
Cybercriminals Use Facebook Ads to Spread Malware and Harvest Wallet Passwords


The annual Pi2Day event, celebrated by the global Pi Network community on June 28, has this year been hijacked by cybercriminals launching an extensive, multi-pronged ad campaign primarily through Facebook. 

Traditionally a landmark occasion marked by feature releases and key ecosystem updates, Pi2Day has instead become the backdrop for an elaborate operation targeting users’ cryptocurrency wallets and personal data. 

Bitdefender Labs researcher Ionut Baltariu has traced this wave of scams as part of an ongoing campaign that also exploits other major cryptocurrency platforms such as Binance and TradingView.

Sophisticated Phishing Campaigns 

Threat actors have rolled out over 140 distinct ad variations using official Pi2Day branding and Pi Network visual elements. 

These ads, which appear convincingly authentic, redirect unsuspecting users to phishing websites or prompt downloads of malicious applications. 

Phishing Pages

The campaign’s reach is global, with victims identified in regions including the United States, Europe, Australia, China, Vietnam, India, and the Philippines.

One branch of the scam relies on phishing portals meticulously crafted to mimic legitimate Pi Wallet services. 

Users are enticed to enter their 24-word recovery phrase under the guise of claiming 628 Pi tokens or participating in exclusive airdrop events tied to the Pi2Day celebrations. 

Once a recovery phrase is provided, attackers can instantly compromise the wallet and move any stored assets out of the victim’s control.
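To show what the recovery-phrase harvesting described above looks like from a defender's side, here is an added example (not code from the article or from Bitdefender) of a heuristic that scans a page's HTML for the tell-tale signs: a grid of 12 or 24 word boxes or a single paste box, "recovery phrase" wording, and event-themed lures. Both HTML samples are constructed for the example; thresholds and keyword lists are assumptions to tune against real data.

```python
import re
from html.parser import HTMLParser

# Constructed sample resembling a seed-phrase harvesting page (not a real site).
SAMPLE_PHISH = (
    "<html><body><h1>Pi2Day Airdrop: claim your 628 Pi!</h1>"
    "<p>Enter your 24-word recovery phrase to verify ownership.</p><form action='/claim'>"
    + "".join(f"<input type='text' name='word{i}' placeholder='Word {i}'>" for i in range(1, 25))
    + "<button>Unlock Wallet</button></form></body></html>"
)
# Constructed benign sample: an ordinary two-field login form.
SAMPLE_BENIGN = (
    "<html><body><form action='/login'><input name='username'>"
    "<input type='password' name='password'><button>Sign in</button></form></body></html>"
)

# Wording that asks for wallet secrets, and event lures used in the campaign (assumed lists).
PHRASE_WORDS = re.compile(r"(recovery|seed|secret|mnemonic)\s+(phrase|words?)|passphrase", re.I)
LURE_WORDS = re.compile(r"pi2day|airdrop|\bfree\s+pi\b|\b\d+\s*pi\b", re.I)

class FormScanner(HTMLParser):
    """Counts text inputs and textareas and collects the user-visible text."""
    def __init__(self):
        super().__init__()
        self.text_inputs, self.textareas, self.text = 0, 0, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "text").lower() == "text":
            self.text_inputs += 1
        elif tag == "textarea":
            self.textareas += 1
        if a.get("placeholder"):  # placeholders are user-visible text too
            self.text.append(a["placeholder"])
    def handle_data(self, data):
        self.text.append(data)

def seed_phrase_risk(html: str) -> dict:
    """Return the individual indicators, a score, and a verdict for one page."""
    p = FormScanner()
    p.feed(html)
    visible = " ".join(p.text)
    indicators = {
        # one box per BIP-39 word, or a single paste box for the whole phrase
        "entry_form": p.text_inputs in (12, 24) or p.textareas > 0,
        "phrase_wording": bool(PHRASE_WORDS.search(visible)),
        "event_lure": bool(LURE_WORDS.search(visible)),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "suspicious": score >= 2}
```

No legitimate wallet service needs a recovery phrase typed into a web form, so any page that scores here is worth blocking or reporting rather than investigating interactively.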

A parallel attack vector leverages supposed “free Pi mining” or reward apps, available as PC installers. 

In reality, these applications are laced with malware strains previously identified by Bitdefender, notably Generic.MSIL.WMITask and Generic.JS.WMITask. 

These programs are designed to surreptitiously steal stored credentials, crypto wallet keys, and log user input. 

Additionally, they can download further malicious components and employ advanced evasion techniques, such as obfuscation and sandbox detection, to avoid traditional security defenses.

Trust in Popular Platforms

The Pi Network’s promise of accessible, smartphone-based “mining” and its rapidly growing user base make it a prime target for such schemes. 

Mining Apps

The majority of users are drawn by the network’s ease of use and community rewards, with many lacking prior experience in safeguarding digital assets. 

This inexperience is exploited by the attackers, who bank on victims not understanding the necessity of keeping recovery phrases confidential or the fact that even Facebook ads, which often appear verified, can be vehicles for fraud.

The campaigns are further engineered for virality by blending the urgency of countdown timers, the allure of free tokens, and the timing around anticipated platform milestones. 

These social engineering elements are carefully chosen to drive impulsive actions from users who are eager to participate in the event or secure additional rewards.

Analysis reveals that all sides of the operation, ranging from Pi Network-themed phishing to fake security alerts from Binance and TradingView, share critical similarities. 

Each exploits the trust of widely recognized brands, leverages deceptive Facebook advertising, and delivers variants of the same multi-stage malware. 

Moreover, the infrastructure and techniques for detection evasion are identical across the campaigns, strongly suggesting that a single organized threat group is orchestrating these attacks in tandem.

Bitdefender’s findings underscore the urgent need for heightened vigilance among cryptocurrency users, especially during high-profile events that attract both genuine community attention and malicious opportunists. 

While active takedown and awareness efforts are underway, users are urged never to share wallet recovery phrases and to remain skeptical of promotional offers, even those delivered via seemingly official social media channels.
