Malware Ads Posing As Crypto Apps May Have Reached 10M users

An estimated 10 million people globally have been exposed to online advertisements spruiking fake crypto apps with malware, warns cybersecurity firm Check Point.

Check Point Research said on Tuesday that it had been tracking a malware campaign it named “JSCEAL” that targets crypto users by impersonating common crypto trading apps.

The campaign has been active since at least March 2024 and has “gradually evolved over time,” the company added. It uses advertisements to trick victims into installing fake apps that “impersonate almost 50 common cryptocurrency trading apps,” including Binance, MetaMask and Kraken.

Crypto users are a key target of various malicious campaigns as victims of crypto theft have little recourse to recover their funds, and blockchains anonymize bad actors, making it difficult to uncover those behind the schemes.

10 million are estimated to be targeted by malicious ads

Check Point said Meta’s ad tools showed 35,000 malicious ads were promoted in the first half of 2025, which led to “a few million views in the EU alone.”

The firm estimated that at least 3.5 million were exposed to the ad campaigns within the EU, but they also “impersonated Asian crypto and financial institutions” — regions with a comparably higher number of social media users.

“The global reach could easily exceed 10 million,” Check Point said.

The firm noted that it’s typically impossible to determine the full scope of a malware campaign and that advertising reach “does not equal the number of victims.”

Malware uses “unique anti-evasion methods”

The latest iteration of the malware campaign uses “unique anti-evasion methods,” which resulted in “extremely low detection rates” and allowed it to go undetected for so long, Check Point said.

Victims who click a malicious ad are directed to a legitimate-appearing but fake site to download the malware, and the attacker’s website and installation software run simultaneously, which Check Point said “significantly complicates analysis and detection efforts” as they’re hard to detect in isolation.

The fake app opens a program that directs to the legit site of the app a victim believes they have downloaded to deceive them, but in the background, it’s collecting “sensitive user information, primarily crypto-related.”

Related: Threat actors using ‘elaborate social engineering scheme’ to target crypto users — Report 

The malware uses the popular programming language JavaScript, which doesn’t need the victim’s input to run. Check Point said a “combination of compiled code and heavy obfuscation” made its effort to analyse the malware “challenging and time-consuming.”

Accounts and passwords scooped up in malware’s net

Check Point said that the malware’s main purpose is to gather as much information on the infected device as possible to send it to a threat actor to use.

Some of the information that the programs were collecting was user keyboard inputs — which can reveal passwords — along with stealing Telegram account information and autocomplete passwords.

The malware also collects browser cookies, which can show what websites a victim visits often, and it can manipulate crypto-related web extensions such as MetaMask.

It said that anti-malware software that detects malicious JavaScript executions would be “very effective” at stopping an attack on an already-infected device.

Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users