A disinformation-for-profit network uses trusted news brands, real personalities, fabricated media narratives, emotional hooks, and advanced evasion techniques to drive victims – all users of Meta platforms – into investment fraud funnels, researchers say.


Key takeaways

  1. Scam network runs 310+ Meta malvertising campaigns across 25 countries, impersonating trusted brands to enable investment fraud.
  2. Victims click fake ads, get redirected to fraudulent sites, submit details, then face pressure to deposit unrecoverable funds.
  3. Slavic-speaking criminals likely operate these financially motivated scams, with no evidence of state involvement.

Bitdefender Labs analyzed as many as 310 malvertising campaigns distributed through paid advertising on Meta platforms and describes them as a sprawling global scam infrastructure spanning at least 25 countries.

“The narratives vary, but the financial objective is consistent: drive users into deposit-based investment fraud funnels,” say the researchers.

They describe the campaigns as “three distinct but structurally identical scam sub-campaigns operated by what appears to be at least two to three separate threat actor groups using the same scam playbook, combined with a smaller fourth independent sub-campaign.”

Unsurprisingly, most of the narratives – whether it’s a fake broadcast scandal, a celebrity will revelation, or a “national investment platform” – ultimately pivot to investment scams. The crooks behind these campaigns attempt to harvest user data for fraudulent purposes.

“These fake narratives are used as bait. The real objective is investment fraud, through high-risk trading platforms, binary options type schemes, crypto schemes, and direct deposit funnels,” Bitdefender Labs explained in a blog post.

“The end destination is consistent: lead-generation pages that collect details for follow-on contact and pressure tactics typical of investment fraud funnels.”

Here’s how it usually works. Users see a sponsored post on Facebook that appears to point to a trusted site.

In the United Kingdom, the campaigns most often impersonate the BBC or the Bank of England. In Spain, Banco Santander and BBVA are targeted.

According to the researchers, a large share of the malvertising campaigns show observable signals of a Russian-speaking operator. Bitdefender Labs isolated every instance where such direct signals appeared in raw ad metadata on Meta.

However, there’s no actual evidence of state sponsorship or intelligence agency involvement. The ongoing hypothesis is that the campaigns are part of financially motivated criminal activity.

In addition, the mixture of Russian and Ukrainian Cyrillic across scam campaigns suggests a multi-national Slavic-speaking operator team, rather than a strictly Russian-language actor.
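
A triage sketch for the language signal described above, added here as an illustration and not Bitdefender's method (the article does not say which metadata signals were examined): it labels ad metadata strings by letters that occur in Russian but not Ukrainian, and vice versa. The field names and sample records are constructed.

```python
import unicodedata
from collections import Counter

# Lowercase letters used in modern Russian but not Ukrainian, and vice versa.
RUSSIAN_ONLY = set("\u0451\u044a\u044b\u044d")    # ё ъ ы э
UKRAINIAN_ONLY = set("\u0491\u0454\u0456\u0457")  # ґ є і ї

def classify(text):
    """Label one metadata string by the Cyrillic evidence it carries."""
    cyr = [c for c in text.lower()
           if c.isalpha() and "CYRILLIC" in unicodedata.name(c, "")]
    if not cyr:
        return "none"
    ru = any(c in RUSSIAN_ONLY for c in cyr)
    uk = any(c in UKRAINIAN_ONLY for c in cyr)
    if ru and uk:
        return "mixed"
    if ru:
        return "russian"
    if uk:
        return "ukrainian"
    return "cyrillic-ambiguous"  # only letters shared by both alphabets

def classify_ad(ad):
    """Combine field-level labels into one label per ad."""
    labels = {classify(v) for v in ad["fields"].values()}
    if "mixed" in labels or {"russian", "ukrainian"} <= labels:
        return "mixed"
    for label in ("russian", "ukrainian", "cyrillic-ambiguous"):
        if label in labels:
            return label
    return "none"

def summarize(ads):
    """Count ads per label across a campaign export."""
    return Counter(classify_ad(ad) for ad in ads)

# Constructed sample records; the field names are hypothetical.
SAMPLE_ADS = [
    {"id": "ad-001", "fields": {"page_name": "Daily Finance News",
                                "asset_name": "видео_для_рекламы.mp4"}},
    {"id": "ad-002", "fields": {"page_name": "Invest Today", "note": "моє посилання"}},
    {"id": "ad-003", "fields": {"note_a": "проверить это", "note_b": "моє посилання"}},
    {"id": "ad-004", "fields": {"page_name": "Breaking Market Update"}},
    {"id": "ad-005", "fields": {"note": "тест"}},
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(ad["id"], classify_ad(ad))
    print(dict(summarize(SAMPLE_ADS)))
```

Belarusian and Bulgarian share some of these letters, so the labels are a triage hint for an analyst to review, not an attribution.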
