Hackers launched malicious Windows ads on Facebook, 2026/02/25 13:05:15


Cybercriminals have launched fake advertisements on Facebook that masquerade as a Windows 11 update and lead to the theft of cryptocurrency wallet data, according to analysts from Malwarebytes.

The attack targets regular users working from home or in an office setting. Specialized filtering techniques enable the perpetrators to hide the malicious resource from data center IP addresses and security systems.

After clicking on the ad, the user is redirected to a site that visually mimics the official Microsoft website. The domain name closely resembles the original company address, making it challenging to identify the counterfeit.

A malicious program then begins downloading. Once installed, it searches for cryptocurrency wallet files and seed phrases and sends this information to the hackers, experts warn.

This is not the first instance of hackers utilizing Facebook ads to steal cryptocurrency wallet data. Last year, criminals posted approximately 140 fake ads under the Pi Network brand. Users were redirected to phishing sites with promises of free tokens or participation in airdrops, requiring them to enter their wallet recovery phrase. The attack affected users in the USA, Europe, Australia, China, and India.

Hayden Adams, the founder of the decentralized exchange Uniswap, previously cautioned about counterfeit advertisements masquerading as promotions for his platform. He noted that one victim had already lost a six-figure sum.

According to DeepStrike, in 2025, malware stole around 1.8 billion credentials. In January, the amount of cryptocurrency stolen through exploits and fraud reached $370.3 million — the highest monthly figure in 11 months, reported CertiK.