Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams
ID: 417199f9-79c5-5276-9878-9ee3d5cd81bd
STIX ID: report--417199f9-79c5-5276-9878-9ee3d5cd81bd
Feed Name: Infoblox Blog
This joint Infoblox–Confiant report analyzes widespread criminal abuse of the Keitaro Tracker to perform domain cloaking and conditional traffic routing for large-scale ad-driven fraud and malware delivery. Over a four-month window the teams observed thousands of malicious Keitaro instances and roughly 15,500 domains used in scams and distribution, with prominent use of AI (deepfakes, AI‑generated content) to amplify investment scams, tech‑support fraud, and phishing; the report catalogs TTPs, sample indicators, actor clusters (FaiKast, WickedWally, FishSteaks, TA2726), and vendor takedown outcomes.
