Cybersecurity firms Confiant, which monitors 90 billion ad impressions monthly, and Infoblox, specializing in DNS infrastructure monitoring, have published the first systematic study on the abuse of the self-hosted ad tracker Keitaro, developed by Apliteni. This research is based on four months of data from October 2025.
Scale of Abuse:
Researchers identified 15,500 malicious domains, with 9,000 of them registered specifically for fraudulent campaigns. Traffic was generated simultaneously through programmatic ads, spam, social media, and hacked websites. Investment fraud is the dominant threat among those identified. Fraudsters are using AI to mass-generate landing pages, creatives, and deepfake videos, primarily in Russian and English.
FaiKast (Tracked since May 2025):
Fraudsters are distributing deepfake videos featuring AI news anchors via the Bigo Ads network, targeting France, the UK, Canada, Japan, and Kazakhstan. Victims are redirected to copies of legitimate media outlets with fabricated quotes from public figures and fake cryptocurrency platforms.
FishSteaks (Tracked since at least March 2024):
Fraudsters are imitating giveaways purportedly run by American consumer brands, targeting the USA. They gamify landing pages, use domains in the .ru zone, and replace placeholders with real brand logos when launching campaigns.
Developer Response:
Since August 2025, researchers have reported over 100 domains to Apliteni. The company has blocked more than 12 fraudster accounts. Among the violators, researchers found users of unlicensed copies of Keitaro, including TA2726. The licensing terms of Keitaro prohibit misleading content.
The head of security at Keitaro stated that the company combines operational responses to complaints with internal monitoring to detect malicious activity.
This is the first of three parts of the study. Despite Apliteni's efforts, researchers note that fraudsters rotate domains and creatives faster than any single response channel can block them.