VexTrio Uncovered: A Global Ad-Fraud Empire with Billions at Stake
Infoblox Threat Intel has released a detailed investigation exposing the VexTrio threat group as a sophisticated global business enterprise engaged in extensive ad-fraud activities. Previously identified as a significant player in malicious traffic distribution systems, VexTrio is now recognised as a complex multinational corporate entity comprising nearly 100 companies across the adtech, energy, and construction sectors. This extensive network reportedly supports an ad-fraud scheme valued in the billions. The investigation reveals that VexTrio is not merely a collection of hackers but rather a merger of Italian and Eastern European criminal organisations. They utilise a structured network of businesses to obscure their fraudulent activities, with named executives overseeing operations that have persisted for over a decade. VexTrio manages a comprehensive scam supply chain, controlling everything from the creation of fraudulent applications to the operation of payment processors that collect illicit proceeds. Prominent adtech brands within the network, such as Los Pollos, TacoLoco, and Adtrafico, masquerade as legitimate affiliate marketing platforms while actually facilitating the group’s criminal operations.
The international reach of VexTrio is substantial, with their affiliate network Los Pollos reportedly attracting over 2 billion unique users each month in 2024. A review by GoDaddy of compromised websites indicated that approximately 40 per cent were redirecting traffic to VexTrio. Furthermore, one of the group’s core Content Delivery Network domains ranks among the world’s top 10,000 most visited domains. VexTrio’s control extends to the development of fraudulent products, including fake dating platforms, eCommerce portals, and cryptocurrency investment websites. They operate their own payment processing systems and run email validation services, enabling high-volume spam campaigns that lure new victims into their schemes. Affiliates within VexTrio’s network are incentivised with offers exceeding AUD $100 per lead for fraudulent antivirus products, while some scams, such as “blank credit card” schemes, promise returns in the six-figure range and up to 300 per cent return on investment. Despite its vast scale, VexTrio reportedly operates with fewer than 250 virtual machines globally, employing automated tools and leveraging multiple hosting providers and legitimate Content Delivery Networks to maintain its operations.
Categories: Ad-Fraud Operations, Criminal Enterprise Structure, International Cybercrime Network
Tags: VexTrio, Ad-Fraud, Criminal Structure, Multinational, Affiliate Marketing, Fraudulent Applications, Payment Processors, Content Delivery Network, Spam Campaigns, Financial Incentives