Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro This report analyzes large-scale abuse of the Keitaro tracking platform across spam, malvertising, and traffic-distribution ecosystems, documenting bulk domain registrations, conditional redirects, cloaking, and cookie-based correlations used by threat actors. Researchers found widespread use of cracked/stolen Keitaro licenses tied to malicious campaigns (including activity attributed to TA2726), confirmed Keitaro’s responsiveness to abuse reports, and published domains, IPs, and cookie signatures to aid detection. #Keitaro #TA2726

Analysis of Keitaro tracking platform reveals large-scale abuse with cracked licenses fueling spam and malvertising campaigns, including those linked to TA2726. Data from DNS, email, and ad telemetry used for detection. #KeitaroAbuse #Malvertising

Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams Keitaro Tracker is being widely abused by threat actors to perform domain cloaking, conditional traffic routing, and large-scale investment and tech-support scams, often leveraging AI-generated content and deepfakes to increase credibility and scale. Collaborative research by Infoblox and Confiant found thousands of malicious Keitaro instances, extensive domain registration patterns (RDGAs), and active abuse by actors including TA2726. #Keitaro #TA2726

Keitaro Tracker is exploited by cybercriminals for AI-driven investment and tech-support scams, using domain cloaking and conditional traffic routing. Thousands of malicious instances linked to TA2726 identified. #KeitaroAbuse #AIscams #TA2726