Information about Fast VPN shows that it was developed by LocoMind, a VexTrio entity | Image: Infoblox
In a detailed investigation, Infoblox Threat Intel has unmasked VexTrio as a sprawling cybercriminal network whose operations reach into multiple corners of the internet, from fake dating sites and cryptocurrency scams to fraudulent mobile apps and large-scale spam campaigns. The report emphasizes that while the name is well known in the security community, "it is not widely known that most of the time VexTrio is delivering their own scam content, rather than that of independent advertisers."
At the heart of VexTrio's operation is a self-reinforcing ecosystem: "VexTrio's scams feed their spam, and their spam feeds their scams." Their so-called "smartlinks" are seeded across compromised websites, social media platforms, and even email security tools, and route visitors to malicious landing pages. Victims are funneled into fraudulent dating, cryptocurrency, sweepstakes, and antivirus schemes, each designed to extract money or personal data.
The affiliate networks they operate (Los Pollos, Adtrafico, and TacoLoco) control what content is delivered to end users, maximizing profit while masking ownership. DNS analysis shows that in many cases "the VexTrio TDS delivers content more often from their own hosting... than external partners."
Beyond web-based fraud, VexTrio has expanded aggressively into mobile app distribution. Infoblox notes that they have released VPNs, spam blockers, and dating apps under developer names such as HolaCode, LocoMind, Hugmi, and AlphaScale Media, often reaching millions of downloads. The apps are deceptively marketed, their fraudulent nature hidden behind inflated ratings, while user reviews tell the real story.
One example is Spam Shield, which promised to protect users from unwanted notifications but simply disabled browser alerts while locking victims into paid subscriptions. As the report explains: "While it claims to eliminate threats, this app simply turns off browser notifications."
Similarly, their VPN products often operate as residential proxies, meaning the installing user's device and IP address relay other people's traffic, which raises serious privacy concerns. Names and branding are deliberately chosen to mimic legitimate services, sowing confusion among users.
VexTrio's scam landing pages have appropriated the likenesses of public figures and brands including MrBeast, Elon Musk, President Donald Trump, and even the U.S. Cybersecurity and Infrastructure Security Agency (CISA). As Infoblox highlights, this tactic is used to "deceive users into participating in its cryptocurrency scams."
The investigation reveals deep interconnections between VexTrio and ostensibly legitimate companies, particularly in Prague and Cyprus. Entities such as Techintrade and OILIMPEX share software, hosting, and even corporate leadership ties with VexTrio. DNS records directly link these companies to VexTrio infrastructure, raising questions about the true size of the enterprise.
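The DNS pivoting the report relies on, both for the observation that the TDS serves content from VexTrio's own hosting and for tying ostensibly separate companies to the same infrastructure, can be reproduced on passive-DNS data. The block below is an added example written for this page, not Infoblox's tooling or code from the report. Every domain, IP address and nameserver in it is constructed (reserved .example names and TEST-NET addresses, not real VexTrio indicators), and max_fanout is an assumed threshold for discarding pivots that belong to commodity hosting.

```python
"""Cluster domains by shared DNS infrastructure (added example, not from the report).

Two domains that share an A record (same host) or an authoritative nameserver
are joined into one cluster with union-find. Separate brands, developer names
and companies then fall into one infrastructure group. Pivot values seen on
more than max_fanout domains are treated as commodity hosting and ignored,
otherwise every tenant of a large CDN or DNS provider would collapse into a
single meaningless cluster. All data below is constructed for the example.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (domain, record type, value).
PDNS_RECORDS = [
    ("smartlink-redirect.example", "A", "192.0.2.10"),
    ("smartlink-redirect.example", "NS", "ns1.hoster-a.example"),
    ("dating-offer.example", "A", "192.0.2.10"),
    ("dating-offer.example", "NS", "ns1.hoster-a.example"),
    ("crypto-giveaway.example", "A", "192.0.2.11"),
    ("crypto-giveaway.example", "NS", "ns1.hoster-a.example"),
    ("spamshield-app.example", "A", "192.0.2.11"),
    ("spamshield-app.example", "NS", "ns1.hoster-a.example"),
    ("unrelated-news.example", "A", "203.0.113.7"),
    ("unrelated-news.example", "NS", "ns1.other-dns.example"),
]
# Six unrelated tenants behind one constructed CDN edge IP, each with its own NS.
for i in range(1, 7):
    PDNS_RECORDS.append((f"cdn-tenant-{i}.example", "A", "198.51.100.200"))
    PDNS_RECORDS.append((f"cdn-tenant-{i}.example", "NS", f"ns1.tenant-{i}.example"))


def cluster_by_shared_infra(records, max_fanout=5):
    """Return {root_domain: set(domains)} grouping domains that share A/NS values."""
    domains_by_value = defaultdict(set)
    for domain, rtype, value in records:
        if rtype in ("A", "NS"):
            domains_by_value[(rtype, value)].add(domain)

    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for domain, _, _ in records:
        find(domain)  # register every domain so singletons are reported too
    for (_rtype, _value), domains in domains_by_value.items():
        if len(domains) > max_fanout:
            continue  # commodity pivot (assumed threshold), carries no attribution signal
        ordered = sorted(domains)
        for d in ordered[1:]:
            union(ordered[0], d)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return dict(clusters)


def cluster_of(records, domain, max_fanout=5):
    """Convenience: the set of domains clustered with `domain`."""
    for members in cluster_by_shared_infra(records, max_fanout).values():
        if domain in members:
            return members
    return set()


if __name__ == "__main__":
    for members in cluster_by_shared_infra(PDNS_RECORDS).values():
        if len(members) > 1:
            print(sorted(members))
```

With the default threshold the four constructed scam domains cluster together through their shared nameserver while the CDN tenants stay apart; raising max_fanout above six merges the CDN tenants into one cluster, which is the false-positive mode to watch for. In practice a shared nameserver is a weak pivot unless the provider is small, so analysts combine it with hosting ASN, registrant data and the content actually served, as the report does.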
Perhaps the most alarming aspect is how long VexTrio has operated without facing significant legal repercussions. Infoblox bluntly states: "We are astonished that VexTrio has operated, and thrived, for 15 years without facing legal consequences." Despite numerous takedown attempts, the group adapts and re-emerges, its tactics evolving but its core mission unchanged.
The report closes with a warning to the cybersecurity community, quoting Publilius Syrus: "Fraus est celare fraudem," to conceal fraud is itself a fraud.