Hackers Turn Facebook Ads Into Crypto-Draining Traps
Hackers are also using Facebook ads to push fake Windows 11 update campaigns at cryptocurrency users.
Such advertisements lead victims to download malicious software that collects sensitive information, such as crypto wallet seed phrases and login details.
Malicious Ads Use Microsoft Branding
Malware experts reported that hackers are disguising their campaigns as official Windows 11 updates.
Those who click on the ads are redirected to a fraudulent Microsoft site whose domain name is similar to that of the real site.
The site looks professional, which makes it hard to recognize as a scam.
The hackers also use a method known as geofencing, where the advertisement is confined to certain geographical areas.
This ensures that the ads are shown only to genuine users connected to home or office networks.
This approach keeps automated tools from identifying and blocking the malware, so the campaign can reach more people.
After a victim has accessed the fake update, he or she downloads a malicious installer hosted on GitHub, which looks like a legitimate Microsoft installer because it carries a security certificate.
The installer checks for virtual machines and analysis tools to avoid detection. The malware then installs itself in a folder named LunarApplication on the victim's computer.
The name is chosen to come across as a legitimate crypto tool brand, and it therefore misleads crypto users.
Targeting Crypto Users with Evasion Techniques
The malware has one main aim: to steal high-value crypto data. It specifically targets wallet files and seed phrases and sends this data to the hackers.
Advanced evasion methods, such as geofencing and the seemingly innocent LunarApplication folder, make this malware especially hard to detect and remove.
The Facebook advertisement campaigns have been running for a long time, and these sophisticated methods have kept them from being caught.
Crypto users, who are generally more vulnerable to phishing attacks, are the most susceptible to this kind of attack.
Previous Attacks and Broader Malware Trends
This is not the first time hackers have used social media advertisements to steal crypto-related information.
The same kind of attack took place last year around Pi2Day, when hackers placed fake advertisements offering free Pi tokens or airdrops.
In that case, victims were sent to phishing sites, and their recovery phrases were stolen in return for non-existent rewards.
Moreover, in September of last year, hackers took over verified YouTube and Google accounts to advertise counterfeit TradingView Premium deals.
Before these ads were found, they had been watched more than 180,000 times. Using verified accounts helped the attackers look professional and raised the probability of luring victims to their phishing sites.
Bitdefender, a cybersecurity company, reported that the same tactics are used on different platforms, such as YouTube and Google advertisements.
Attackers who take over trusted accounts have a high likelihood of reaching unsuspecting victims as a result.
Such scams and phishing are a growing menace to cryptocurrency users. Although the total amount of cryptocurrency stolen through such ads is unclear, the overall magnitude of crypto scams is increasing.
In 2025 alone, 17 billion was lost to crypto fraud, and infostealer malware was used in the theft of more than 1.8 billion credentials. With cybercriminals constantly going after online wallets and digital currencies, users should always be alert and careful when dealing with online advertisements and downloading software.