Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro
ID: 3d6056f1-b00a-57f5-827c-5d76be72c66f
STIX ID: report--3d6056f1-b00a-57f5-827c-5d76be72c66f
Feed Name: Infoblox Threat Intel Blog
This report analyzes large-scale abuse of the Keitaro self-hosted tracker as a traffic distribution system by multiple criminal actors. Using telemetry from Infoblox and Confiant (DNS, email, and ad-impression data), the authors document thousands of malicious domains, actor campaigns (including TA2726), extensive malvertising and spam-driven crypto wallet scams, techniques for cloaking and client-side substitution, cracked/stolen licenses, cookie collisions that complicate attribution, and the results of coordinated abuse reporting and takedown engagement with Keitaro.
