Known as a fraudulent investment scheme Nomani According to ESET data, a 62% increase has been observed as threat-spreading campaigns have expanded beyond Facebook to include other social media platforms such as YouTube.
The Slovak cybersecurity company said it has blocked more than 64,000 unique URLs linked to the threat this year. Most of the investigations came from Czechia, Japan, Slovakia, Spain and Poland.
Nomani was first documented by ESET in December 2024 as leveraging social media malware, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claimed significant returns.
When victims request payment of promised profits, they are asked to pay additional fees or provide additional personal information such as ID and credit card information. As with such investment scams, the end goal is financial loss.
It doesn’t end there, as fraudsters attempt to defraud them again by using Europol- and Interpol-related lures on social media, promising assistance in recovering their stolen funds – only to lose even more money in the process.
ESET said the scam has since received some notable upgrades, including making their AI-generated videos more realistic in an effort to make the deception harder for potential targets to spot.
“Deepfakes of popular personalities used in phishing forms or as initial hooks for websites now use higher resolution, significantly reducing unnatural movements and breathing, and their A/V sync has also been improved,” the company said.
It has been found that fabricated content often takes advantage of current events or personalities that are more widely seen in public discussion to give the scheme greater credibility. In one case observed in Czechia, a fake news article falsely claimed that the government was investing through one of its scam cryptocurrency platforms and generating substantial returns.
To ensure that their malicious ads are not caught by the platform’s systems, threat actors ensure that campaigns are only run for a certain number of hours. Another significant change includes redirecting users to benign cloaking pages instead of external phishing forms if they do not meet the targeting criteria.
“To further narrow their reach, attackers are abusing the legitimate tools offered by social media advertising frameworks, such as forms and surveys instead of external webpages, to capture victims’ information,” ESET said.
The templates used to create phishing pages have also seen improvements, indicating the use of AI tools to write HTML code. This evaluation is based on the presence of checkboxes in source code comments. Furthermore, GitHub repositories hosting such templates for investment scams came from Russian and/or Ukrainian users.
Despite these changes, the number of Nomani detections declined in the second half of 2025, a sign that attackers are being forced to improve their tactics in the face of increased law enforcement efforts to combat such scams.
“On a positive note, although overall detections increased compared to 2024, there is a sign of improvement as detections declined by 37% in H2 2025 compared to H1 2025,” ESET said.
The revelations coincide with a new Reuters investigation that found 19% of Meta’s $18 billion ad sales in China last year came from ads for scams, illegal gambling, pornography and other banned content that are run by the company’s ad agency partners in the country. Some of these agencies allow businesses to run restricted advertising. It is said that after the report, Meta has reviewed the program.
The latest report follows another report from Reuters revealing that the company projected 10% of Meta’s global revenue for 2024 – or about $16 billion – will be earned from such ads, including those run by the threat actors behind Nomani, underscoring the sheer scale of the problem.
