VexTrio’s Origin Story Unveils Scams Including Fake VPN Ads and Spam Blockers, Crypto Fraud

• Malicious portfolio: VexTrio focuses on fake VPNs, ad blockers, scareware and dating and cryptocurrency scams.
• Malware on official stores: These seemingly useful apps only engaged in subscription scams without delivering the promised service.
• VexTrio evolution: This entity evolved from small-scale spam operations into a behemoth in the malicious adtech ecosystem.

A recent investigation has unveiled a link between fake VPN apps, spam blocker applications, and the notorious VexTrio Viper ad fraud operation. At least seven malicious apps are historically associated with one of the developer names they used, including a “RAM cleaner” and several VPNs, such as FastVPN.

Exploitation of Security Tools  

Posing as legitimate tools, these fake VPN and spam blocker apps infiltrated the Google and Apple app marketplaces under several developer names, including HolaCode, Hugmi, Klover Group, AlphaScale Media, and LocoMind. 

Many apps deliver scareware or exploit subscription models, enrolling victims in hidden recurring charges under the guise of premium services. Users often realize too late that the apps provide no authentic functionality, a comprehensive Infoblox analysis says. 

Once downloaded, they initiate ad fraud schemes by silently redirecting user traffic to malicious websites. This redirection enables VexTrio to generate vast revenue through deceptive ad impressions and clicks. 

Their spam website impersonated known brands, such as SendGrid, Mailgun, and Fidelity Mail.

Role of VexTrio in Cybercrime  

Launching in the early 2000s with Italian roots, VexTrio initially operated spam campaigns tied to fake dating websites. By 2015, a partnership with Eastern European counterparts expanded their operations to include a sophisticated traffic distribution system (TDS).  

The TDS became a hallmark of VexTrio’s strategy, redirecting massive volumes of web traffic into scams ranging from crypto fraud to fake VPN ads, sometimes using compromised WordPress websites.

By 2024, almost 40% of all compromised websites globally were funneling victims through VexTrio’s servers. Their infrastructure extended across bulletproof hosting providers and mainstream cloud services, enabling seamless delivery of their fraudulent schemes.  

VexTrio’s partnerships with affiliate advertising firms like Los Pollos further solidified their footprint in cybercrime operations. Part of AdsPro Group, Los Pollos was identified as the source of links distributed by the Russian disinformation actor Doppleganger. 

AdsPro Group was very active on social media, including LinkedIn and Facebook, until Infoblox's exposure in December 2024.

The group also maintained ties with hackers and their network conceals connections to other threat activities, according to the report.  

Protecting Users  

To mitigate these cybersecurity threats, experts recommend downloading apps directly from trusted developers, scrutinizing permissions, and actively monitoring financial statements for unauthorized charges.  

Last month, WordPress redirect malware exploited Google Tag Manager in a spam campaign.