Cybersecurity company Check Point warns that approximately 10 million people worldwide have been exposed to online ads promoting fake cryptocurrency applications that contain malware.
Check Point Research states that it has been tracking a malware campaign named "JSCEAL," which targets cryptocurrency users by impersonating common crypto trading applications.
The campaign has been active since at least March 2024 and has "gradually evolved over time," the company added. It uses ads to lure victims into installing fake applications that "impersonate nearly 50 common cryptocurrency trading applications," including Binance, MetaMask, and Kraken.
Cryptocurrency users are a primary target for various malicious activities, as victims of crypto theft have little recourse to recover their funds, and the blockchain allows criminals to remain anonymous, making it difficult to expose the individuals behind these schemes.
Check Point states that Meta's advertising tools show that 35,000 malicious ads were promoted in the first half of 2025, leading to "millions of views" in the EU alone.
The company estimates that at least 3.5 million people in the EU have been exposed to these ad campaigns, but the ads also "impersonated crypto and financial institutions in Asia," a region with a relatively high number of social media users.
Check Point claims, "Its global reach easily exceeds 10 million."
The company notes that it is usually impossible to determine the full extent of malware activity, as ad coverage "does not equate to the number of victims."
The latest version of the malware campaign employs "unique evasion techniques," resulting in "extremely low detection rates," allowing it to remain undetected for a long time, Check Point stated.
Victims clicking on malicious ads are directed to a seemingly legitimate but actually fake website to download the malware. The attackers' website and the installation software run simultaneously, which Check Point says "significantly increases the difficulty of analysis and detection," as they are hard to detect in isolation.
To deceive victims, the fake application opens a program that points to the legitimate website of the application they believe they downloaded, while in the background it collects "sensitive user information, primarily related to cryptocurrency."
The malware uses the popular programming language JavaScript and can run without victim input. Check Point states that the "combination of compiled code and extensive obfuscation" makes analyzing the malware "challenging and time-consuming."
Check Point indicates that the primary goal of the malware is to collect as much information as possible from infected devices and send it to the threat actors.
The information collected by the program includes users' keystrokes, which can reveal passwords, as well as Telegram account information and autofill passwords.
The malware also collects browser cookies, which can show the websites victims frequently visit, and can manipulate cryptocurrency-related web extensions like MetaMask.
Check Point states that anti-malware software that detects malicious JavaScript execution will "very effectively" prevent attacks on already infected devices.
Original: “Crypto Users Warned as Ads Push Malware-Laden Crypto Apps”