Cybersecurity researchers have uncovered a sprawling global network of over 15,500 malicious domains abusing Keitaro, a widely used advertising performance tracker, to cloak large‑scale scams and malware campaigns, many disguised as AI‑driven investment opportunities.
The findings come from a first‑of‑its‑kind joint study by Infoblox Threat Intel and Confiant, offering the most comprehensive look yet at how commercial marketing tools are being hijacked by threat actors.
According to the research, cybercriminals are exploiting Keitaro’s routing and traffic‑distribution capabilities to create a two‑layered web presence: benign content served to security scanners and regulators, and highly targeted scam pages served to real users. This tactic, known as cloaking, has rapidly become a cornerstone of modern cybercrime.
“We found Keitaro everywhere in malicious campaigns but the real story is the vast ecosystem enabling cybercriminals to scale attacks globally.”
— Dr. Renée Burton, Vice President, Infoblox Threat Intel
Over a four‑month period beginning October 1, 2025, investigators identified thousands of Keitaro-powered infrastructures funnelling victims into AI-branded investment scams, deepfake‑enhanced landing pages, and information‑stealing malware. Much of this traffic originated from compromised websites, spam campaigns, social media promotions and deceptive online ads.
The study notes a sharp rise in scams promising “Smart AI Trading Technology” or “Intelligent Trading Solutions,” many of which used generative AI to automatically produce headlines, visuals, testimonials and lure copy at scale.
Researchers also discovered widespread use of stolen or pirated Keitaro licenses, allowing cybercriminals to deploy sophisticated cloaking and traffic-filtering environments without building custom infrastructure. While Keitaro no longer supports cloaker integrations, its legacy flexibility and ease of deployment continue to make it attractive to both legitimate marketers and malicious actors.
The collaboration between Infoblox and Confiant provided two complementary vantage points: DNS‑based threat visibility and advertising‑supply‑chain intelligence. Together, these revealed a far larger, interconnected ecosystem than previously documented.
Today’s publication marks Part 1 of a three‑part series exploring Keitaro-enabled cybercrime, covering AI‑scaled lures and routing abuse. Future instalments will analyse additional fraud schemes and detail how coordinated vendor action can disrupt this growing threat landscape.
