The fraudulent investment scheme Nomani has seen a 62 percent increase in activity in 2025, according to cybersecurity firm ESET, with campaigns now spreading beyond Facebook to platforms including YouTube. The Slovak security company reported blocking over 64,000 unique URLs tied to the scam this year, with the majority of detections originating from Czechia, Japan, Slovakia, Spain, and Poland. First documented by ESET in December 2024, Nomani uses social media malvertising, company-branded posts, and AI-generated video testimonials to lure victims into investing in fake financial products promising high returns.
Nomani targets users by exploiting the appeal of credible endorsements and artificially generated content. Victims requesting payouts are typically asked to pay additional fees or provide sensitive personal information such as ID and credit card details, leading to financial loss. In a recurring tactic, fraudsters then attempt to scam the same victims again by posing as Europol or INTERPOL affiliates promising assistance with recovering stolen funds. ESET noted that the campaign has recently evolved, with AI-generated videos becoming more realistic, featuring higher resolution, improved audio-visual synchronization, and reduced unnatural movements to make the scams harder to detect.
The fabricated content often incorporates current events or high-profile personalities to appear legitimate. For example, in Czechia, a fake news article claimed government investments through a scam cryptocurrency platform were generating substantial returns. Attackers have also adjusted their methods to avoid detection by social media platforms. Campaigns are typically run for only a few hours and may redirect users to benign cloaking pages if they do not meet targeting criteria. Fraudsters increasingly abuse legitimate tools within social media advertising frameworks, such as surveys and forms, to harvest sensitive information without triggering automated security systems.
ESET further reported improvements in phishing page templates, with evidence of AI tools being used to generate the HTML code. Some GitHub repositories hosting these templates have been traced to Russian and Ukrainian users. Despite the rise in overall detections compared to 2024, the second half of 2025 saw a 37 percent decline in incidents compared to the first half, suggesting that attackers are adapting their strategies amid intensified law enforcement measures. The report coincides with Reuters investigations highlighting the broader scale of the problem, revealing that a significant portion of Meta’s ad revenue in China comes from banned content, including scams like Nomani. Threat actors behind such campaigns contributed to a projection of approximately 10 percent of Meta’s global revenue in 2024, reflecting the immense scale of online investment fraud.
The evolving tactics of Nomani underscore the growing sophistication of online investment scams and the persistent risk to users interacting with social media advertisements. ESET’s findings highlight the importance of vigilance, strong online security practices, and continuous monitoring of emerging cyber threats as scams increasingly integrate AI technology and social engineering techniques.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
