Traffic Distribution System Detection Toolkit
We are not claiming all Keitaro users are criminals. However, despite extensive research, we have found no legitimate use cases. Every instance involves malware, phishing, scams, or ad fraud.
Our tools are non-invasive. They only use publicly documented Keitaro API endpoints. No exploitation, no attacks — just detection.
A Traffic Distribution System designed to show different content to different visitors. In practice, moderators see legitimate content while victims see malicious pages: crypto scams, phishing, malware downloads, fake shops. This is "cloaking" — it exists solely to deceive security systems.
/click_api/v3_lp + _token_update_tokens=1KTracking, {subid}, {offer}_subid + _tokenVerdict: 2+ evidences = KEITARO CONFIRMED
* Satirical commentary on publicly documented facts. Every claim is sourced. Keitaro did not write this — we did, based on their own documentation, court records, and security research.
"Dear valued partners and friends of the ecosystem. We at Apliteni OU, operating as Keitaro from our prestigious office at Sepapaja tn 6, Tallinn, Estonia, would like to share our pride in our achievements and clientele."
"At Keitaro, we have always attracted the most ambitious operators in their respective fields:"
"We always strive to help our valued clients maintain uninterrupted operations. Because nothing ruins a good phishing campaign like getting banned:"
"Why do we cost more than all competitors? Because our features are specifically designed for one audience, and they know exactly what they're paying for."
All "features" on the left are available for free from Google, Facebook, TikTok, and Cloudflare. No legitimate marketer pays €40-400/month for things they get free. The price is for the cloaking engine on the right.
Binom and Voluum are legitimate ad trackers. They don't have 20+ cloaking filters, AV checker integration, or a client base of documented threat actors. Keitaro costs more because it's optimized for a specific type of client who understands what they're paying for.
These are real products. Open-source. Actually self-hosted. No license server. No telemetry. No ClickUp. No surveillance.
Five open-source tools above do everything a legitimate marketer needs — for $0. Keitaro charges €40-400/month to run on your server while streaming your data to their infrastructure. That's not self-hosting — that's surveillance as a service. The price isn't for analytics. It's for the dark interface: cloaking, sandbox detection, AV bypass.
Keitaro is not a tool that criminals happen to use. Keitaro IS the criminal infrastructure. Every cloaked page, every bypassed moderation check, every malware download — it runs through Keitaro's TDS engine, tracked by Keitaro's license server, stored at Keitaro's ClickUp workspace, hosted on Keitaro's partner AWS.
Real self-hosted trackers exist for free. Open-source, no phone-home, no telemetry, no SaaS dependency. The fact that criminals pay €40 to €400 per month for Keitaro instead proves it: the product isn't a tracker. The product is the cloaking infrastructure itself — the moderation bypass engine, the sandbox detector, the AV evasion checker. Without Keitaro, these campaigns don't work.
When you build, sell, and maintain the infrastructure that makes crime possible — you're not a bystander. You're not an accomplice. You are the infrastructure. Especially when you charge premium prices for it.
"We love telling everyone we're self-hosted. It sounds so private! Let's read our own documentation..."
Keitaro 10+ introduced ClickUp integration. ClickUp runs on Amazon Web Services (AWS). Here is what this means for your "self-hosted" data:
All ClickUp data physically resides on AWS servers. Legally this means:
Your Estonian company registration is irrelevant when your data lives on Amazon's servers in the United States.
"Since we collect all data, store it for years, and take card payments with full identity verification — of course we'll gladly assist in your investigation against our client. We're not an accomplice. We're just the infrastructure. But we're on YOUR side, naturally."
All of this stored for up to 9.75 years. All paid for with credit cards. All accessible via license server, ClickUp API, and AWS infrastructure logs. That's a complete evidence package.
"We will also gladly welcome lawsuits from Google and Facebook. After all, we openly advertise that our product bypasses their moderation systems, allowing our clients to promote illegal goods, phishing, CSAM, and whatever else they desire through Google Ads and Facebook Ads."
We've checked over 50,000+ domains using Keitaro TDS. What we found:
Phishing Google Ads from inside Google Ads. We're sure Keitaro is proud of that one.
Keitaro accepts payments via Stripe (their director mentioned it proudly). Interesting question:
Do these payment processors approve of such a "useful tracker"? Every transaction is a paper trail linking Apliteni OU to the infrastructure behind documented phishing, malware, and fraud campaigns.
An interesting question for Google and Meta's legal teams: have they calculated the total damage from their "partnership" with Keitaro and CIS-region traffers?
Keitaro doesn't just bypass moderation — it makes moderation exponentially more expensive for everyone. Every dollar Google spends fighting cloakers is a dollar Keitaro's existence costs them.
Keitaro has a Trust & Safety page. Their director writes about how Stripe stayed with them — as if that's proof of legitimacy. A few questions:
Keitaro provides an abuse reporting email. In practice: it's pointless. The people who chose to become a direct part of cybercrime infrastructure — who had more than full ties to cryptor.biz and AV checker services — are unlikely to act on abuse reports against their own clients.
If a domain is behind Keitaro's tracker, it's far more effective to obtain the necessary information outside of them: domain registrar, hosting provider, upstream ISP, payment processor, and of course — the ClickUp/AWS data trail they so conveniently created for us.
Thank you, Keitaro, for storing everything so meticulously. It makes our job much easier.
Google and Facebook (Meta) have both filed lawsuits against companies and individuals who abuse their advertising platforms. Keitaro openly markets features whose sole purpose is to bypass these platforms' moderation systems. Their "Integration Google Ads" and "Integration Facebook" aren't for legitimate ad tracking — Google Tag Manager and Facebook Pixel do that for free. These integrations exist to help cloakers coordinate their deception of Google and Facebook's review systems.
This isn't a gray area. The core product is moderation evasion. The 20+ traffic filters, sandbox detection, AV checker integration — none of these have a legitimate use case. A product built to deceive platforms is a product built to facilitate fraud, and the platforms' legal teams tend to notice eventually.
"Sincerely, your friends at Keitaro. We're definitely a legitimate company. Please don't look at our client list."
— Apliteni OU, Sepapaja tn 6, Tallinn, 15551, Estonia
Collected by PhishDestroy | For security research, abuse investigation, and ad fraud detection