An observational study documents a CAPTCHA scam running across 17 countries since 2020, prompting an alarm that requires further scrutiny.
Fake CAPTCHAs can fuel IRSF, but can one case study justify the alarm? According to a cybersecurity firm’s analysis of threat intelligence and incident data, fake CAPTCHA pages are fueling a variant of international revenue share fraud (IRSF) by tricking users into sending dozens of high-cost international SMS messages.
According to the observational case study analysis release on 22 April 2026, since at least June 2020, cybercriminals had apparently been using a multi-stage scheme where fake verification prompts mimic routine CAPTCHA tasks but launch pre-filled texts to 35+ premium numbers across 17 countries, including Azerbaijan, Egypt, Myanmar and the Netherlands.
In a single encounter observed by Infoblox researchers in February 2025, the process had generated 60 messages — up to 15 per step across four CAPTCHA stages — potentially costing victims around US$30 each, with delayed billing obscuring the source.
Attackers leverage traffic distribution systems (TDS), back-button hijacking and affiliate tracking (e.g., productId=2001) to scale operations, often starting from typo-squatted telecom domains and funneling through commercial ad networks.
While IRSF remains a top telecom fraud vector — per FTI Consulting’s 2025 report, artificially inflated traffic caused high losses for 50% of carriers — the CAPTCHA delivery is framed as “underreported” even when the research lacks aggregate data on victim numbers, global revenue impact or independent carrier validation, relying instead on one campaign’s infrastructure (e.g., AS15699 Adam EcoTech hosting).
The scheme employs server-side controls for rotating phone lists, social-engineered prompts and vague disclaimers that obscure costs (e.g., “research SMS pricing yourself”). While secondary reports echo the findings, independent peer review or regulatory data on prevalence remains absent.
For telecom operators, this highlights persistent revenue leakage amid fragmented oversight; for users, it underscores avoiding any SMS-based “human verification”.
Given all the research based on one case study absent epidemiological data, readers can draw their own conclusions on the warranted level of alarm
* The analysis illuminates IRSF delivery tactics with granular Indicators of Compromise, however the rich technical forensics are diluted by epidemiological rigor, according to vetted AI analysis of the research.
