An investigation reveals a global network of scams spread on Facebook and Instagram
Wed, 11 Mar 2026 at 11:00 AM

While Meta recently filed a lawsuit against two Brazilian companies for advertising scams, an investigation conducted by researchers at Bitdefender Labs reveals the existence of a vast fraud ecosystem that relies on this same advertising infrastructure.

Present in at least 25 countries, this operation illustrates the evolution of financial cybercrime strategies, now structured as veritable large-scale platforms…

A Global Fraud Machine Based on Meta Advertising

Ads Directly Inspired by the Press – Source: Bitdefender

Between February 9 and March 5, 2026, Bitdefender researchers analyzed 310 fraudulent advertising campaigns distributed via Meta platforms. In total, more than 26,000 ads were identified, in more than fifteen languages and across six continents.

According to the investigation, behind these campaigns lies a coordinated ecosystem that systematically aims to direct internet users toward investment fraud. The scenarios vary from country to country, but the mechanism remains the same, with advertisements taking the form of exclusive revelations, television scandals, or supposed limited opportunities. These ads often mimic established media outlets and use the names of public figures to bolster their credibility, as in France where some variations feature media personalities like Léa Salamé or politicians in fictional articles.

Once the internet user is convinced, they are encouraged to fill out a form with their contact information. This information is then used to fuel fraud networks where operators directly contact victims to pressure them into investing in fake trading or cryptocurrency platforms.

An industrial system designed to bypass moderation

One of the most striking aspects of this operation lies in the techniques used to evade automated detection systems. Researchers observed several evasion methods built directly into the infrastructure.

Some advertisements, for example, display a preview linking to a legitimate domain, sometimes even to google.com. However, after a click, a chain of invisible redirects leads the user to a fraudulent page.

Cybercriminals also operate farms of fake websites that mimic well-known media outlets, such as Le Monde, and use character substitution techniques.

Specifically, Latin letters are replaced with visually identical Cyrillic equivalents, which allows the attacker to bypass automated filters while remaining undetected by the user.
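
One way a defender could flag this Latin/Cyrillic substitution in advertised hostnames, as an added example (not code from Bitdefender or the original article). The watchlist, the `.example` hostnames and the small confusables table are constructed assumptions; the check also decodes punycode (`xn--`) labels, which is how such hosts usually appear in logs.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones;
# a production check would use the full Unicode confusables data.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}
WATCHLIST = {"lemonde"}  # assumed brand labels to protect

def to_unicode(host):
    """Decode punycode (xn--) labels so the script check sees real letters."""
    try:
        return host.lower().encode("ascii").decode("idna")
    except UnicodeError:
        return host.lower()  # already Unicode, or not valid IDNA

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold look-alike Cyrillic letters to the Latin letter they imitate."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)

def check_host(host, watchlist=WATCHLIST):
    """Flag labels that mix scripts or fold to a protected brand label."""
    result = {"mixed_script": False, "imitates": None}
    for label in to_unicode(host).split("."):
        if {"LATIN", "CYRILLIC"} <= scripts(label):
            result["mixed_script"] = True
        folded = skeleton(label)
        if folded != label and folded in watchlist:
            result["imitates"] = folded
    return result

if __name__ == "__main__":
    # Constructed samples: second host uses Cyrillic U+0435 in place of "e".
    for h in ("lemonde.example", "l\u0435monde.example",
              "\u043d\u043e\u0432\u043e\u0441\u0442\u0438.example"):
        print(ascii(h), check_host(h))
```

A label written entirely in Cyrillic is not flagged as mixed, so ordinary Cyrillic-language hostnames pass unless they fold to a watchlisted name.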

In some cases, perfectly legitimate websites, such as those of restaurants or local businesses, are even used as front URLs to conceal the attack.

An organization structured like a franchise model…

Analysis of metadata and technical infrastructure suggests that this fraud is not the work of a single group. Researchers suggest that several distinct operators share the same tools and methods. The system likely operates on an affiliate model, where a shared "toolkit" allows teams to launch their own campaigns while using the same monetization mechanisms. However, traces found in some campaigns reveal operational signals in Russian, although there is no evidence to attribute the operation to a state actor.
