Nomani Investment Scam Surges With AI Deepfakes
The Nomani investment scheme has seen a staggering 62% surge in activity, according to the latest data from ESET. The campaign, which focuses on distributing malicious threats, has significantly expanded its reach beyond Facebook to include major platforms like YouTube.
Researchers at the Slovak cybersecurity firm recently released a report indicating they have blocked over 64,000 unique URLs associated with this specific threat this year. While the scam is global, a majority of the detections have been concentrated in Czechia, Japan, Slovakia, Spain, and Poland.

How the Nomani Scam Operates
Nomani was first documented in late 2024 as a sophisticated operation leveraging social media malvertising and company-branded posts. The real hook, however, is the use of artificial intelligence (AI)-powered video testimonials. These videos are designed to deceive users into putting their money into non-existent investment products that promise “guaranteed” high returns.
The trap snaps shut when victims try to withdraw their supposed profits. Suddenly, they are asked to pay “processing fees” or provide sensitive personal information, including ID documents and credit card details. Like most investment scams, the end goal is total financial loss for the victim.
But it doesn’t end there. The fraudsters often try to scam the same victims a second time. They deploy “recovery” lures on social media, posing as Europol or INTERPOL representatives. These fake agents promise to help recover stolen funds—only to lead the victims into losing even more money through new fees.
Technical Upgrades and AI Deepfakes
ESET noted that the scam has received some notable technical upgrades recently. The AI-generated videos have become far more realistic, making it increasingly difficult for even savvy users to spot the deception.
“Deepfakes of popular personalities, used as initial hooks for phishing forms or websites, now use higher resolution, have significantly reduced unnatural movements and breathing, and have also improved their A/V sync,” the company noted in its research.
These fabricated clips often leverage topical news events or well-known public figures to lend credibility to the scheme. In one instance observed in Czechia, a bogus news article claimed the government was investing through one of these scam cryptocurrency platforms to generate massive returns.

Evading Detection with “Cloaking” and AI Code
To ensure their malicious ads aren’t flagged by platform moderation systems, threat actors run their campaigns for very short windows—sometimes just a few hours. They also use “cloaking” pages. If a user clicking the ad doesn’t meet specific targeting criteria (like location or device type), they are redirected to a harmless-looking page instead of the phishing site.
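A defender-side check for the cloaking behaviour described above, as an added example that is not from ESET's report or the original article: it compares where the same ad link lands under different client profiles and names the profile attribute the redirect is gated on. The URLs, profiles and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed crawl results (not real data): each ad link was fetched under
# several client profiles and the final URL after redirects was recorded.
# Tuple layout: (ad_url, country, device, final_url)
OBSERVATIONS = [
    ("https://ads.example/c?id=101", "CZ", "mobile", "https://invest-portal.example/join"),
    ("https://ads.example/c?id=101", "CZ", "desktop", "https://invest-portal.example/join"),
    ("https://ads.example/c?id=101", "US", "desktop", "https://recipes-blog.example/"),
    ("https://ads.example/c?id=202", "CZ", "mobile", "https://shop.example/sale"),
    ("https://ads.example/c?id=202", "US", "desktop", "https://SHOP.example/sale?utm=ad"),
    ("https://ads.example/c?id=303", "CZ", "mobile", "https://crypto-gov.example/form"),
    ("https://ads.example/c?id=303", "CZ", "desktop", "https://weather-news.example/"),
]
ATTRIBUTES = ("country", "device")


def landing_host(url):
    """Lower-cased host of the final landing URL; path and query are ignored."""
    return (urlsplit(url).hostname or "").lower()


def find_cloaking(observations):
    """Return {ad_url: {host: [profiles]}} for ads whose landing host varies by profile."""
    by_ad = defaultdict(lambda: defaultdict(set))
    for ad_url, country, device, final_url in observations:
        by_ad[ad_url][landing_host(final_url)].add((country, device))
    return {ad: {h: sorted(p) for h, p in hosts.items()}
            for ad, hosts in by_ad.items() if len(hosts) > 1}


def explaining_attributes(profiles_by_host):
    """Name the profile attributes whose every value maps to exactly one landing host."""
    explained = []
    for index, name in enumerate(ATTRIBUTES):
        hosts_per_value = defaultdict(set)
        for host, profiles in profiles_by_host.items():
            for profile in profiles:
                hosts_per_value[profile[index]].add(host)
        if all(len(hosts) == 1 for hosts in hosts_per_value.values()):
            explained.append(name)
    return explained


if __name__ == "__main__":
    for ad, hosts in find_cloaking(OBSERVATIONS).items():
        print(ad, "gated on", explaining_attributes(hosts), hosts)
```

Host divergence is a triage signal rather than proof, since legitimate advertisers also redirect by region.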
Furthermore, attackers are abusing legitimate social media ad tools, such as built-in forms and surveys, to harvest victim data directly on the platform rather than sending them to external websites. This significantly lowers their digital footprint.
There is also evidence that threat actors are using AI tools to write the HTML code for their phishing templates. This was discovered through specific checkboxes found in source code comments. Interestingly, GitHub repositories hosting these templates appear to be linked to Russian and Ukrainian users.
A Slight Decline in the Second Half of 2025
Despite the overall year-over-year surge, there is a bit of a silver lining. The number of Nomani detections in the second half of 2025 actually dropped. This suggests that increased law enforcement efforts might be forcing attackers to stop and revamp their tactics.
“On the bright side, although overall detections are up compared to 2024, there’s a hint of improvement, as H2 2025 detections have declined by 37% compared to H1 2025,” ESET stated.
The Global Ad Fraud Problem
This surge in Nomani activity comes alongside a major Reuters investigation revealing that roughly 19% of Meta’s $18 billion in ad sales in China last year came from scams, illegal gambling, and other banned content. These ads are often funneled through the company’s ad agency partners.
Reports suggest that these agencies even allow businesses to bypass standard restrictions to run prohibited advertisements. Meta has since stated that the program is under review.
When you consider that Nomani is just one of many such schemes, the scale of the problem is humongous. It highlights a critical need for better moderation and more awareness as AI continues to make these fraudulent campaigns look more legitimate than ever.