Malik Haidar has spent years inside multinational environments tracing how telecom fraud and web‑scale scams turn clicks into cash. In this conversation, he breaks down a fake multi‑step CAPTCHA that silently triggers international SMS, the way cookies and back‑button hijacking filter and trap users, and how traffic distribution systems like Keitaro are repurposed to cloak wallet‑drainer and investment schemes. We cover the full money trail behind international revenue share fraud, patterns across 17 countries, and the analytics that let defenders turn hundreds of thousands of DNS queries and tens of thousands of domains into precise detections. He also shares practical countermeasures for carriers, browser vendors, and enterprise admins, and closes with a forecast on IRSF and TDS‑enabled abuse over the next two years.
How does the fake multi‑step CAPTCHA trick people into sending international SMS messages, and what specific UI cues or wording make it convincing? Can you walk through the exact flow from the first prompt to the final charge, with examples of messages and numbers involved?
The flow looks familiar on purpose: clean CAPTCHA styling, a progress indicator like “Step 1 of 4,” and reassuring microcopy such as “Send a quick verification text to confirm you are human.” The page programmatically opens the default SMS app with a pre‑filled recipient list and message body, so to the user it feels like a normal verification step. Across the four steps, victims end up sending as many as 60 SMS messages to 15 unique international numbers, and the content increments with each stage—short strings like “verify 1/4,” then “verify 2/4,” to suggest progress. Each message is preconfigured with over a dozen recipients, so one tap isn’t one text; it’s blasts to over 50 destinations spanning 17 countries. By the end of the sequence, users may see about $30 added to their bill, but because charges can be delayed by weeks, the moment of “verification” is forgotten and rarely linked to the expense.
In cases where 60 messages are sent to 15 numbers, potentially costing around , what user behaviors most often lead to full completion of the flow? What friction points have you seen that successfully break the chain, and how can they be amplified?
Completion correlates with urgency and habituation—users arriving from social ads or popups are primed to blaze through four steps without scrutinizing the recipients. They’re also conditioned to accept multi‑step checks, so a “4‑step” ribbon lowers suspicion. Friction that works includes any extra tap inside the SMS app, such as surfacing the full recipient list or requiring an explicit multi‑recipient confirmation; when users glimpse dozens of international numbers, they balk. Amplify that by adding carrier‑level prompts for international SMS, enterprise MDM policies that block multi‑recipient pre‑fills, and browser UI cues that flag when a site tries to launch the SMS app multiple times in a session.
What role do cookies and values like “successRate” play in deciding who advances through the verification steps? Can you describe how audience filtering works in practice and share any indicators analysts can look for in HTTP traffic or dev tools?
Cookies are the gatekeepers. A value like “successRate” accumulates per‑step outcomes—if it crosses a threshold, the user sees the next SMS prompt; if not, they’re diverted to a completely different CAPTCHA in the operator’s rotation. It’s classic audience shaping: higher‑quality traffic is shepherded into the monetized IRSF funnel, while the rest is parked or resold. In HTTP, look for short‑TTL cookies set on each step, conditional 302/307 redirects keyed to cookie values, and JavaScript calls that write progress state before invoking sms: links. In dev tools, watch for rapid DOM rewrites tied to navigation events and a branching map of endpoints that only appear after specific cookie states are met.
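The HTTP indicators described in that answer (short-TTL cookies set on each step, and redirects whose target depends on the cookie value) can be checked mechanically over captured traffic. The following Python is an added example written for this page, not code from the interview or from any product Malik Haidar discusses; it runs over a small set of constructed HAR-style request/response entries (hostnames, cookie names and the 600-second "short TTL" threshold are assumptions) and flags a host only when both tells are present together:

```python
from collections import defaultdict
from urllib.parse import urlsplit

SHORT_TTL_SECONDS = 600  # assumption: a cookie living under 10 minutes counts as "short-TTL"

# Constructed HAR-style entries (not captured data): one dict per request/response pair.
ENTRIES = [
    {"url": "https://tds.example.invalid/step", "status": 200, "req_cookies": "",
     "set_cookie": ["successRate=1; Max-Age=300; Path=/"], "location": None},
    {"url": "https://tds.example.invalid/step", "status": 302, "req_cookies": "successRate=1",
     "set_cookie": ["successRate=2; Max-Age=300; Path=/"], "location": "https://tds.example.invalid/verify2"},
    {"url": "https://tds.example.invalid/step", "status": 307, "req_cookies": "successRate=2",
     "set_cookie": ["successRate=3; Max-Age=300; Path=/"], "location": "https://tds.example.invalid/verify3"},
    {"url": "https://tds.example.invalid/step", "status": 302, "req_cookies": "successRate=0",
     "set_cookie": [], "location": "https://decoy.example.invalid/captcha"},
    # An ordinary shop: a long-lived session cookie and a redirect that does not branch on it.
    {"url": "https://shop.example.invalid/cart", "status": 302, "req_cookies": "session=abc",
     "set_cookie": ["session=abc; Max-Age=86400"], "location": "https://shop.example.invalid/checkout"},
]


def parse_set_cookie(header):
    """Return (name, value, max_age_seconds_or_None) from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    return name, value, max_age


def parse_cookie_header(header):
    """Turn a request Cookie header into a {name: value} dict."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def analyze_entries(entries, short_ttl=SHORT_TTL_SECONDS):
    """Per host: which cookies are short-lived, and which redirects branch on a cookie value."""
    short_ttl_cookies = defaultdict(set)
    # (host, url) -> cookie name -> cookie value -> redirect target observed with that value
    branches = defaultdict(lambda: defaultdict(dict))
    for e in entries:
        host = urlsplit(e["url"]).hostname
        for sc in e["set_cookie"]:
            name, _, max_age = parse_set_cookie(sc)
            if max_age is not None and max_age <= short_ttl:
                short_ttl_cookies[host].add(name)
        if e["status"] in (301, 302, 303, 307, 308) and e["location"]:
            for name, value in parse_cookie_header(e["req_cookies"]).items():
                branches[(host, e["url"])][name][value] = e["location"]

    findings = {}
    hosts = set(short_ttl_cookies) | {h for h, _ in branches}
    for host in hosts:
        keyed = []
        for (h, url), cookie_map in branches.items():
            if h != host:
                continue
            for name, by_value in cookie_map.items():
                # Same URL, different cookie values, different destinations: a cookie-keyed redirect.
                if len(by_value) >= 2 and len(set(by_value.values())) >= 2:
                    keyed.append({"url": url, "cookie": name, "branches": dict(by_value)})
        verdict = "suspicious" if short_ttl_cookies[host] and keyed else "clean"
        findings[host] = {"short_ttl_cookies": sorted(short_ttl_cookies[host]),
                          "keyed_redirects": keyed, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, f in analyze_entries(ENTRIES).items():
        print(host, f["verdict"], f["short_ttl_cookies"], [k["cookie"] for k in f["keyed_redirects"]])
```

Requiring both signals keeps ordinary adtech (long-lived session cookies, redirects that do not fork on a cookie value) out of the result set; in a real proxy log the same two dictionaries can be built from the `Set-Cookie`, `Cookie` and `Location` headers directly.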
Back button hijacking traps users in a loop. How is browser history manipulated under the hood, and which browsers or mobile contexts are most susceptible? What specific countermeasures can developers, browser vendors, and EMM admins deploy to neutralize this tactic?
The trick is pushState/replaceState abuse: the page floods the history stack or swaps entries so the “back” event lands you on the same URL or a clone with identical state. On mobile, lightweight browsers and in‑app webviews are especially prone because their back affordances map 1:1 to history without extra safeguards. Developers can mitigate by refusing to run navigation‑loop scripts in iframes and detecting repetitive state changes. Browser vendors should cap sequential history mutations per tick and surface a “Return to previous site?” interstitial when loops are detected. EMM admins can force enterprise webviews that disable history API manipulation and set policies that require a hard “Close tab” affordance to escape loops.
International revenue share fraud relies on IPRN ranges and termination fees. Can you map the money flow from the first SMS to the final payout, including inter‑carrier settlements? Where are the most effective choke points for detection, auditing, or clawbacks?
The first SMS leaves the user’s device and hits the originating carrier, which bills an international SMS and passes a termination fee to the destination network. The destination network shares a portion with the IPRN range holder, who splits with the fraud operator. Multiply that by sequences of up to 60 SMS across 15 numbers and you get meaningful aggregate revenue, even if a single victim pays roughly $30. Choke points include: near‑real‑time rating of international SMS bursts to known high‑fee ranges; anomaly scoring on short windows of multi‑recipient sends; and post‑settlement audits comparing CDRs against TDS referral logs. Carriers can also escrow settlements for ranges implicated in spikes spanning 17 countries until dispute windows close.
Numbers have been observed across multiple countries, including places with high termination fees or lax oversight such as Azerbaijan and Kazakhstan. What patterns in numbering plans or carrier agreements signal elevated risk, and how should telecoms prioritize monitoring and proactive blocks?
High‑risk signals include clusters of freshly activated international numbers across multiple countries that suddenly receive inbound SMS at a rate inconsistent with organic traffic. Premium‑rate segments in European plans and ranges tied to roaming partners with opaque dispute processes are also red flags. When you see dozens of destinations per message and distribution over 17 countries, that dispersion pattern itself is a hallmark of IRSF load balancing. Prioritize monitoring for ranges with repeated short‑duration spikes, require pre‑clearance for new international SMS routes with elevated termination fees, and implement adaptive blocks that trigger when a single subscriber is nudged to contact over a dozen international numbers in minutes.
When billing is delayed by weeks, complaints often surface long after the event. What forensic steps should carriers and enterprises take to reconstruct the fraud path, and what logs, call detail records, or mobile telemetry are most probative?
Start with CDRs that show timestamped international SMS to 15 unique numbers within a narrow timeframe; that cadence maps back to the four‑step CAPTCHA chain. Correlate with DNS resolution logs that touched TDS‑related domains during the same session—campaigns have driven hundreds of thousands of DNS queries across tens of thousands of domains, which leaves a trail. On device, scrape browser history entries with repeated back/forward sequences and check SMS app telemetry for pre‑filled drafts created by external intents. Finally, pull carrier billing records to confirm delayed rating windows and tie them to the original session using cell‑site and IP metadata.
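The CDR cadence described here (15 unique international numbers, repeated over four rounds, inside a narrow timeframe) and the DNS correlation step can be turned into a concrete detector. The Python below is an added example for this page, not code from the interview or from any carrier tooling; the window size, thresholds, subscriber ids, placeholder MSISDNs, country codes and the TDS watchlist are all constructed assumptions. It serves the earlier answers on choke points and numbering-plan risk as well, since the same sliding-window scan produces the burst and dispersion counts those answers rely on:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the interview): an alert needs this many distinct
# international destinations and countries inside one sliding window.
WINDOW = timedelta(minutes=10)
MIN_UNIQUE_DESTINATIONS = 10
MIN_COUNTRIES = 5
DNS_SLACK = timedelta(minutes=5)   # DNS lookups this long before/after the burst still count

# Constructed sample: SUB-A reproduces the four-round, 15-number cadence;
# SUB-B sends a few ordinary domestic texts. Numbers and country codes are placeholders.
COUNTRIES = ["AZ", "KZ", "LV", "LT", "EE"]


def build_sample_cdrs():
    base = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    for step in range(4):
        for i in range(15):
            rows.append({"subscriber": "SUB-A",
                         "ts": base + timedelta(seconds=step * 60 + i * 3),
                         "dest": f"+{900 + i}00000{i:02d}",      # placeholder MSISDN
                         "country": COUNTRIES[i % len(COUNTRIES)],
                         "international": True})
    for i in range(3):
        rows.append({"subscriber": "SUB-B", "ts": base + timedelta(minutes=i),
                     "dest": "+15550100", "country": "US", "international": False})
    return rows


# Constructed resolver log for the same session window.
SAMPLE_DNS = [
    {"subscriber": "SUB-A", "ts": datetime(2024, 1, 1, 11, 58, 0), "qname": "captcha-step.example.invalid"},
    {"subscriber": "SUB-A", "ts": datetime(2024, 1, 1, 11, 58, 2), "qname": "cdn.legit-example.invalid"},
    {"subscriber": "SUB-B", "ts": datetime(2024, 1, 1, 12, 0, 0), "qname": "captcha-step.example.invalid"},
]
TDS_WATCHLIST = {"captcha-step.example.invalid"}   # assumed watchlist of TDS-related names


def detect_bursts(cdrs, window=WINDOW, min_unique=MIN_UNIQUE_DESTINATIONS, min_countries=MIN_COUNTRIES):
    """Sliding-window scan per subscriber over outbound international SMS.

    Returns, for each subscriber, the densest window that meets both thresholds.
    """
    by_sub = defaultdict(list)
    for r in cdrs:
        if r["international"]:
            by_sub[r["subscriber"]].append(r)
    alerts = []
    for sub, rows in by_sub.items():
        rows.sort(key=lambda r: r["ts"])
        best, j = None, 0
        for i in range(len(rows)):
            while rows[i]["ts"] - rows[j]["ts"] > window:
                j += 1                      # slide the left edge until the window fits
            win = rows[j:i + 1]
            dests = {r["dest"] for r in win}
            countries = {r["country"] for r in win}
            if len(dests) >= min_unique and len(countries) >= min_countries:
                cand = {"subscriber": sub, "start": win[0]["ts"], "end": win[-1]["ts"],
                        "messages": len(win), "unique_destinations": len(dests),
                        "countries": len(countries),
                        # ~4.0 means every number was hit once per round: the step cadence
                        "sends_per_destination": round(len(win) / len(dests), 2)}
                if best is None or cand["messages"] > best["messages"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts


def correlate_dns(alert, dns_log, watchlist, slack=DNS_SLACK):
    """Watch-listed names the same subscriber resolved shortly before or during the burst."""
    lo, hi = alert["start"] - slack, alert["end"] + slack
    return sorted({d["qname"] for d in dns_log
                   if d["subscriber"] == alert["subscriber"]
                   and lo <= d["ts"] <= hi and d["qname"] in watchlist})


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_cdrs()):
        print(alert, correlate_dns(alert, SAMPLE_DNS, TDS_WATCHLIST))
```

Keeping the densest window per subscriber (rather than every qualifying window) gives one alert per incident, and the `sends_per_destination` ratio distinguishes a repeated multi-round blast from a single mass text to many numbers.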
How are mobile OS intents or URL schemes abused to pre‑fill SMS recipients and content on both Android and iOS? Can you detail the technical calls involved, their limits, and practical ways MDM/EDR tools can detect or prevent automated launches?
The page uses sms: URLs or deeplinks with query parameters to pre‑populate recipients and text, then triggers the OS to open the default messenger. On Android, this rides ACTION_SENDTO with an sms: URI; on iOS, similar sms: schemes open Messages with the fields filled. Limits exist—users must still hit send—but the scam leverages habituation and repetition to get four consecutive confirms. MDM/EDR can flag multiple sms: launches from the same domain within a short window, block multi‑recipient pre‑fills, and prompt users when more than a dozen recipients are present. Policy engines can also rate‑limit external intents originating from pages that set verification cookies like “successRate.”
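The MDM/EDR checks suggested in that answer (count pre-filled recipients, flag international ones, notice repeated sms: launches from one origin) need only the parsed URI and a per-origin counter. The Python below is an added example for this page, not code from the interview or from any MDM vendor; the policy thresholds, the home-country prefix, the sample origin and the placeholder numbers in `SAMPLE_URI` are constructed assumptions:

```python
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_plus

# Assumed policy values (not from the interview).
MAX_RECIPIENTS = 12              # "more than a dozen recipients" triggers a block
HOME_COUNTRY_PREFIX = "+1"       # anything else with a + prefix is treated as international
LAUNCH_WINDOW_SECONDS = 120
MAX_LAUNCHES_PER_WINDOW = 3


def parse_sms_uri(uri):
    """Split an sms: URI (RFC 5724 form, sms:<numbers>?body=...) into recipients and body."""
    if not uri.lower().startswith("sms:"):
        raise ValueError("not an sms: URI")
    rest = uri[4:].lstrip("/")          # tolerate the sms:// spelling some deeplinks use (assumption)
    recipients_part, _, query = rest.partition("?")
    recipients = [unquote(r).strip() for r in re.split(r"[,;]", recipients_part) if r.strip()]
    body = ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "body":
            body = unquote_plus(value)
    return recipients, body


def assess_sms_launch(uri, max_recipients=MAX_RECIPIENTS, home_prefix=HOME_COUNTRY_PREFIX):
    """Policy verdict for a single sms: launch request coming out of a web page."""
    recipients, body = parse_sms_uri(uri)
    international = [r for r in recipients if r.startswith("+") and not r.startswith(home_prefix)]
    reasons = []
    if len(recipients) > max_recipients:
        reasons.append(f"{len(recipients)} recipients pre-filled (limit {max_recipients})")
    if international:
        reasons.append(f"{len(international)} international recipients pre-filled")
    return {"recipients": len(recipients), "international": len(international), "body": body,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


class SmsLaunchTracker:
    """Counts sms: launches per web origin inside a sliding window (the repeated-launch tell)."""

    def __init__(self, window=LAUNCH_WINDOW_SECONDS, limit=MAX_LAUNCHES_PER_WINDOW):
        self.window, self.limit = window, limit
        self.events = defaultdict(list)

    def record(self, origin, ts):
        """Register a launch at time ts (seconds); True once the origin hits the limit."""
        kept = [t for t in self.events[origin] if ts - t <= self.window]
        kept.append(ts)
        self.events[origin] = kept
        return len(kept) >= self.limit


# Constructed sample: 13 placeholder recipients with +994 and +7 prefixes and a "verify 1/4" body.
SAMPLE_URI = ("sms:+994500000001,+994500000002,+77000000001,+77000000002,+994500000003,"
              "+77000000003,+994500000004,+77000000004,+994500000005,+77000000005,"
              "+994500000006,+77000000006,+994500000007?body=verify%201%2F4")

if __name__ == "__main__":
    print(assess_sms_launch(SAMPLE_URI))
    tracker = SmsLaunchTracker()
    for t in (0, 20, 40):
        print(t, tracker.record("https://captcha.example.invalid", t))
```

On Android the same parse applies to the data URI carried by an `ACTION_SENDTO` intent; on iOS it applies to the `sms:` URL handed to Messages. Because the user still has to tap send, the right place for this check is before the messenger opens, where a block or a recipient-count prompt costs nothing for ordinary single-recipient links.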
What responsibilities fall on carriers versus regulators when customers dispute unexpected premium SMS charges? Which refund, chargeback, or dispute workflows limit repeat abuse while maintaining fair treatment for legitimate premium services?
Carriers should implement provisional credits for cases with clear multi‑recipient international SMS patterns, while preserving evidence chains for clawbacks against implicated ranges. Regulators can mandate transparent dispute SLAs and require revenue‑sharing audits when termination spikes cross thresholds tied to 60‑message events or dispersion across 17 countries. Effective workflows include auto‑quarantining the destination ranges during review, notifying peer carriers to suspend settlements, and whitelisting legitimate premium services that pass continuous vetting. Educating customers about delayed billing and adding real‑time alerts for international SMS help reduce repeat incidents without penalizing compliant services.
Traffic distribution systems are being repurposed as cloaking and routing layers. How do conditional flows, geo/device filters, and sandbox evasion shape the redirection chain, and what telemetry (DNS, TLS, JavaScript signals) best reveals these setups at scale?
Conditional flows in a TDS decide whether you see malware, a fake CAPTCHA, or a benign decoy. Geo and device filters steer high‑value visitors into the IRSF path while sandboxes are sent to harmless pages, often determined by signals like cookie freshness and headless browser fingerprints. At scale, DNS gives you the breadth: in one window, about 226,000 DNS queries hit roughly 13,500 domains linked to these flows. TLS cert reuse across rotating domains, uniform JA3/JA4 fingerprints, and JavaScript patterns that set step‑tracking cookies are reliable beacons. Tie those to sudden surges aligned with social ad pushes to expose the active campaigns.
Keitaro has been leveraged with stolen or cracked licenses and used to deliver malware, wallet drainers, and investment scams. What operational tells distinguish a benign performance tracker from a malicious TDS, and how can hosting providers and CDNs act without over‑blocking?
Benign setups use stable domain inventories and transparent flows; malicious Keitaro nodes rotate domains rapidly—tens of thousands over months—and gate content behind cookie‑driven steps like the “successRate” pathing. Another tell is the blend of destinations: fake news placements, investment lures, and CAPTCHA SMS pages all fed from the same tracker instance. Hosts and CDNs should score behaviors, not brands: high domain churn, geo‑targeted conditional responses, and history manipulation scripts together justify containment. Instead of blanket bans, apply graduated controls—sandboxing, request throttles, and customer outreach—while de‑peering instances that sustain 120‑plus campaigns without remediation.
Social ads and deepfake endorsements are driving victims to crypto fraud. Which ad creative patterns, landing‑page funnels, and fake news placements correlate with the highest conversion, and how can ad platforms instrument pre‑ad and post‑click vetting to disrupt them?
The winners pair “AI‑powered” investment promises with fabricated celebrity endorsements, then route through news‑style articles and deepfake videos before handing off to a TDS. The landing pages exploit urgency with countdowns and a two‑step “verification,” echoing the CAPTCHA playbook. Pre‑ad vetting should score ad copy for AI‑investment tropes and link reputations tied to 120‑plus known campaigns; post‑click checks can detect conditional flows and cookie‑gated funnels before spend is optimized. Platforms can auto‑pause buys when traffic patterns match Keitaro‑like rotation across 13,500 domains or when 96% of downstream clicks align with wallet‑drainer markers.
Roughly 96% of observed traffic promoted wallet‑drainer schemes using airdrops tied to tokens and wallets like AURA, SOL, Phantom, and Jupiter. What specific drainer mechanics are in play, and what UI warnings, wallet heuristics, or RPC‑level safeguards most effectively stop them?
The drainers lure with fake airdrops, then present pre‑packaged transactions that request broad spending approvals or token transfers, often via Phantom or similar wallets. They chain approvals across multiple steps—mirroring the four‑step SMS flow—to normalize risk. Effective countermeasures include wallet UIs that highlight unusually broad approvals, heuristics that flag new domains pushing transactions across many tokens, and RPC policies that rate‑limit signature requests from domains seen in large TDS rotations. Surfacing provenance warnings—“This airdrop link is associated with campaigns where 96% of traffic leads to drainers”—interrupts the click‑through reflex.
Over four months, more than 120 campaigns and tens of thousands of domains generated hundreds of thousands of DNS queries. How can defenders convert such volume into practical detections, and what enrichment (WHOIS, ASN, passive DNS, SSL certs) yields the best precision?
Start with clustering: group domains by shared SSL certificate fields and hosting ASNs, then overlay passive DNS to catch fast‑flux siblings. Enrich with WHOIS to find co‑registered sets and creation spikes, and rank clusters by DNS query volume—about 226,000 in the observed window is a strong signal when tied to 13,500 domains. Build allowlists for legitimate trackers so your detection focuses on cookie‑gated conditional flows, history API abuse, and sms: launch patterns. Feed these clusters into your blocklists and EDR playbooks, then measure precision by how effectively they intercept the four‑step verification pages without impacting normal adtech.
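The clustering recipe in that answer (group by shared certificate and hosting, overlay passive DNS, exclude allowlisted trackers, rank by query volume, look for registration spikes) is the same one the earlier answers on TDS telemetry and Keitaro domain churn lean on, so one worked example covers all three. The Python below is an added example for this page, not code from the interview or from any threat-intelligence platform; the enrichment records, certificate fingerprints, ASNs, addresses, dates and the seven-day churn window are constructed assumptions:

```python
from collections import defaultdict
from datetime import date

# Constructed enrichment records (not observed data). "cert" stands in for a certificate
# fingerprint, "ips" for passive-DNS resolutions, "queries" for DNS query volume in the window.
RECORDS = [
    {"domain": "a1.example.invalid", "cert": "fp-A", "asn": 64500, "ips": ["203.0.113.10"], "queries": 4200, "created": date(2024, 3, 1)},
    {"domain": "a2.example.invalid", "cert": "fp-A", "asn": 64500, "ips": ["203.0.113.11"], "queries": 3100, "created": date(2024, 3, 2)},
    {"domain": "a3.example.invalid", "cert": "fp-B", "asn": 64501, "ips": ["203.0.113.11"], "queries": 1200, "created": date(2024, 3, 3)},
    {"domain": "a4.example.invalid", "cert": "fp-B", "asn": 64501, "ips": ["198.51.100.5"], "queries": 500, "created": date(2024, 3, 4)},
    {"domain": "b1.example.invalid", "cert": "fp-C", "asn": 64502, "ips": ["192.0.2.7"], "queries": 300, "created": date(2023, 11, 10)},
    {"domain": "b2.example.invalid", "cert": "fp-D", "asn": 64502, "ips": ["192.0.2.7"], "queries": 150, "created": date(2023, 11, 12)},
    {"domain": "tracker.adtech-example.invalid", "cert": "fp-E", "asn": 64503, "ips": ["192.0.2.50"], "queries": 20000, "created": date(2019, 1, 1)},
]
ALLOWLIST = {"tracker.adtech-example.invalid"}   # assumed: a vetted, legitimate tracker
CHURN_DAYS = 7   # assumption: three or more domains registered within a week marks a fresh rotation


class DisjointSet:
    """Union-find over record indices; two records merge when they share a cert or an IP."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_domains(records, allowlist=ALLOWLIST, churn_days=CHURN_DAYS):
    """Cluster non-allowlisted domains by shared certificate or passive-DNS IP, ranked by query volume."""
    recs = [r for r in records if r["domain"] not in allowlist]
    dsu = DisjointSet(len(recs))
    first_with_cert, first_with_ip = {}, {}
    for i, r in enumerate(recs):
        if r["cert"] in first_with_cert:
            dsu.union(i, first_with_cert[r["cert"]])
        else:
            first_with_cert[r["cert"]] = i
        for ip in r["ips"]:
            if ip in first_with_ip:
                dsu.union(i, first_with_ip[ip])
            else:
                first_with_ip[ip] = i

    groups = defaultdict(list)
    for i, r in enumerate(recs):
        groups[dsu.find(i)].append(r)

    clusters = []
    for members in groups.values():
        created = sorted(r["created"] for r in members)
        span = (created[-1] - created[0]).days
        clusters.append({
            "domains": sorted(r["domain"] for r in members),
            "total_queries": sum(r["queries"] for r in members),
            "asns": sorted({r["asn"] for r in members}),
            "certs": sorted({r["cert"] for r in members}),
            "creation_span_days": span,
            "fresh_rotation": len(members) >= 3 and span <= churn_days,
        })
    clusters.sort(key=lambda c: c["total_queries"], reverse=True)
    return clusters


if __name__ == "__main__":
    for c in cluster_domains(RECORDS):
        print(c["total_queries"], c["fresh_rotation"], c["domains"])
```

Transitive merging matters here: `a2` and `a3` share no certificate, but a passive-DNS IP ties them together, so the two certificate groups collapse into one cluster, which is the fast-flux sibling effect the answer describes. The `fresh_rotation` flag is the registration-spike check; the ranked `total_queries` is what you would threshold against before pushing a cluster into blocklists or EDR playbooks.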
When threat actors collude with local telecom providers, what investigative methods, partnerships, or sanctions have actually disrupted revenue sharing? Can you share an example where cross‑border cooperation closed a number range and dismantled the cash‑out pipeline?
Joint investigations that pair DNS intelligence with CDR anomalies have convinced carriers to suspend settlements for implicated ranges pending audit. Cross‑border working groups can notify all operators that a set of 15 numbers used in a four‑step flow drove 60‑message bursts, prompting immediate range quarantine. When settlements pause and “over a dozen” revenue‑sharing accounts are flagged, the operators upstream cut access and the cash‑out dries up. Sanctions can include contract termination for range holders and mandatory refund pools funded by the terminating carrier, which both deters collusion and funds victim remediation.
What is your forecast for IRSF and TDS‑enabled scams over the next 12–24 months?
Expect convergence and scale. We’ll see the fake multi‑step motif reused everywhere—SMS, wallets, and investment on‑ramps—because four short confirmations feel safe and familiar. TDS operators will keep expanding domain inventories into the tens of thousands while maintaining conditional flows that shunt analysts away and herd consumers into IRSF or drainer endpoints; volumes on the order of hundreds of thousands of DNS queries per quarter will become baseline. The good news: carriers and platforms that implement intent‑rate limits, international SMS prompts, cookie‑state anomaly detection, and range escrow for disputes will cut revenue by choking the settlement path. If we execute on clustered DNS/SSL/ASN detections and coordinated settlement holds across 17‑country spans, we can make these schemes unprofitable before they finish their next rotation.