- Experts warn Facebook crypto ads now deliver malware through trusted brand impersonation
- Malware deploys only when victims meet specific browser or profile criteria
- Local server and PowerShell commands allow stealthy data exfiltration and control
A new wave of malware attacks is targeting Bitcoin and crypto owners through Facebook ads that mimic trusted names in the industry.
Bitdefender says it has uncovered a multi-stage malvertising campaign that exploits the reputations of well-known platforms like Binance, TradingView, ByBit, and others.
These malicious ads don’t just trick users, they also adapt in real time to avoid detection and deliver malware only when conditions are ideal for the attackers.
Highly evasive delivery system
The scheme begins when cybercriminals hijack or create Facebook accounts and use Meta’s ad network to run fraudulent promotions.
These ads feature fake offers and use photos of celebrities – Zendaya, Elon Musk, and Cristiano Ronaldo are the usual suspects – to appear more convincing.
Once clicked, users are redirected to lookalike websites that impersonate legitimate cryptocurrency services and prompt them to download what appears to be a desktop client.
The malware delivery system is highly evasive. Bitdefender says the front-end of the fake site works with a local server quietly spun up by the initial install, allowing attackers to send payloads directly to the victim’s system while dodging most security software.
Delivery only happens if the victim meets specific criteria, such as being logged into Facebook, using a preferred browser like Microsoft Edge, or matching a certain demographic profile.
Some malware samples run lightweight .NET servers locally and communicate with the website using advanced scripts that execute encoded PowerShell commands. These can exfiltrate sensitive data like installed software, system and OS info, and even GPU details.
Depending on the findings, the malware may download further payloads or simply go dormant if it suspects it’s being analyzed in a sandbox.
Bitdefender researchers found hundreds of Facebook accounts promoting these campaigns. One ran more than 100 ads in a single day. Many ads target men aged 18 and older, with examples found in Bulgaria and Slovakia.
How to stay safe
Scrutinize ads carefully: Be highly skeptical of ads offering free crypto tools or financial perks. Always verify links before clicking.
Download from official sources only: Visit platforms like Binance or TradingView directly. Never trust redirects from ads.
Use link-checking tools: Tools like Bitdefender Scamio or Link Checker can alert you to dangerous URLs before you engage.
Keep your security software up to date: Use a reputable antivirus that gets regular updates to catch evolving threats.
Watch for suspicious browser behavior: Pages that insist you use Edge or redirect erratically are massive red flags.
Report shady ads: Flag suspicious content on Facebook to help others avoid falling into the same trap.
