Cybersecurity researchers are sounding the alarm over a widespread malvertising campaign targeting cryptocurrency users. Fake advertisements impersonating popular crypto platforms such as Binance, MetaMask, and Kraken have exposed millions to malware designed to steal wallet credentials, browser data, and other private information.
Malvertising targets crypto users at scale
Check Point Research has identified a malicious campaign dubbed JSCEAL that uses deceptive online ads to lure users into downloading counterfeit crypto apps. These ads mimic trusted services and redirect users to fake download pages, from which malware can be installed unknowingly. The campaign has been active since at least March 2024 and continues evolving.
Check Point estimates that over 10 million users globally have been exposed to these ads. In the European Union alone, around 3.5 million impressions were recorded in the first half of 2025. with extensive targeting also reported in Asia via fake versions of local crypto institutions.
How the malware works
Once a user follows the deceptive ad and installs the fake application, the malware begins to harvest sensitive data:
Keystroke logging, browser cookies, autocomplete passwords
Telegram account credentials
Manipulation of browser-based crypto wallet extensions
Access to seed phrases and private keys stored or autofilled in wallet apps
Infected apps impersonate nearly 50 different cryptocurrency platforms, enhancing the deceptive realism and baiting users into entering private credentials.
Why crypto users are prime targets
Cryptocurrency users are often more vulnerable to fraud due to:
Immutability and anonymity: Blockchain transactions are irreversible, and tracing attackers is very difficult.
Limited recourse: Once funds are taken, recovery options are minimal.
Trust in familiar platform branding: Users are more likely to trust an ad that looks like one from Binance or MetaMask.
Comparison with other malware threats
JSCEAL represents one of several recent malware campaigns targeting crypto users. Others include:
SparkKitty and SparkCat: These malware types infiltrate mobile apps and use optical character recognition (OCR) to scan phones for seed phrase screenshots stored in photo galleries.
Crocodilus malware: An Android trojan that triggers fake overlays to trick users into revealing wallet keys, then hijacks accounts using accessibility features.
Together, these threats show a growing sophistication: from fake overlays and OCR-based stealing to widespread malvertising campaigns.
Prevention and protection tips
Only install apps from trusted sources, such as official app stores.
Avoid clicking on ads, particularly those promising quick crypto gains or using familiar crypto branding.
Verify web addresses and developer details of any crypto platform before downloading.
Enable security tools like Google Play Protect or reputable mobile antivirus apps.
Double-check app permissions before granting access to sensitive device functions.
Conclusion
The JSCEAL campaign underscores an urgent threat landscape: malicious advertising networks distributing fake crypto apps capable of stealing sensitive data. With exposure estimates exceeding 10 million users worldwide, it's clear that no demographic of crypto holders is immune.
Robust hygiene—avoiding ads, confirming app authenticity, and using protective tools—remains vital. Given that blockchain thefts offer little recovery options, users must remain vigilant to protect their digital assets.


















