Cyberwire Daily
Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media

By Team-CWD, January 2, 2026

The fraudulent investment scheme known as Nomani has grown by 62%, according to data from ESET, as campaigns distributing the threat have expanded beyond Facebook to other social media platforms, such as YouTube.

The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from Czechia, Japan, Slovakia, Spain, and Poland.

Nomani was first documented by ESET in December 2024 as leveraging social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claim significant returns.

When victims request payout of the promised profits, they are asked to pay more fees or provide additional personal information, such as ID and credit card information. As is typical of investment scams of this kind, the end goal is financial loss.

It doesn’t end there: the fraudsters attempt to scam the same victims again, using Europol- and INTERPOL-related lures on social media that promise help with getting the stolen funds back, only for the victims to lose more money in the process.

ESET said the scam has since received some notable upgrades, including making their AI-generated videos more realistic in an effort to make it harder for prospective targets to spot the deception.

“Deepfakes of popular personalities, used as initial hooks for phishing forms or websites, now use higher resolution, have significantly reduced unnatural movements and breathing, and have also improved their A/V sync,” the company noted.

The fabricated content has been found to often leverage topical events or personalities who are more widely seen in the public discourse to lend more credibility to the scheme. In one case observed in Czechia, a bogus news article falsely claimed the government was investing through one of its scam cryptocurrency platforms and generating substantial returns.

To keep their malicious ads from being caught by the platform’s systems, the threat actors run each campaign for only a few hours. Another important change involves redirecting users who don’t meet the targeting criteria to benign cloaking pages instead of external phishing forms.

“To further lower their footprint, attackers increasingly abuse legitimate tools offered by the social media ad framework, such as forms and surveys instead of external webpages, to harvest victims’ information,” ESET said.

Improvements have also been observed in the templates used to generate phishing pages, with signs pointing to the use of AI tools to write the HTML code. This assessment is based on the presence of checkboxes in source code comments. Furthermore, GitHub repositories hosting such templates for investment scams have come from Russian and/or Ukrainian users.
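A triage heuristic built on the indicator described above, as an added example rather than ESET's or the article's code: it extracts HTML, CSS and JavaScript comments from a page and reports how many contain checkbox markers. Which characters count as a checkbox is an assumption, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: checkmark glyphs or Markdown task-list markers count as checkboxes.
CHECKBOX = re.compile(r"[\u2705\u2611\u2610\u2714\u2713]|\[[ xX]\]")
# /* ... */ and // ... comments in <script>/<style>; skips "//" in URLs.
CODE_COMMENT = re.compile(r"/\*(.*?)\*/|(?<![:\"'])//([^\n]*)", re.S)


class CommentCollector(HTMLParser):
    """Collects HTML, JS and CSS comments as (kind, text) pairs."""
    def __init__(self):
        super().__init__()
        self.comments, self._raw = [], None  # _raw: inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_comment(self, data):
        self.comments.append(("html", data.strip()))

    def handle_data(self, data):
        if self._raw:
            for m in CODE_COMMENT.finditer(data):
                text = (m.group(1) or m.group(2) or "").strip()
                self.comments.append((self._raw, text))


def checkbox_comment_report(html_source):
    """Return total comments, those with checkbox markers, and the ratio."""
    parser = CommentCollector()
    parser.feed(html_source)
    parser.close()
    hits = [c for c in parser.comments if CHECKBOX.search(c[1])]
    total = len(parser.comments)
    return {"total": total, "hits": hits, "ratio": len(hits) / max(total, 1)}


# Constructed sample page, not taken from any real campaign.
SAMPLE = ("<html><head>\n<!-- \u2705 Responsive hero section -->\n"
          "<style>\n/* \u2611 Mobile-first layout */\nbody{margin:0}\n</style>\n"
          "</head><body>\n<!-- Registration form -->\n<script>\n"
          "// [x] Validate phone before submit\n"
          "var u = 'https://example.invalid/api';\n</script></body></html>\n")
```

A high ratio is a reason to look closer at a page, not a verdict; hand-written templates can carry the same markers.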

Despite these changes, the number of detections for Nomani in the second half of 2025 dropped, an indication that the attackers are likely being forced to revamp their tactics in the face of increased law enforcement efforts to combat such scams.

“On the bright side, although overall detections are up compared to 2024, there’s a hint of improvement, as H2 2025 detections have declined by 37% compared to H1 2025,” ESET said.

The disclosure coincides with a new investigation from Reuters that found 19% of Meta’s $18 billion in ad sales in China last year came from ads for scams, illegal gambling, pornography, and other banned content that are run by the company’s ad agency partners in the country. Some of these agencies allow businesses to run banned advertisements. Following the report, Meta is said to have put the program under review.

The latest report comes on the heels of another Reuters report that revealed Meta had projected earning 10% of its global revenue for 2024, or about $16 billion, from such ads, including those run by the threat actors behind Nomani, quantifying the humongous scale of the problem.


