Full Report
The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from
Analysis Summary
# Incident Report: Surge in Nomani Investment Scam Campaigns
## Executive Summary
The Nomani fraudulent investment scheme has experienced a 62% surge in activity, driven by expanded social media distribution across platforms like Facebook and YouTube. Attackers are leveraging sophisticated, higher-resolution AI deepfakes and exploiting legitimate social media advertising frameworks to distribute malicious content, resulting in significant financial loss for victims. Cybersecurity firm ESET responded by actively blocking tens of thousands of malicious URLs.
## Incident Details
- **Discovery Date:** Data analyzed in December 2025 (Reporting period covers the year 2025).
- **Incident Date:** Activity documented starting as early as December 2024, with significant escalation throughout 2025.
- **Affected Organization:** N/A (This involves widespread consumer fraud, not a single corporate breach).
- **Sector:** Financial Fraud / Online Scams (Targeting general online users).
- **Geography:** Detections concentrated in Czechia, Japan, Slovakia, Spain, and Poland.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025, with some campaigns deliberately run for only a few hours to evade platform detection.
- **Vector:** Social media malvertising, company-branded posts, and AI-powered video testimonials (Deepfakes).
- **Details:** Attackers use high-quality deepfakes of popular personalities or leverage topical events to give credibility to the non-existent investment products.
### Lateral Movement
- *Not explicitly detailed in the context of a network intrusion; the "movement" is the expansion of the campaign vector across social media platforms (Facebook to YouTube, etc.).*
### Data Exfiltration/Impact
- **Details:** Initial impact is financial loss when victims invest. Subsequent impact occurs when victims are scammed again by actors posing as law enforcement (Europol/INTERPOL lures) to "recover" lost funds for an additional fee. Secondarily, PII/financial details (ID, credit card info) are harvested during payout requests.
### Detection & Response
- **Detection:** Detected and analyzed by ESET, which blocked over 64,000 unique URLs associated with the threat in 2025.
- **Response Actions:** ESET actively monitored and blocked malicious URLs. Platforms operating the abused ad frameworks (e.g., Meta) are under pressure following related Reuters investigations into their tolerance of ad fraud.
## Attack Methodology
- **Initial Access:** Malicious advertisements on social media platforms (Facebook, YouTube) using high-resolution, realistic AI Deepfakes as initial hooks.
- **Persistence:** Not applicable in a traditional host-based sense; persistence is maintained by continuously launching new ad campaigns and victim re-scams.
- **Privilege Escalation:** N/A.
- **Defense Evasion:**
1. Running campaigns for only a few hours to avoid platform detection systems.
2. Redirecting users to benign *cloaking pages* if they do not meet targeting criteria, showing the phishing attempt only to the intended audience.
3. Abusing legitimate ad framework tools (forms, surveys) instead of external webpages to harvest information.
- **Credential Access:** Victims are prompted for ID and credit card information when attempting to withdraw promised profits.
- **Discovery:** N/A (Scam actors conduct reconnaissance on social media trends/personalities).
- **Lateral Movement:** Expansion of the campaign vector from Facebook to other platforms like YouTube.
- **Collection:** Harvesting personal details (ID, credit card info) and victim funds.
- **Exfiltration:** Direct financial loss from victims; collection of PII/financial data.
- **Impact:** Secondary attack vector involves using fake law enforcement lures (Europol/INTERPOL) to extract further funds from initial victims.
## Impact Assessment
- **Financial:** The threat's activity rose by **62%**, with significant financial loss to end-users, many of whom are scammed a second time by the "recovery" lure.
- **Data Breach:** Collection of victims' personal information, including ID and credit card details.
- **Operational:** No specific corporate operational impact mentioned, as this is a widespread consumer threat.
- **Reputational:** Reputational damage to the personalities whose likenesses are used in the deepfakes, and to the social media platforms unknowingly hosting the ads.
## Indicators of Compromise
- **Network Indicators (Defanged):** Over 64,000 unique URLs blocked by ESET throughout the year; the source publishes no specific domains. Illustrative placeholder only, not a real indicator: `hxxp://scam-investment-platform[.]xyz`.
- **File Indicators:** N/A (Primarily URL/Web-based delivery).
- **Behavioral Indicators:** Use of very high-resolution, seemingly professional AI-generated video testimonials with improved A/V sync; immediate request for secondary fees upon stated profit withdrawal.
## Response Actions
- **Containment Measures:** ESET blocked identified malicious URLs. Attackers undercut platform-side takedowns by running each ad campaign for only a few hours.
- **Eradication Steps:** ESET continuously monitors and updates blocks against associated URLs.
- **Recovery Actions:** Law enforcement efforts, cited as a possible reason for the slowdown in detections during H2 2025, are an external factor in the threat's progression.
## Lessons Learned
- **Key Takeaways:**
1. Adversaries are rapidly weaponizing advanced AI/Deepfake technology to increase the realism and credibility of online scams.
2. Threat actors are innovating defense evasion by abusing legitimate, built-in features of advertising platforms (using internal forms instead of external web pages).
3. Scams often involve a secondary recovery fraud layer targeting original victims.
- **What Could Have Been Done Better:** Social media platforms need more robust, proactive detection systems for high-sophistication AI-generated malicious content distributed via their advertising channels.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Increase public awareness regarding investment scams utilizing deepfake endorsements on social media.
2. Financial institutions should advise clients to be highly skeptical of unsolicited investment opportunities promising significant, rapid returns, especially if presented via video testimonial on social media.
3. Social media platforms must enhance detection mechanisms specifically targeting rapid, short-duration ad campaigns that utilize synthetic media (deepfakes) for financial solicitation.
4. Users should avoid clicking links in unsolicited social media ads leading to third-party financial opportunity pages.