• Cyber Syrup
  • Posts
  • Investment Scams Leveraging AI, Malvertising, and Social Media: Meet Nomani

Investment Scams Leveraging AI, Malvertising, and Social Media: Meet Nomani

Cybersecurity researchers are raising alarms about a sophisticated investment scam that uses social media malvertising, company-branded content, and AI-powered video testimonials featuring famous personalities to deceive victims

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Start learning AI in 2025

Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.

It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Investment Scams Leveraging AI, Malvertising, and Social Media: Meet Nomani

Cybersecurity researchers are raising alarms about a sophisticated investment scam that uses social media malvertising, company-branded content, and AI-powered video testimonials featuring famous personalities to deceive victims. This multi-layered attack scheme ultimately results in financial losses and data theft.

ESET, a prominent cybersecurity company, has tracked this evolving scam under the name "Nomani"—a play on the phrase “no money.” According to ESET’s H2 2024 Threat Report, the campaign surged by over 335% between the first and second halves of 2024, with more than 100 new malicious URLs being detected daily between May and November 2024.

How the Nomani Scam Works

The attack begins with fraudulent advertisements on social media platforms, including Facebook, Messenger, and Threads. These ads frequently target users who may have been victims of previous scams, leveraging fake lures with Europol or INTERPOL-branded messages that promise help recovering lost funds.

  1. Malicious Ads and Distribution Tactics

    • Fraudsters distribute malicious ads through both fake accounts and stolen profiles. These profiles may belong to small businesses, government entities, or micro-influencers with tens of thousands of followers.

    • The attackers also spread deceptive content by posting positive reviews on Google to enhance credibility.

    ESET notes that many of the distributing accounts are either recently created with easy-to-forget names, minimal posts, and very few followers, or are compromised legitimate profiles.

  2. Phishing Websites
    Clicking on these malicious ads directs victims to phishing websites designed to steal personal data. These websites are highly convincing and often:

    • Mimic local news outlets to gain trust.

    • Abuse logos and branding of legitimate organizations.

    • Advertise fraudulent cryptocurrency platforms under ever-changing names such as Quantum Bumex, Immediate Mator, or Bitcoin Trader.

Manipulating Victims: From Data Theft to Financial Loss

The phishing websites collect contact details, which the attackers use to make direct calls to victims. By leveraging persuasive social engineering tactics, the scammers manipulate victims into:

  • Investing money in fake platforms with promises of high returns.

  • Taking out loans under the pretense of boosting investments.

  • Installing remote access apps on their devices, allowing attackers further access to sensitive information.

The scam escalates when victims attempt to withdraw their supposed profits. At this stage, fraudsters demand additional fees and request more sensitive information, including IDs and credit card details. Ultimately, the victims lose both their money and personal data, with the scammers disappearing—a method similar to pig butchering scams.

Who Is Behind Nomani?

Evidence suggests that Russian-speaking threat actors are behind the Nomani campaign. Key indicators include:

  • Source code comments written in Cyrillic.

  • Use of Yandex tools to track website visitors.

The scale of Nomani aligns with major scam operations like Telekopye, where different criminal groups handle various parts of the attack chain. These groups specialize in:

  • Stealing and abusing Meta accounts for ads.

  • Building sophisticated phishing infrastructure.

  • Operating call centers to manipulate victims directly.

Global Fraud Trends: Lessons from South Korea’s MIDAS Operation

The emergence of Nomani coincides with other large-scale fraud networks. For instance, South Korean law enforcement recently dismantled a network that defrauded $6.3 million using fake online trading platforms, in an operation dubbed MIDAS.

Key findings from the MIDAS case include:

  • Victims were lured through SMS, phone calls, and YouTube videos, with additional engagement in KakaoTalk chat rooms.

  • Fraudulent programs appeared legitimate by connecting to real brokerage firm servers to display accurate stock prices and charts.

  • Instead of enabling actual trades, the programs used screen capture tools to spy on victims, steal data, and refuse withdrawals.

The MIDAS case highlights how cybercriminals blend legitimate-looking tools with malicious intent, an approach similar to the tactics seen in the Nomani scam.

How to Protect Yourself

  1. Be Skeptical of “Too-Good-to-Be-True” Ads

    • Avoid clicking on ads promising high investment returns or help recovering lost funds.

  2. Verify Websites and Applications

    • Use official company websites rather than clicking on links in social media ads or messages.

    • Check domain names for signs of phishing.

  3. Beware of Remote Access Requests

    • Never install remote access tools unless explicitly required by verified IT personnel or trusted platforms.

  4. Report Suspicious Activity

    • If you encounter suspicious ads, phishing emails, or fraudulent platforms, report them to social media platforms and cybersecurity authorities.

  5. Strengthen Your Online Security

    • Enable two-factor authentication (2FA) for online accounts.

    • Use reputable antivirus software to protect against malware infections.

Conclusion

The Nomani scam underscores the growing sophistication of modern cyber fraud schemes. By blending AI-powered video testimonials, social media malvertising, and convincing phishing tactics, attackers are deceiving victims at scale. As scams like Nomani grow in complexity, individuals and businesses must remain vigilant, exercise caution online, and adopt strong cybersecurity measures.

With law enforcement agencies and cybersecurity experts actively addressing these threats, public awareness is key to preventing further financial and data losses.