Cybersecurity company Check Point warns that an estimated 10 million people around the world have been exposed to online ads pushing fake crypto apps.
Check Point Research said Tuesday it was tracking a malware campaign called “JSceal,” which targets crypto users by impersonating common crypto trading apps.
The campaign has been active since at least March 2024 and has “evolved over time,” the company added. It uses ads to trick victims into installing fake apps posing as “almost 50 common cryptocurrency trading apps,” including Binance, MetaMask and Kraken.
Crypto users are key targets for a variety of malicious campaigns, as crypto theft victims have little recourse to recover their funds.
An estimated 10 million targeted by malicious ads
According to Check Point, Meta’s advertising tools showed that 35,000 malicious ads were promoted in the first half of 2025, leading to “millions of views in the EU alone.”
The company estimates that at least 3.5 million people were exposed to the ad campaigns within the EU, but the ads also impersonated Asian crypto and financial institutions, in regions with relatively large numbers of social media users.
“Global reach can easily exceed 10 million,” Check Point said.

Malicious Facebook ads using the logo of popular financial data site TradingView. Source: Check Point
The company noted that it is usually impossible to determine the full scope of a malware campaign, and that the reach of the ads “is not equal to the number of victims.”
Malware uses “unique anti-evasion methods”
The latest iteration of the malware campaign uses “unique anti-evasion methods,” resulting in a “very low detection rate” that has let it go undetected for a long time.
Victims who click on a malicious ad are directed to a fake site that appears legitimate, where they download the malware, and the attacker’s website and the installation software run simultaneously.
The fake app opens a program that directs to the legitimate site of the app the victim believes they downloaded, in order to deceive them, while it collects “sensitive user information primarily related to crypto.”
The malware uses the popular programming language JavaScript and does not require any input from the victim to run. Check Point said a “combination of compiled code and heavy obfuscation” made its efforts to analyze the malware “challenging and time-consuming.”
Accounts and passwords scooped up in the malware net
According to Check Point, the main purpose of the malware is to collect as much information as possible about the infected device and send it to the threat actor to use.
Some of the information the program was collecting was the user’s keyboard input (which can reveal passwords), along with Telegram account information and autocomplete passwords.
The malware also collects browser cookies, which can show which websites a victim often visits, and it can manipulate crypto-related web extensions such as MetaMask.
Check Point said that anti-malware software that detects malicious JavaScript execution is “very effective” at stopping attacks on already infected devices.