Cybersecurity company Check Point has warned that an estimated 10 million people worldwide have been exposed to online ads promoting fake crypto applications laced with malware.
Check Point's study explained on Tuesday that it has been tracking a malware campaign called “JSceal,” which targets crypto users by mimicking common cryptocurrency trading applications.
The campaign has been active since at least March 2024 and has “gradually developed over time.” It uses ads to trick victims into installing fake apps that “imitate nearly 50 common cryptocurrency trading apps,” including Binance, MetaMask and Kraken.
Crypto users are a key target: victims of crypto theft have little recourse, and blockchain anonymity shields bad actors, which makes it difficult to uncover the people behind the scheme.
An estimated 10 million targeted by malicious ads
Check Point said Meta’s advertising tools showed that 35,000 malicious ads were promoted in the first half of 2025, resulting in “a few million views in the EU alone”.
The company estimates that at least 3.5 million people were exposed to the ad campaigns within the EU, but the operators were also “imitating Asian cryptocurrencies and financial institutions,” and Asia is a region with a considerable number of social media users.
“It’s easy to exceed 10 million worldwide,” Check Point said.
The company notes that it is generally impossible to determine the full scope of malware activity and that ads “do not equal the number of victims.”
Malware uses “unique anti-evasion method”
Check Point says the latest iteration of the malware campaign adopts a “unique anti-evasion method,” which has resulted in “extremely low detection rates” and kept it running for a long time.
Victims who click on a malicious ad are sent to a legitimate-looking but fake website to download the malware. The attacker’s website and the installation software run simultaneously, which Check Point says significantly complicates analysis and detection work because the two are difficult to isolate.
The fake app opens a program that displays the legitimate website of the app the victim believes they have downloaded, to deceive them, but in the background it is collecting sensitive user information, mainly crypto-related.
The malware uses the popular programming language JavaScript, which requires no input from the victim to run. “The combination of compiled code and heavy obfuscation” makes it “challenging and time-consuming” to analyze the malware, Check Point said.
Accounts and passwords caught in the malware's net
Check Point says the main purpose of the malware is to collect as much information as possible from infected devices and send it to the threat actors for use.
The information collected includes user keyboard input (which can reveal passwords), as well as Telegram account information and autocomplete passwords.
The malware also collects browser cookies, which can show which websites a victim frequently visits, and can manipulate crypto-related web extensions (such as MetaMask).
Check Point says anti-malware software that detects malicious JavaScript execution is “very effective” in stopping attacks on already infected devices.