Researchers have uncovered a profit‑driven disinformation network that leverages trusted news brands, real public figures, fabricated media stories, emotional manipulation, and sophisticated evasion techniques to lure Meta platform users into investment fraud schemes.
Key Findings
- A large-scale scam operation is running over 310 malvertising campaigns across 25 countries, impersonating reputable brands to funnel victims into investment fraud.
- Users who click on deceptive ads are redirected to fraudulent websites, where they’re pressured into depositing money they can never recover.
- The activity appears to be run by Slavic‑speaking cybercriminals, with no signs of involvement by any government or state-backed organization.
Bitdefender Labs analyzed more than 310 paid malvertising campaigns running on Meta platforms, describing a massive global fraud infrastructure that spans at least 25 countries.
“The narratives change, but the financial goal stays the same: push users toward deposit‑based investment fraud schemes,” the researchers said.
According to the analysis, the operation consists of “three distinct but structurally identical scam clusters, seemingly controlled by two or three separate threat groups following the same playbook, along with one smaller stand‑alone cluster.”
Most narratives whether a staged news scandal, a bogus celebrity revelation, or a fake “national investment opportunity” ultimately funnel victims toward investment scams. The operators’ main goal is to harvest user data for fraudulent financial exploitation.
“These fabricated stories serve as bait. The real target is investment fraud through high-risk trading sites, binary options schemes, crypto scams, or direct deposit traps,” Bitdefender Labs explained.
All paths lead to lead‑generation pages designed to capture personal information for follow-up contact and aggressive pressure tactics typical of investment fraud operations.
How the Scam Works
Victims typically encounter a sponsored Facebook post that appears to come from a trustworthy organization.
- In the UK, scammers often impersonate the BBC or the Bank of England.
- In Spain, they commonly mimic Banco Santander or BBVA.
After clicking the ad, users are silently redirected through multiple URLs before landing on a fabricated news article or dramatic story. They’re then prompted to “sign up,” “unlock the story,” or “start earning.”
Once victims provide personal details such as name, phone number, and email, they are funneled into an investment scam call center.
A so-called “broker” contacts them, pretends to represent a legitimate trading platform, and pressures them to make an initial deposit. Victims are shown a fake dashboard with fabricated profits and urged to invest more. However, withdrawing funds is nearly impossible.
“Each narrative is easy to localize, reuse, and emotionally manipulate—exactly why they work so well on social media,” Bitdefender noted.
Who Is Behind the Campaigns?
Researchers found strong indicators that many campaigns are being operated by Russian-speaking individuals, based on language metadata in the ads. Bitdefender isolated every instance containing direct evidence of a Russian-speaking operator.
However, there is no evidence suggesting government or intelligence agency involvement. Analysts believe the operation is purely financially motivated.
Additionally, the mixture of Russian and Ukrainian Cyrillic across various campaigns suggests a multi-national Slavic-speaking criminal group, rather than a single Russian-language threat actor.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
