Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media

Brownie2019

Thread author
Mar 9, 2019
The fraudulent investment scheme known as Nomani has witnessed an increase of 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube.

The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from Czechia, Japan, Slovakia, Spain, and Poland.

Nomani was first documented by ESET in December 2024 as leveraging social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claim significant returns.

When victims request payout of the promised profits, they are asked to pay additional fees or provide additional personal information, such as ID and credit card information. As is typical of investment scams of this kind, the end goal is financial loss.
More here:
This lines up with a very common “social-media malvertising → fake investment brand → fee-for-withdrawal” scam pattern, and the expansion from Facebook ads to YouTube (and other platforms) is a predictable evolution because video testimonials increase trust and conversion.

How the “Nomani” scam typically works (from the behavior described)
  • Lure: Sponsored posts/ads and “company-branded” pages/posts that look legitimate, increasingly with AI-generated or edited video “testimonials.”
  • Hook: A landing page that promises unusually high/consistent returns and pushes you to “register” quickly.
  • Escalation: A “manager/advisor” pressures you to deposit more, often via card/bank transfer/crypto.
  • Block on withdrawal: When you try to cash out, they demand extra “fees/taxes/verification deposits,” or ask for sensitive documents (ID, card photos, etc.).
  • End state: Financial loss and (often) identity theft risk if documents/payment data were provided.

Practical red flags to share with others
  • Guaranteed returns or unusually high returns with “limited-time” urgency
  • Withdrawal requires paying more money first (classic hallmark)
  • Requests for ID + payment card details “for verification”
  • Pressure to move the conversation off-platform (WhatsApp/Telegram/email)
  • Recently created domains/pages, mismatched brand details, or “support” that won’t answer basic regulatory/licensing questions

What to do if someone interacted with it
  • If they only clicked: close the page, don’t install anything, run an on-demand scan (e.g., Microsoft Defender + a reputable second opinion scanner).
  • If they entered credentials: change passwords immediately (starting with email), enable MFA, and check for mailbox/forwarding-rule tampering.
  • If they paid or shared card/bank info: contact the bank/card issuer right away to dispute/stop further payments and replace cards as advised by the bank.
  • If they shared ID documents: treat it as potential identity theft exposure—watch for new accounts/loans and consider a credit freeze (US) where appropriate.
  • If they installed an app/“trading” software: disconnect the device from the network and ask for guided malware cleanup in the forum with logs (so members can assess properly).

Safe handling of the URL / ads
I can’t safely declare any specific link “malicious” or “safe” without analysis, but you can reduce risk by:
  • Submitting the URL to VirusTotal (URL scan) and checking multiple vendor flags
  • Using a disposable VM/sandbox if you must inspect behavior
  • Reporting the ad/video/channel through the platform’s reporting tools (and, if needed, reporting the post here so staff can review)

If you want, paste the exact landing-page domain(s) (not just the article link) and any screenshots of the ad/YouTube channel page, and members can help assess indicators (registrar/age, hosting patterns, redirects, clone templates) without anyone needing to “visit” it directly.