Bitdefender has published new findings on a fake trading platform scam that is targeting users through Google, YouTube, and Meta advertising systems.
The investigation notes that a persistent malicious campaign, which began by distributing deceptive Facebook Ads offering ‘free access’ to TradingView Premium and similar financial platforms, has now widened its reach to Google and YouTube. Researchers warn that both content creators and general users are now at risk as scammers deploy new methods to distribute credential-stealing malware.
Alin Moloce, a Researcher at Bitdefender Labs, stated that the campaign has evolved beyond its initial presence on Meta platforms. The scam now affects YouTube and Google Ads, using a variety of strategies to bypass both automated and manual checks, and to broaden its pool of potential victims.
The campaign operates by luring victims into downloading malware via convincing ads that pose as genuine trading or financial services. Unlike legitimate adverts, which link directly to real company resources, the scam redirects users to malware-laden downloads. The targeting has also widened to include both ordinary internet users and content creators, whose online accounts, once their credentials are stolen, can be taken over and reused by the attackers.
Expanding scam methods
Bitdefender’s analysis found that attackers hijacked the Google advertiser account of a Norwegian design agency and separately took control of a verified YouTube channel. Using these credentials, the scammers were able to present themselves as the official TradingView channel, leveraging the existing verified badge and mimicking official branding and playlist arrangements. This made the fake channel difficult to distinguish from the authentic one at a glance.
Critical signs of deception included a subtly different YouTube channel handle, lack of original content, and a suspiciously low number of registered views that did not match the popularity of the genuine TradingView channel. However, one ad video titled ‘Free TradingView Premium – Secret Method They Don’t Want You to Know’ reportedly gathered more than 182,000 views in just a few days. The video was unlisted, meaning it could only be found through direct links from ads, evading public moderation and scrutiny.
The unlisted status is deliberate, of course. By not being publicly searchable, these malicious videos avoid casual reporting and platform moderation. Instead, they are shown exclusively through ad placements, ensuring they reach their targets while remaining hidden from public view.
The ad description included a download link to a malicious executable. Depending on the attackers’ profiling of the visitor, the link led either to a benign website or to the actual malware. Messaging in the ads promised benefits such as simplified trading and ‘reasonable’ strategies, and tried to build trust by including disclaimers about financial risk.
Business accounts as targets
The research highlighted the mounting risk posed when a company’s Google account is hijacked. This can rapidly cascade to compromise a connected YouTube channel, which may then be wiped of original content and rebranded for further malicious promotions.
Scammers typically gain access via phishing or credential-stealing attacks. Once inside, they delete existing content and assume the identity of a recognised brand, enabling them to use reputable advertising infrastructure for malicious purposes.
Malware characteristics
Bitdefender’s examination of the malware revealed new features designed to make detection and analysis harder. The downloader is over 700 MB in size, far larger than the files that automated analysis tooling typically handles. It contains anti-sandbox checks and, once it has evaded detection, proceeds through multiple infection stages. The malware’s web delivery relies on encrypted and obfuscated service worker code and on the StreamSaver.js library, which further complicates analysis of its behaviour.
Attackers have also integrated several tracking mechanisms, such as PostHog, Facebook Pixel, Google Ads Conversion Tracking, and Microsoft Ads Pixel, often without user consent. These trackers may help tune the campaign and reduce exposure to detection by sending benign content to users deemed not to be valid targets.
The malware’s capabilities include intercepting all network traffic, harvesting cookies and passwords, keylogging, taking screenshots, stealing cryptocurrency wallet data, and ensuring long-term persistence on infected devices.
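A defender-side triage of an ad landing page, as an added example (not code from the Bitdefender report or from the campaign): it looks for the four tracker families named above, for a service-worker registration combined with StreamSaver.js, and for direct links to executables, then compares what the same URL served to two client profiles to surface the benign-page-for-non-targets cloaking described above. The HTML samples are constructed for the example; the regex signatures match the public loader scripts of those trackers (fbevents.js, bat.js, the googleadservices conversion script), and the score weights and cloaking threshold are arbitrary choices, not values from the report.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed HTML modelled on the behaviours the report describes: ad tracker
# pixels, a service worker plus StreamSaver.js, and a link to an executable.
# It is NOT a capture from the real campaign.
MALICIOUS_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://www.googleadservices.com/pagead/conversion_async.js"></script>
<script src="https://bat.bing.com/bat.js"></script>
<script src="https://cdn.example.invalid/posthog.js"></script>
<script>
  navigator.serviceWorker.register('/sw.js');
  const fileStream = streamSaver.createWriteStream('TradingView-Premium.exe');
</script>
</head><body>
<a href="https://download.example.invalid/TradingView-Premium-Setup.exe">Download now</a>
</body></html>"""

# Constructed "decoy" variant: what a visitor profiled as a non-target (or an
# analyst sandbox) might be served from the same URL.
BENIGN_PAGE = """<html><head>
<script src="https://cdn.example.invalid/posthog.js"></script>
</head><body><p>Welcome to our trading community.</p></body></html>"""

# Loader-script hosts/paths and global function names of the trackers named
# in the report. The PostHog signature is deliberately loose.
TRACKER_SIGNATURES = {
    "facebook_pixel": [r"connect\.facebook\.net/.*fbevents\.js", r"\bfbq\("],
    "google_ads_conversion": [r"googleadservices\.com/pagead/conversion"],
    "microsoft_ads_pixel": [r"bat\.bing\.com/bat\.js", r"\buetq\b"],
    "posthog": [r"posthog"],
}

# In-browser download assembly: a service worker plus StreamSaver.js lets a
# page stream a large file to disk without exposing a plain download URL.
DELIVERY_SIGNATURES = {
    "service_worker": [r"serviceWorker\.register\("],
    "streamsaver": [r"\bstreamSaver\b", r"StreamSaver(\.min)?\.js"],
}

EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".apk")


@dataclass
class Findings:
    trackers: list = field(default_factory=list)
    delivery: list = field(default_factory=list)
    download_links: list = field(default_factory=list)


def _matches(patterns, html):
    return any(re.search(p, html) for p in patterns)


def triage_landing_page(html: str) -> Findings:
    """Collect tracker, delivery-mechanism and executable-link indicators."""
    found = Findings()
    for name, patterns in TRACKER_SIGNATURES.items():
        if _matches(patterns, html):
            found.trackers.append(name)
    for name, patterns in DELIVERY_SIGNATURES.items():
        if _matches(patterns, html):
            found.delivery.append(name)
    for href in re.findall(r"href=[\"']([^\"']+)[\"']", html):
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            found.download_links.append(href)
    return found


def risk_score(found: Findings) -> int:
    """Arbitrary weights (an assumption, not from the report): conversion
    trackers on a 'free software' page are mildly suspicious, in-browser
    download assembly more so, a direct executable link most of all."""
    return (len(found.trackers)
            + 2 * len(found.delivery)
            + (3 if found.download_links else 0))


def cloaking_suspected(responses: dict) -> bool:
    """True when the same URL served materially different content to different
    client profiles (e.g. a sandbox versus a residential browser), which is the
    serve-benign-content-to-non-targets behaviour the report describes."""
    scores = [risk_score(triage_landing_page(html)) for html in responses.values()]
    return max(scores) - min(scores) >= 3


if __name__ == "__main__":
    for label, page in (("malicious", MALICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        result = triage_landing_page(page)
        print(label, risk_score(result), result)
    print("cloaking:", cloaking_suspected({"sandbox": BENIGN_PAGE, "victim": MALICIOUS_PAGE}))
```

In practice the two inputs to `cloaking_suspected` would be captures of the same ad URL fetched from a datacenter address and from an ordinary residential browser; a large score gap between them is the signal to escalate the ad for reporting rather than to trust the benign copy.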
Scope of campaign
Bitdefender identified over 500 domains and subdomains linked to the infrastructure behind this scam, and found that the operators are developing variants for macOS and Android to widen the pool of victims. The researchers noted the use of hijacked channels and thousands of sham Facebook pages as part of the distribution strategy. The campaign is active worldwide, targeting users in several languages and rapidly deploying new websites and ad creatives to avoid takedown.
Advice for users and creators
Users are advised to be suspicious of ads promoting free access to premium trading software, to scrutinise the channel handle and subscriber count on videos, and to avoid downloading software from third-party links. Reporting suspicious adverts through platform channels, as well as using security solutions, is strongly recommended.
Content creators and business account holders are urged to implement strong multi-factor authentication, review account recovery procedures, audit permissions, and remain vigilant for signs of unauthorised activity such as abrupt changes to branding or posted content.
The Bitdefender report concludes that scam awareness remains important, as impersonation campaigns and ad-based attacks are evolving.