Facebook Ads Hijacked: Hackers Deploy Crypto-Stealing Malware in Broad Daylight
Your social media scroll just got riskier. Security researchers have uncovered a sophisticated campaign turning Facebook's ad platform into a delivery system for cryptocurrency theft.
The Bait-and-Switch Playbook
It starts with a legitimate-looking advertisement. Maybe it's for a popular software tool, a game, or a productivity app. The ad clicks through to a site that looks authentic—until it triggers a download. That's where the malware payload gets delivered, often disguised as a necessary plugin or update.
Anatomy of a Digital Heist
Once installed, this isn't just spyware. It's a precision tool designed for one job: pilfering crypto assets. The malware scans for wallet extensions, browser sessions connected to exchanges, and even clipboard data to hijack transactions. It swaps out legitimate wallet addresses for ones controlled by the attackers before you even hit 'send'.
Why Facebook? Why Now?
The platform's vast reach and sophisticated targeting tools make it ideal. Hackers can micro-target users who've shown interest in cryptocurrency topics, exchanges, or specific coins. The ads look native, and the trust associated with a major platform lowers user suspicion dramatically. It's a brutal reminder that in crypto, your security is only as strong as your least secure habit—like clicking a convincing ad.
The incident underscores a painful truth for the asset class: while evangelists tout 'be your own bank,' the infrastructure—from ad networks to app stores—remains riddled with old-school vulnerabilities. Maybe the real decentralized finance revolution hasn't started until we can stop getting scammed by a fake Flash Player update. Stay skeptical out there.
Hackers promote fake Windows 11 updates on Facebook
According to a Malwarebytes report, hackers use professional Microsoft branding to promote the fake Windows 11 update. Once a victim clicks the advertisement, they see a cloned Microsoft website with a domain name mimicking legitimate Microsoft domains.
The hackers use geofencing, which is a technique that targets regular users who connect from home internet or offices, and it avoids IP addresses from data centers. This is done to stop automated scanners from exposing the attack.
Once the victim passes geofencing, they receive a malicious installer, which is hosted on GitHub and downloaded from a secure domain with a security certificate. This makes the attack look like a genuine Microsoft download.
The malicious installer has an evasion mechanism that scans for virtual machines and analysis tools and stops execution to avoid detection. However, on a victim’s computer, the malware installs and begins infecting the system.
The malware installs a real framework in a folder named LunarApplication. The folder name is similar to a crypto tooling brand called Lunar. This makes the malware look legitimate to crypto users, but in reality, it targets crypto wallet files and seed phrases and sends the data to hackers.
The malicious Facebook ad campaigns have been running for a long time and have avoided detection through sophisticated evasion techniques such as geofencing.
Crypto malware spreads through social media ads
This is not the first time crypto hackers have utilized Facebook ads to steal crypto wallet data. Last year, hackers took advantage of the annual Pi2Day event and launched malicious Facebook ad campaigns targeting crypto users.
The annual Pi2Day event is celebrated by the Pi Network community on June 28. During the last event, hackers launched 140 fake ads using Pi Network branding. Victims were redirected to phishing websites that promoted free Pi tokens or airdrop events, but in exchange for the victim’s recovery phrase.
The phishing attack targeted victims from various regions, including the US, Europe, Australia, China, and India. It lured victims through other techniques, including easy Pi token mining on smartphones.
In September of last year, cybersecurity researchers discovered another Meta ads based attack promoting free access to TradingView Premium. Researchers from Bitdefender Labs found that the attack spread to Google and YouTube ads.
The hackers hijacked a verified YouTube account and a Google advertiser account and launched fake ads to redirect victims and phish their information. Abusing verified YouTube accounts usually lures unsuspecting victims to malicious websites masquerading as legitimate ones.
According to Bitdefender, one of the fake video ads titled “Free TradingView Premium – Secret Method They Don’t Want You to Know” was viewed more than 182,000 times in a few days.
The video description includes a LINK to the malicious executable. It features an evasion technique that causes the user to see a harmless page if the attackers don’t recognize them as a valid target. The video was unlisted, which makes it unsearchable and difficult to report to Google.
There is no public report isolating the total amount of cryptocurrency stolen specifically through fake ads. However, an estimated $17 billion was lost to crypto scams in 2025 based on Chainalysis data.
Infostealer malware affected millions of devices and stole around 1.8 billion credentials in 2025, according to cybersecurity firm DeepStrike. “Anything with money attached to online banking, PayPal, cryptocurrency wallets is obviously prized by cybercriminals,” stated the report.
Join a premium crypto trading community free for 30 days - normally $100/mo.
