of Keitaro Abuse
The study covers a four-month period and highlights the widespread use of the Keitaro tracker in fraudulent campaigns.
Number of Domains and Traffic Sources
Researchers identified approximately 15,500 malicious domains, with around 9,000 registered specifically for these campaigns.
Traffic originated from programmatic advertising, spam, social media, and compromised websites.
Types of Threats
The majority of cases involve investment scams, including fake platforms and schemes designed to collect user data.
Use of AI in Fraud Campaigns
Threat actors actively use AI to generate landing pages, text content, creatives, and video materials.
Content and Languages
Content is produced at scale and most commonly appears in Russian and English.
Campaigns also include deepfake videos and fake news pages featuring fabricated quotes from public figures.
Investment Scam Scenarios
Websites promote so-called AI-powered trading platforms, promising high returns and automated trading.
These pages typically include forms to collect user data, after which victims are contacted by individuals posing as account managers.
Technical Setup Using Keitaro
The Keitaro tracker is used for cloaking and traffic routing based on device type, location, and other parameters.
User Redirection
Users are redirected to different pages, ranging from fake news websites to investment-focused landing pages.
Some users are routed to third-party advertising platforms or decoy pages.
Specific Campaigns and Groups
FaiKast
This campaign distributes deepfake videos featuring AI-generated news anchors through ad networks, including Bigo Ads.
Target regions include France, the United Kingdom, Canada, Japan, and Kazakhstan.
FishSteaks
This group imitates giveaways on behalf of well-known consumer brands, using gamified landing pages.
They rely on .ru domains and AI-generated content replacement during campaign launches.
Keitaro Developer Response
Since August 2025, researchers have reported to the developer more than 100 domains linked to fraudulent campaigns.
Account Bans and Violations
The company has blocked more than 12 accounts associated with abuse.
Some threat actors, including the TA2726 group, were found using unlicensed copies of the tracker.
Platform Policy
Keitaro’s licensing terms prohibit the use of the platform for misleading content.
Company representatives stated that they combine external abuse reports with internal monitoring.
Ongoing Evolution of Fraud Campaigns
Researchers note that threat actors rapidly rotate domains and creatives, making blocking efforts more difficult.
Keitaro remains a commonly used tool in such operations alongside other tracking solutions.