Description: Researchers reported that threat actors abused Keitaro Tracker infrastructure to cloak and route AI-themed investment scams across about 15,500 domains. The campaigns allegedly used AI-trading claims, deepfake videos or imagery, generative AI-produced copy and visuals, spoofed news pages, and fraudulent trading platforms to target potential victims while hiding scam content from scanners and reviewers.
Editor Notes: Timeline notes: The incident date for this ID is 10/01/2025, when Infoblox and Confiant's four-month review of malicious Keitaro infrastructure began; Infoblox and Confiant published their report on 03/19/2026; Malwarebytes summarized the findings on 05/07/2026; the incident ID was created 05/11/2026. Please see the Quantum AI cluster (Incident 1236) as well.
Entities
Alleged: Deepfake technology developers, Image generation technology developers, Synthetic audio generation technology developers, Generative AI developers and Synthetic video generation technology developers developed an AI system deployed by FaiKast, Unknown operators of malicious Keitaro infrastructure, Scammers, Unknown AI-themed investment scammers, Unknown cryptocurrency scammers, Quantum AI and Quantum AI scammers, which harmed Cryptocurrency investors, Investment scam victims, Cryptocurrency scam victims, Social media users, Epistemic integrity, News consumers, Impersonated public figures and General public.
Alleged implicated AI systems: Quantum AI, Keitaro Tracker, Domain cloaking infrastructure, Unknown generative AI tools, Spoofed news websites, Fraudulent trading platforms, Deepfake technology and Synthetic audio generation technology
Incident Stats
Risk Subdomain
A further 23 subdomains create an accessible and understandable classification of hazards and harms associated with AI
4.3. Fraud, scams, and targeted manipulation
Risk Domain
The Domain Taxonomy of AI Risks classifies risks into seven AI risk domains: (1) Discrimination & toxicity, (2) Privacy & security, (3) Misinformation, (4) Malicious actors & misuse, (5) Human-computer interaction, (6) Socioeconomic & environmental harms, and (7) AI system safety, failures & limitations.
- Malicious Actors & Misuse
Entity
Which, if any, entity is presented as the main cause of the risk
Human
Timing
The stage in the AI lifecycle at which the risk is presented as occurring
Post-deployment
Intent
Whether the risk is presented as occurring as an expected or unexpected outcome from pursuing a goal
Intentional
Incident Reports
Executive Summary
Cloaking---the act and art of hiding a website's true nature---is a critical component of cybercriminal operations today. Threat actors use domain cloaking, implemented through traffic distribution systems (TDSs) and cloak…
Researchers tracked a large AI‑themed investment scam campaign involving more than 15,000 domains. It uses cloaking and deepfakes to hide from security tools while targeting ordinary users.
Criminals abused the Keitaro ad-tracking platform …
