Threat Actors Exploit Facebook Ads to Distribute Malware and Steal Wallet Passwords

The Pi Network community eagerly celebrated Pi2Day, an event traditionally associated with platform updates, feature launches, and significant milestones. However, this year’s festivities have been overshadowed by a sinister wave of cyberattacks.

Cybercriminals have capitalized on the event’s hype, launching a malicious ad campaign on Facebook to target unsuspecting users with phishing scams and malware distribution.

According to Bitdefender Labs researcher Ionut Baltariu, these attacks are part of a broader, ongoing operation exploiting trust in popular cryptocurrency brands and platforms.

Pi2Day Event Targeted by Sophisticated Phishing

The campaign, which began on June 24, involves over 140 variations of deceptive ads leveraging Pi2Day branding and Pi Network’s recognizable visuals.

These ads, targeting users across regions like the US, Europe, Australia, China, Vietnam, India, and the Philippines, drive traffic to fraudulent websites and malicious applications.

The primary goal of these threat actors appears to be stealing cryptocurrency wallet recovery phrases and deploying malware to compromise user systems.

The sophistication and scale of the operation suggest a coordinated effort by a single threat actor group, employing identical infrastructure patterns and evasion tactics across multiple parallel fraud schemes on Meta’s platform.

One of the key tactics in this campaign involves phishing pages designed to mimic legitimate Pi Wallet portals.

[Image: Phishing Pages]

These fake websites lure users with promises of claiming 628 Pi tokens or accessing exclusive airdrop events, tricking them into entering their 24-word recovery phrases.

Once submitted, these phrases grant attackers full control over the victims’ wallets, enabling immediate fund transfers.

This method preys on the inexperience of many Pi Network users, who may not understand the critical importance of keeping recovery phrases private or recognizing that even seemingly verified Facebook ads can be fraudulent.
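The defender-side counterpart to the recovery-phrase lure described above is a data-loss check on outbound form submissions: a BIP39 recovery phrase has a recognisable shape (12, 15, 18, 21 or 24 lowercase words of three to eight letters), so a web proxy or endpoint agent can flag a POST that carries one to a host that is not a known wallet portal. The following is an added example, not code from the article or from Bitdefender; the host names, the allow-list and the proxy records are constructed, and the sample phrase is simply the first 24 words of the public BIP39 English list, not a real wallet.

```python
"""Heuristic detector for recovery-phrase exfiltration in url-encoded form posts.

Added example (not from the Bitdefender report). Hosts, paths and records below are
constructed placeholders, not indicators from the campaign described in the article.
"""
import re
from urllib.parse import parse_qs

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words; every word on the English
# list is 3 to 8 lowercase letters. This is a shape check, not a wordlist check.
PHRASE_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}\Z")


def looks_like_recovery_phrase(value: str) -> bool:
    """True when a form field value has the shape of a BIP39 recovery phrase."""
    words = value.split()
    return len(words) in PHRASE_LENGTHS and all(WORD_RE.match(w) for w in words)


def phrase_fields(form_body: str) -> list:
    """Names of url-encoded fields whose value looks like a recovery phrase."""
    fields = parse_qs(form_body, keep_blank_values=True)  # decodes '+' to space
    return sorted(name for name, values in fields.items()
                  if any(looks_like_recovery_phrase(v) for v in values))


def triage(records, allowed_hosts):
    """One alert per POST that sends a phrase-shaped value to a non-allow-listed host.

    A legitimate wallet unlock also matches the shape check, so the allow-list of
    known wallet portals is what separates expected traffic from a phishing page.
    """
    alerts = []
    for rec in records:
        if rec["method"] != "POST":
            continue
        hits = phrase_fields(rec["body"])
        if hits and rec["host"] not in allowed_hosts:
            alerts.append({"host": rec["host"], "path": rec["path"], "fields": hits})
    return alerts


# Constructed sample phrase: the first 24 words of the public BIP39 English list.
SAMPLE_PHRASE = ("abandon ability able about above absent absorb abstract absurd abuse "
                 "access accident account accuse achieve acid acoustic acquire across "
                 "act action actor actress actual")
ENCODED_PHRASE = SAMPLE_PHRASE.replace(" ", "+")

# Constructed proxy records (hypothetical hosts under .test, never real domains).
SAMPLE_RECORDS = [
    {"method": "POST", "host": "wallet.example-legit.test", "path": "/unlock",
     "body": "passphrase=" + ENCODED_PHRASE},
    {"method": "POST", "host": "pi2day-claim.example-phish.test", "path": "/claim",
     "body": "phrase=" + ENCODED_PHRASE + "&submit=Claim"},
    {"method": "POST", "host": "pi2day-claim.example-phish.test", "path": "/newsletter",
     "body": "email=user%40example.test"},
    {"method": "GET", "host": "pi2day-claim.example-phish.test", "path": "/", "body": ""},
]
ALLOWED_HOSTS = {"wallet.example-legit.test"}

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS, ALLOWED_HOSTS):
        print(alert)
```

The shape heuristic alone will match some ordinary lowercase text of the right length; in production, checking each word against the full 2048-word BIP39 list (and a checksum validation of the mnemonic) removes most of those false positives, while the allow-list handles the genuine wallet portals users are expected to log into.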

In parallel, attackers are distributing malware through fake “mining apps” and “claim” software promising bonuses of 31.4 PI.

[Image: Facebook Ads]
[Image: Mining Apps]

These applications, often disguised as installers for desktop systems, embed malicious payloads identified by Bitdefender as Generic.MSIL.WMITask and Generic.JS.WMITask.

These strains, previously documented in May 2025 research, are multi-stage malware capable of stealing saved credentials, logging keystrokes, downloading additional malicious components, and evading detection through obfuscation and sandbox evasion techniques.

The combination of social engineering with urgent reward timers and the allure of easy mining, Pi Network’s hallmark, makes this campaign particularly dangerous for novice users unfamiliar with cryptocurrency security practices.

Broader Implications of Coordinated Crypto Scams

According to the report, Baltariu’s analysis also links this Pi2Day scam to other fraudulent campaigns exploiting platforms like Binance and TradingView.

These operations share common characteristics: they abuse trust in well-known platforms, utilize deceptive Facebook ads to drive traffic to malicious destinations, and deploy the same multi-stage malware strains.

This convergence of tactics and infrastructure strongly indicates that a single organized group is orchestrating these efforts to maximize reach and financial gain.

The use of Meta’s advertising ecosystem as a primary attack vector highlights a critical vulnerability in how social media platforms can be weaponized against users, especially during high-profile events like Pi2Day.

As cryptocurrency adoption grows, such scams underscore the urgent need for user education on digital security and the importance of robust platform oversight to curb malicious advertising.
