https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/

Security researchers have uncovered a sophisticated criminal advertising ecosystem that leverages fake CAPTCHA challenges to trick users into enabling malicious push notifications, while simultaneously powering Russian disinformation campaigns across social media platforms. The sprawling network, centered around the notorious VexTrio traffic distribution system, represents one of the most resilient and interconnected cybercriminal operations ever documented, affecting hundreds of thousands of compromised websites worldwide.
The investigation began when researchers at Qurium Security discovered that the Kremlin-backed “Doppelganger” disinformation network was using the same malicious advertising infrastructure employed by online scammers and website hackers. Doppelganger operations push pro-Russian narratives through cloned news websites, relying on domain cloaking services to evade detection while ensuring targeted audiences receive fake news content. This cloaking technology shares infrastructure with VexTrio, believed to be the oldest malicious traffic distribution system in existence, which primarily manages traffic from victims of phishing attacks, malware infections, and social engineering schemes.
Central to this dark advertising empire are affiliate networks like LosPollos and TacoLoco, which distribute JavaScript-heavy “smartlinks” through hacked WordPress sites to drive traffic into the VexTrio system. These networks, operated by companies with ties to Switzerland, the Czech Republic, and Russia, earn commissions by directing victims to dating scams, fraudulent sweepstakes, malware downloads, and financial schemes. The fake CAPTCHA challenges presented to users actually trick them into enabling push notifications that continuously bombard their devices with virus alerts and misleading pop-up messages, creating a persistent channel for cybercriminal communications.
Following the public exposure of these operations in November 2024, the criminal networks demonstrated remarkable resilience by rapidly rebranding and shifting infrastructure. Within days of the research publication, LosPollos suspended its push notification services, Adspro rebranded to Aimed Global, and malware families that previously used VexTrio pivoted to alternative traffic distribution systems. Security experts warn that this adaptability, combined with the Russian nexus of many operators, represents a significant threat to global cybersecurity, as these systems facilitate both large-scale disinformation campaigns and billions of dollars in consumer fraud annually.