A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations, security researchers warn.
This ongoing campaign, tracked by Bitdefender Labs for the past year, has reportedly moved from Meta’s Facebook Ads to appear across both Google Ads and YouTube, putting many more users at risk.
This campaign was previously reported by Hackread.com for exploiting Facebook Ads using fake crypto sites and celebrity images to spread malware, but has now evolved its tactics.
How the Scam Works
Research reveals that the cyber criminals behind this attack are highly organised, using over 500 different website addresses and publishing thousands of malicious ads every day in different languages (mostly English, Vietnamese and Thai).
They run their ads by taking control of legitimate, verified business accounts on Google and YouTube, including the hijacked Google advertiser account of a design agency in Norway. For your information, TradingView Premium is a paid service that offers advanced tools and features for financial trading analysis.
To appear real, the scammers hijack a verified YouTube channel, delete all its original content, and rebrand it to look exactly like the official TradingView page, including the correct logos and banner art. They even copy playlists from the real channel so that the fake one appears active, abusing the verified badge to trick users into assuming authenticity.
They then use paid ads to push special videos that are hidden from public view, called unlisted videos, to avoid detection. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gathered over 182,000 views in just a few days through this aggressive advertising.
However, close inspection reveals red flags, such as a different channel handle (not @TradingView) and a low overall registered view count, which would be impossible for the popular trading platform.
The Threat
This campaign’s core objective seems to be to get users to download a dangerous file disguised as the free premium app. This file is actually a type of spyware called Trojan.Agent.GOSL, which can remotely control a victim’s computer. This program is designed to steal highly sensitive information, including passwords, personal data, and cryptocurrency wallet details.
Shared with Hackread.com, this research warns content creators that having their business accounts compromised not only damages their reputation but also allows scammers to take over the connected, verified YouTube channel and use it as a weapon.
That’s why you should always download software from official websites. Bitdefender advises users to carefully check the channel handle and subscriber count, and consider any ad promising free premium access to an app that is normally paid a major red flag.
