As the Pi Network community geared up to celebrate Pi2Day on June 28, 2025, a landmark annual event featuring platform updates and product launches, cybercriminals orchestrated a sophisticated scam campaign, leveraging Facebook’s advertising platform to target unsuspecting crypto enthusiasts.
Security researchers at Bitdefender Labs, led by Ionut Baltariu, have uncovered a coordinated operation responsible for phishing attacks and malware distribution under the guise of Pi2Day promotions.
Since June 24, threat actors have deployed over 140 Facebook ad variations, all mimicking legitimate Pi2Day branding and Pi Network visuals.
Disguised as official wallet gateways or airdrop events, these ads redirect users to phishing websites that prompt them to enter sensitive 24-word wallet recovery phrases.
Victims who input their credentials unwittingly grant attackers complete access to their cryptocurrency wallets, allowing for the instant theft of funds.
A parallel attack vector involves fake “mining apps” and airdrop installers promising bonuses of 31.4 or 628 Pi tokens.
These downloadable PC applications, analyzed by Bitdefender, contain advanced malware strains, including Generic.MSIL.WMITask and Generic.JS.WMITask. Once installed, these malicious payloads can:
Bitdefender’s analysis ties these new Pi2Day scams to an ongoing, large-scale campaign that also targets users of other crypto brands, including Binance and TradingView. In all observed cases, the adversaries leverage Meta’s ad infrastructure to maximize reach with sophisticated phishing and malware attacks.
The attackers have demonstrated technical acumen, reusing infrastructure and malware strains while varying the thematic branding to match current crypto events.
Their phishing sites are near-perfect clones of legitimate Pi Wallet portals, and fake mining tools employ multi-stage infection chains to ensure persistence and stealth.
Notably, many Pi Network participants are beginners in cryptocurrency, making them especially vulnerable.
The urgency induced by exclusive airdrops and countdown timers, combined with the perceived legitimacy of verified Facebook ads, increases the scam’s effectiveness.
Bitdefender was the first cybersecurity vendor to detect and block these threat variants. It has since updated its platforms to block access to all known malicious domains associated with the scam. To protect themselves, users should:
Bitdefender continues to monitor these evolving threats, urging crypto investors to exercise heightened caution when interacting with all Facebook crypto ads, including those from verified accounts. As cybercriminals exploit every opportunity, ongoing vigilance remains the best defense.