Uncloaked TSS fake alert, fake scan, and payment demand
A sophisticated new wave of cybercrime is blending psychological manipulation with cutting-edge technology to drain the bank accounts of unsuspecting victims. A joint investigation by Infoblox Threat Intel and Confiant has exposed a massive operation where threat actors use artificial intelligence and commercial “cloaking” tools to deploy highly convincing investment scams at a global scale.
At the heart of this operation is “cloaking”—the digital art of hiding a website’s true nature from security scanners while showing a persuasive lure to real people.
Threat actors are increasingly leveraging a commercial advertising tracker known as Keitaro. While designed for legitimate marketing, it is being abused as a “traffic distribution system” (TDS) to filter victims based on their device type, location, and language.
“The approach scales and defeats conventional defenses by combining conditional traffic routing… and cloaking that shows benign pages to scanners and persuasive lures to real users,” the researchers explain.
What makes these current campaigns particularly “persistent” is the integration of generative AI. Attackers are no longer limited by language barriers or a lack of design skills. Instead, they use AI to create “high-fidelity AI-generated creatives localized to the target, and deepfake audio/video assets to simulate trusted representatives or media personalities”.
By “combining an older but still highly effective investment fraud theme with modern AI technologies,” these actors can launch campaigns that feel deeply personal and urgent. This “vibe coding” of scams increases trust and engagement, making victims more likely to hand over their contact details or follow instructions over the phone.
The journey from a simple web search to a financial loss follows a carefully engineered path:
- The Lure: A user clicks on a search or social media ad for a “get-rich-quick” investment scheme or a fake browser update.
- Precision Targeting: The cloaking infrastructure (often using Keitaro) analyzes the user’s device and IP address.
- The Split: If a security bot visits, it sees a harmless “decoy” page. If a real user from a target country (like the U.S. or Poland) visits, they are shown the AI-personalized scam.
- The Extraction: Actors “tune their TTPs to maximize trust and engagement,” eventually pressuring victims into making fraudulent transfers.
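The split described above is something a defender can test for directly: fetch the same URL under several visitor profiles (scanner-like versus real-looking device and language) and compare what each receives. The following is an added example, not code from the Infoblox or Confiant report; the profile headers, the lure markers and the two HTML pages are constructed.

```python
import re
from typing import Dict

# Probe profiles modelled on the signals the article says cloakers key on:
# device type (User-Agent) and language (Accept-Language). Geolocation would
# need the fetch to originate from an IP in the target country; not done here.
PROFILES = {
    "scanner":   {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "Accept-Language": "en"},
    "us_mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "Accept-Language": "en-US"},
    "de_mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 14)", "Accept-Language": "de-DE"},
}
# Markers of an investment lure: a phone-capture field and urgency wording (constructed list).
LURE_SIGNALS = [r'<input[^>]*name="phone"', r"\bearn\b", r"\blimited\b", r"\bguaranteed\b"]

def visible_words(html: str) -> set:
    """Reduce a page to the set of words a visitor would actually read."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    return set(re.findall(r"[a-z0-9]+", re.sub(r"<[^>]+>", " ", html).lower()))

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 1.0

def detect_cloaking(responses: Dict[str, str], baseline: str = "scanner",
                    threshold: float = 0.6) -> Dict[str, dict]:
    """Compare each profile's page with the scanner's copy; low word overlap
    means the site served a different page to the real-looking visitor."""
    base = visible_words(responses[baseline])
    report = {}
    for name, body in responses.items():
        if name == baseline:
            continue
        sim = jaccard(base, visible_words(body))
        report[name] = {"similarity": round(sim, 3), "cloaked": sim < threshold,
                        "lure_signals": [p for p in LURE_SIGNALS if re.search(p, body, re.I)]}
    return report

# Constructed responses standing in for what a fetch under each PROFILES key returned.
DECOY = ("<html><head><title>Green Kitchen Blog</title><style>body{}</style></head>"
         "<body><h1>Green Kitchen Blog</h1><p>Today we cook a simple lentil soup "
         "with garlic and lemon.</p></body></html>")
LURE = ("<html><head><title>Secure Trading Platform</title><script>track()</script>"
        "</head><body><h1>Earn 300% in 30 days</h1><p>Limited spots. Enter your phone "
        'number and an advisor will call you today.</p><form><input name="phone"></form>'
        "</body></html>")
SAMPLE = {"scanner": DECOY, "us_mobile": LURE, "de_mobile": DECOY}

if __name__ == "__main__":
    for profile, row in detect_cloaking(SAMPLE).items():
        print(profile, row)
```

Only the US mobile profile is flagged: its page shares almost no visible words with what the scanner saw and carries the phone-capture field, while the German mobile profile (outside the target countries in this sample) receives the same decoy as the scanner.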
The researchers note that because many of these scams rely on commercial software like the Apliteni platform (which powers Keitaro), coordinated reporting efforts are proving effective.
“Coordinated reporting efforts have already led to infrastructure and account takedowns, giving us a viable remediation path even as actors continue rotating domains and ad creatives,” the report concludes.