Researchers have uncovered a sprawling fraud operation that bought hundreds of thousands of paid ads on Meta platforms (Facebook and Instagram) to lure people across Asia Pacific into fake apps, phishing pages, and bogus investment schemes. Between January and April 2026, Bitdefender Labs counted more than 400,000 scam ad sightings tied to over 12,000 distinct campaigns spread across 13 countries in the region. Malvertising, the practice of buying legitimate ad slots to push malicious links, gives these crews instant reach into the feeds of ordinary users, and the scale here shows just how cheaply that reach can be rented.
The takeaway for readers is simple. A polished ad that looks like real news or a familiar trading app, even one showing a genuine-looking domain in its preview, may route you straight to a credential-stealing site or a malware download once you click.
Who is affected
The campaigns hit users in 13 Asia Pacific markets, with Australia alone accounting for 52 percent of all observed campaigns. Health-themed scams led the dataset at 19 percent, finance followed at 18 percent, and the rest spanned entertainment, gambling, beauty, online courses, and software. Despite that variety, Bitdefender found the operation reuses the same small set of playbooks and frequently the same backend infrastructure, including identical fake pages, redirect chains, and even the same fraudulent accounts appearing in multiple countries at once.
How the attack works
The structure rarely changes even as the creative does. A user sees a paid ad that looks legitimate, clicks it, and a post-click redirect hands the victim through one or more intermediary pages before depositing them on a fake site, a phishing form, or a malicious download. Because those final destinations rotate constantly, the campaigns are slippery to detect and slow to take down. The same redirect-chain tactic shows up in other current ad and download abuse, including fake developer-tool sites that hijack downloads to spread stealers.
Bitdefender groups the activity into three repeatable patterns. The first is fake app and download traps that impersonate platforms such as Binance, TradingView, and Wise, dangling a bonus or a premium desktop app that ends at a credential-stealing site or malware; this pattern recurs across Vietnam, Japan, Bangladesh, Thailand, Malaysia, New Zealand, and the Philippines using near-identical infrastructure. The second is scandal and celebrity bait, which fabricates breaking news involving central banks, economists, or public figures (including the Reserve Bank of Australia and Bank Negara Malaysia) to manufacture urgency and trust. The third is AI-themed investment scams that pitch AI-powered insights, stock diagnostics, or automated trading strategies rather than openly promising returns.
Localized lures, shared backbone
The operators tune delivery to each market. In Australia the lures are polished and often pose as breaking news; in India the emphasis is scale, with the same message pushed through dozens of fake accounts at once; across Southeast Asia the approaches blend. In Bangladesh ads use local language and familiar figures, in Singapore some campaigns embed real financial data to make fake tools look credible, and in Indonesia low-cost offers pull targets into private messages rather than websites. Based on the shared fake pages, redirect chains, reused accounts, and campaign templates Bitdefender observed, the firm assesses with high confidence that many nominally separate campaigns are run as a single cross-border system that changes its surface while keeping the same core playbook. The finance campaigns mirror tactics Bitdefender documented earlier in 2026 in a global investment-scam network that also abused Meta's ad system, an approach reminiscent of the broader rise in deepfake-driven investment fraud.
What you should do
Bitdefender did not publish hard network indicators for this ecosystem, which is consistent with infrastructure that rotates rapidly. In place of IoCs, the practical defenses are behavioral. Be skeptical of investment or health ads that lean on urgency and celebrity or brand endorsement, verify where a previewed or shortened link actually leads before clicking, and treat any ad that pushes a desktop app download or steers you into an out-of-band chat as suspect. Defensive teams should watch for redirect chains that begin at social-media ad clicks and resolve to newly registered domains. The full breakdown is in the original report from Bitdefender Labs researchers Alina Bizga, Alexandra-Svetlana Dinulica, and Vlad Sireanu.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.