The Scam That Won’t Quit: Malicious “TradingView Premium” Ads Jump from Meta to Google and YouTube
Alin MOLOCE
Ionut Alexandru BALTARIU
Alina BÎZGĂ
September 25, 2025
Over the past year, Bitdefender researchers have been monitoring a persistent malicious campaign that initially spread via Facebook Ads, promising “free access” to TradingView Premium and other trading or financial platforms.
According to researchers at Bitdefender Labs, this campaign has now expanded beyond Meta platforms, infiltrating both YouTube and Google Ads, exposing content creators and regular users alike to increased risks.
Unlike legitimate ads, these malicious campaigns redirect users to malware-laced downloads aiming to steal credentials and compromise accounts.
You can read more about these global malvertising campaigns here:
- Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide
- Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands
- Pi2Day Scams: Crypto Users Targeted in Coordinated Facebook Ad Campaign Delivering Malware and Stealing Wallets
- Facebook Ad Scam Tricks Investors with Fake Messages and Malware Disguised as ‘Verified Facebook App’
Hijacked Google Ads account and TradingView Impersonation on YouTube: How the Scam Works
Looking into the specifics of the scam impersonating TradingView, researchers found that threat actors hijacked the Google advertiser account of a design agency in Norway. Separately, the cybercrooks also took over a YouTube account, to which they could then redirect victims through Google’s ad system. Once again, the verified status of the compromised YouTube channel, combined with its new branding and TradingView visuals, allowed the cybercriminals to impersonate the official TradingView channel. The rebranded channel was designed to be nearly indistinguishable from TradingView’s by:
- Reusing official branding, with logos, banners, and visual elements identical to the real TradingView.
- Mirroring playlists – playlists on the homepage are linked from the official TradingView channel, making the fake channel look active, even though it has no videos of its own.
- Abusing the verified badge on YouTube – since the channel was previously verified for legitimate reasons, users assume authenticity without checking deeper.
Upon closer inspection, several red flags emerge:
- The channel handle is different (not @TradingView).
- The channel itself contains no original content and has only 96 registered views, which would be impossible for a legitimate channel given TradingView’s popularity.
- The impersonation relies entirely on unlisted ad videos shown only through paid placements, avoiding public scrutiny.
One ad video is titled “Free TradingView Premium – Secret Method They Don’t Want You to Know”. Despite being unlisted, it gained over 182,000 views in just a few days through aggressive advertising.
The video’s generic promotional content describes the capabilities of the TradingView application. The description of the unlisted video includes a link from which the user can download the malicious executable. Just as in the Meta ads, the user may instead land on a benign page if the attackers’ server decides the request did not come from a valid target.
Why unlisted videos? The unlisted status is deliberate, of course. By not being publicly searchable, these malicious videos avoid casual reporting and platform moderation. Instead, they are shown exclusively through ad placements, ensuring they reach their targets while remaining hidden from public view.
The description promises benefits such as simplified trading, personalized indicators, and “reasonable” trading strategies. To build trust, it even includes disclaimers about financial risks. However, these messages mask the real intent:
- Redirecting victims to malware downloads;
- Using phishing pages to steal credentials;
- Spreading across multiple channels and domains.
How Business Accounts Become Weapons
This case highlights a growing risk: when a company’s Google account is compromised, its connected YouTube channel can be stripped of all original content and repurposed for scam and other malicious activities.
Here’s how compromise can occur:
- You or your staff members fall for a phishing email, malicious attachment, or credential-stealing campaign that gives attackers access to the Google account.
- Since YouTube is tied to Google, the attackers gain control of the channel.
- To erase any trace of the original business identity, attackers delete existing videos, branding, and playlists.
- The account is rebranded to impersonate a popular brand such as TradingView. Verified badges and existing subscriber counts lend credibility.
- Instead of building organic reach, attackers exploit Google Ads to push malware-laden unlisted videos directly to users.
Malware Analysis
Upon analyzing the malware, Bitdefender researchers identified that, while it shares traits with past samples (such as those detected as Generic.MSIL.WMITask), the initial downloader was custom-built to resist detection and analysis.
- Oversized downloader – at over 700 MB, it is too large for most automated analysis platforms to process.
- Anti-sandbox capabilities – it checks for virtualized or sandboxed environments, making both automated and manual dynamic analysis difficult.
- Multi-stage infection – once it bypasses these defenses, the malware proceeds with techniques consistent with past infostealer campaigns.
While the old samples communicated with the “front-end” via plain HTTP requests on various ports (30303, 30308) and routes (/s, /set, /q, /query), the new sample communicates over WebSockets, on port 30000 and the /config route.
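As an added detection example (not Bitdefender’s code), the script below scans constructed web-proxy log lines for the two front-end-to-executable patterns described above: the legacy HTTP calls on ports 30303/30308 with routes /s, /set, /q, /query, and the new WebSocket handshake on port 30000 at /config. The log format and the 127.0.0.1 host are assumptions made for the example.

```python
"""Added example: flag front-end traffic matching the indicators listed in the
article. The proxy log format below is constructed, not a real product format."""
import re
from urllib.parse import urlsplit

# Indicators quoted from the article: legacy HTTP channel and the new WebSocket channel.
LEGACY_PORTS = {30303, 30308}
LEGACY_ROUTES = {"/s", "/set", "/q", "/query"}
WS_PORT = 30000
WS_ROUTE = "/config"

# Constructed log line format: "<timestamp> <method> <url> <status> upgrade=<yes|no>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) upgrade=(yes|no)$")


def classify(line):
    """Return an indicator label for one log line, or None if nothing matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _method, url, _status, upgrade = m.groups()
    u = urlsplit(url)
    if u.port is None:
        return None  # default-port traffic never matches the listed ports
    path = u.path or "/"
    if u.port in LEGACY_PORTS and path in LEGACY_ROUTES:
        return "legacy-http-frontend"
    # Only a real WebSocket upgrade on /config counts; a plain GET is ignored.
    if u.port == WS_PORT and path == WS_ROUTE and upgrade == "yes":
        return "websocket-frontend"
    return None


def scan(lines):
    """Return (line_number, label, url) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify(line)
        if label:
            hits.append((n, label, line.split()[2]))
    return hits


# Constructed sample log: two legacy hits, one WebSocket hit, two benign lines.
SAMPLE_LOG = """\
2025-09-20T10:00:01Z GET http://127.0.0.1:30303/q 200 upgrade=no
2025-09-20T10:00:02Z GET https://www.tradingview.com/chart/ 200 upgrade=no
2025-09-20T10:00:03Z GET http://127.0.0.1:30000/config 101 upgrade=yes
2025-09-20T10:00:04Z GET http://127.0.0.1:30000/config 200 upgrade=no
2025-09-20T10:00:05Z POST http://127.0.0.1:30308/set 200 upgrade=no
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```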
The cybercrooks also changed the front-end scripts so they are not as easy to investigate. The code is first obfuscated and then encrypted with AES-CBC.
The decrypted service worker code is obfuscated as well. Upon deobfuscation, it can be seen that it uses https://jimmywarting.github.io/StreamSaver.js to deliver the malicious file when the user downloads it, which helps the download evade detection and makes manual analysis more difficult. The configuration used for communicating with the malicious executable is also visible:
[...]