Highlights:
- JSCEAL malware tricks users with fake crypto apps and hidden JavaScript code.
- Over 10 million people have been exposed globally through deceptive crypto-related online ads.
- Anti-malware tools help detect threats and protect sensitive crypto data from theft.
In a recent blog post, Check Point Research warned crypto traders about a new online threat that targets crypto-related information. The firm stated that it has been tracking a malware campaign called “JSCEAL,” which tricks crypto users by pretending to be popular crypto trading apps. The campaign has been running since at least March 2024 and has gradually changed over time. “The global reach could easily exceed 10 million,” Check Point said. It is said to use online ads to mislead users into downloading fake apps that mimic nearly 50 well-known crypto trading platforms, such as Binance, MetaMask, and Kraken.
Malicious executions of compiled JavaScript, leading to the of JSCEAL — a stealthy, multi-stage crypto stealer:
⚠️ Malicious ads for fake crypto apps installers
🧩 Modular PowerShell loaders
🕵️ Unique evasion techniques that kept the campaign undetected https://t.co/S9DTH0QU0i
— Check Point Research (@_CPResearch_) July 29, 2025
Fake Crypto Apps Steal Data from Millions of Users
When someone clicks the ad and visits the fake site, they’re asked to download an app, thinking it’s the real one used for crypto trading. Once the person installs the fake app, the malware secretly enters their device. To make it seem trustworthy, the fake app even opens the real website of the crypto company it’s pretending to be. While the victim thinks everything is fine, the malware is working in the background and stealing important personal information. This includes things like saved passwords, location, email details, network info, and other crypto-related data.
The hackers use a two-step method. First, they lead users to a fake website, then they get them to download the malware. This makes it harder for security software to notice the threat, especially since the website and malware run at the same time. Sometimes, the malware isn’t installed right away, which also helps it stay hidden for longer.
Check Point said that in the first half of 2025, around 35,000 of these fake ads were shown and got millions of views in the EU alone. The security firm estimates that each fake ad reached at least 100 people in the European Union. So with 35,000 ads, around 3.5 million people in the EU were exposed. The firm hasn’t counted users outside the EU, but since the global number of social media users is much higher, it said the global reach could easily exceed 10 million.
Experts Advise Anti-Malware Tools to Combat Hidden Threats
Check Point said the malware’s main goal is to collect as much information as possible from the infected device and send it to the hacker. It also steals browser cookies to see which websites the victim visits and can interfere with crypto tools like MetaMask.
If the attackers find that a victim has more valuable data, they may add extra code to steal even more and delete all traces of the malware from the device. However, Check Point says that users can still protect themselves. The firm said that anti-malware software that can detect harmful JavaScript is very useful for stopping the malware, even after a device is infected.