A sophisticated malvertising campaign, once limited to exploiting Facebook users with fake offers, has dramatically expanded its reach. Researchers at Bitdefender, who have been tracking this threat for over a year, report that cybercriminals are now using Google Ads and YouTube to distribute advanced crypto-stealing malware. This malicious campaign began by luring users with promises of “free access” to popular trading platforms like TradingView Premium on Facebook. However, it has escalated into a much broader and more dangerous operation. By weaponizing trusted advertising ecosystems and hijacking verified accounts, the threat actors are now able to compromise financial data and cryptocurrency wallets on a massive scale.
This expansion poses unprecedented risks for both content creators and ordinary users. Attackers are exploiting the perceived legitimacy of verified accounts and well-known brands to gain user trust. Unlike typical scams, these malicious campaigns use multi-stage infection techniques and advanced evasion mechanisms to trick unsuspecting users. The campaigns redirect victims to malware-laden downloads specifically designed to steal sensitive credentials, compromise accounts, and exfiltrate financial data. This move from Facebook to Google’s advertising platforms and YouTube represents a significant escalation, making the threat harder to detect and mitigate.
The campaign’s remarkable sophistication is evident in its execution. Researchers discovered that cybercriminals successfully hijacked a Google advertiser account belonging to a Norwegian design agency. In an even more concerning development, they compromised a verified YouTube channel and systematically rebranded it to impersonate the official TradingView platform. This included meticulously mirroring the brand’s authentic presence by reusing identical logos, banners, and visual elements. The attackers even mirrored legitimate playlists from the real TradingView channel, creating a convincing illusion of active and official content.
The impersonation strategy relied on several deceptive elements that made it extremely difficult for users to spot the fraud. The attackers exploited the compromised channel’s existing verified badge status, which users typically associate with authenticity without performing deeper checks. The hijacked channel had no original content and very few organic views, yet it appeared legitimate because of its paid placements. These campaigns relied entirely on unlisted advertisement videos shown exclusively through aggressive ad placements, effectively avoiding public scrutiny.
One ad, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” was a prime example of the campaign’s success. It gained over 182,000 views within days through aggressive advertising, despite remaining unlisted and hidden from public view. This highlights how attackers are effectively bypassing traditional detection methods by using paid ad placements and leveraging the trust associated with legitimate, verified platforms. This strategy not only maximizes their reach but also minimizes the risk of being discovered by security researchers or the platforms themselves.
Reference:
