Criminals are targeting Bitcoin owners on Facebook with a multi-stage malware campaign - follow these steps to stay safe

Skip to main content
Tech Radar Pro
Tech Radar Gaming
Tech Radar Pro
TechRadar the business technology experts
Search TechRadar
View Profile
België (Nederlands)
Deutschland
North America
US (English)
Australasia
New Zealand
Expert Insights
Website builders
Web hosting
World Password Day
Best website builder
Best web hosting
Best office chairs
Expert Insights
Criminals are targeting Bitcoin owners on Facebook with a multi-stage malware campaign - follow these steps to stay safe
Wayne Williams
11 May 2025
No, Zendaya, Elon Musk, and Cristiano Ronaldo are not trying to steal your crypto
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
(Image credit: Pexels)
Experts warn Facebook crypto ads now deliver malware through trusted brand impersonation
Malware deploys only when victims meet specific browser or profile criteria
Local server and PowerShell commands allow stealthy data exfiltration and control
A new wave of malware attacks is targeting Bitcoin and crypto owners through Facebook ads that mimic trusted names in the industry.
Bitdefender says it has uncovered a multi-stage malvertising campaign that exploits the reputations of well-known platforms like Binance, TradingView, ByBit, and others.
These malicious ads don’t just trick users, they also adapt in real time to avoid detection and deliver malware only when conditions are ideal for the attackers.
You may like
Millions at risk as cybercriminals successfully compromise popular YouTube accounts: here's how to stay safe
Hackers go after influencers and content creators to hit followers with malware, steal data
Zoom remote control feature abused for crypto stealing cyberattacks
Highly evasive delivery system
(Image credit: Bitdefender)
The scheme begins when cybercriminals hijack or create Facebook accounts and use Meta’s ad network to run fraudulent promotions.
These ads feature fake offers and use photos of celebrities - Zendaya, Elon Musk, and Cristiano Ronaldo are the usual suspects - to appear more convincing.
Once clicked, users are redirected to lookalike websites that impersonate legitimate cryptocurrency services and prompt them to download what appears to be a desktop client.
The malware delivery system is highly evasive. Bitdefender says the front-end of the fake site works with a local server quietly spun up by the initial install, allowing attackers to send payloads directly to the victim's system while dodging most security software.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
Delivery only happens if the victim meets specific criteria, such as being logged into Facebook, using a preferred browser like Microsoft Edge, or matching a certain demographic profile.
Some malware samples run lightweight .NET servers locally and communicate with the website using advanced scripts that execute encoded PowerShell commands. These can exfiltrate sensitive data like installed software, system and OS info, and even GPU details.
Depending on the findings, the malware may download further payloads or simply go dormant if it suspects it's being analyzed in a sandbox.
Bitdefender researchers found hundreds of Facebook accounts promoting these campaigns. One ran more than 100 ads in a single day. Many ads target men aged 18 and older, with examples found in Bulgaria and Slovakia.
How to stay safe
(Image credit: Amazon India)
Scrutinize ads carefully: Be highly skeptical of ads offering free crypto tools or financial perks. Always verify links before clicking.
Download from official sources only: Visit platforms like Binance or TradingView directly. Never trust redirects from ads.
Use link-checking tools: Tools like Bitdefender Scamio or Link Checker can alert you to dangerous URLs before you engage.
Keep your security software up to date: Use a reputable antivirus that gets regular updates to catch evolving threats.
Watch for suspicious browser behavior: Pages that insist you use Edge or redirect erratically are massive red flags.
Report shady ads: Flag suspicious content on Facebook to help others avoid falling into the same trap.
You might also like
Stay protected with the best antivirus tools around
We've also rounded up the best free antivirus solutions
Hackers steal over $1bn in one of the biggest crypto thefts ever
Wayne Williams
Social Links Navigation
Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
Millions at risk as cybercriminals successfully compromise popular YouTube accounts: here's how to stay safe
Hackers go after influencers and content creators to hit followers with malware, steal data
Zoom remote control feature abused for crypto stealing cyberattacks
Criminals are spreading malware disguised as DeepSeek AI
Fake PDF converters are spreading malware to steal user information and worse - here's how to stay secure
AI is fueling the biggest financial scams ever—cyber safety experts are fighting back
Latest in Security
AI is making phishing emails far more convincing with fewer typos and better formatting: Here's how to stay safe
Microsoft employees join the list of those banned from using DeepSeek
Cisco has patched a worrying flaw which could have let attackers hijack devices
A top VC firm says investor details were stolen in a data breach
Popular employee monitoring software hijacked to launch ransomware attacks
Textbook and testing giant Pearson hit by cyberattack, customer data leaked
Latest in News
The latest Samsung Galaxy S25 Edge leak shows off the phone's design – and a potential price
Quordle hints and answers for Monday, May 12 (game #1204)
NYT Connections hints and answers for Monday, May 12 (game #701)
NYT Strands hints and answers for Monday, May 12 (game #435)
If you're already subscribed to Whoop, you can now get a free upgrade to the latest devices after a user backlash
A huge Sony Xperia 1 VII leak hints at the design, colors, and features of the upcoming flagship
LATEST ARTICLES
This note-taking app might help you get more organized than ever
I may have found my perfect PC chassis: A Ryzen 7 rig, built in a foldable keyboard that you can fit into a (large) trouser pocket
I tested the Loop Switch 2 earbuds at the Miami F1, and I’m never going to a gig or race without them again
What is a HEPA filter, and what is it used for?
Asus brings Nvidia's fastest superchip to a very boring desktop PC chassis, but there's even a DVD player and a mysterious slot
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
Contact Future's experts
Terms and conditions
Privacy policy
Cookies policy
Advertise with us
Web notifications
Accessibility Statement
Future US, Inc. Full 7th Floor, 130 West 42nd Street,
Please login or signup to comment
Please wait...