Description: Researchers reported that threat actors abused Keitaro Tracker infrastructure to cloak and route AI-themed investment scams across about 15,500 domains. The campaigns allegedly used AI-trading claims, deepfake videos or imagery, generative AI-produced copy and visuals, spoofed news pages, and fraudulent trading platforms to target potential victims while hiding scam content from scanners and reviewers.
Editor Notes: Timeline notes: The incident date for this ID is 10/01/2025, when Infoblox and Confiant's four-month review of malicious Keitaro infrastructure began; Infoblox and Confiant published their report on 03/19/2026; Malwarebytes summarized the findings on 05/07/2026; the incident ID was created 05/11/2026. Please see the Quantum AI cluster (Incident 1236) as well.
Entities
Alleged: Unknown generative AI developers, Unknown deepfake technology developers, Unknown AI video generation technology developers, Unknown image generation technology developers and Unknown voice cloning technology developers developed an AI system deployed by FaiKast, Unknown operators of malicious Keitaro infrastructure, Scammers, Unknown AI-themed investment scammers, Unknown cryptocurrency scammers, Quantum AI and Quantum AI scammers, which harmed Cryptocurrency investors, Investment scam victims, Cryptocurrency scam victims, social media users, Epistemic integrity, News consumers, Impersonated public figures and General public.
Alleged implicated AI systems: Quantum AI, Keitaro Tracker, Domain cloaking infrastructure, Unknown generative AI tools, Unknown deepfake technology, Unknown voice cloning technology, Spoofed news websites and Fraudulent trading platforms
Incident Stats
Incident ID: 1486
Report Count: 2
Incident Date: 2025-10-01
Editors: Daniel Atherton
Incident Reports
Executive Summary
Cloaking---the act and art of hiding a website's true nature---is a critical component of cybercriminal operations today. Threat actors use domain cloaking, implemented through traffic distribution systems (TDSs) and cloak…
Researchers tracked a large AI‑themed investment scam campaign involving more than 15,000 domains. It uses cloaking and deepfakes to hide from security tools while targeting ordinary users.
Criminals abused the Keitaro ad-tracking platform …
Variants
A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.
