Hackers spread crypto stealing malware through Facebook ads

Hackers are targeting crypto users through launching aggressive Windows 11 update ads on Facebook. 

The fake ads steal crypto wallet seed phrases, login details, and other sensitive information. Moreover, the malware harvests saved passwords and browser sessions.

Hackers promote fake Windows 11 updates on Facebook

According to a Malwarebytes report, hackers use professional Microsoft branding to promote the fake Windows 11 update. Once a victim clicks the advertisement, they see a cloned Microsoft website with a domain name mimicking legitimate Microsoft domains.

The hackers use geofencing, which is a technique that targets regular users who connect from home internet or offices, and it avoids IP addresses from data centers. This is done to stop automated scanners from exposing the attack.

Once the victim passes geofencing, they receive a malicious installer, which is hosted on GitHub and downloaded from a secure domain with a security certificate. This makes the attack look like a genuine Microsoft download.

The malicious installer has an evasion mechanism that scans for virtual machines and analysis tools and stops execution to avoid detection. However, on a victim’s computer, the malware installs and begins infecting the system.

The malware installs a real framework in a folder named LunarApplication. The folder name is similar to a crypto tooling brand called Lunar. This makes the malware look legitimate to crypto users, but in reality, it targets crypto wallet files and seed phrases and sends the data to hackers.  

The malicious Facebook ad campaigns have been running for a long time and have avoided detection through sophisticated evasion techniques such as geofencing.

Crypto malware spreads through social media ads

This is not the first time crypto hackers have utilized Facebook ads to steal crypto wallet data. Last year, hackers took advantage of the annual Pi2Day event and launched malicious Facebook ad campaigns targeting crypto users. 

The annual Pi2Day event is celebrated by the Pi Network community on June 28. During the last event, hackers launched 140 fake ads using Pi Network branding. Victims were redirected to phishing websites that promoted free Pi tokens or airdrop events, but in exchange for the victim’s recovery phrase. 

The phishing attack targeted victims from various regions, including the US, Europe, Australia, China, and India. It lured victims through other techniques, including easy Pi token mining on smartphones. 

In September of last year, cybersecurity researchers discovered another Meta ads based attack promoting free access to TradingView Premium. Researchers from Bitdefender Labs found that the attack spread to Google and YouTube ads.

The hackers hijacked a verified YouTube account and a Google advertiser account and launched fake ads to redirect victims and phish their information. Abusing verified YouTube accounts usually lures unsuspecting victims to malicious websites masquerading as legitimate ones.

According to Bitdefender, one of the fake video ads titled “Free TradingView Premium – Secret Method They Don’t Want You to Know” was viewed more than 182,000 times in a few days.

The video description includes a link to the malicious executable. It features an evasion technique that causes the user to see a harmless page if the attackers don’t recognize them as a valid target. The video was unlisted, which makes it unsearchable and difficult to report to Google.

There is no public report isolating the total amount of cryptocurrency stolen specifically through fake ads. However, an estimated $17 billion was lost to crypto scams in 2025 based on Chainalysis data.

Infostealer malware affected millions of devices and stole around 1.8 billion credentials in 2025, according to cybersecurity firm DeepStrike. “Anything with money attached to online banking, PayPal, cryptocurrency wallets is obviously prized by cybercriminals,” stated the report.

Join a premium crypto trading community free for 30 days - normally $100/mo.