Hackers have started attacking crypto users through aggressive Facebook ads promoting fake Windows 11 updates.
Fake announcements are disguised as official updates, but in reality, they steal seed phrases from crypto wallets, logins, and other confidential information. Additionally, malware collects saved passwords and active sessions in the browser.
Hackers promote fake Windows 11 updates through Facebook
According to a report by Malwarebytes, criminals use professional Microsoft branding to promote fake Windows 11 updates. After clicking on the ad, users land on a cloned Microsoft site with a domain name that mimics the company's official addresses.
The attackers also use geofencing: the malicious content is served only to ordinary users connecting from home or office networks, while requests from data-center IP addresses are ignored. Because security scanners and sandboxes typically run from data centers, this helps the campaign evade automated detection systems.
If a visitor passes the geofencing check, they are offered a malicious installer. It is hosted on GitHub and served over HTTPS from a domain with a valid certificate, so the download looks like a legitimate Microsoft file.
The installer itself carries an evasion mechanism: it checks the system for virtual machines and malware analysis tools and terminates if it finds any. On an ordinary user's computer, however, it installs and begins the infection.
The malware installs a legitimate framework in a folder named LunarApplication. The name resembles the Lunar brand of crypto tools, lending it an appearance of legitimacy in the eyes of crypto users. In reality, the program searches for cryptocurrency wallet files and seed phrases and sends the data to the attackers.
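As an added defender-side example (not from the Malwarebytes report or this article): a Python hunt over constructed proxy log lines that flags an executable fetched from GitHub while the referrer is a Microsoft look-alike domain, i.e. the two steps of the chain described above (cloned site on a mimicking domain, installer hosted on GitHub). The brand list, file extensions, log format and every domain in the sample are assumptions and placeholders.

```python
from urllib.parse import urlparse

BRANDS = {"microsoft.com", "windows.com"}           # genuine brand roots (assumed list)
HOSTING = {"github.com", "githubusercontent.com"}   # installer hosting named in the report
EXEC_EXT = (".exe", ".msi", ".zip")                  # installer-like extensions (assumption)
# Fold common digit/symbol look-alikes before comparing, e.g. "micros0ft" -> "microsoft".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a"})

def registered_domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; catches one-character typos such as 'micosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, brands=BRANDS, max_dist=1):
    """True if host imitates a brand: brand name embedded, or a DNS label one edit away."""
    if registered_domain(host) in brands:
        return False                                 # the real domain or one of its subdomains
    folded = host.lower().translate(HOMOGLYPHS)
    labels = folded.replace("-", ".").split(".")[:-1]   # hostname labels without the TLD
    compact = folded.replace("-", "").replace(".", "")
    for brand in brands:
        name = brand.split(".")[0]
        if name in compact or any(edit_distance(lbl, name) <= max_dist for lbl in labels):
            return True                              # also flags benign sites naming the brand: triage
    return False

def suspicious_downloads(lines):
    hits = []
    for line in lines:                               # constructed format: ts client url referrer
        _, client, url, ref = line.split()
        dl, site = urlparse(url), urlparse(ref)
        if (dl.path.lower().endswith(EXEC_EXT)
                and registered_domain(dl.hostname or "") in HOSTING
                and is_lookalike(site.hostname or "")):
            hits.append((client, url, ref))
    return hits

# Constructed sample log lines; the domains are placeholders, not indicators from the report.
SAMPLE_LOG = [
    "2025-11-03T10:01:02Z 10.0.0.5 https://github.com/example-org/rel/releases/download/v1/Win11Update.exe https://windows11-upgrade-micros0ft.example/",
    "2025-11-03T10:02:10Z 10.0.0.7 https://github.com/example-org/tool/releases/download/v2/tool.exe https://www.microsoft.com/",
    "2025-11-03T10:03:30Z 10.0.0.9 https://github.com/example-org/docs/README.md https://micosoft-update.example/",
]
```

Only the first sample line is flagged: the second comes from the genuine microsoft.com and the third fetches a non-executable, which is the false-positive behaviour a SOC would want before putting such a rule in front of analysts.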
Malicious ad campaigns on Facebook have been ongoing for a long time and remain unnoticed due to advanced evasion techniques, including geofencing.
Malware for stealing cryptocurrency is distributed through social media ads
This is not the first case where hackers use Facebook ads to steal cryptocurrency wallet data. Last year, criminals took advantage of the annual Pi2Day event and launched large-scale ad campaigns with malicious content targeting crypto users.
Pi2Day is celebrated by the Pi Network community on June 28. During last year's event, hackers posted 140 fake ads using the Pi Network brand. Users were redirected to phishing sites with promises of free Pi tokens or participation in an airdrop, but in exchange, they were asked for their recovery seed phrase.
The attack affected users from various regions, including the USA, Europe, Australia, China, and India. Additionally, criminals lured victims with offers of easy Pi mining on smartphones.
In September of last year, cybersecurity experts uncovered another attack through Meta ads, which offered free access to TradingView Premium. Bitdefender Labs researchers found that the campaign also spread through Google and YouTube.
The attackers hijacked a verified YouTube account and a Google Ads account, then launched fake ads that redirected users to phishing pages. Using a verified YouTube account increases trust and steers victims to sites disguised as legitimate.
According to Bitdefender, one video titled 'Free TradingView Premium — Secret Method They Don’t Want You to Know' garnered over 182,000 views in just a few days.
The video description included a link to a malicious executable. The campaign used an evasion mechanism that showed a harmless page to visitors outside the intended target group. The video itself was unlisted and did not appear in searches, making it difficult to detect and report to Google.
There is no public data on the exact amount of cryptocurrency stolen specifically through fake ads. However, according to Chainalysis, in 2025 the total damage from crypto scams amounted to about $17 billion.
According to DeepStrike, in 2025, fraudsters infected millions of devices and stole about 1.8 billion credentials. The report notes:
"Everything related to money — online banking, PayPal, cryptocurrency wallets — is an obvious target for cybercriminals."
