Cybersecurity specialists are sounding the alarm on a sophisticated investment scam intertwining deceptive social media advertisements, counterfeit corporate endorsements, and AI-driven video testimonials featuring well-known public figures. This intricate fraud scheme culminates in both financial theft and compromised personal data.
“The ultimate objective of these fraudsters is to lure unsuspecting victims into phishing traps that collect sensitive information,” stated ESET in its H2 2024 Threat Report, which was shared with The Hacker News.
This Slovak cybersecurity firm has coined the scam “Nomani,” a term reflective of the phrase “no money.” According to their findings, this operation surged by an alarming 335% from H1 to H2 2024, with over 100 fresh URLs emerging daily between May and November of this year.
A Complex Web of Deception
The modus operandi begins with fraudulent advertisements propagated across social media platforms. In some instances, the scammers target individuals already victimized by earlier scams, baiting them with Europol- or INTERPOL-themed promises of assistance, such as recovering stolen funds via clickable links.
These deceptive advertisements stem from a combination of fake accounts and hijacked legitimate profiles, including those belonging to small enterprises, government bodies, and popular micro-influencers with sizable audiences. Dissemination tactics also extend to Messenger, Threads, and glowing—yet fabricated—Google reviews.
ESET revealed that another significant subset of accounts amplifying Nomani ads comprises newly minted profiles with trivial follower counts, forgettable names, and sparse activity histories.
The malicious URLs embedded within these ads redirect users to sites mimicking local news outlets or reputable entities. These sites leverage stolen logos, branding, and elaborate designs to feign authenticity. Some even masquerade as cryptocurrency management platforms under names that change frequently, such as Quantum Bumex, Immediate Mator, or Bitcoin Trader.
The Lure of Fictitious Profits
Once the phishing sites harvest victims’ personal data, the perpetrators escalate the scam. Victims are contacted directly, coaxed into “investing” in fabricated financial products that display spectacular—yet entirely fake—returns. In severe cases, individuals are persuaded to secure loans or install remote access applications on their devices.
“When victims attempt to withdraw the promised earnings, they are compelled to pay additional fees and provide further personal details, including identification documents and credit card information,” ESET explained. “Ultimately, the scammers vanish with both the victims’ funds and sensitive data, embodying the notorious ‘pig butchering’ scam model.”
Evidence of Organized Criminal Networks
Indicators suggest that Nomani is orchestrated by Russian-speaking cybercriminals, evidenced by Cyrillic annotations within the source code and the use of Yandex tools for visitor analytics.
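As an added triage example (not ESET's tooling or code from the article), the following Python script checks a fetched page's HTML source for the two attribution indicators the report names: Cyrillic text in source comments and Yandex visitor-analytics loaders. The Yandex host names are the public Yandex Metrica loader domains; the sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Public Yandex Metrica loader hosts (known analytics domains, not page-specific IoCs)
YANDEX_ANALYTICS_HOSTS = ("mc.yandex.ru", "mc.yandex.com")
# Basic Cyrillic block U+0400..U+04FF
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


class _SourceScanner(HTMLParser):
    """Collect HTML comments and script references from page source."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.script_refs = []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data)  # comment body without the <!-- --> delimiters

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.script_refs.extend(v for k, v in attrs if k == "src" and v)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline loader snippets also reference the host
            self.script_refs.append(data)


def triage_page_source(html: str) -> dict:
    """Return which Nomani-style source indicators appear in a page and a simple score."""
    scanner = _SourceScanner()
    scanner.feed(html)
    cyrillic_comments = [c.strip() for c in scanner.comments if CYRILLIC.search(c)]
    refs = " ".join(scanner.script_refs)
    yandex = any(host in refs for host in YANDEX_ANALYTICS_HOSTS)
    return {
        "cyrillic_comments": cyrillic_comments,
        "yandex_analytics": yandex,
        "score": len(cyrillic_comments) + int(yandex),
    }


# Constructed sample page: a Cyrillic developer comment plus a Metrica loader tag
SAMPLE_HTML = """<html><head>
<!-- форма для сбора данных -->
<script src="https://mc.yandex.ru/metrika/tag.js"></script>
</head><body><!-- layout --></body></html>"""

if __name__ == "__main__":
    print(triage_page_source(SAMPLE_HTML))
```

A non-zero score is a signal for an analyst reviewing reported URLs, not proof: plenty of legitimate sites use Yandex Metrica or carry Cyrillic comments, so the result should be weighed alongside the brand-impersonation and ad-provenance indicators described above.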
Similar to other large-scale fraud operations like Telekopye, it appears that specialized groups oversee distinct facets of the operation—ranging from exploiting Meta accounts and crafting phishing websites to managing fraudulent advertisements and operating call centers.
“Through adept social engineering and strategic trust-building, these scammers often circumvent even the most robust banking safeguards, including verification calls and authorization protocols,” ESET highlighted.
A Broader Trend in Fraudulent Operations
This revelation coincides with a South Korean crackdown on a sprawling fraud network that illicitly obtained nearly $6.3 million via counterfeit online trading platforms in an operation dubbed MIDAS. Law enforcement seized over 20 servers linked to the syndicate and apprehended 32 individuals involved.
The MIDAS scheme relied on SMS campaigns, phone calls, YouTube videos, and KakaoTalk chat rooms to ensnare victims. The fraudulent platform, disguised as a legitimate home trading system (HTS), retrieved real-time stock prices from authentic brokerage servers and presented them using public charting libraries. However, no actual trades were executed.
Instead, the platform’s primary feature—a screen capture function—was exploited to surveil users, exfiltrate their information without authorization, and deny victims access to their funds.