Check Point Warns of Malicious Ads Promoting Fake Crypto Apps Loaded With Advanced Malware
Cybersecurity firm Check Point has issued a global warning after uncovering a widespread malware campaign that uses malicious advertisements to distribute fake cryptocurrency trading apps. The campaign, dubbed “JSCEAL,” is believed to have exposed over 10 million users worldwide since it began in March 2024.
The attack specifically targets crypto users, who are often unable to recover lost funds due to the pseudonymous and irreversible nature of blockchain transactions.
Fake Ads Impersonating Popular Crypto Platforms
According to Check Point Research, the campaign tricks users into downloading malware by impersonating nearly 50 widely used crypto apps, including Binance, MetaMask, Kraken, and others. The fake apps are promoted via ads on social media platforms, where they mimic legitimate branding and websites.
“The malware campaign has gradually evolved over time,” the firm said, noting that the attackers continuously update their tactics to evade detection.
Meta’s ad analytics revealed that 35,000 malicious ads were run in the first half of 2025, with an estimated 3.5 million users exposed within the EU alone. Given the campaign’s reach in other high-user regions, particularly in Asia, Check Point estimates the total global exposure may exceed 10 million.
However, the firm clarified that advertising reach does not equate to the number of infected users, and that determining the full scale of the campaign remains difficult.
Advanced Evasion Techniques Make Malware Hard to Detect
One of the most alarming aspects of the JSCEAL campaign is its use of “unique anti-evasion methods” that make it extremely difficult to detect.
When a victim clicks a fake ad, they are directed to a legitimate-looking but fake website, which initiates the simultaneous launch of both the malware and the authentic-looking app. This tactic masks malicious activity, making it hard for both users and analysts to realize something is wrong.
“The fake app runs alongside a real website, deceiving the user while silently collecting sensitive crypto-related information in the background,” Check Point explained.
The malware is written in JavaScript, a commonly used programming language that does not require user input to execute. The code is heavily obfuscated and partially compiled, which makes it difficult for cybersecurity researchers to reverse engineer.
Malware Targets Crypto Credentials and Device Data
Once installed, the malware’s primary objective is to gather sensitive data from the infected device and send it to the attacker’s server.
The information harvested includes:
- Keystroke logs (potentially capturing passwords)
- Telegram account data
- Saved login credentials via browser autocomplete
- Browser cookies (revealing browsing history and activity)
- Manipulation of browser-based crypto wallets, including MetaMask
This makes the malware especially dangerous for users who manage their crypto through web-based tools and mobile apps — a common practice among retail investors.
“It’s not just about stealing crypto; it’s about compromising an entire device and its digital identity,” said a Check Point researcher.
Anti-Malware Software Still Effective — If Installed in Time
While the JSCEAL campaign has proven difficult to detect, advanced anti-malware software that scans for JavaScript-based threats can still block infections — especially on devices already at risk.
Check Point emphasized that the malware’s success relies heavily on social engineering and user trust in recognizable crypto brands. Once a user downloads the fake app, it may be too late unless proactive security measures are in place.
The firm urged users to:
- Avoid downloading apps from ads or unofficial links
- Install security software that monitors script-based activity
- Regularly update all crypto apps from official sources
- Use multi-factor authentication wherever possible
Crypto Users Remain Prime Targets
Crypto investors continue to be frequent targets of malware campaigns due to the irreversible nature of crypto transactions and the difficulty of tracing blockchain-based theft. As a result, malicious actors are increasingly focused on exploiting user behavior and poor security hygiene rather than technical flaws in blockchain protocols.
Check Point concluded its report with a reminder that even the most convincing-looking apps or websites can be part of elaborate scams:
“Always verify the source. If an offer or app seems too convenient to be true, it probably is.”