Executive Summary
In April 2026, cybersecurity researchers uncovered a sophisticated telecommunications fraud campaign leveraging fake CAPTCHA verifications to deceive users into sending international SMS messages. This scheme, active since at least June 2020, exploits social engineering tactics and browser vulnerabilities to generate illicit revenue through International Revenue Share Fraud (IRSF). Victims, believing they are completing standard CAPTCHA tests, unknowingly send multiple SMS messages to premium-rate international numbers, incurring significant charges on their mobile bills.
This incident highlights the evolving nature of cyber threats, where attackers combine traditional social engineering with technical exploitation to achieve financial gain. The use of familiar web elements like CAPTCHAs in fraudulent schemes underscores the need for heightened user awareness and robust security measures to detect and prevent such deceptive practices.
Why This Matters Now
The increasing sophistication of cyber fraud tactics, such as the misuse of CAPTCHAs for IRSF, poses significant financial risks to individuals and organizations. Understanding and mitigating these threats is crucial to prevent widespread financial losses and maintain trust in digital communications.
Attack Path Analysis
Attackers lured users to malicious websites mimicking legitimate CAPTCHA verification pages, prompting them to send SMS messages to premium-rate international numbers. This social engineering tactic led victims to unknowingly incur charges on their mobile bills, generating illicit revenue for the attackers. The campaign utilized traffic distribution systems to direct users to these fraudulent sites, and employed techniques like back button hijacking to trap users on the page, increasing the likelihood of multiple SMS submissions. The attackers' infrastructure was linked to networks previously associated with malware distribution, indicating a sophisticated and organized operation.
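As an added, defender-side example that is not part of the original report or any of its cited sources: a small heuristic scanner that flags web pages combining CAPTCHA wording, `sms:` links to international numbers and a back-button trap. It assumes the lure page delivers the premium number through an `sms:` URI and traps the user with `history.pushState`, which the report does not specify; the home country code and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Assumption: country code of the subscribers being protected (NANP here).
HOME_COUNTRY_CODE = "+1"

class SmsLinkExtractor(HTMLParser):
    """Collects every <a href> that uses the sms: URI scheme."""
    def __init__(self):
        super().__init__()
        self.sms_uris = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("sms:"):
            self.sms_uris.append(href)

def parse_sms_uri(uri):
    """Split 'sms:+number?body=text' into (E.164 number, pre-filled body)."""
    number, _, query = uri[4:].partition("?")
    body = parse_qs(query).get("body", [""])[0]
    return re.sub(r"[^\d+]", "", number), body

def analyse_page(html):
    """Return (finding, detail) tuples for fake-CAPTCHA SMS lure indicators."""
    parser = SmsLinkExtractor()
    parser.feed(html)
    findings = []
    for uri in parser.sms_uris:
        number, body = parse_sms_uri(uri)
        # Any sms: link leaving the home country deserves a look; IRSF
        # monetises exactly these destinations.
        if number.startswith("+") and not number.startswith(HOME_COUNTRY_CODE):
            findings.append(("international_sms_link", number))
        if body:
            findings.append(("prefilled_sms_body", body))
    if "captcha" in html.lower() and parser.sms_uris:
        findings.append(("captcha_sms_lure", len(parser.sms_uris)))
    # pushState on load plus re-push on popstate keeps the user on the page.
    if re.search(r"history\.pushState", html) and "popstate" in html:
        findings.append(("back_button_trap", None))
    return findings

# Constructed sample lure; +999 is an unassigned country code.
SAMPLE_PAGE = """<html><body><h2>Verify you are human (CAPTCHA)</h2>
<a href="sms:+999555000111?body=VERIFY%20HUMAN">Send SMS to confirm</a>
<script>history.pushState(null, "", location.href);
window.addEventListener("popstate", function () {
  history.pushState(null, "", location.href); });</script></body></html>"""

if __name__ == "__main__":
    for finding in analyse_page(SAMPLE_PAGE):
        print(finding)
```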
Kill Chain Progression
Initial Compromise
Description
Users were directed to malicious websites mimicking legitimate CAPTCHA verification pages, prompting them to send SMS messages to premium-rate international numbers.
MITRE ATT&CK® Techniques
Spearphishing Attachment
User Execution: Malicious Link
Application Layer Protocol: Web Protocols
Valid Accounts
Acquire Infrastructure: Virtual Private Server
Establish Accounts: Email Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Authentication
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target for IRSF fraud campaigns exploiting SMS infrastructure vulnerabilities, requiring enhanced egress security and anomaly detection for international message routing protection.
Financial Services
High risk from crypto fraud components and SMS-based authentication bypass attacks, necessitating zero trust segmentation and encrypted traffic monitoring capabilities.
Internet
Fake CAPTCHA delivery infrastructure creates liability for web platforms, demanding inline IPS protection and threat detection to prevent user exploitation campaigns.
Marketing/Advertising/Sales
Keitaro campaign infrastructure abuse threatens legitimate advertising networks, requiring multicloud visibility and egress policy enforcement to prevent fraud association.
Sources
- Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud (verified): https://thehackernews.com/2026/04/fake-captcha-irsf-scam-and-120-keitaro.html
- Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs (verified): https://www.infoblox.com/blog/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
- Warning: Fake CAPTCHA Scam Tricks Users into Sending International SMS, Causing Hidden Charges (verified): https://www.thaicert.or.th/en/2026/04/27/warning-fake-captcha-scam-tricks-users-into-sending-international-sms-causing-hidden-charges/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could limit the attacker's ability to exploit implicit trust within cloud environments, thereby reducing the potential blast radius of such social engineering campaigns.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit implicit trust within cloud environments would likely be constrained, reducing the potential blast radius of such social engineering campaigns.
Control: Zero Trust Segmentation
Mitigation: While privilege escalation was not a factor in this incident, Zero Trust Segmentation could limit unauthorized access attempts, reducing the risk of privilege escalation in similar scenarios.
Control: East-West Traffic Security
Mitigation: Although lateral movement was not observed in this incident, East-West Traffic Security could limit unauthorized internal communications, reducing the risk of lateral movement in similar attacks.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to manipulate user traffic through malicious distribution systems would likely be constrained, reducing the effectiveness of such command and control techniques.
Control: Egress Security & Policy Enforcement
Mitigation: While data exfiltration was not a factor in this incident, Egress Security & Policy Enforcement could limit unauthorized outbound communications, reducing the risk of data exfiltration in similar scenarios.
The financial impact on victims could be reduced by limiting the attacker's ability to exploit implicit trust within cloud environments.
Impact at a Glance
Affected Business Functions
- Customer Billing
- Fraud Detection
- Customer Support
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement user education programs to raise awareness about social engineering tactics, such as fake CAPTCHA scams.
- Deploy web filtering solutions to block access to known malicious domains and prevent users from reaching fraudulent sites.
- Utilize threat detection systems to identify and alert on anomalous traffic patterns indicative of traffic distribution systems.
- Enforce strict egress security policies to monitor and control outbound communications, reducing the risk of unauthorized SMS transmissions.
- Establish incident response protocols to quickly address and mitigate the impact of similar fraud campaigns in the future.