According to ESET data, the fraudulent investment scheme known as Nomani has increased by 62%, and campaigns distributing this threat have expanded beyond Facebook to other social media platforms such as YouTube.
A Slovak cybersecurity company said it has blocked more than 64,000 unique URLs related to the threat this year. The majority of detections occurred in the Czech Republic, Japan, Slovakia, Spain, and Poland.
Nomani was first documented by ESET in December 2024 as using social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to trick users into investing money in non-existent investment products by falsely claiming large amounts of revenue.
Once victims request payment of the promised benefits, they are asked to pay additional fees or provide additional personal information such as ID or credit card information. As is typical with this type of investment fraud, the end goal is financial loss.
The scammers don’t stop there and try to scam again using Europol and Interpol-linked decoys on social media promising help in recovering stolen funds, only to lose even more money in the process.
ESET says the scam has since undergone some notable upgrades, including making the AI-generated video more realistic to make it harder for potential targets to spot the scam.
“Deepfakes of popular celebrities used as phishing forms and initial hooks for websites now use higher resolution, significantly reduced unnatural movement and breathing, and improved A/V sync,” the company noted.
Fabricated content often leverages high-profile events or more widely visible figures in public life to lend credibility to its plans. In one case observed in the Czech Republic, a fake news article claimed that the government was making large profits by investing through one of the fraudulent cryptocurrency platforms.
To prevent malicious ads from being captured by the platform’s systems, attackers ensure that their campaigns only run for a few hours. Another important change includes redirecting users to a secure cloaking page instead of an external phishing form in case they don’t meet the targeting criteria.
“To further reduce their footprint, attackers are increasingly leveraging legitimate tools provided by social media advertising frameworks, such as forms and surveys, instead of external web pages to collect information on victims,” ESET said.
There have also been improvements to the templates used to generate phishing pages, and there are signs that AI tools are being used to create the HTML code. This evaluation is based on the presence of checkboxes within source code comments. Additionally, GitHub repositories hosting templates for such investment scams are provided by users in Russia and Ukraine.
Despite these changes, Nomani detections decreased in the second half of 2025. This indicates that attackers may be forced to modify their tactics in the face of increased law enforcement efforts to combat such scams.
“On the bright side, although the overall number of detections has increased compared to 2024, there are signs of improvement as detections in the second half of 2025 are down 37% compared to the first half of 2025,” ESET said.
The disclosure coincided with a new Reuters investigation that found 19% of Meta’s $18 billion in advertising revenue in China last year came from ads for scams, illegal gambling, pornography and other prohibited content run by the company’s advertising agency partners in the country. Some of these agencies allow businesses to display prohibited advertising. Mehta is said to have reconsidered the program following the report.
This latest report quantifies the sheer scale of the problem, revealing that the company expects to derive 10% of Meta’s global revenue in 2024, or about $16 billion, from such ads, including those run by the threat actors behind Nomani.
Source link
