A major cybercrime network called VexTrio has just been exposed — and what researchers found is shocking.
Cybersecurity firm Infoblox revealed during the Black Hat USA 2025 conference in Las Vegas that VexTrio is not just a group of hackers — it’s a full-blown criminal business. They are behind countless online scams, malware attacks, fake websites, and even mobile apps that trick people across the world.
Their detailed 80-page report uncovers how this operation works, who runs it, and how it silently affects millions of internet users every day.
What Is VexTrio and How Does It Work?
VexTrio has been active since at least 2017, but was first discovered by Infoblox in 2022. Think of them as middlemen in cybercrime — they don’t always launch attacks themselves, but they provide the tools, websites, and traffic systems that help other criminals run scams and spread malware.
Here’s what they do:
- They hack into websites (mostly WordPress) and secretly insert malicious code.
- When users visit these hacked websites, they are automatically redirected to dangerous pages — like scam offers, fake virus alerts, or websites that install malware.
- They use Traffic Distribution Systems (TDS) to filter and send people to different scam pages based on their location, device, or behavior.
It doesn’t stop there. VexTrio also manipulates the Domain Name System (DNS) to silently redirect users without their realizing it.
How VexTrio Hides Its Tracks
To stay hidden from law enforcement and security systems, VexTrio uses advanced tricks like:
- Fast-flux DNS – constantly changing the IP addresses of their scam websites
- DNS tunneling – sneaking stolen data through normal internet traffic
- Domain generation algorithms (DGAs) – automatically creating new domain names so they can keep operating even if old ones are shut down
Their main website used for delivering scams is ranked among the top 10,000 most-visited sites in the world, showing how big their reach is.
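For defenders, the fast-flux and DGA behaviours listed above leave traces in DNS resolver logs. The following Python is an added example, not code from Infoblox or from this article; the log format, the thresholds, and every domain name and IP address in it are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed log lines "epoch qname answer_ip ttl"; names and IPs are made up.
SAMPLE_LOG = """\
1000 promo.example.net 192.0.2.10 60
1060 promo.example.net 198.51.100.7 60
1120 promo.example.net 203.0.113.44 60
1180 promo.example.net 198.51.100.91 60
1000 cdn.example.org 192.0.2.1 3600
1300 cdn.example.org 192.0.2.2 3600
1600 cdn.example.org 192.0.2.3 3600
1900 cdn.example.org 192.0.2.4 3600
1000 xk7qz2m9vbt4hw.example.com 203.0.113.50 300
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            _ts, qname, ip, ttl = line.split()
            yield qname.lower().rstrip("."), ip, int(ttl)

def label_entropy(qname):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = qname.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def score_domains(log, min_ips=4, min_nets=2, max_ttl=300, min_entropy=3.5, min_len=10):
    """Return {qname: [flags]}; the thresholds are illustrative assumptions."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for qname, ip, ttl in parse(log):
        ips[qname].add(ip)
        nets[qname].add(ip.rsplit(".", 1)[0])  # crude IPv4 /24 grouping
        ttls[qname].append(ttl)
    findings = {}
    for qname in ips:
        flags = []
        # Fast-flux: many answers, spread over several networks, all short-lived.
        if len(ips[qname]) >= min_ips and len(nets[qname]) >= min_nets and max(ttls[qname]) <= max_ttl:
            flags.append("fast-flux")
        # DGA-like: long leftmost label with a near-random character mix.
        if len(qname.split(".")[0]) >= min_len and label_entropy(qname) >= min_entropy:
            flags.append("dga-like")
        if flags:
            findings[qname] = flags
    return findings

print(score_domains(SAMPLE_LOG))
```

Legitimate CDNs and load balancers can also return many addresses with short TTLs, so a flag here is a triage lead to correlate with other signals rather than a verdict.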
Tricking Users with Celebrity Scams
VexTrio also pretends to be big names like MrBeast, Donald Trump, and Elon Musk to promote fake cryptocurrency giveaways and investment scams. These look real but are designed to steal your money or personal data.
The Real People and Companies Behind VexTrio
For the first time, Infoblox has exposed the real-world businesses and people running VexTrio.
The group was formed by two separate criminal networks:
- An Italian group – linked to spam, fake dating sites, and shady online ads
- An Eastern European group – with deep technical skills and internet infrastructure
In 2020, these two groups merged into a global criminal organization. They now operate nearly 100 fake companies across industries like advertising, mobile apps, construction, energy, and even ski resorts.
One key company is AdsPro Group. It pretends to be a digital advertising company, but in reality, it manages the systems that redirect internet traffic into scams and fraud.
The Full Picture: What VexTrio Does
The report shows that VexTrio is behind a wide range of illegal activities, including:
- Fake dating and porn websites
- Fake antivirus apps and ad blockers
- Scam sweepstakes and lottery pages
- Push notification fraud
- Fake crypto investment platforms and e-commerce websites
- Malicious mobile apps under names like HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media
- Payment and email services used for scam payments and stolen data
They even control entire affiliate networks, including websites like Los Pollos, TacoLoco, and Adtrafico, which are used to both advertise and deliver scam content.
In May 2024, Los Pollos claimed to reach 2 billion users — showing the massive scale of their scam operation.
The Shocking Truth: They Run It All with Just 250 Servers
Despite their global impact, Infoblox found that the entire operation runs on fewer than 250 virtual machines, hosted with just a few providers. This shows how a small setup can cause massive damage when used the wrong way.
Who’s Behind It?
Infoblox named several individuals linked to the VexTrio network:
- Giulio Cerutti
- Igor Voronin
- Andrew Kunitsa
- Dzmitry Laptsevich
- Kroum Vassilev
- Matteo Costa
- Marco Rufa
- Giulio Lingua
These people are connected to dozens of fake businesses spread across Switzerland, Czechia, Bulgaria, Moldova, and Canada. Infoblox traced them using public business records, trademark registrations, and social media activity.
Final Thoughts
VexTrio is not just a group of hackers — it’s a well-organized criminal business empire that pretends to be legitimate while secretly powering global scams.
This discovery is a wake-up call for everyone — businesses, cybersecurity professionals, and everyday internet users.
Cybercrime has evolved. It now looks like a company, behaves like a startup — and it’s hiding in plain sight.
Stay aware. Stay protected. Stay ahead.