Techitup Middle East

15,500 Malicious Domains Power AI Scams via Ad Tracker Abuse

New research from Infoblox Threat Intel and Confiant reveals that cybercriminals are abusing Keitaro, a widely used ad tracker, to hide (“cloak”) scams and malware behind ordinary web traffic, with many of the cloaked pages posing specifically as AI investment opportunities.

Cloaking has become a foundational block of modern cybercrime, allowing criminals to make a malicious website look safe. The joint research provides the first longitudinal look at how a widely used commercial tracker – Keitaro Tracker – has been abused by threat actors. Over a four-month period, researchers identified thousands of malicious Keitaro instances that used domain cloaking to route victims into scams and malware while showing benign content to everyone else. Concurrently, they collaborated with Keitaro to take down threat actors and to better understand the use of stolen licenses.

Rather than building bespoke infrastructure, many threat actors purchase or pirate commercial tracking software that already does what they need. Keitaro’s feature-rich, self-hosted design and ease of deployment make it attractive to both legitimate marketers and, unfortunately, threat actors.

Key findings from the research include:

  • First longitudinal view of Keitaro abuse at scale
    Infoblox and Confiant examined four months of Keitaro activity starting October 1, 2025, and found approximately 15,500 domains actively used for malicious Keitaro instances. These infrastructures cloaked everything from investment scams to information-stealing malware, with traffic flowing in from compromised websites, spam, social media and online advertising.
  • Cloaking as crime infrastructure
    The study confirms that domain cloaking, implemented through traffic distribution systems (TDSs) and cloaking kits, is now a core component of cybercriminal operations. Cloaking is used to evade ad and content restrictions, precisely target victims and even shield threat actors from each other. Many actors no longer build their own systems, instead abusing commercial trackers such as Keitaro as readymade infrastructure that brings the same convenience to marketers and criminals alike. While Keitaro Tracker no longer supports cloaker integrations, threat actors are still able to misuse its features in this way.
  • AI-branded investment scams now dominate malicious Keitaro use
    Among the threats abusing Keitaro, investment scams were by far the largest category. A recent trend within these scams is the use of AI as the central marketing hook: pages routinely claim “Smart AI Trading Technology” or “Intelligent Trading Solutions” that automate trading and promise outsized returns, sometimes reinforced with deepfake imagery or video. Researchers also saw signs that generative AI is being used programmatically to mass-produce headlines, copy and visuals for lure pages and ad imagery.
  • Two complementary views reveal a much larger ecosystem
    In producing this research, Confiant contributed visibility across the advertising chain, while Infoblox focused on how threats appear in DNS, supported by spam and website content analysis. This combination of perspectives gave the researchers a broad understanding of the landscape.
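Cloaking, as described above, works by serving benign content to one kind of visitor (security scanners, ad-network reviewers) and the scam page to another (the targeted victim arriving from an ad or spam link). A defender can surface this by fetching the same URL under two request profiles and comparing what comes back. The following is an added illustration written for this article, not code from Infoblox, Confiant or Keitaro: the two responses are constructed and embedded inline so it runs offline, the profile names, similarity threshold and lure phrases are assumptions chosen for the example, and a real check would obtain the bodies from actual fetches through differing egress points.

```python
import html as html_mod
import re

# Constructed sample responses for one URL fetched under two hypothetical profiles.
# "scanner" mimics a datacenter IP with a generic user agent and no referrer;
# "victim" mimics a residential IP, mobile browser and an ad-click referrer.
SAMPLE_RESPONSES = {
    "scanner": {
        "status": 200,
        "body": (
            "<html><head><title>Home Garden Tips</title></head><body>"
            "<h1>Watering your roses</h1><p>Water early in the morning.</p>"
            "<script nonce='a1b2'>var t=1;</script></body></html>"
        ),
    },
    "victim": {
        "status": 200,
        "body": (
            "<html><head><title>Smart AI Trading Technology</title></head><body>"
            "<h1>Intelligent Trading Solutions</h1>"
            "<p>Let our AI automate your trading and enjoy guaranteed 300% returns.</p>"
            "<script nonce='c3d4'>var t=2;</script></body></html>"
        ),
    },
}

# Lure phrases typical of the AI-branded investment scams the research describes.
# The patterns are constructed for this example, not a published signature set.
LURE_PATTERNS = {
    "ai_trading": re.compile(r"\bai\b[^.]{0,40}\btrading\b"),
    "intelligent_trading": re.compile(r"\bintelligent trading\b"),
    "guaranteed_returns": re.compile(r"guarantee\w*\s+\d+%?\s+returns"),
}

# Similarity below which the two views are treated as materially different (assumed).
CLOAK_THRESHOLD = 0.5


def visible_text(page: str) -> str:
    """Reduce an HTML body to lowercase visible text, dropping script/style and tags."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", page, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = html_mod.unescape(text)
    return re.sub(r"\s+", " ", text).strip().lower()


def tokenize(text: str) -> set:
    """Word tokens; '%' is kept so figures like '300%' survive."""
    return set(re.findall(r"[a-z0-9%]+", text))


def token_jaccard(a: str, b: str) -> float:
    """Jaccard similarity of the token sets of two visible-text strings."""
    ta, tb = tokenize(a), tokenize(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def lure_hits(text: str) -> list:
    """Names of lure patterns that match the visible text."""
    return [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]


def assess(responses: dict, baseline: str = "scanner", target: str = "victim") -> dict:
    """Compare the baseline and target views of one URL and flag likely cloaking.

    Cloaking is flagged when the visible text diverges past the threshold or the
    status codes differ; lure hits per profile tell the analyst which side is the scam.
    """
    base_text = visible_text(responses[baseline]["body"])
    target_text = visible_text(responses[target]["body"])
    similarity = token_jaccard(base_text, target_text)
    status_differs = responses[baseline]["status"] != responses[target]["status"]
    return {
        "similarity": similarity,
        "status_differs": status_differs,
        "cloaked": status_differs or similarity < CLOAK_THRESHOLD,
        "lure_hits": {baseline: lure_hits(base_text), target: lure_hits(target_text)},
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_RESPONSES)
    print(f"similarity={verdict['similarity']:.2f} cloaked={verdict['cloaked']}")
    for profile, hits in verdict["lure_hits"].items():
        print(f"  {profile}: lure hits {hits or 'none'}")
```

The useful output for triage is not the similarity number alone but the pairing: a near-zero overlap between the two views, with lure hits only on the victim-profile side, is the signature of a cloaked lure page. Because cloakers key on referrer, user agent, IP reputation and geolocation, the baseline fetch should be made from the same vantage point a scanner would use and the target fetch from one that resembles a real ad click; a single fetch from either side will look clean.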

“For years, Keitaro has popped up in individual investigations, but no one had stepped back to ask how big the problem really is,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “We found that Keitaro frequently appeared in malicious campaigns – but the story really isn’t about Keitaro; they are just one player in an ecosystem that malicious actors are using to scale and target attacks around the globe.”

This blog is the first of a three-part series on Keitaro and cloaking, with the remaining parts to be published over the coming weeks:

  • Part 1: AI-scaled lures and Keitaro-mediated routing, announced today
  • Part 2: Other fraud schemes leveraging Keitaro and supporting spam/advertising pipelines
  • Part 3: How cybercriminals weaponize Keitaro’s features, and how coordinated vendor collaboration can disrupt abuse

Read the full blog post here.
